gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Ability to associate different aws_role_arns with separate app_labels in single role #9916

Open deusxanima opened 2 years ago

deusxanima commented 2 years ago

What

It would streamline the RBAC management process if users had the ability to nest aws console logins under app_labels and associate different aws_role_arns with separate app_labels in a single role.

For example, if I have the following role:

kind: role
metadata:
  id: XXX
  name: admin
spec:
  allow:
    app_labels:
      '*': '*'
    aws_role_arns:
    - arn:aws:iam::account1:role/TeleportReadOnly
    - arn:aws:iam::account2:role/TeleportReadOnly2

and I have two aws apps aws-prod and aws-dev.

In the above instance, both roles show up for both accounts because of the app_labels (even specifying individual labels doesn't resolve it because it applies to all specified labels). The only way to separate them out is to create a separate role for each application. It would be nice to have a way to write a syntax so that role1 TeleportReadOnly is only for aws-prod and TeleportReadOnly2 is for aws-dev, and do so from a single application RBAC file.

zmb3 commented 3 months ago

@marcoandredinis you're working on something similar to this right now, aren't you?

marcoandredinis commented 3 months ago

I think it's slightly different.

IIUC, they are expecting something like this to configure specific AWS Roles for each (AWS) App. Eg

kind: role
metadata:
  name: admin
spec:
  allow:
    aws_role_arns:
    - iam_role: arn:aws:iam::account1:role/TeleportReadOnly
      app_label:
        app-env: aws-prod
    - iam_role: arn:aws:iam::account1:role/TeleportReadOnly2
      app_label:
        app-env: aws-dev
---
kind: app
metadata:
  name: my-aws-prod-env
  labels:
    app-env: aws-prod
# ...
---
kind: app
metadata:
  name: my-aws-dev-env
  labels:
    app-env: aws-dev
# ...

And then, when showing my-aws-dev-env, only the role TeleportReadOnly2 would be listed (same thing for the prod app).

For reference, the latest developments in this topic:

https://github.com/gravitational/teleport/pull/41585
https://github.com/gravitational/teleport/issues/41499

These could solve the root problem described above, but are not exactly what is being asked for in this feature request.

Here's how it currently (after the next release) works:

kind: role
metadata:
  name: aws-prod-access
spec:
  allow:
    app_labels:
      app-env: aws-prod
    aws_role_arns:
    - iam_role: arn:aws:iam::account1:role/TeleportReadOnly
---
kind: role
metadata:
  name: aws-dev-access
spec:
  allow:
    app_labels:
      app-env: aws-dev
    aws_role_arns:
    - iam_role: arn:aws:iam::account1:role/TeleportReadOnly2
---
kind: app
metadata:
  name: my-aws-prod-env
  labels:
    app-env: aws-prod
# ...
---
kind: app
metadata:
  name: my-aws-dev-env
  labels:
    app-env: aws-dev
# ...

The main difference is that you need two roles and not just one.
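To make the RBAC behaviour discussed in this thread concrete, here is a small Go model written for this issue (it is not Teleport's code and does not use Teleport's types). It evaluates three layouts against the two apps from the opening comment: the single wildcard `admin` role that exposes both ARNs on both apps, the two-role layout marcoandredinis describes as the current approach, and the per-ARN `app_label` nesting proposed in this issue. The label matching is deliberately simplified (an assumption: exact key/value match, with `'*': '*'` matching every app and `'*'` as a value matching any value; Teleport's real matcher supports globs and regular expressions, and deny rules are omitted). The `ScopedARN` type is hypothetical and models the proposed syntax only; the ARNs are the placeholder values from the first comment.

```go
package main

import (
	"fmt"
	"sort"
)

// Labels maps a label key to its value, as on a Teleport app resource.
type Labels map[string]string

// Role is a simplified model of a role's allow section: the app_labels
// selector plus the aws_role_arns it grants. Illustration only.
type Role struct {
	Name        string
	AppLabels   Labels
	AWSRoleARNs []string
}

// App is an AWS application resource with its labels.
type App struct {
	Name   string
	Labels Labels
}

// labelsMatch reports whether a selector matches an app's labels under the
// simplified semantics stated above (assumption, not Teleport's matcher).
func labelsMatch(selector, appLabels Labels) bool {
	if len(selector) == 0 {
		return false // a role with no app_labels grants access to no app
	}
	for key, want := range selector {
		if key == "*" && want == "*" {
			continue // wildcard selector matches every app
		}
		got, ok := appLabels[key]
		if !ok || (want != "*" && want != got) {
			return false
		}
	}
	return true
}

// AllowedARNs returns the union of aws_role_arns from every role whose
// app_labels match the app. This models the current behaviour: ARNs are
// scoped per role, never per label.
func AllowedARNs(roles []Role, app App) []string {
	seen := map[string]bool{}
	var out []string
	for _, r := range roles {
		if !labelsMatch(r.AppLabels, app.Labels) {
			continue
		}
		for _, arn := range r.AWSRoleARNs {
			if !seen[arn] {
				seen[arn] = true
				out = append(out, arn)
			}
		}
	}
	sort.Strings(out) // deterministic order for display and tests
	return out
}

// ScopedARN pairs one ARN with its own app_labels selector, modelling the
// syntax proposed in this issue. Hypothetical: not implemented in Teleport.
type ScopedARN struct {
	ARN       string
	AppLabels Labels
}

// AllowedScopedARNs evaluates the proposed per-ARN scoping within one role.
func AllowedScopedARNs(scoped []ScopedARN, app App) []string {
	var out []string
	for _, s := range scoped {
		if labelsMatch(s.AppLabels, app.Labels) {
			out = append(out, s.ARN)
		}
	}
	sort.Strings(out)
	return out
}

// Placeholder ARNs copied from the opening comment (account1/account2 are
// not real account IDs).
const (
	prodARN = "arn:aws:iam::account1:role/TeleportReadOnly"
	devARN  = "arn:aws:iam::account2:role/TeleportReadOnly2"
)

// Constructed sample resources mirroring the YAML in this thread.
var (
	awsProd = App{Name: "aws-prod", Labels: Labels{"app-env": "aws-prod"}}
	awsDev  = App{Name: "aws-dev", Labels: Labels{"app-env": "aws-dev"}}

	// The single wildcard role from the opening comment.
	adminRole = Role{Name: "admin", AppLabels: Labels{"*": "*"}, AWSRoleARNs: []string{prodARN, devARN}}

	// The two-role layout that works today.
	splitRoles = []Role{
		{Name: "aws-prod-access", AppLabels: Labels{"app-env": "aws-prod"}, AWSRoleARNs: []string{prodARN}},
		{Name: "aws-dev-access", AppLabels: Labels{"app-env": "aws-dev"}, AWSRoleARNs: []string{devARN}},
	}

	// The proposed single role with per-ARN scoping (hypothetical syntax).
	proposed = []ScopedARN{
		{ARN: prodARN, AppLabels: Labels{"app-env": "aws-prod"}},
		{ARN: devARN, AppLabels: Labels{"app-env": "aws-dev"}},
	}
)

func main() {
	for _, app := range []App{awsProd, awsDev} {
		fmt.Printf("%s\n  single wildcard role: %v\n  two scoped roles:     %v\n  proposed syntax:      %v\n",
			app.Name,
			AllowedARNs([]Role{adminRole}, app),
			AllowedARNs(splitRoles, app),
			AllowedScopedARNs(proposed, app))
	}
}
```

Running `go run` on this prints, for each app, which ARNs each layout exposes: the wildcard role lists both ARNs on both apps, while the two-role layout and the proposed syntax each list only the ARN that belongs to that app. From a least-privilege standpoint the takeaway is the same as in the thread: until ARNs can be scoped below the role, every ARN in a role is reachable from every app the role's `app_labels` match, so one role per app is the only way to keep them apart.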