AWS console access #7590

Merged 1 commit, Jul 26, 2021

Conversation

@r0mant (Collaborator) commented Jul 19, 2021

Add support to Teleport for generating auto-sign-in AWS management console URLs using the federation API.

This functionality is currently implemented as part of app access, where an AWS console is represented as an application. This is how a user would configure it in their configuration:

```yaml
app_service:
  enabled: "yes"
  apps:
  - name: "awsconsole-1"
    uri: "https://console.aws.amazon.com/ec2/v2/home"
    labels:
      aws_account_id: 123
  - name: "awsconsole-2"
    uri: "https://console.aws.amazon.com/ec2/v2/home"
    labels:
      aws_account_id: 456
```

In their role definitions, users are able to specify which AWS roles a role can assume, in the form of AWS role resource ARNs:

```yaml
spec:
  allow:
    app_labels:
      '*': '*'
    aws_role_arns:
    - arn:aws:iam::123:role/ec2-read-only
    - arn:aws:iam::456:role/ec2-full-access
```

The UI will display roles matching the account as long as the application configuration has the aws_account_id label, as shown above:

[Screenshot: Screen Shot 2021-07-19 at 9 37 28 AM]

After clicking on the appropriate role to assume, the Teleport app service will generate a federated login token and redirect the user to the console, which will log them in automatically.

Note that a user interacts with the AWS console directly; it is not proxied via Teleport like "normal" application access web apps, since it would be pretty challenging (if not impossible) and very fragile to try and proxy all AWS console requests through Teleport. The federated session is marked with Teleport's user name so it can be easily queried in CloudWatch. In the future, we will import CloudWatch events to Teleport's audit log.

The UX of this feature has been approved by @klizhentas. Docs PR: #7640.

Closes #7027.
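The description above covers two pieces of logic a reviewer would want to see concretely: filtering a role's aws_role_arns down to those that belong to the account named by an app's aws_account_id label, and turning temporary STS credentials into a federation sign-in URL. The block below is an added, stand-alone Go example written for this page; it is not Teleport's implementation from this PR. The federation endpoint and its Action=getSigninToken / Action=login parameters are AWS's documented interface; everything else (function names, the rule that Destination must be a console.aws.amazon.com host, the constructed credentials and response) is this example's own assumption. The network calls (AssumeRole, the GET against the federation endpoint) are deliberately left out so the code runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Real AWS federation endpoint; it serves both getSigninToken and login.
const federationEndpoint = "https://signin.aws.amazon.com/federation"

// TempCredentials mirrors STS AssumeRole output. The JSON names are the ones
// the federation endpoint expects inside its Session parameter.
type TempCredentials struct {
	AccessKeyID     string `json:"sessionId"`
	SecretAccessKey string `json:"sessionKey"`
	SessionToken    string `json:"sessionToken"`
}

// AccountFromRoleARN returns the account ID of an IAM role ARN
// (arn:<partition>:iam::<account>:role/<name>) and rejects anything else,
// so a user or policy ARN placed in aws_role_arns is never offered as a role.
func AccountFromRoleARN(arn string) (string, error) {
	p := strings.SplitN(arn, ":", 6)
	if len(p) != 6 || p[0] != "arn" || p[2] != "iam" || p[3] != "" ||
		p[4] == "" || !strings.HasPrefix(p[5], "role/") {
		return "", fmt.Errorf("not an IAM role ARN: %q", arn)
	}
	return p[4], nil
}

// RolesForApp keeps the allowed ARNs whose account equals the app's
// aws_account_id label. No label means no roles; unparsable ARNs are skipped.
func RolesForApp(allowedARNs []string, appLabels map[string]string) []string {
	account := appLabels["aws_account_id"]
	if account == "" {
		return nil
	}
	var out []string
	for _, arn := range allowedARNs {
		if acct, err := AccountFromRoleARN(arn); err == nil && acct == account {
			out = append(out, arn)
		}
	}
	return out
}

// GetSigninTokenURL builds the Action=getSigninToken request whose Session
// parameter carries the JSON-encoded temporary credentials.
func GetSigninTokenURL(creds TempCredentials) (string, error) {
	session, err := json.Marshal(creds)
	if err != nil {
		return "", err
	}
	q := url.Values{"Action": {"getSigninToken"}, "Session": {string(session)}}
	return federationEndpoint + "?" + q.Encode(), nil
}

// ParseSigninToken extracts SigninToken from the endpoint's JSON reply.
func ParseSigninToken(body []byte) (string, error) {
	var resp struct{ SigninToken string }
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", err
	}
	if resp.SigninToken == "" {
		return "", fmt.Errorf("federation response has no SigninToken")
	}
	return resp.SigninToken, nil
}

// LoginURL builds the Action=login redirect. Destination is a redirect target
// taken from the app's uri, so this example pins it to https console hosts
// (an assumed policy, not one the PR text specifies).
func LoginURL(signinToken, destination, issuer string) (string, error) {
	d, err := url.Parse(destination)
	if err != nil {
		return "", err
	}
	h := d.Hostname()
	if d.Scheme != "https" || (h != "console.aws.amazon.com" && !strings.HasSuffix(h, ".console.aws.amazon.com")) {
		return "", fmt.Errorf("refusing non-console destination %q", destination)
	}
	q := url.Values{"Action": {"login"}, "Issuer": {issuer},
		"Destination": {destination}, "SigninToken": {signinToken}}
	return federationEndpoint + "?" + q.Encode(), nil
}

func main() {
	// Constructed sample data, not output of a real Teleport or AWS call.
	allowed := []string{"arn:aws:iam::123:role/ec2-read-only", "arn:aws:iam::456:role/ec2-full-access"}
	fmt.Println(RolesForApp(allowed, map[string]string{"aws_account_id": "123"}))
	u, _ := GetSigninTokenURL(TempCredentials{AccessKeyID: "ASIAEXAMPLE", SecretAccessKey: "secret", SessionToken: "token"})
	fmt.Println(u)
	tok, _ := ParseSigninToken([]byte(`{"SigninToken":"abc123"}`)) // constructed stand-in reply
	login, _ := LoginURL(tok, "https://console.aws.amazon.com/ec2/v2/home", "https://teleport.example.com")
	fmt.Println(login)
}
```

In a real flow the app service would call STS AssumeRole on the selected ARN first (setting RoleSessionName to the Teleport user so the session is attributable in CloudWatch, as the description says), feed the returned credentials to GetSigninTokenURL, GET that URL, parse the reply with ParseSigninToken, and redirect the browser to the LoginURL result. The host check in LoginURL exists because the federation endpoint will redirect to whatever Destination it is given; without it, anyone able to edit an app's uri turns the sign-in flow into an authenticated open redirect.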

@r0mant r0mant added this to the 7.1 milestone Jul 19, 2021
@r0mant r0mant requested review from timothyb89 and smallinsky July 19, 2021 06:46
@r0mant r0mant requested a review from alex-kovoy as a code owner July 19, 2021 06:46
@r0mant r0mant self-assigned this Jul 19, 2021
@timothyb89 (Contributor) left a comment:

Just a couple small questions

lib/web/app/middleware.go (outdated, resolved)
lib/services/role.go (resolved)
@r0mant r0mant force-pushed the roman/awsconsole2 branch from ee5a3a8 to 3d24a24 Compare July 22, 2021 11:13
lib/srv/app/cloud.go (outdated, resolved)
@r0mant r0mant mentioned this pull request Jul 22, 2021
@r0mant r0mant force-pushed the roman/awsconsole2 branch from 3d24a24 to cee6d73 Compare July 23, 2021 07:55
@r0mant r0mant requested a review from smallinsky July 23, 2021 07:56
@r0mant r0mant force-pushed the roman/awsconsole2 branch from cee6d73 to dba2cf0 Compare July 26, 2021 11:37
@r0mant r0mant enabled auto-merge (squash) July 26, 2021 11:37
@russjones (Contributor) left a comment:

Bot.

@r0mant r0mant merged commit 1576833 into master Jul 26, 2021
@r0mant r0mant deleted the roman/awsconsole2 branch July 26, 2021 15:17
@r0mant r0mant mentioned this pull request Jul 27, 2021
r0mant added a commit that referenced this pull request Jul 28, 2021
r0mant added a commit that referenced this pull request Jul 28, 2021
@smallinsky smallinsky mentioned this pull request Sep 14, 2022
@r0mant r0mant mentioned this pull request Oct 11, 2022

Successfully merging this pull request may close these issues.

Control Access to AWS Management Console
6 participants