Add IAM Method support to Wizard

[russjones]

Investigate and propose adding IAM method support to the "Add Server" wizard.

[russjones]

Potential approach.

[mcbattirola]

@russjones @xinding33

Here's a PR adding capabilities for the web ui generate a iam method join token using the web API: #11339

We can add a new tab IAM on the Add Server button in the web UI, ask the users for AWS accounts and arn (optional). Since multiple rules are allowed, new fields can be added.

Here's a proposal, please let me know your thoughts:

(multiple rules)

---

The docs suggest that this method could be used for starting multiple agents, maybe we should add this information and allow the user to set a custom TTL?

---

Draft PR for this proposed solution: gravitational/webapps#690

[rishibarbhaya-design]

[nklaassen]

I should point out that it's valid to set just the AWS account, just the AWS ARN, or both.

Also there's currently no way to start a node to join with the IAM method from just the command line, a config file is necessary. Could pretty easily add the necessary command line args though to avoid the config file.

[mcbattirola]

I should point out that it's valid to set just the AWS account, just the AWS ARN, or both.

I see, thanks for pointing that out

Also there's currently no way to start a node to join with the IAM method from just the command line, a config file is necessary. Could pretty easily add the necessary command line args though to avoid the config file.

I was able to start a node with the command line like this, am I missing something?:

 sudo /usr/local/bin/teleport start --roles=node --token=iam-token --auth-server=https://matheus13.cloud.gravitational.io:443
2022-03-23T13:10:59Z INFO [PROC:1]    Connecting to the cluster matheus13.cloud.gravitational.io with TLS client certificate. service/connect.go:146
2022-03-23T13:11:01Z INFO [PROC:1]    Node: features loaded from auth server: Kubernetes:true App:true DB:true OIDC:true SAML:true AccessControls:true AdvancedAccessWorkflows:true Cloud:true HSM:true  service/connect.go:64
2022-03-23T13:11:03Z [NODE:1:CA] INFO Cache "node" first init succeeded. cache/cache.go:716
2022-03-23T13:11:03Z INFO [AUDIT:1]   Creating directory /var/lib/teleport/log. service/service.go:2113
2022-03-23T13:11:03Z INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload. service/service.go:2113
2022-03-23T13:11:03Z INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload/sessions. service/service.go:2113
2022-03-23T13:11:03Z INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload/sessions/default. service/service.go:2113
2022-03-23T13:11:03Z INFO [AUDIT:1]   Creating directory /var/lib/teleport/log. service/service.go:2113
2022-03-23T13:11:03Z INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload. service/service.go:2113
2022-03-23T13:11:03Z INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload/streaming. service/service.go:2113
2022-03-23T13:11:03Z INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload/streaming/default. service/service.go:2113
2022-03-23T13:11:03Z INFO [NODE:1]    Service is starting in tunnel mode. service/service.go:2025
2022-03-23T13:11:03Z INFO [PROC:1]    The new service has started successfully. Starting syncing rotation status with period 10m0s. service/connect.go:459
2022-03-23T13:11:04Z [NODE:PROX] INFO Connected. addr:172.31.34.115:49244 remote-addr:13.248.223.84:443 leaseID:1 target:matheus13.cloud.gravitational.io:443 reversetunnel/agent.go:403
2022-03-23T13:11:05Z [NODE:PROX] INFO Connected. addr:172.31.34.115:49248 remote-addr:13.248.223.84:443 leaseID:2 target:matheus13.cloud.gravitational.io:443 reversetunnel/agent.go:403

[nklaassen]

@mcbattirola it should not work unless there is already an identity in /var/lib/teleport from this host previously joining the cluster, in which case it will use that instead of re-joining (the token flag will be ignored). If you clear out /var/lib/teleport the iam method should not work today without a config file

[mcbattirola]

I see, that is exactly what was happening.
Thanks for clarifying it

[nklaassen]

but like I said above, it should be quite easy to add a --join-method=iam command line arg, we do the same for tbot

[mcbattirola]

Here are some updates:

• Added --join-method arg to the CLI on PR Allow requesting a join token with IAM method from the web api #11339
• The label IAM should be changed to AWS
• Talked with @rishibarbhaya-design about what the flow will look like:

The user can add one or multiple rules for the token
Each rule need either an AWS Account ID, a ARN, or both

Step two (Copy and run teleport start...) can only be shown after step one since the token will be generated after step 1.

We need a button to generate the token/command after the user is done inputting their rules.

@nklaassen @xinding33 does that make sense to you?

[mcbattirola]

PRs:

• master
  • teleport Allow requesting a join token with IAM method from the web api #11339
  • webapps Add IAM method to web ui webapps#690
• v9
  • teleport [v9] Allow requesting a join token with IAM method from the web api #12060
  • webapps [v9] Add IAM method to web ui (#690) webapps#744
• v8
  • teleport [v8] Allow requesting a join token with IAM method from the web api #12065
  • webapps [v8] Add IAM method to web ui (#690) webapps#746

[rishibarbhaya-design]

[mcbattirola]

All branches merged (#10972 (comment))

[pierrebeaucamp]

Cloud is waiting for release 8.3.8 or 9.1.0