
AWS OIDC Integration does not work on AWS Gov Cloud accounts #52383

Open
marcoandredinis opened this issue Feb 21, 2025 · 0 comments
Labels
aws Used for AWS Related Issues. bug

Comments

@marcoandredinis
Contributor

Expected behavior:
I'm able to use the AWS OIDC Integration in my AWS Gov Cloud account.

Current behavior:
It's currently not possible to use the AWS OIDC Integration in an AWS Gov Cloud account because there are some assumptions in Teleport that this is going to use the non-gov regions.

Wrong link for CloudShell

During the initial set up, users are asked to run a command in CloudShell.

Image

This command will create the required AWS resources for setting up the trust between AWS and Teleport.
The CloudShell link currently points to https://console.aws.amazon.com/cloudshell/home.

For AWS Gov Cloud, the link should point to
https://console.amazonaws-us-gov.com/cloudshell/home

Note:
This one should apply to all scenarios where Teleport asks users to run a script.
However, for other locations we can provide only one link by looking into the Role ARN stored in the integration.

Wrong IAM Role custom trust policy

When running the set up script, the Identity Provider and Role are created.
The Role must have a Trust Relationship which trusts the created Identity Provider.

However, it is being hard-coded to use the aws partition.
Instead, it should look up the region and pick either the aws or the aws-us-gov partition.

federatedARN := fmt.Sprintf("arn:aws:iam::%s:oidc-provider/%s", accountID, providerURL)

Invalid link to navigate to the IAM Role URL

After running the script the user is asked to navigate to the IAM Role in AWS Dashboard.

Image

That link is invalid when using a Gov Cloud account.
https://console.aws.amazon.com/iamv2/home#/roles/details/<RoleName>
https://console.amazonaws-us-gov.com/iamv2/home#/roles/details/<RoleName>

Testing connection (Ping) fails

Before letting the user save the integration, Teleport will call sts.GetCallerIdentity to ensure the current values are valid.

This fails because we are using a hard-coded value for the region in the STS API.

awsClientReq, err = s.awsClientReqWithARN(ctx, req.Integration, awsutils.AWSGlobalRegion, req.GetRoleArn())

This can be fixed by using one of the Gov Cloud regions instead:
us-gov-east-1 or us-gov-west-1.
AFAIK, there's no aws-global equivalent for AWS Gov Cloud.

Note:
This method is also used when editing the Integration.

Region selection does not contain AWS Gov Cloud regions

After setting up the integration, users can enroll EC2, EKS or RDS resources into Teleport.
To do so, they always need to select a region.

Image

The list of regions does not contain the AWS Gov Cloud regions.

This should be changed to only list AWS Gov Cloud regions when the Integration's Role ARN partition is aws-us-gov.

Note:
This should also be changed in Region selection in UserTasks dashboard.

One-off scripts fail with InvalidClientTokenId

Running the one-off scripts for configuring the Integration fails with

2025-02-21T11:42:03.282Z INFO  Running action:PutRolePolicy provisioning/operations.go:180
 ERROR: "PutRolePolicy" failed operation error IAM: PutRolePolicy, https response error StatusCode: 403, RequestID: 11111111, api error InvalidClientTokenId: The security token included in the request is invalid
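The partition-aware lookups the report asks for (CloudShell link, trust-policy principal, IAM role link, STS region and region list all derived from the integration's stored Role ARN), as an added Go example that is not Teleport's code. It assumes the Role ARN is the only input; the console hosts and the Gov Cloud STS regions are the ones named in the issue, awsutils.AWSGlobalRegion is assumed to be the aws-global pseudo-region, and the region lists are a constructed subset, not a complete catalogue.

```go
package main

import (
	"fmt"
	"strings"
)

// partitionInfo holds what differs between AWS partitions. The console hosts
// and the Gov Cloud STS regions are the ones quoted in the issue; the region
// lists are a constructed subset for illustration, not a complete catalogue.
type partitionInfo struct {
	consoleHost string   // host used for CloudShell and IAM console links
	stsRegion   string   // region to call sts.GetCallerIdentity in
	regions     []string // regions offered in the enrollment dropdown
}

var partitions = map[string]partitionInfo{
	"aws": {
		consoleHost: "console.aws.amazon.com",
		stsRegion:   "aws-global", // assumed value of awsutils.AWSGlobalRegion
		regions:     []string{"us-east-1", "us-west-2", "eu-west-1"},
	},
	"aws-us-gov": {
		consoleHost: "console.amazonaws-us-gov.com",
		stsRegion:   "us-gov-west-1", // no aws-global equivalent; use a real Gov region
		regions:     []string{"us-gov-east-1", "us-gov-west-1"},
	},
}

// roleARN is the parsed form of arn:<partition>:iam::<account-id>:role/<name>.
type roleARN struct {
	partition string
	accountID string
	roleName  string
}

// parseRoleARN extracts the partition from the integration's stored Role ARN.
// It rejects anything that is not an IAM role ARN in a known partition.
func parseRoleARN(arn string) (roleARN, error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "iam" || parts[3] != "" {
		return roleARN{}, fmt.Errorf("not an IAM ARN: %q", arn)
	}
	if _, ok := partitions[parts[1]]; !ok {
		return roleARN{}, fmt.Errorf("unknown partition %q in %q", parts[1], arn)
	}
	if !strings.HasPrefix(parts[5], "role/") {
		return roleARN{}, fmt.Errorf("not a role ARN: %q", arn)
	}
	// A role may carry a path (role/team/Name); the console link wants only the name.
	name := strings.TrimPrefix(parts[5], "role/")
	name = name[strings.LastIndex(name, "/")+1:]
	if name == "" {
		return roleARN{}, fmt.Errorf("missing role name in %q", arn)
	}
	return roleARN{partition: parts[1], accountID: parts[4], roleName: name}, nil
}

// cloudShellURL returns the CloudShell link for the role's partition.
func cloudShellURL(r roleARN) string {
	return "https://" + partitions[r.partition].consoleHost + "/cloudshell/home"
}

// iamRoleURL returns the console link to the role created by the set-up script.
func iamRoleURL(r roleARN) string {
	return fmt.Sprintf("https://%s/iamv2/home#/roles/details/%s",
		partitions[r.partition].consoleHost, r.roleName)
}

// federatedOIDCProviderARN builds the Federated principal for the role's trust
// policy with the partition taken from the role ARN instead of a hard-coded "aws".
func federatedOIDCProviderARN(r roleARN, providerURL string) string {
	return fmt.Sprintf("arn:%s:iam::%s:oidc-provider/%s", r.partition, r.accountID, providerURL)
}

// stsRegion returns the region used for the GetCallerIdentity connectivity test.
func stsRegion(r roleARN) string { return partitions[r.partition].stsRegion }

// enrollmentRegions returns only the regions that exist in the role's partition.
func enrollmentRegions(r roleARN) []string { return partitions[r.partition].regions }

func main() {
	for _, arn := range []string{
		"arn:aws:iam::123456789012:role/TeleportIntegration",        // constructed
		"arn:aws-us-gov:iam::123456789012:role/TeleportIntegration", // constructed
	} {
		r, err := parseRoleARN(arn)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(cloudShellURL(r))
		fmt.Println(iamRoleURL(r))
		fmt.Println(federatedOIDCProviderARN(r, "teleport.example.com"))
		fmt.Println(stsRegion(r), enrollmentRegions(r))
	}
}
```

Every partition-dependent value flows from one parse of the Role ARN, so a Gov Cloud role can never be paired with a commercial console host, trust-policy principal or region list; an ARN in a partition the table does not know is rejected up front rather than silently falling back to aws.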
@zmb3 zmb3 added the aws Used for AWS Related Issues. label Feb 21, 2025

2 participants