
Adds AWS Role ARN to IC Integration settings #53024

Open
wants to merge 1 commit into master
Conversation

@tcsc (Contributor) commented Mar 13, 2025

The Identity Center integration needs to be able to assume an AWS role
when using the ambient system credentials. This patch updates the IC
integration protobuf definition to include the role ARN, by refactoring
the settings block to replace the CredentialSource enumeration with a
`Credentials` type containing a `oneof` union of System and OIDC credential blocks.

The CredentialSource value is preserved for backwards compatibility with previous
Teleport releases.

This patch includes

  • the updated protobuf message and generated types
  • updated tests, etc.
  • updated `tctl` to handle the new plugin settings structure

Changes required to actually use this information are coming in a later PR.

@tcsc added the labels no-changelog (indicates that a PR does not require a changelog entry), backport/branch/v17 and aws-iam-identity-center on Mar 13, 2025
@tcsc requested a review from smallinsky on March 13, 2025 02:47
@github-actions bot added the labels size/md and tctl (tctl - Teleport admin tool) on Mar 13, 2025
@github-actions bot requested review from espadolini and Tener on March 13, 2025 02:48
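The description above explains the shape of the change (a legacy CredentialSource enum kept alongside a new Credentials oneof carrying a role ARN) but not how a validator should treat records written before and after the migration. The following is an added example, not Teleport's generated types or its own CheckAndSetDefaults; every identifier in it (ICSettings, SystemCredentials, OIDCCredentials, AssumeRoleARN, the enum values) is an assumption chosen to mirror the PR text. It migrates a legacy record onto the oneof, keeps the legacy enum in sync so older releases can still read the record, enforces that exactly one branch is set, and validates the role ARN format so a malformed value is rejected at configuration time rather than at the first AssumeRole call.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Hypothetical Go shapes mirroring the protobuf change the PR describes.
// These are assumptions for this example, not Teleport's generated code.
type CredentialsSource int32

const (
	CredentialsSourceUnspecified CredentialsSource = 0
	CredentialsSourceSystem      CredentialsSource = 1
	CredentialsSourceOIDC        CredentialsSource = 2
)

// SystemCredentials: ambient AWS credentials, optionally assuming a role.
type SystemCredentials struct {
	AssumeRoleARN string // empty means "use the ambient identity as-is"
}

// OIDCCredentials: a named Teleport AWS OIDC integration.
type OIDCCredentials struct {
	IntegrationName string
}

// Credentials models a protobuf oneof: exactly one field may be non-nil.
type Credentials struct {
	System *SystemCredentials
	OIDC   *OIDCCredentials
}

// ICSettings keeps the legacy fields next to the new polymorphic one.
type ICSettings struct {
	CredentialsSource CredentialsSource // legacy enum, kept for older releases
	IntegrationName   string            // legacy, only meaningful for OIDC
	Credentials       *Credentials      // nil on records written by older releases
}

// roleARN accepts IAM role ARNs in the commercial, GovCloud and China partitions.
var roleARN = regexp.MustCompile(`^arn:(aws|aws-us-gov|aws-cn):iam::\d{12}:role/[\w+=,.@/-]+$`)

// CheckAndSetDefaults migrates a legacy record onto the Credentials oneof,
// validates whichever branch ends up set, and writes the legacy fields back
// so a previous Teleport release reading the record still sees a valid source.
func (s *ICSettings) CheckAndSetDefaults() error {
	if s.Credentials == nil {
		// Handle legacy records that pre-date the polymorphic Credentials settings.
		// An unspecified source with no Credentials block is rejected rather than
		// defaulted: failing closed is the safer choice for a credential setting.
		switch s.CredentialsSource {
		case CredentialsSourceOIDC:
			s.Credentials = &Credentials{OIDC: &OIDCCredentials{IntegrationName: s.IntegrationName}}
		case CredentialsSourceSystem:
			s.Credentials = &Credentials{System: &SystemCredentials{}}
		default:
			return errors.New("credentials source must be set")
		}
	}
	c := s.Credentials
	switch {
	case c.System != nil && c.OIDC != nil:
		return errors.New("credentials must set exactly one of system or oidc")
	case c.OIDC != nil:
		if c.OIDC.IntegrationName == "" {
			return errors.New("AWS OIDC integration name must be set")
		}
		s.CredentialsSource = CredentialsSourceOIDC
		s.IntegrationName = c.OIDC.IntegrationName
	case c.System != nil:
		if arn := c.System.AssumeRoleARN; arn != "" && !roleARN.MatchString(arn) {
			return fmt.Errorf("invalid AWS role ARN %q", arn)
		}
		s.CredentialsSource = CredentialsSourceSystem
		s.IntegrationName = ""
	default:
		return errors.New("credentials must set one of system or oidc")
	}
	return nil
}

func main() {
	// Constructed sample records: a legacy OIDC record, a new-style System
	// record with a role ARN, and a System record with a malformed ARN.
	samples := []*ICSettings{
		{CredentialsSource: CredentialsSourceOIDC, IntegrationName: "aws-prod"},
		{Credentials: &Credentials{System: &SystemCredentials{AssumeRoleARN: "arn:aws:iam::123456789012:role/TeleportIC"}}},
		{Credentials: &Credentials{System: &SystemCredentials{AssumeRoleARN: "arn:aws:iam::12345:role/Typo"}}},
	}
	for i, s := range samples {
		fmt.Printf("record %d: err=%v source=%d\n", i, s.CheckAndSetDefaults(), s.CredentialsSource)
	}
}
```

The ARN check is deliberately syntactic; whether the role exists and trusts the caller is only known at AssumeRole time, which the PR says a later change will wire up.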

if c.CredentialsSource == AWSICCredentialsSource_AWSIC_CREDENTIALS_SOURCE_OIDC && c.IntegrationName == "" {
return trace.BadParameter("AWS OIDC integration name must be set")
// Handle legacy records that pre-date the polymorphic Credentials settings
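Review bot: the legacy branch on these lines only validates the OIDC case (`c.CredentialsSource == AWSICCredentialsSource_AWSIC_CREDENTIALS_SOURCE_OIDC && c.IntegrationName == ""`); nothing visible here checks the new `Credentials` oneof, so a record with no legacy source and no populated `Credentials`, or whose System branch carries a malformed role ARN, would pass validation. Suggest rejecting a record where `Credentials` is nil and `CredentialsSource` is unspecified, and validating the role ARN format in the System branch now, since the description says a later PR will consume that ARN for AssumeRole.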
Collaborator commented:

Suggested change
- // Handle legacy records that pre-date the polymorphic Credentials settings
+ // Handle legacy records that pre-date the polymorphic Credentials settings
+ // TODO(tcsc): remove this check in v19

3 participants