AWS OIDC: Accept custom issuers#38785
Merged
marcoandredinis merged 6 commits intomasterfrom Mar 15, 2024
Merged
Conversation
marcoandredinis
added
the
no-changelog
marcoandredinis
force-pushed
the
marco/awsoidc-custom-issuer
branch
2 times, most recently
from
ad181fa to
4e0f2fa
Compare
marcoandredinis
force-pushed
the
marco/awsoidc-custom-issuer
branch
from
4e0f2fa to
2267c21
Compare
capnspacehook
approved these changes
Mar 1, 2024
marcoandredinis
force-pushed
the
marco/awsoidc-custom-issuer
branch
6 times, most recently
from
e737ef6 to
0b6d710
Compare
Contributor
Author
|
@capnspacehook Can you please take another look? After some discussion I ended up being explicit about using an S3 bucket instead of using any URL |
reedloden
reviewed
Mar 7, 2024
AntonAM
approved these changes
Mar 7, 2024
marcoandredinis
force-pushed
the
marco/awsoidc-custom-issuer
branch
3 times, most recently
from
09860f5 to
cde7c08
Compare
capnspacehook
approved these changes
Mar 12, 2024
marcoandredinis
force-pushed
the
marco/awsoidc-custom-issuer
branch
3 times, most recently
from
5837314 to
70fdcd3
Compare
kimlisa
approved these changes
Mar 15, 2024
public-teleport-github-review-bot
Bot
removed the request for review
from fspmarshall
marcoandredinis
force-pushed
the
marco/awsoidc-custom-issuer
branch
from
8fa75a2 to
f0a6336
Compare
This PR adds a new field into the AWS OIDC fields: - issuer This is the issuer that was configured in AWS. It is used by teleport to set the `issuer/iss` field when generating the JWT. This way we'll be able to set a custom issuer. As an example, we could set this to be a public S3 bucket which doesn't suffer from the thumbprint validation issuer.
marcoandredinis
force-pushed
the
marco/awsoidc-custom-issuer
branch
from
f0a6336 to
bc21b5d
Compare
marcoandredinis
force-pushed
the
marco/awsoidc-custom-issuer
branch
from
bc21b5d to
2b2866c
Compare
|
@marcoandredinis See the table below for backport results.
|
marcoandredinis
added a commit
that referenced
this pull request
Mar 18, 2024
* AWS OIDC: Accept custom issuers This PR adds a new field into the AWS OIDC fields: - issuer This is the issuer that was configured in AWS. It is used by teleport to set the `issuer/iss` field when generating the JWT. This way we'll be able to set a custom issuer. As an example, we could set this to be a public S3 bucket which doesn't suffer from the thumbprint validation issuer. * ensure issuer is a valid https url * use s3 uri instead of any url for issuer * typo and require s3 fields * add missing s3 location when creating integration * improve error messages
marcoandredinis
added a commit
that referenced
this pull request
Mar 18, 2024
* AWS OIDC: Accept custom issuers This PR adds a new field into the AWS OIDC fields: - issuer This is the issuer that was configured in AWS. It is used by teleport to set the `issuer/iss` field when generating the JWT. This way we'll be able to set a custom issuer. As an example, we could set this to be a public S3 bucket which doesn't suffer from the thumbprint validation issuer. * ensure issuer is a valid https url * use s3 uri instead of any url for issuer * typo and require s3 fields * add missing s3 location when creating integration * improve error messages
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Mar 18, 2024
* AWS OIDC: Accept custom issuers (#38785) * AWS OIDC: Accept custom issuers This PR adds a new field into the AWS OIDC fields: - issuer This is the issuer that was configured in AWS. It is used by teleport to set the `issuer/iss` field when generating the JWT. This way we'll be able to set a custom issuer. As an example, we could set this to be a public S3 bucket which doesn't suffer from the thumbprint validation issuer. * ensure issuer is a valid https url * use s3 uri instead of any url for issuer * typo and require s3 fields * add missing s3 location when creating integration * improve error messages * AWS OIDC IdP Configuration: support S3 buckets as provider (#39026) This PR adds support for setting the AWS OIDC Integration with an S3 bucket as issuer. * AWS OIDC: Require S3 for configure IdP Script (#39113) There are two new required fields for generating the configure IdP script: - s3Bucket - s3Prefix This must form a valid URI when joining them: s3://<s3Bucket>/<s3Prefix> * update aws sdk to branch/v15
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Mar 18, 2024
* AWS OIDC: Accept custom issuers (#38785) * AWS OIDC: Accept custom issuers This PR adds a new field into the AWS OIDC fields: - issuer This is the issuer that was configured in AWS. It is used by teleport to set the `issuer/iss` field when generating the JWT. This way we'll be able to set a custom issuer. As an example, we could set this to be a public S3 bucket which doesn't suffer from the thumbprint validation issuer. * ensure issuer is a valid https url * use s3 uri instead of any url for issuer * typo and require s3 fields * add missing s3 location when creating integration * improve error messages * AWS OIDC IdP Configuration: support S3 buckets as provider (#39026) This PR adds support for setting the AWS OIDC Integration with an S3 bucket as issuer. * AWS OIDC: Require S3 for configure IdP Script (#39113) There are two new required fields for generating the configure IdP script: - s3Bucket - s3Prefix This must form a valid URI when joining them: s3://<s3Bucket>/<s3Prefix>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
AWS OIDC Integration now support custom issuers.
There's a new optional field in the integration:
issuer.If this field is present, it will be used as the
issuer/issclaim in the JWT.If not, the previous logic applies: it uses the proxy's public endpoint.
As an example, we could set this to be a public S3 bucket which doesn't suffer from the thumbprint validation issue.
Context: #38782