AWS OIDC IdP Configuration: support S3 buckets as provider by marcoandredinis · Pull Request #39026 · gravitational/teleport

marcoandredinis · 2024-03-06T17:08:45Z

This PR adds support for setting the AWS OIDC Integration with an S3 bucket as issuer.

Demo:

$ teleport integration configure awsoidc-idp --cluster lenix --name teleportdev --role MarcoTestRoleOIDCProvider --s3-bucket-uri s3://marcotest-teleport2/lenix-super-idp --s3-jwks-base64=eyJrZXlzIjpbeyJrdHkiOiJSU0EiLCJhbGciOiJSUzI1NiIsIm4iOiJ6SW5HWWRxMlFjWlJ6a2YxVDllaW5DQ0Vvcjc0TWNGVGJ1eTZDWXJpQ3JmV1YyRGNZSVFrcW93dm9JSFNiRlBhUlVrRVkyMHJQMGRYSTlVdF9pcjlETS1tUmtyTkJzZjRTTkNFYUEtRGJXRF92S1R6UG9CWWdqQ3ZPdW5CWHFRZGlmSmJyUjRPSFlCVDFObkhid3MwcXR5VGlJWTY2TmlLMEN1WEpkYXJzSnQwd2RHWWpOVGZFd0tZU1AzMk43OEpfMno5dmVWZFBvcVNPZTZIeVNsYVA3XzhxcHFOV09EUTBWR1dmN1lxc2MxNlNhRGhFeUVUNVhkcVl2RmMwbnB1ejN4ME1MU3ZheVJIVkFvLUY2a2pVa3diUElqQml1OUREMy0tRWxzXzdtRktOQjFsaVhwNEpFRnR3RjFPUWYtMmMyU3dYOTFGYlJQb1BEekk2bGZ2elEiLCJlIjoiQVFBQiIsInVzZSI6InNpZyIsImtpZCI6IiJ9XX0=
INFO             Creating IAM OpenID Connect Provider: url="https://marcotest-teleport2.s3.amazonaws.com/lenix-super-idp". awsoidc/idp_iam_config.go:331
INFO             Creating IAM Role "MarcoTestRoleOIDCProvider". awsoidc/idp_iam_config.go:336
INFO             Creating bucket in region "eu-west-2" bucket:marcotest-teleport2 bucket-prefix:lenix-super-idp awsoidc/idp_iam_config.go:351
INFO             Bucket already exists in "eu-west-2" bucket:marcotest-teleport2 bucket-prefix:lenix-super-idp awsoidc/idp_iam_config.go:356
INFO             Setting public access. bucket:marcotest-teleport2 bucket-prefix:lenix-super-idp awsoidc/idp_iam_config.go:359
INFO             Uploading 'openid-configuration' and 'jwks' files. bucket:marcotest-teleport2 bucket-prefix:lenix-super-idp awsoidc/idp_iam_config.go:364

Context: #38782

public-teleport-github-review-bot · 2024-03-06T18:03:56Z

@marcoandredinis - this PR will require admin approval to merge due to its size. Consider breaking it up into a series smaller changes.

This PR adds support for setting the AWS OIDC Integration with an S3 bucket as issuer.

r0mant

Bot.

public-teleport-github-review-bot · 2024-03-15T22:29:34Z

@marcoandredinis See the table below for backport results.

Branch	Result
branch/v14	Failed
branch/v15	Create PR

This PR adds support for setting the AWS OIDC Integration with an S3 bucket as issuer.

* AWS OIDC: Accept custom issuers (#38785) * AWS OIDC: Accept custom issuers This PR adds a new field into the AWS OIDC fields: - issuer This is the issuer that was configured in AWS. It is used by teleport to set the `issuer/iss` field when generating the JWT. This way we'll be able to set a custom issuer. As an example, we could set this to be a public S3 bucket which doesn't suffer from the thumbprint validation issuer. * ensure issuer is a valid https url * use s3 uri instead of any url for issuer * typo and require s3 fields * add missing s3 location when creating integration * improve error messages * AWS OIDC IdP Configuration: support S3 buckets as provider (#39026) This PR adds support for setting the AWS OIDC Integration with an S3 bucket as issuer. * AWS OIDC: Require S3 for configure IdP Script (#39113) There are two new required fields for generating the configure IdP script: - s3Bucket - s3Prefix This must form a valid URI when joining them: s3://<s3Bucket>/<s3Prefix> * update aws sdk to branch/v15

* AWS OIDC: Accept custom issuers (#38785) * AWS OIDC: Accept custom issuers This PR adds a new field into the AWS OIDC fields: - issuer This is the issuer that was configured in AWS. It is used by teleport to set the `issuer/iss` field when generating the JWT. This way we'll be able to set a custom issuer. As an example, we could set this to be a public S3 bucket which doesn't suffer from the thumbprint validation issuer. * ensure issuer is a valid https url * use s3 uri instead of any url for issuer * typo and require s3 fields * add missing s3 location when creating integration * improve error messages * AWS OIDC IdP Configuration: support S3 buckets as provider (#39026) This PR adds support for setting the AWS OIDC Integration with an S3 bucket as issuer. * AWS OIDC: Require S3 for configure IdP Script (#39113) There are two new required fields for generating the configure IdP script: - s3Bucket - s3Prefix This must form a valid URI when joining them: s3://<s3Bucket>/<s3Prefix>

marcoandredinis added backport/branch/v14 no-changelog Indicates that a PR does not require a changelog entry labels Mar 6, 2024

marcoandredinis mentioned this pull request Mar 6, 2024

AWS OIDC Integration: use S3 bucket as IdP issuer #38782

Closed

marcoandredinis force-pushed the marco/awsoidc-conf-custom-idp branch 2 times, most recently from d4d358f to 62a2136 Compare March 6, 2024 17:39

marcoandredinis marked this pull request as ready for review March 6, 2024 18:03

github-actions Bot added the size/xl label Mar 6, 2024

github-actions Bot requested review from fheinecke and r0mant March 6, 2024 18:03

marcoandredinis force-pushed the marco/awsoidc-custom-issuer branch from e737ef6 to 0b6d710 Compare March 7, 2024 18:38

marcoandredinis force-pushed the marco/awsoidc-conf-custom-idp branch from 62a2136 to 4e2fd7b Compare March 7, 2024 18:42

marcoandredinis force-pushed the marco/awsoidc-custom-issuer branch from 0b6d710 to 0f25316 Compare March 8, 2024 09:39

marcoandredinis force-pushed the marco/awsoidc-conf-custom-idp branch from 4e2fd7b to 2884b39 Compare March 8, 2024 09:46

marcoandredinis force-pushed the marco/awsoidc-custom-issuer branch from 0f25316 to 09860f5 Compare March 8, 2024 10:55

marcoandredinis force-pushed the marco/awsoidc-conf-custom-idp branch from 2884b39 to 40fcb1a Compare March 8, 2024 10:55

AntonAM reviewed Mar 11, 2024

View reviewed changes

marcoandredinis force-pushed the marco/awsoidc-custom-issuer branch from 09860f5 to cde7c08 Compare March 11, 2024 10:00

marcoandredinis force-pushed the marco/awsoidc-conf-custom-idp branch from 40fcb1a to 07ea739 Compare March 11, 2024 10:32

marcoandredinis requested a review from AntonAM March 11, 2024 10:45

AntonAM approved these changes Mar 12, 2024

View reviewed changes

marcoandredinis force-pushed the marco/awsoidc-custom-issuer branch from cde7c08 to d07e452 Compare March 13, 2024 09:12

marcoandredinis force-pushed the marco/awsoidc-conf-custom-idp branch from 07ea739 to 4f90fbf Compare March 13, 2024 09:12

marcoandredinis force-pushed the marco/awsoidc-custom-issuer branch from d07e452 to 5837314 Compare March 14, 2024 08:58

marcoandredinis force-pushed the marco/awsoidc-conf-custom-idp branch from 4f90fbf to b02f73a Compare March 14, 2024 08:58

marcoandredinis force-pushed the marco/awsoidc-custom-issuer branch from 5837314 to 70fdcd3 Compare March 15, 2024 14:29

marcoandredinis force-pushed the marco/awsoidc-conf-custom-idp branch from b02f73a to 59ae769 Compare March 15, 2024 14:34

kimlisa approved these changes Mar 15, 2024

View reviewed changes

Comment thread tool/teleport/common/teleport.go Outdated

Comment thread tool/teleport/common/teleport.go Outdated

Comment thread lib/cloud/aws/policy_test.go Outdated

marcoandredinis force-pushed the marco/awsoidc-custom-issuer branch from 8fa75a2 to f0a6336 Compare March 15, 2024 17:21

marcoandredinis force-pushed the marco/awsoidc-conf-custom-idp branch from 59ae769 to be1db40 Compare March 15, 2024 17:25

marcoandredinis force-pushed the marco/awsoidc-custom-issuer branch from f0a6336 to bc21b5d Compare March 15, 2024 17:31

marcoandredinis force-pushed the marco/awsoidc-conf-custom-idp branch from be1db40 to 82d0b5a Compare March 15, 2024 17:32

marcoandredinis force-pushed the marco/awsoidc-custom-issuer branch from bc21b5d to 2b2866c Compare March 15, 2024 17:52

Base automatically changed from marco/awsoidc-custom-issuer to master March 15, 2024 18:26

AWS OIDC IdP Configuration: support S3 buckets as provider

a9df6f6

This PR adds support for setting the AWS OIDC Integration with an S3 bucket as issuer.

marcoandredinis force-pushed the marco/awsoidc-conf-custom-idp branch from 82d0b5a to a9df6f6 Compare March 15, 2024 21:44

marcoandredinis enabled auto-merge March 15, 2024 21:44

r0mant approved these changes Mar 15, 2024

View reviewed changes

public-teleport-github-review-bot Bot removed the request for review from fheinecke March 15, 2024 22:11

marcoandredinis added this pull request to the merge queue Mar 15, 2024

Merged via the queue into master with commit 64ad6ba Mar 15, 2024

marcoandredinis deleted the marco/awsoidc-conf-custom-idp branch March 15, 2024 22:28

marcoandredinis mentioned this pull request Mar 18, 2024

[v15] AWS OIDC Integration: use S3 bucket as IdP issuer #39489

Merged

marcoandredinis mentioned this pull request Mar 18, 2024

[v14] AWS OIDC Integration: use S3 bucket as IdP issuer #39490

Merged

marcoandredinis added a commit that referenced this pull request Mar 18, 2024

AWS OIDC IdP Configuration: support S3 buckets as provider (#39026)

945841c

This PR adds support for setting the AWS OIDC Integration with an S3 bucket as issuer.

marcoandredinis added a commit that referenced this pull request Mar 18, 2024

AWS OIDC IdP Configuration: support S3 buckets as provider (#39026)

9f1028f

This PR adds support for setting the AWS OIDC Integration with an S3 bucket as issuer.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

AWS OIDC IdP Configuration: support S3 buckets as provider#39026

AWS OIDC IdP Configuration: support S3 buckets as provider#39026
marcoandredinis merged 1 commit intomasterfrom
marco/awsoidc-conf-custom-idp

marcoandredinis commented Mar 6, 2024 •

edited

Loading

Uh oh!

public-teleport-github-review-bot Bot commented Mar 6, 2024

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

r0mant left a comment

Uh oh!

public-teleport-github-review-bot Bot commented Mar 15, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

marcoandredinis commented Mar 6, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

public-teleport-github-review-bot Bot commented Mar 6, 2024

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

r0mant left a comment

Choose a reason for hiding this comment

Uh oh!

public-teleport-github-review-bot Bot commented Mar 15, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

marcoandredinis commented Mar 6, 2024 •

edited

Loading