[v14] AWS OIDC Integration: use S3 bucket as IdP issuer#39490
Merged
marcoandredinis merged 4 commits intobranch/v14from Mar 18, 2024
Merged
[v14] AWS OIDC Integration: use S3 bucket as IdP issuer#39490marcoandredinis merged 4 commits intobranch/v14from
marcoandredinis merged 4 commits intobranch/v14from
Conversation
marcoandredinis
changed the title
github-actions
Bot
requested review from
AntonAM,
capnspacehook,
kimlisa and
reedloden
marcoandredinis
force-pushed
the
marco/v14/backport_awsoidc_s3_setup
branch
10 times, most recently
from
d1cdfd8 to
e8ea0f6
Compare
marcoandredinis
added
no-changelog
|
@marcoandredinis - this PR will require admin approval to merge due to its size. Consider breaking it up into a series smaller changes. |
* AWS OIDC: Accept custom issuers This PR adds a new field into the AWS OIDC fields: - issuer This is the issuer that was configured in AWS. It is used by teleport to set the `issuer/iss` field when generating the JWT. This way we'll be able to set a custom issuer. As an example, we could set this to be a public S3 bucket which doesn't suffer from the thumbprint validation issuer. * ensure issuer is a valid https url * use s3 uri instead of any url for issuer * typo and require s3 fields * add missing s3 location when creating integration * improve error messages
This PR adds support for setting the AWS OIDC Integration with an S3 bucket as issuer.
There are two new required fields for generating the configure IdP script: - s3Bucket - s3Prefix This must form a valid URI when joining them: s3://<s3Bucket>/<s3Prefix>
marcoandredinis
force-pushed
the
marco/v14/backport_awsoidc_s3_setup
branch
from
e8ea0f6 to
9455bed
Compare
kimlisa
approved these changes
Mar 18, 2024
r0mant
approved these changes
Mar 18, 2024
public-teleport-github-review-bot
Bot
removed request for
AntonAM,
capnspacehook and
reedloden
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport to branch/v14:
AWS SDK was upgraded because there's a new field in
s3:HeadBucketthat we use.We can't upgrade individual packages because they might break with
not found, ResolveEndpointV2error.Instead of updating everything to latest, I upgraded to v15 versions, which is a combination of versions that we know that work.