Skip to content

Display available allowed logins for leaf AWS Console Apps in the root Web UI#44611

Merged
greedy52 merged 1 commit intomasterfrom
gabrielcorado/list-leaf-aws-console-roles
Jul 25, 2024
Merged

Display available allowed logins for leaf AWS Console Apps in the root Web UI#44611
greedy52 merged 1 commit intomasterfrom
gabrielcorado/list-leaf-aws-console-roles

Conversation

@gabrielcorado
Copy link
Copy Markdown
Contributor

@gabrielcorado gabrielcorado commented Jul 25, 2024
edited
Loading

Related to https://github.com/gravitational/customer-sensitive-requests/issues/303 and #44410.

This change follows the same solution used by SSH logins (introduced by #39579), where allowed logins (AWS ARN roles) are returned by the auth server (through enriched resources) instead of by the API.

Given this change, we must also keep the root AWS role ARNs on the remote access info. Otherwise, the enriched resource will only contain the leaf cluster roles.

As a result, the roles shown in the Web UI will include AWS role ARNs from the user, root cluster roles, and leaf cluster roles.

changelog: Correctly display available allowed logins of leaf AWS Console Apps in the root cluster Web UI

@gravitational gravitational deleted a comment from github-actions Bot Jul 25, 2024
@rosstimothy
Copy link
Copy Markdown
Contributor

rosstimothy commented Jul 25, 2024

I think in order for #44410 to be closed we need to address tsh app login as well. It is pulling AWS ARN information from the root certificate when logging into an app in a leaf cluster.

@flyinghermit flyinghermit removed their request for review July 25, 2024 13:10
greedy52
greedy52 approved these changes Jul 25, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@greedy52 greedy52 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested and worked great (for WebUI). We might want to do a separate fix for GCP and Azure which function similar way.

@public-teleport-github-review-bot public-teleport-github-review-bot Bot removed the request for review from espadolini July 25, 2024 14:24
@gabrielcorado gabrielcorado added this pull request to the merge queue Jul 25, 2024
@greedy52 greedy52 removed this pull request from the merge queue due to a manual request Jul 25, 2024
@greedy52 greedy52 added this pull request to the merge queue Jul 25, 2024
Merged via the queue into master with commit 2db4bc0 Jul 25, 2024
@greedy52 greedy52 deleted the gabrielcorado/list-leaf-aws-console-roles branch July 25, 2024 15:10
This was referenced Aug 1, 2024
Merged
Merged
@zmb3 zmb3 mentioned this pull request Aug 5, 2024
Closed
@gabrielcorado gabrielcorado mentioned this pull request Sep 20, 2024
Closed
@joaoubaldo joaoubaldo mentioned this pull request Dec 1, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greedy52 greedy52 greedy52 approved these changes

@rosstimothy rosstimothy rosstimothy approved these changes

Assignees

No one assigned

Labels

size/md

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@gabrielcorado @rosstimothy @greedy52