Workload Identity: Roles Anywhere `tbot` service. by strideynet · Pull Request #52426 · gravitational/teleport

strideynet · 2025-02-24T13:25:51Z

Closes #51915

version: v2
proxy_server: redacted
onboarding:
  join_method: kubernetes
  token: redacted
certificate_ttl: 24h
renewal_interval: 5m
storage:
  type: directory
  path: /Users/noah/code/gravitational/teleport-scratch/tbot/ra/storage
# outputs will be filled in during the completion of an access guide.
services:
  - type: workload-identity-aws-roles-anywhere
    destination:
      type: directory
      path: /Users/noah/code/gravitational/teleport-scratch/tbot/ra/out
    selector:
      name: ra-example
    role_arn: arn:aws:iam::redacted:role/noah_workload_id_gitlab_production
    profile_arn: arn:aws:rolesanywhere:us-west-2:redacted:profile/8260c238-fcb4-4d83-a529-e673b5b551d4
    trust_anchor_arn: arn:aws:rolesanywhere:us-west-2:redacted:trust-anchor/15f2a697-4b5d-42ae-9b9b-759f9250f4cd

➜  out AWS_PAGER="" AWS_SHARED_CREDENTIALS_FILE=/Users/noah/code/gravitational/teleport-scratch/tbot/ra/out/aws_credentials aws sts get-caller-identity
{
    "UserId": "redacted:00fec7212029bc6ef48006aa5c5b1f1222",
    "Account": "redacted",
    "Arn": "arn:aws:sts::redacted:assumed-role/noah_workload_id_gitlab_production/00fec7212029bc6ef48006aa5c5b1f1222"
}

changelog: Introduce workload-identity-aws-ra service for generating AWS credentials using Roles Anywhere directly from tbot.

boxofrad

Looking great! Excited to see this land 🚀

backport-bot-workflows · 2025-03-25T15:28:53Z

@strideynet See the table below for backport results.

Branch	Result
branch/v16	Failed
branch/v17	Failed

* Add config for WorkloadIdenttiyAWSRAService * Add CLI command * Start hacking on service impl * Write credentials in AWS credentials file format * Fix go.mod/go.sum * Go mod tidy * Add ARN validation * Add specific config for AWS session duration/renewal * Update golden file * Fix gomod/gosum * Refactor CheckAndSetDefaults * Initialize service * Update CLI flags * Refactor & add tests * Use *Context slog calls * Update service name to include full `roles-anywhere` * Add mocked AWS rolesanywhere API based test * Validate region

) * Workload Identity: Roles Anywhere `tbot` service. (#52426) * Add config for WorkloadIdenttiyAWSRAService * Add CLI command * Start hacking on service impl * Write credentials in AWS credentials file format * Fix go.mod/go.sum * Go mod tidy * Add ARN validation * Add specific config for AWS session duration/renewal * Update golden file * Fix gomod/gosum * Refactor CheckAndSetDefaults * Initialize service * Update CLI flags * Refactor & add tests * Use *Context slog calls * Update service name to include full `roles-anywhere` * Add mocked AWS rolesanywhere API based test * Validate region * Bump grpc to 1.68

strideynet added 4 commits March 20, 2025 14:45

Add config for WorkloadIdenttiyAWSRAService

a104014

Add CLI command

887d30a

Start hacking on service impl

98f9a30

Write credentials in AWS credentials file format

fca1b43

strideynet force-pushed the strideynet/aws-ra-credentials-workload-identity branch from a42d222 to fca1b43 Compare March 20, 2025 14:45

strideynet added 7 commits March 20, 2025 14:53

Fix go.mod/go.sum

7b8687d

Go mod tidy

4b8f4ab

Add ARN validation

66ac41b

Add specific config for AWS session duration/renewal

c414604

Update golden file

bd3ca8f

Fix gomod/gosum

b313aa3

Refactor CheckAndSetDefaults

0c9899f

strideynet added backport/branch/v16 backport/branch/v17 labels Mar 21, 2025

strideynet added 4 commits March 21, 2025 12:19

Initialize service

af52846

Update CLI flags

b88ad09

Refactor & add tests

969a7fe

Use *Context slog calls

f8e5ee3

strideynet marked this pull request as ready for review March 24, 2025 10:30

github-actions Bot added machine-id size/lg labels Mar 24, 2025

github-actions Bot requested review from boxofrad, hugoShaka, marcoandredinis, tigrato and timothyb89 March 24, 2025 10:30

strideynet mentioned this pull request Mar 24, 2025

Add documentation for workload-identity-aws-ra tbot service #53322

Merged

boxofrad reviewed Mar 24, 2025

View reviewed changes

Comment thread lib/tbot/config/service_workload_identity_aws_ra.go Outdated

Comment thread lib/tbot/config/service_workload_identity_aws_ra.go

Comment thread lib/tbot/service_workload_identity_aws_ra_test.go

strideynet added 2 commits March 24, 2025 15:23

Update service name to include full roles-anywhere

68047c3

Add mocked AWS rolesanywhere API based test

f5d4768

strideynet requested a review from boxofrad March 24, 2025 16:35

boxofrad approved these changes Mar 25, 2025

View reviewed changes

marcoandredinis approved these changes Mar 25, 2025

View reviewed changes

Comment thread lib/tbot/config/service_workload_identity_aws_ra.go

Validate region

71ae6d0

ryanclark approved these changes Mar 25, 2025

View reviewed changes

public-teleport-github-review-bot Bot removed request for hugoShaka, tigrato and timothyb89 March 25, 2025 15:04

strideynet added this pull request to the merge queue Mar 25, 2025

Merged via the queue into master with commit eb90f7c Mar 25, 2025
43 checks passed

strideynet deleted the strideynet/aws-ra-credentials-workload-identity branch March 25, 2025 15:26

strideynet mentioned this pull request Mar 25, 2025

[v17] Workload Identity: Roles Anywhere tbot service. (#52426) #53401

Closed

strideynet mentioned this pull request Mar 25, 2025

[v17] Workload Identity: Roles Anywhere tbot service. (#52426) #53408

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Workload Identity: Roles Anywhere `tbot` service.#52426

Workload Identity: Roles Anywhere `tbot` service.#52426
strideynet merged 18 commits intomasterfrom
strideynet/aws-ra-credentials-workload-identity

strideynet commented Feb 24, 2025 •

edited

Loading

Uh oh!

boxofrad left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

backport-bot-workflows Bot commented Mar 25, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

strideynet commented Feb 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

boxofrad left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

backport-bot-workflows Bot commented Mar 25, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

strideynet commented Feb 24, 2025 •

edited

Loading