From 3598f6cf8983159f81eeee0e82edcd25a53767a9 Mon Sep 17 00:00:00 2001
From: Lisa Kim
Date: Thu, 26 Jun 2025 12:03:25 -0700
Subject: [PATCH] Web: fix error when creating IAM token during ec2 ssm flow (#55970)
---
 .../DiscoveryConfigSsm/DiscoveryConfigSsm.tsx | 19 ++++++++++++++-----
 .../src/services/joinToken/joinToken.test.ts | 6 ++++--
 .../src/services/joinToken/joinToken.ts | 6 ++++--
 3 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/web/packages/teleport/src/Discover/Server/DiscoveryConfigSsm/DiscoveryConfigSsm.tsx b/web/packages/teleport/src/Discover/Server/DiscoveryConfigSsm/DiscoveryConfigSsm.tsx
index 0f7d18e864a91..26f80dd29a50a 100644
--- a/web/packages/teleport/src/Discover/Server/DiscoveryConfigSsm/DiscoveryConfigSsm.tsx
+++ b/web/packages/teleport/src/Discover/Server/DiscoveryConfigSsm/DiscoveryConfigSsm.tsx
@@ -39,6 +39,7 @@ import { makeEmptyAttempt, useAsync } from 'shared/hooks/useAsync';
 import cfg from 'teleport/config';
 import { AwsRegionSelector } from 'teleport/Discover/Shared/AwsRegionSelector';
 import { useDiscover } from 'teleport/Discover/useDiscover';
+import auth from 'teleport/services/auth';
 import {
 createDiscoveryConfig,
 DISCOVERY_GROUP_CLOUD,
@@ -91,11 +92,19 @@ export function DiscoveryConfigSsm() {
 // This can happen if creating discovery config attempt failed
 // and the user retries.
 if (!joinTokenRef.current) {
- joinTokenRef.current = await joinTokenService.fetchJoinToken({
- roles: ['Node'],
- method: 'iam',
- rules: [{ awsAccountId }],
- });
+ const mfaResponse = await auth.getWebauthnResponseForAdminAction(
+ true /* allow re-use */
+ );
+
+ joinTokenRef.current = await joinTokenService.fetchJoinToken(
+ {
+ roles: ['Node'],
+ method: 'iam',
+ rules: [{ awsAccountId }],
+ },
+ null /* abortSignal */,
+ mfaResponse
+ );
 }
 const config = await createDiscoveryConfig(clusterId, {
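Review bot: The MFA assertion is requested with reuse allowed (`true /* allow re-use */`), but in the visible lines it is handed to `fetchJoinToken` only, so the reason for a reusable assertion is not evident from this hunk. If no later call in this function consumes `mfaResponse`, a single-use challenge would be the narrower choice; if one does, a comment such as `// reusable: the same assertion also authorises the follow-up admin request` next to the call would record that. The join token is cached in `joinTokenRef`, so a retry after a failed `createDiscoveryConfig` skips the prompt, which looks intended. The function body starts and ends outside the hunk.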
diff --git a/web/packages/teleport/src/services/joinToken/joinToken.test.ts b/web/packages/teleport/src/services/joinToken/joinToken.test.ts
index 1f941345c1006..db1e204d3ccb8 100644
--- a/web/packages/teleport/src/services/joinToken/joinToken.test.ts
+++ b/web/packages/teleport/src/services/joinToken/joinToken.test.ts
@@ -36,7 +36,8 @@ test('fetchJoinToken with an empty request properly sets defaults', () => {
 allow: [],
 suggested_agent_matcher_labels: {},
 },
- null
+ null,
+ undefined
 );
 });
@@ -59,6 +60,7 @@ test('fetchJoinToken request fields are set as requested', () => {
 allow: [{ aws_account: '1234', aws_arn: 'xxxx' }],
 suggested_agent_matcher_labels: { env: ['dev'] },
 },
- null
+ null,
+ undefined
 );
 });
diff --git a/web/packages/teleport/src/services/joinToken/joinToken.ts b/web/packages/teleport/src/services/joinToken/joinToken.ts
index 14f29c10ecb5f..91248e6ef7a2c 100644
--- a/web/packages/teleport/src/services/joinToken/joinToken.ts
+++ b/web/packages/teleport/src/services/joinToken/joinToken.ts
@@ -30,7 +30,8 @@ class JoinTokenService {
 // TODO (avatus) refactor this code to eventually use `createJoinToken`
 fetchJoinToken(
 req: JoinTokenRequest,
- signal: AbortSignal = null
+ signal: AbortSignal = null,
+ mfaResponse?: WebauthnAssertionResponse
 ): Promise {
 return api
 .post(
@@ -43,7 +44,8 @@ class JoinTokenService {
 req.suggestedAgentMatcherLabels
 ),
 },
- signal
+ signal,
+ mfaResponse
 )
 .then(makeJoinToken);
 }
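Review bot: Both updated expectations (here and in the `@@ -59,6 +60,7 @@` hunk) only pin the case where no MFA response is given, so nothing checks that a supplied `mfaResponse` reaches `api.post`. Since forwarding that argument is the substance of the fix, a third test that calls `fetchJoinToken` with a constructed assertion object and expects it as the last `api.post` argument would guard against a regression. The test bodies start outside both hunks.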
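Review bot: The new optional `mfaResponse` sits after the defaulted `signal`, so a caller that needs MFA has to pass `null` positionally, as the call site in DiscoveryConfigSsm.tsx does with `null /* abortSignal */`. The parameter is also undocumented; a comment above the method such as `// mfaResponse: MFA assertion for the admin action; forwarded unchanged to api.post, undefined when omitted` would state the contract. `WebauthnAssertionResponse` is not imported in the visible hunks, so it is presumably already in scope in this file. The method body continues into the next hunk.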