gravitational · kimlisa · Jul 9, 2025 · Jun 26, 2025
diff --git a/web/packages/teleport/src/Discover/Server/DiscoveryConfigSsm/DiscoveryConfigSsm.tsx b/web/packages/teleport/src/Discover/Server/DiscoveryConfigSsm/DiscoveryConfigSsm.tsx
@@ -39,6 +39,7 @@ import { makeEmptyAttempt, useAsync } from 'shared/hooks/useAsync';
 import cfg from 'teleport/config';
 import { AwsRegionSelector } from 'teleport/Discover/Shared/AwsRegionSelector';
 import { useDiscover } from 'teleport/Discover/useDiscover';
+import auth from 'teleport/services/auth';
 import {
   createDiscoveryConfig,
   DISCOVERY_GROUP_CLOUD,
@@ -91,11 +92,19 @@ export function DiscoveryConfigSsm() {
         // This can happen if creating discovery config attempt failed
         // and the user retries.
         if (!joinTokenRef.current) {
-          joinTokenRef.current = await joinTokenService.fetchJoinToken({
-            roles: ['Node'],
-            method: 'iam',
-            rules: [{ awsAccountId }],
-          });
+          const mfaResponse = await auth.getWebauthnResponseForAdminAction(
+            true /* allow re-use */
+          );
+
+          joinTokenRef.current = await joinTokenService.fetchJoinToken(
+            {
+              roles: ['Node'],
+              method: 'iam',
+              rules: [{ awsAccountId }],
+            },
+            null /* abortSignal */,
+            mfaResponse
+          );
         }
 
         const config = await createDiscoveryConfig(clusterId, {

diff --git a/web/packages/teleport/src/services/joinToken/joinToken.test.ts b/web/packages/teleport/src/services/joinToken/joinToken.test.ts
@@ -36,7 +36,8 @@ test('fetchJoinToken with an empty request properly sets defaults', () => {
       allow: [],
       suggested_agent_matcher_labels: {},
     },
-    null
+    null,
+    undefined
   );
 });
 
@@ -59,6 +60,7 @@ test('fetchJoinToken request fields are set as requested', () => {
       allow: [{ aws_account: '1234', aws_arn: 'xxxx' }],
       suggested_agent_matcher_labels: { env: ['dev'] },
     },
-    null
+    null,
+    undefined
   );
 });
diff --git a/web/packages/teleport/src/services/joinToken/joinToken.ts b/web/packages/teleport/src/services/joinToken/joinToken.ts
@@ -30,7 +30,8 @@ class JoinTokenService {
   // TODO (avatus) refactor this code to eventually use `createJoinToken`
   fetchJoinToken(
     req: JoinTokenRequest,
-    signal: AbortSignal = null
+    signal: AbortSignal = null,
+    mfaResponse?: WebauthnAssertionResponse
   ): Promise<JoinToken> {
     return api
       .post(
@@ -43,7 +44,8 @@ class JoinTokenService {
             req.suggestedAgentMatcherLabels
           ),
         },
-        signal
+        signal,
+        mfaResponse
       )
       .then(makeJoinToken);
   }