accessgraph sync: Add AWS IAM role for EKS audit logs#61364

Merged: camscale merged 2 commits into master from camh/tag/kube-audit-logs-iam on Nov 17, 2025
Conversation

@camscale (Contributor) commented Nov 14, 2025

Update the teleport configure integration access-graph aws-iam command
to add a permission to access EKS audit logs via CloudWatch Logs if the
--eks-audit-logs flag is passed. This is necessary so that an
integration can pull the EKS audit logs if so configured in a discovery
access graph matcher.

Issue: https://github.com/gravitational/access-graph/issues/1589

Update the `teleport configure integration access-graph aws-iam` command
to add a permission to access EKS audit logs via CloudWatch Logs if the
`--eks-audit-logs` flag is passed. This is necessary so that an
integration can pull the EKS audit logs if so configured in a discovery
access graph matcher.
@camscale camscale added the no-changelog Indicates that a PR does not require a changelog entry label Nov 14, 2025
@github-actions github-actions bot requested review from nklaassen and tcsc November 14, 2025 06:17
@marcoandredinis (Contributor) left a comment

I would also add the new param here:

```go
func (h *Handler) awsAccessGraphOIDCSync(w http.ResponseWriter, r *http.Request, _ httprouter.Params) (any, error) {
```

I think it's the only required change in the backend that is missing.

@camscale (Contributor, Author)

> I would also add the new param here

Thanks Marco. I've added a query parameter there and added tests for the endpoint since they were missing.

Extend the web endpoint for the webscript for integrations configure
access-graph-cloud-sync-iam.sh to add the `eksAuditLogs` query param to
configure with EKS audit logs enabled. Add tests for this endpoint as
there were none.
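An added example (not Teleport's code and not the PR's diff) of the two pieces this PR describes: appending a CloudWatch Logs read grant to an IAM policy only when the `--eks-audit-logs` flag is set, and parsing the `eksAuditLogs` query parameter the web endpoint accepts. The policy types, the action set and the ARN layout are assumptions; the log-group name `/aws/eks/<cluster>/cluster` is where EKS delivers control-plane audit logs, which is what lets the grant be scoped to those groups rather than to all of CloudWatch Logs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strconv"
)
// Statement and PolicyDocument are a minimal IAM policy model (assumed, not Teleport's types).
type Statement struct {
	Effect   string   `json:"Effect"`
	Action   []string `json:"Action"`
	Resource []string `json:"Resource"`
}
type PolicyDocument struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}
// EKS writes audit logs to the CloudWatch log group /aws/eks/<cluster>/cluster, so every action
// that takes a resource ARN is scoped there; DescribeLogGroups only accepts "*". Actions assumed.
func eksAuditLogStatements(partition, region, account string) []Statement {
	group := fmt.Sprintf("arn:%s:logs:%s:%s:log-group:/aws/eks/*/cluster", partition, region, account)
	return []Statement{
		{Effect: "Allow", Action: []string{"logs:DescribeLogGroups"}, Resource: []string{"*"}},
		{Effect: "Allow", Action: []string{"logs:DescribeLogStreams", "logs:GetLogEvents", "logs:FilterLogEvents"},
			Resource: []string{group, group + ":*"}},
	}
}

// WithEKSAuditLogs appends the grants only when enabled (--eks-audit-logs); base statements are the caller's.
func WithEKSAuditLogs(doc PolicyDocument, enabled bool, partition, region, account string) PolicyDocument {
	if enabled {
		doc.Statement = append(doc.Statement, eksAuditLogStatements(partition, region, account)...)
	}
	return doc
}

// EKSAuditLogsParam reads the eksAuditLogs query parameter: absent is false, malformed is an error.
func EKSAuditLogsParam(q url.Values) (bool, error) {
	if v := q.Get("eksAuditLogs"); v != "" {
		return strconv.ParseBool(v)
	}
	return false, nil
}

func main() {
	doc := WithEKSAuditLogs(PolicyDocument{Version: "2012-10-17"}, true, "aws", "us-west-2", "123456789012")
	out, _ := json.MarshalIndent(doc, "", "  ")
	fmt.Println(string(out))
}
```

The account id and region in `main` are constructed sample values; a production build would take them from the configure command's own inputs.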
@camscale camscale force-pushed the camh/tag/kube-audit-logs-iam branch from f17feef to f9a789a November 17, 2025 04:31
@camscale camscale added this pull request to the merge queue Nov 17, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Nov 17, 2025
@camscale camscale added this pull request to the merge queue Nov 17, 2025
Merged via the queue into master with commit da3d763 Nov 17, 2025
44 checks passed
@camscale camscale deleted the camh/tag/kube-audit-logs-iam branch November 17, 2025 23:11
Labels: no-changelog (indicates that a PR does not require a changelog entry), size/sm