Creates built-in role for AWS Identity Center integration #47791
Conversation
This is just the pure CRUD read/write. Caching & watching support coming as necessary in subsequent PRs. Co-authored-by: Pawel Kopiczko <[email protected]> Co-authored-by: Sakshyam Shah <[email protected]>
// RoleAWSIdentityCenter is the role used by the AWS Identity Center integration
// when manipulating Teleport resources.
RoleAWSIdentityCenter SystemRole = "AWS-IdentityCenter"
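Review bot: the new SystemRole constant is introduced without documenting which Teleport operations this built-in identity is granted; the comment only says it is used "when manipulating Teleport resources". Since a built-in role is accepted by auth as a trusted identity, either spell out the permissions in the comment or, if the integration only ever runs in-process inside auth, drop the new role and use local auth instead.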
@tcsc Why do we need a system role? System roles are used by services that can be run as standalone agents (ssh, app, database, etc.), but the Identity Center integration always runs inside auth similar to hosted plugins?
Can we simplify and just pass local auth to the IC service?
I used this role to allow the Identity Center integration to use the OIDC integration, as the list of roles that are allowed to use OIDC was small.
That said, I drastically changed the way I used the OIDC integration since I originally did this. It may be a non-issue now. Will audit and get back to you.
According to auth/integration/integrationv1, the auth role should be fine.
New system role is unnecessary. Non-role changes added in #47844.