
Creates built-in role for AWS Identity Center integration #47791

Closed
wants to merge 7 commits into from

Conversation

tcsc (Contributor)

@tcsc tcsc commented Oct 22, 2024

No description provided.

@tcsc tcsc added the no-changelog Indicates that a PR does not require a changelog entry label Oct 22, 2024
@tcsc tcsc requested a review from smallinsky October 22, 2024 11:11
Base automatically changed from tcsc/identitycenter-crud to master October 22, 2024 11:22
@tcsc tcsc requested a review from r0mant October 22, 2024 11:25

// RoleAWSIdentityCenter is the role used by the AWS Identity Center integration
// when manipulating Teleport resources.
RoleAWSIdentityCenter SystemRole = "AWS-IdentityCenter"
r0mant (Collaborator) commented Oct 22, 2024

@tcsc Why do we need a system role? System roles are used by services that can be run as standalone agents (ssh, app, database, etc.), but the Identity Center integration always runs inside auth similar to hosted plugins?

Can we simplify and just pass local auth to the IC service?

tcsc (Contributor, Author) replied

I used this role to allow the Identity Center integration to use the OIDC integration, as the list of roles that are allowed to use OIDC was small.

That said, I drastically changed the way I used the OIDC integration since I originally did this. It may be a non-issue now. Will audit and get back to you.

tcsc (Contributor, Author) replied

According to auth/integration/integrationv1, the auth role should be fine.

tcsc (Contributor, Author)

tcsc commented Oct 23, 2024

New system role is unnecessary. Non-role changes added in #47844.

@tcsc tcsc closed this Oct 23, 2024
Labels
no-changelog Indicates that a PR does not require a changelog entry size/sm