Adds Identity Center account assignments to role conditions

api/proto/teleport/legacy/types/types.proto

@@ -3248,6 +3248,20 @@ message RoleConditions {
   reserved "SAMLIdPServiceProviderLabels";
   reserved 41; // removed saml_idp_service_provider_labels_expression in favor of using app_labels_expression.
   reserved "SAMLIdPServiceProviderLabelsExpression";
+
+  // AccountAssignments holds the list of account assignments affected by this
+  // condition.
+  repeated IdentityCenterAccountAssignment AccountAssignments = 42 [
+    (gogoproto.nullable) = false,
+    (gogoproto.jsontag) = "account_assignments,omitempty"
+  ];
+}
+
+// IdentityCenterAccountAssignment captures an AWS Identity Center account
+// assignment (acccount + permission set) pair.
+message IdentityCenterAccountAssignment {
+  string PermissionSet = 1 [(gogoproto.jsontag) = "permission_set,omitempty"];
+  string Account = 2 [(gogoproto.jsontag) = "account,omitempty"];
 }
 
 // SPIFFERoleCondition sets out which SPIFFE identities this role is allowed or

docs/pages/reference/operator-resources/resources.teleport.dev_roles.mdx

@@ -34,6 +34,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 
 |Field|Type|Description|
 |---|---|---|
+|account_assignments|[][object](#specallowaccount_assignments-items)|AccountAssignments holds the list of account assignments affected by this condition.|
 |app_labels|object|AppLabels is a map of labels used as part of the RBAC system.|
 |app_labels_expression|string|AppLabelsExpression is a predicate expression used to allow/deny access to Apps.|
 |aws_role_arns|[]string|AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.|
@@ -73,6 +74,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |windows_desktop_labels_expression|string|WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.|
 |windows_desktop_logins|[]string|WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.|
 
+### spec.allow.account_assignments items
+
+|Field|Type|Description|
+|---|---|---|
+|account|string||
+|permission_set|string||
+
 ### spec.allow.db_permissions items
 
 |Field|Type|Description|
@@ -184,6 +192,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 
 |Field|Type|Description|
 |---|---|---|
+|account_assignments|[][object](#specdenyaccount_assignments-items)|AccountAssignments holds the list of account assignments affected by this condition.|
 |app_labels|object|AppLabels is a map of labels used as part of the RBAC system.|
 |app_labels_expression|string|AppLabelsExpression is a predicate expression used to allow/deny access to Apps.|
 |aws_role_arns|[]string|AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.|
@@ -223,6 +232,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |windows_desktop_labels_expression|string|WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.|
 |windows_desktop_logins|[]string|WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.|
 
+### spec.deny.account_assignments items
+
+|Field|Type|Description|
+|---|---|---|
+|account|string||
+|permission_set|string||
+
 ### spec.deny.db_permissions items
 
 |Field|Type|Description|
@@ -417,6 +433,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 
 |Field|Type|Description|
 |---|---|---|
+|account_assignments|[][object](#specallowaccount_assignments-items)|AccountAssignments holds the list of account assignments affected by this condition.|
 |app_labels|object|AppLabels is a map of labels used as part of the RBAC system.|
 |app_labels_expression|string|AppLabelsExpression is a predicate expression used to allow/deny access to Apps.|
 |aws_role_arns|[]string|AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.|
@@ -456,6 +473,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |windows_desktop_labels_expression|string|WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.|
 |windows_desktop_logins|[]string|WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.|
 
+### spec.allow.account_assignments items
+
+|Field|Type|Description|
+|---|---|---|
+|account|string||
+|permission_set|string||
+
 ### spec.allow.db_permissions items
 
 |Field|Type|Description|
@@ -567,6 +591,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 
 |Field|Type|Description|
 |---|---|---|
+|account_assignments|[][object](#specdenyaccount_assignments-items)|AccountAssignments holds the list of account assignments affected by this condition.|
 |app_labels|object|AppLabels is a map of labels used as part of the RBAC system.|
 |app_labels_expression|string|AppLabelsExpression is a predicate expression used to allow/deny access to Apps.|
 |aws_role_arns|[]string|AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.|
@@ -606,6 +631,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |windows_desktop_labels_expression|string|WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.|
 |windows_desktop_logins|[]string|WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.|
 
+### spec.deny.account_assignments items
+
+|Field|Type|Description|
+|---|---|---|
+|account|string||
+|permission_set|string||
+
 ### spec.deny.db_permissions items
 
 |Field|Type|Description|

docs/pages/reference/operator-resources/resources.teleport.dev_rolesv6.mdx

@@ -34,6 +34,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 
 |Field|Type|Description|
 |---|---|---|
+|account_assignments|[][object](#specallowaccount_assignments-items)|AccountAssignments holds the list of account assignments affected by this condition.|
 |app_labels|object|AppLabels is a map of labels used as part of the RBAC system.|
 |app_labels_expression|string|AppLabelsExpression is a predicate expression used to allow/deny access to Apps.|
 |aws_role_arns|[]string|AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.|
@@ -73,6 +74,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |windows_desktop_labels_expression|string|WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.|
 |windows_desktop_logins|[]string|WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.|
 
+### spec.allow.account_assignments items
+
+|Field|Type|Description|
+|---|---|---|
+|account|string||
+|permission_set|string||
+
 ### spec.allow.db_permissions items
 
 |Field|Type|Description|
@@ -184,6 +192,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 
 |Field|Type|Description|
 |---|---|---|
+|account_assignments|[][object](#specdenyaccount_assignments-items)|AccountAssignments holds the list of account assignments affected by this condition.|
 |app_labels|object|AppLabels is a map of labels used as part of the RBAC system.|
 |app_labels_expression|string|AppLabelsExpression is a predicate expression used to allow/deny access to Apps.|
 |aws_role_arns|[]string|AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.|
@@ -223,6 +232,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |windows_desktop_labels_expression|string|WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.|
 |windows_desktop_logins|[]string|WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.|
 
+### spec.deny.account_assignments items
+
+|Field|Type|Description|
+|---|---|---|
+|account|string||
+|permission_set|string||
+
 ### spec.deny.db_permissions items
 
 |Field|Type|Description|

docs/pages/reference/operator-resources/resources.teleport.dev_rolesv7.mdx

@@ -34,6 +34,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 
 |Field|Type|Description|
 |---|---|---|
+|account_assignments|[][object](#specallowaccount_assignments-items)|AccountAssignments holds the list of account assignments affected by this condition.|
 |app_labels|object|AppLabels is a map of labels used as part of the RBAC system.|
 |app_labels_expression|string|AppLabelsExpression is a predicate expression used to allow/deny access to Apps.|
 |aws_role_arns|[]string|AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.|
@@ -73,6 +74,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |windows_desktop_labels_expression|string|WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.|
 |windows_desktop_logins|[]string|WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.|
 
+### spec.allow.account_assignments items
+
+|Field|Type|Description|
+|---|---|---|
+|account|string||
+|permission_set|string||
+
 ### spec.allow.db_permissions items
 
 |Field|Type|Description|
@@ -184,6 +192,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 
 |Field|Type|Description|
 |---|---|---|
+|account_assignments|[][object](#specdenyaccount_assignments-items)|AccountAssignments holds the list of account assignments affected by this condition.|
 |app_labels|object|AppLabels is a map of labels used as part of the RBAC system.|
 |app_labels_expression|string|AppLabelsExpression is a predicate expression used to allow/deny access to Apps.|
 |aws_role_arns|[]string|AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.|
@@ -223,6 +232,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |windows_desktop_labels_expression|string|WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.|
 |windows_desktop_logins|[]string|WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.|
 
+### spec.deny.account_assignments items
+
+|Field|Type|Description|
+|---|---|---|
+|account|string||
+|permission_set|string||
+
 ### spec.deny.db_permissions items
 
 |Field|Type|Description|

docs/pages/reference/terraform-provider/data-sources/role.mdx

@@ -48,6 +48,7 @@ Optional:
 
 Optional:
 
+- `account_assignments` (Attributes List) AccountAssignments holds the list of account assignments affected by this condition. (see [below for nested schema](#nested-schema-for-specallowaccount_assignments))
 - `app_labels` (Map of List of String) AppLabels is a map of labels used as part of the RBAC system.
 - `app_labels_expression` (String) AppLabelsExpression is a predicate expression used to allow/deny access to Apps.
 - `aws_role_arns` (List of String) AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.
@@ -87,6 +88,14 @@ Optional:
 - `windows_desktop_labels_expression` (String) WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.
 - `windows_desktop_logins` (List of String) WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.
 
+### Nested Schema for `spec.allow.account_assignments`
+
+Optional:
+
+- `account` (String)
+- `permission_set` (String)
+
+
 ### Nested Schema for `spec.allow.db_permissions`
 
 Optional:
@@ -211,6 +220,7 @@ Optional:
 
 Optional:
 
+- `account_assignments` (Attributes List) AccountAssignments holds the list of account assignments affected by this condition. (see [below for nested schema](#nested-schema-for-specdenyaccount_assignments))
 - `app_labels` (Map of List of String) AppLabels is a map of labels used as part of the RBAC system.
 - `app_labels_expression` (String) AppLabelsExpression is a predicate expression used to allow/deny access to Apps.
 - `aws_role_arns` (List of String) AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.
@@ -250,6 +260,14 @@ Optional:
 - `windows_desktop_labels_expression` (String) WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.
 - `windows_desktop_logins` (List of String) WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.
 
+### Nested Schema for `spec.deny.account_assignments`
+
+Optional:
+
+- `account` (String)
+- `permission_set` (String)
+
+
 ### Nested Schema for `spec.deny.db_permissions`
 
 Optional:

docs/pages/reference/terraform-provider/resources/role.mdx

@@ -102,6 +102,7 @@ Optional:
 
 Optional:
 
+- `account_assignments` (Attributes List) AccountAssignments holds the list of account assignments affected by this condition. (see [below for nested schema](#nested-schema-for-specallowaccount_assignments))
 - `app_labels` (Map of List of String) AppLabels is a map of labels used as part of the RBAC system.
 - `app_labels_expression` (String) AppLabelsExpression is a predicate expression used to allow/deny access to Apps.
 - `aws_role_arns` (List of String) AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.
@@ -141,6 +142,14 @@ Optional:
 - `windows_desktop_labels_expression` (String) WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.
 - `windows_desktop_logins` (List of String) WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.
 
+### Nested Schema for `spec.allow.account_assignments`
+
+Optional:
+
+- `account` (String)
+- `permission_set` (String)
+
+
 ### Nested Schema for `spec.allow.db_permissions`
 
 Optional:
@@ -265,6 +274,7 @@ Optional:
 
 Optional:
 
+- `account_assignments` (Attributes List) AccountAssignments holds the list of account assignments affected by this condition. (see [below for nested schema](#nested-schema-for-specdenyaccount_assignments))
 - `app_labels` (Map of List of String) AppLabels is a map of labels used as part of the RBAC system.
 - `app_labels_expression` (String) AppLabelsExpression is a predicate expression used to allow/deny access to Apps.
 - `aws_role_arns` (List of String) AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.
@@ -304,6 +314,14 @@ Optional:
 - `windows_desktop_labels_expression` (String) WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.
 - `windows_desktop_logins` (List of String) WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.
 
+### Nested Schema for `spec.deny.account_assignments`
+
+Optional:
+
+- `account` (String)
+- `permission_set` (String)
+
+
 ### Nested Schema for `spec.deny.db_permissions`
 
 Optional:

examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml

@@ -35,6 +35,17 @@ spec:
               allow:
                 description: Allow is the set of conditions evaluated to grant access.
                 properties:
+                  account_assignments:
+                    description: AccountAssignments holds the list of account assignments
+                      affected by this condition.
+                    items:
+                      properties:
+                        account:
+                          type: string
+                        permission_set:
+                          type: string
+                      type: object
+                    type: array
                   app_labels:
                     additionalProperties:
                       x-kubernetes-preserve-unknown-fields: true
@@ -561,6 +572,17 @@ spec:
                 description: Deny is the set of conditions evaluated to deny access.
                   Deny takes priority over allow.
                 properties:
+                  account_assignments:
+                    description: AccountAssignments holds the list of account assignments
+                      affected by this condition.
+                    items:
+                      properties:
+                        account:
+                          type: string
+                        permission_set:
+                          type: string
+                      type: object
+                    type: array
                   app_labels:
                     additionalProperties:
                       x-kubernetes-preserve-unknown-fields: true
@@ -1366,6 +1388,17 @@ spec:
               allow:
                 description: Allow is the set of conditions evaluated to grant access.
                 properties:
+                  account_assignments:
+                    description: AccountAssignments holds the list of account assignments
+                      affected by this condition.
+                    items:
+                      properties:
+                        account:
+                          type: string
+                        permission_set:
+                          type: string
+                      type: object
+                    type: array
                   app_labels:
                     additionalProperties:
                       x-kubernetes-preserve-unknown-fields: true
@@ -1892,6 +1925,17 @@ spec:
                 description: Deny is the set of conditions evaluated to deny access.
                   Deny takes priority over allow.
                 properties:
+                  account_assignments:
+                    description: AccountAssignments holds the list of account assignments
+                      affected by this condition.
+                    items:
+                      properties:
+                        account:
+                          type: string
+                        permission_set:
+                          type: string
+                      type: object
+                    type: array
                   app_labels:
                     additionalProperties:
                       x-kubernetes-preserve-unknown-fields: true

examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml

@@ -38,6 +38,17 @@ spec:
               allow:
                 description: Allow is the set of conditions evaluated to grant access.
                 properties:
+                  account_assignments:
+                    description: AccountAssignments holds the list of account assignments
+                      affected by this condition.
+                    items:
+                      properties:
+                        account:
+                          type: string
+                        permission_set:
+                          type: string
+                      type: object
+                    type: array
                   app_labels:
                     additionalProperties:
                       x-kubernetes-preserve-unknown-fields: true
@@ -564,6 +575,17 @@ spec:
                 description: Deny is the set of conditions evaluated to deny access.
                   Deny takes priority over allow.
                 properties:
+                  account_assignments:
+                    description: AccountAssignments holds the list of account assignments
+                      affected by this condition.
+                    items:
+                      properties:
+                        account:
+                          type: string
+                        permission_set:
+                          type: string
+                      type: object
+                    type: array
                   app_labels:
                     additionalProperties:
                       x-kubernetes-preserve-unknown-fields: true