Creates built-in role for AWS Identity Center integration

gravitational · Oct 22, 2024 · 5c9bd8f · 5c9bd8f
1 parent a2e406e
commit 5c9bd8f
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 0 deletions.
diff --git a/api/types/common/constants.go b/api/types/common/constants.go
@@ -58,6 +58,10 @@ const (
 	// via a SCIM service
 	OriginSCIM = "scim"
 
+	// OriginAWSIdentityCenter is an Origin value indicating that a resource was
+	// provisioned via the Identity Center integration
+	OriginAWSIdentityCenter = "aws_identity_center"
+
 	// OriginIntegrationAWSOIDC is an origin value indicating that the resource was
 	// created from the AWS OIDC Integration.
 	OriginIntegrationAWSOIDC = "integration_awsoidc"
@@ -82,4 +86,5 @@ var OriginValues = []string{
 	OriginSCIM,
 	OriginDiscoveryKubernetes,
 	OriginEntraID,
+	OriginAWSIdentityCenter,
 }
diff --git a/api/types/system_role.go b/api/types/system_role.go
@@ -81,6 +81,10 @@ const (
 	// RoleAccessGraphPlugin is a role for Access Graph plugins to access
 	// Teleport's internal API and access graph.
 	RoleAccessGraphPlugin SystemRole = "AccessGraphPlugin"
+
+	// RoleAWSIdentityCenter is the role used by the AWS Identity Center integration
+	// when manipulating Teleport resources.
+	RoleAWSIdentityCenter SystemRole = "AWS-IdentityCenter"
 )
 
 // roleMappings maps a set of allowed lowercase system role names
@@ -108,6 +112,7 @@ var roleMappings = map[string]SystemRole{
 	"okta":              RoleOkta,
 	"mdm":               RoleMDM,
 	"accessgraphplugin": RoleAccessGraphPlugin,
+	"aws_ic":            RoleAWSIdentityCenter,
 }
 
 func normalizedSystemRole(s string) SystemRole {

diff --git a/lib/auth/auth.go b/lib/auth/auth.go
@@ -7380,6 +7380,7 @@ func DefaultDNSNamesForRole(role types.SystemRole) []string {
 		types.RoleDatabase,
 		types.RoleWindowsDesktop,
 		types.RoleOkta,
+		types.RoleAWSIdentityCenter,
 	) {
 		return []string{
 			"*." + constants.APIDomain,

diff --git a/lib/authz/permissions.go b/lib/authz/permissions.go
@@ -40,6 +40,7 @@ import (
 	mfav1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/mfa/v1"
 	"github.com/gravitational/teleport/api/mfa"
 	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/api/types/common"
 	apievents "github.com/gravitational/teleport/api/types/events"
 	"github.com/gravitational/teleport/api/utils"
 	"github.com/gravitational/teleport/api/utils/keys"
@@ -1276,6 +1277,54 @@ func definitionForBuiltinRole(clusterName string, recConfig readonly.SessionReco
 				},
 			})
 
+	case types.RoleAWSIdentityCenter:
+		return services.RoleFromSpec(
+			role.String(),
+			types.RoleSpecV6{
+				Allow: types.RoleConditions{
+					Namespaces:  []string{types.Wildcard},
+					AppLabels:   types.Labels{types.Wildcard: []string{types.Wildcard}},
+					GroupLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
+					Rules: []types.Rule{
+						types.NewRule(types.KindIntegration, services.RO()),
+						types.NewRule(types.KindClusterName, services.RO()),
+						types.NewRule(types.KindCertAuthority, services.ReadNoSecrets()),
+						types.NewRule(types.KindSemaphore, services.RW()),
+						types.NewRule(types.KindEvent, services.RW()),
+						types.NewRule(types.KindAppServer, services.RW()),
+						types.NewRule(types.KindClusterNetworkingConfig, services.RO()),
+						types.NewRule(types.KindUser, services.RW()),
+						types.NewRule(types.KindUserGroup, services.RW()),
+						types.NewRule(types.KindProxy, services.RO()),
+						types.NewRule(types.KindClusterAuthPreference, services.RO()),
+						types.NewRule(types.KindRole, services.RO()),
+						types.NewRule(types.KindLock, services.RW()),
+						types.NewRule(types.KindSAML, services.ReadNoSecrets()),
+						// AWS can manage access lists and roles it creates.
+						{
+							Resources: []string{types.KindRole},
+							Verbs:     services.RW(),
+							Where: builder.Equals(
+								builder.Identifier(`resource.metadata.labels["`+types.OriginLabel+`"]`),
+								builder.String(common.OriginAWSIdentityCenter),
+							).String(),
+						},
+						types.NewRule(types.KindAccessList, services.RO()),
+						{
+							Resources: []string{types.KindAccessList},
+							Verbs:     services.RW(),
+							Where: builder.Equals(
+								builder.Identifier(`resource.metadata.labels["`+types.OriginLabel+`"]`),
+								builder.String(common.OriginAWSIdentityCenter),
+							).String(),
+						},
+						types.NewRule(types.KindAccessListMember, services.RO()),
+						types.NewRule(types.KindProvisioningPrincipalState, services.RW()),
+						types.NewRule(types.KindIdentityCenterPrincipalAssignment, services.RW()),
+						types.NewRule(types.KindAccessRequest, services.RO()),
+					},
+				},
+			})
 	}
 
 	return nil, trace.NotFound("builtin role %q is not recognized", role.String())