Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AWS OIDC Integration for VPN protected clusters #34610

Open
marcoandredinis opened this issue Nov 15, 2023 · 4 comments
Open

AWS OIDC Integration for VPN protected clusters #34610

marcoandredinis opened this issue Nov 15, 2023 · 4 comments
Assignees
@marcoandredinis
Labels
aws Used for AWS Related Issues. feature-request Used for new features in Teleport, improvements to current should be #enhancements

Comments

@marcoandredinis
Copy link
Contributor

marcoandredinis commented Nov 15, 2023
edited
Loading

What would you like Teleport to do?
Integrate with AWS when Teleport cluster is deployed without an Internet-public endpoint.
Eg, internal network protected by VPN

What problem does this solve?
Some deployments of Teleport are only accessible in an internal network.
In those cases, the AWS OIDC Integration is not completed because Amazon can't:

  • get for the endpoint's thumbprint
  • HTTP GET the openid configuration available at https://<proxy.example.com>/.well-known/openid-configuration
  • HTTP GET the public keys referenced above

If a workaround exists, please include it.
@marcoandredinis marcoandredinis added feature-request Used for new features in Teleport, improvements to current should be #enhancements aws Used for AWS Related Issues. labels Nov 15, 2023
@marcoandredinis marcoandredinis self-assigned this Mar 6, 2024
@marcoandredinis
Copy link
Contributor Author

Should be fixed by #38782

@marcoandredinis
Copy link
Contributor Author

Users should be able to set up the AWS OIDC Integration even if their cluster is not public facing.
To do this, when the script is generated, users must run it on a machine that has AWS Credentials and access to the teleport proxy endpoint (https/website).
Alternatively, users can fetch the script (run the curl https://... part), copy that script to CloudShell and then run it.

@Alex-Giaquinto
Copy link

@marcoandredinis I did this, but now when I try to enroll my EKS clusters, I am getting this error

rpc error: code = Unknown desc = operation error EKS: ListClusters, get identity: get credentials: failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity, exceeded maximum number of attempts, 3, https response error StatusCode: 400, RequestID: xxx, InvalidIdentityToken: Couldn't retrieve verification key from your identity provider, please reference AssumeRoleWithWebIdentity documentation for requirements

Not sure what to do.

@marcoandredinis
Copy link
Contributor Author

marcoandredinis commented Aug 19, 2024
edited
Loading

When I wrote this comment we had another method for setting up the integration, which used S3 buckets.
However, that method was not easy to follow and caused a lot of issues.
Some time ago, AWS changed the primitives for setting up the OIDC IdP, which allowed us to simplify the integration
https://aws.amazon.com/about-aws/whats-new/2024/07/aws-identity-access-management-open-id-connect-identity-providers/

We decided to remove that method, and only provide the simpler one.

I'll re-open the issue because it also means we can't use the Integration in clusters which are not publicly accessible.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@marcoandredinis marcoandredinis

Labels
aws Used for AWS Related Issues. feature-request Used for new features in Teleport, improvements to current should be #enhancements
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@marcoandredinis @Alex-Giaquinto