
IAM join method support for tbot #10535

Merged
merged 8 commits into from
Mar 1, 2022

Conversation

@nklaassen (Contributor) commented Feb 23, 2022

This PR allows tbot to get its initial certs using the IAM join method instead of a secret token.

Normal bot tokens are deleted immediately after their first use; IAM tokens will not be deleted, so that they can be re-used. IAM join tokens are really only useful if they can be re-used, otherwise they just have more overhead than a secret token.

The example use case for the IAM method would be an admin who wants to "let any node in my AWS account join as this bot user".

The usage is as follows:

1. Create bottoken.yaml

Use common IAM method fields from https://goteleport.com/docs/setup/guides/joining-nodes-aws/

Set bot_name to the bot resource name.

# bottoken.yaml
kind: token
version: v2
metadata:
  name: bot-token
  expires: "3000-01-01T00:00:00Z"
spec:
  roles: [Bot]
  bot_name: "bot-ci"
  join_method: iam
  allow:
  - aws_account: "111111111111"
    aws_arn: "arn:aws:sts::111111111111:assumed-role/ci-iam-role/i-*"

2. Create the bot

$ tctl bots add ci --roles access --token bot-token
The bot token: bot-token
This token will expire in 153722867 minutes.

Run this on the new bot node to join the cluster:

> tbot start \
   --destination-dir=./tbot-user \
   --token=bot-token \
   --ca-pin=sha256:d9dc7398e003c378e80c2fbbc6eeac7a9b0c7f7ad3384de167f87d43ccaf0a5e \
   --auth-server=10.0.0.9:3025 \
   --join-method=iam

Please note:

  - This invitation token will expire in 153722867 minutes
  - 10.0.0.9:3025 must be reachable from the new node

3. Run the tbot start command output by tctl bots add

Run this on an EC2 instance with an attached IAM role, or test it in your terminal with valid AWS credentials.
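An added check for the token resource described in the steps above (example code written for this page, not part of the Teleport code base): it validates the bottoken.yaml fields from step 1 and decides whether a caller's STS identity (account id plus ARN, as returned by sts:GetCallerIdentity) is admitted by one of the allow rules. Assumptions: the YAML has already been loaded into a dict (embedded here as constructed data), `*` in aws_arn matches any run of characters, and aws_arn is optional so an account-only rule admits any role in that account.

```python
import re

# Constructed: the parsed form of the bottoken.yaml from the PR description,
# standing in for the YAML-loaded token resource (no yaml library needed).
BOT_TOKEN = {
    "kind": "token", "version": "v2",
    "metadata": {"name": "bot-token", "expires": "3000-01-01T00:00:00Z"},
    "spec": {
        "roles": ["Bot"], "bot_name": "bot-ci", "join_method": "iam",
        "allow": [{"aws_account": "111111111111",
                   "aws_arn": "arn:aws:sts::111111111111:assumed-role/ci-iam-role/i-*"}],
    },
}

def validate_iam_bot_token(token):
    """Return a list of problems; an empty list means the resource is well-formed."""
    problems, spec = [], token.get("spec", {})
    if "Bot" not in spec.get("roles", []):
        problems.append("roles must include Bot")
    if not spec.get("bot_name"):
        problems.append("bot_name must name the bot resource")
    if spec.get("join_method") != "iam":
        problems.append("join_method must be iam")
    allow = spec.get("allow") or []
    if not allow:
        problems.append("allow must list at least one rule")
    for rule in allow:
        acct = rule.get("aws_account", "")
        if not re.fullmatch(r"\d{12}", acct):
            problems.append(f"aws_account {acct!r} is not a 12-digit account id")
        arn = rule.get("aws_arn")
        if arn and not arn.startswith(f"arn:aws:sts::{acct}:"):
            problems.append(f"aws_arn {arn!r} is not an STS ARN in account {acct}")
    return problems

def _arn_pattern(pattern):
    # Assumption: '*' matches any run of characters; everything else is literal.
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")))

def token_allows(token, account, caller_arn):
    """Is the (account, arn) pair from sts:GetCallerIdentity admitted by an allow rule?"""
    for rule in token["spec"]["allow"]:
        if rule.get("aws_account") != account:
            continue
        pat = rule.get("aws_arn")  # assumed optional: account-only rules admit any ARN
        if pat is None or _arn_pattern(pat).fullmatch(caller_arn):
            return True
    return False
```

A rule whose aws_arn ends in `assumed-role/*` (or that omits aws_arn) admits every role in the account, which is the "any node in my AWS account" case from the description; narrowing the pattern to one role is what limits which instances can join as the bot.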

@github-actions github-actions bot added the tctl tctl - Teleport admin tool label Feb 23, 2022
@ravicious (Member) left a comment


As I mentioned on Slack, I reviewed this to the best of my abilities even though I still need to catch up on tbot. I appreciate the PR description and the informative comments. Unfortunately, I wasn't able to properly test this PR as I don't have an AWS setup at the moment.

I see there are some failing tests related to tokens, but I'm giving an approval so that the progress on this PR isn't blocked once it gets reviewed by other people who are more familiar with this part of the codebase.

Comment on lines 286 to 287
// If using the EC2 or IAM join method, repeatedly fetch new certs rather
// than renewing.
@ravicious (Member) commented:

"Repeatedly" here describes the overall logic, right? Like, for other join methods we repeatedly renew certs, but for EC2 and IAM we repeatedly fetch new certs?

@nklaassen (Contributor, Author) replied:

Yes that's right, I've updated the comment to try to make it a bit more clear. Thanks for reviewing!

@nklaassen nklaassen enabled auto-merge (squash) February 28, 2022 22:22
@nklaassen nklaassen merged commit 6e16ad6 into master Mar 1, 2022
@nklaassen nklaassen deleted the nklaassen/tbot-aws-join branch March 1, 2022 00:35
nklaassen added a commit that referenced this pull request Mar 1, 2022
@webvictim webvictim mentioned this pull request Apr 19, 2022
@webvictim webvictim mentioned this pull request Jun 8, 2022