IAM join method support for tbot #10535
As I mentioned on Slack, I reviewed this to the best of my abilities even though I still need to catch up on tbot. I appreciate the PR description and the informative comments. Unfortunately, I wasn't able to properly test this PR as I don't have an AWS setup at the moment.
I see there are some failing tests related to tokens, but I'm giving an approval so that the progress on this PR isn't blocked once it gets reviewed by other people who are more familiar with this part of the codebase.
tool/tbot/main.go (outdated)
// If using the EC2 or IAM join method, repeatedly fetch new certs rather
// than renewing.
"Repeatedly" here describes the overall logic, right? Like, for other join methods we repeatedly renew certs, but for EC2 and IAM we repeatedly fetch new certs?
Yes, that's right. I've updated the comment to try to make it a bit more clear. Thanks for reviewing!
This PR allows tbot to get its initial certs using the IAM join method instead of a secret token.
Normal bot tokens are deleted immediately after their first use; IAM tokens will not be deleted so that they can be re-used. IAM join tokens are really only useful if they can be re-used, otherwise they just have more overhead than a secret token.
The example usecase for the IAM method would be an admin who wants to "let any node in my AWS account join as this bot user".
The usage is as follows:
1. Create bottoken.yaml. Use common IAM method fields from https://goteleport.com/docs/setup/guides/joining-nodes-aws/ and set bot_name to the bot resource name.
2. Create the bot.
3. Run the tbot start command output by tctl bots add. Run this on an ec2 instance with an attached IAM role, or test it in your terminal with valid AWS credentials.
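A token resource matching the usage above, as an added example rather than anything from the PR itself; the field names follow the Teleport AWS-joining docs linked above, and the token name, bot name, AWS account id and role ARN are constructed placeholders:

```yaml
# bottoken.yaml (added example, not from the PR). All values are placeholders.
kind: token
version: v2
metadata:
  # IAM tokens are not deleted after first use, so this one can be reused
  # by every instance that matches the allow rules below.
  name: iam-bot-token
spec:
  # A bot token carries the Bot role; bot_name ties it to the bot resource
  # that tctl bots add creates.
  roles: [Bot]
  bot_name: example-bot
  join_method: iam
  allow:
    # Every AWS identity matching a rule can obtain certificates for this bot,
    # so scope the ARN to the instance role tbot actually runs under rather
    # than a bare wildcard. (placeholder account id and role name)
    - aws_account: "123456789012"
      aws_arn: "arn:aws:sts::123456789012:assumed-role/tbot-instance-role/*"
```

Because the token survives first use, rotating or deleting it is the way to revoke join ability for identities that still match its allow rules.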