DeployService: auto upsert IAM Join Token #28537
When using the DeployService, the deployed services (database service only for now) will join the Teleport Cluster using the IAM Join Method. In order to do so, we require an IAM Token that allows the AWS Account ID and ARN of the assumed-role. Instead of asking the user to create it, we do it for them. This PR creates or updates the IAM Join Token.
} | ||
|
||
token, err := clt.GetToken(ctx, req.tokenName) | ||
switch { |
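Review bot: the `switch` opened right after `token, err := clt.GetToken(ctx, req.tokenName)` has to separate a not-found error from every other failure, and only the not-found case should lead to creating a token; any other error should be returned wrapped rather than treated as a missing token. When a token with `req.tokenName` already exists, it is also worth checking that it uses the IAM join method before adding an allow entry, so an unrelated token that happens to share the name is not silently widened. The read here and the later write are not atomic, so a short comment on how concurrent DeployService calls for the same token name are expected to behave would help.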
IMO in this case switch makes the flow very weird. My proposal:

```go
if trace.IsNotFound(err) {
	token = ....
	err = nil
}
if err != nil {
	return trace.Wrap(err)
}
...
```
It's a bit complex because it has the `fallthrough` down below.
I could switch to a plain `if` condition.
Given that you approve, I'll merge as is.
But feel free to comment again and I'll try to simplify this part.
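The create-or-update flow discussed in the description and the review thread above, as an added example that is not code from this PR or from Teleport: the store, token and rule types, `upsertIAMRule`, and the account ID and ARN are hypothetical, constructed stand-ins. It follows the plain `if` ordering proposed in the review and goes slightly beyond the thread by refusing a token that uses a non-IAM join method and by keeping repeated calls idempotent.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for this example; these are not Teleport's types.
var errNotFound = errors.New("token not found")

type allowRule struct{ Account, ARN string }

type joinToken struct {
	Name, Method string
	Allow        []allowRule
}

type tokenStore map[string]*joinToken

func (s tokenStore) get(name string) (*joinToken, error) {
	if t, ok := s[name]; ok {
		return t, nil
	}
	return nil, errNotFound
}

// upsertIAMRule creates the token if missing, otherwise adds the rule once.
func upsertIAMRule(s tokenStore, name string, rule allowRule) error {
	token, err := s.get(name)
	if errors.Is(err, errNotFound) { // missing token: start a new IAM one
		token, err = &joinToken{Name: name, Method: "iam"}, nil
	}
	if err != nil { // any other read failure is returned, never treated as "missing"
		return fmt.Errorf("reading token %q: %w", name, err)
	}
	if token.Method != "iam" { // do not widen an unrelated token with the same name
		return fmt.Errorf("token %q uses join method %q, not iam", name, token.Method)
	}
	for _, r := range token.Allow {
		if r == rule {
			return nil // already allowed: repeated deploys change nothing
		}
	}
	token.Allow = append(token.Allow, rule)
	s[name] = token
	return nil
}

func main() {
	s := tokenStore{} // account ID and ARN below are constructed sample values
	err := upsertIAMRule(s, "example-token", allowRule{Account: "123456789012", ARN: "arn:aws:sts::123456789012:assumed-role/example-role/*"})
	fmt.Println(err, len(s["example-token"].Allow))
}
```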
@marcoandredinis See the table below for backport results.
* DeployService: auto upsert IAM Join Token

  When using the DeployService, the deployed services (database service only for now) will join the Teleport Cluster using the IAM Join Method. In order to do so, we require an IAM Token that allows the AWS Account ID and ARN of the assumed-role. Instead of asking the user to create it, we do it for them. This PR creates or updates the IAM Join Token.

* AccountID is optional when calling DeployService

* dry code when upserting the token
When using the DeployService, the deployed services (database service only for now) will join the Teleport Cluster using the IAM Join Method.
In order to do so, we require an IAM Token that allows the AWS Account ID and ARN of the assumed-role.
Instead of asking the user to create it, we do it for them.
This PR creates or updates the IAM Join Token.
Token created before deploying the service: