verify AWS account ID for external audit storage #46950
Merged
Related issue:
Like the other integration commands, this PR adds an optional `--aws-account-id` flag to `teleport integration configure externalauditstorage`. If the flag is given, then `sts get-caller-identity` will be used to check that the expected account ID matches the account ID where the command is being run. If the flag is not given, then the behavior is identical to before - use the account ID we get from the STS call.

Since the script our flows generate will make a `bash -c $(curl ...` that downloads the same teleport version as the proxy, there should not be compatibility issues. The idea is to avoid accidentally running the command in the wrong AWS account, for example if you run it in cloudshell and forgot that you switched accounts prior.
I'll open an e PR to actually pass the account ID to the script generation endpoint via query param
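The account check described in this PR, as an added example that is not Teleport's own code: the expected account ID from `--aws-account-id` is compared against the `Account` field of `sts get-caller-identity`, and an empty flag falls back to trusting STS, as the description says. The `CallerIdentityClient` interface and the `fakeSTS` stand-in are assumptions made so the logic runs offline; the real command would call the AWS SDK's STS client instead.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"regexp"
)

// CallerIdentity carries the two fields of the sts get-caller-identity
// response that the check needs.
type CallerIdentity struct {
	Account string
	Arn     string
}

// CallerIdentityClient is an assumed abstraction over STS GetCallerIdentity
// so the check can be exercised with a fake. It is not a Teleport type.
type CallerIdentityClient interface {
	GetCallerIdentity(ctx context.Context) (CallerIdentity, error)
}

// ErrAccountMismatch is returned when --aws-account-id disagrees with STS.
var ErrAccountMismatch = errors.New("aws account mismatch")

var accountIDRe = regexp.MustCompile(`^\d{12}$`)

// ValidateAccountID rejects anything that is not a 12-digit AWS account ID,
// which catches typos in the flag before any AWS call is made.
func ValidateAccountID(id string) error {
	if !accountIDRe.MatchString(id) {
		return fmt.Errorf("invalid AWS account ID %q: expected 12 digits", id)
	}
	return nil
}

// ResolveAccountID returns the account the current credentials belong to.
// With expected == "" the behaviour is the old one: the STS answer is used
// as-is. Otherwise STS must agree with expected, or the command refuses to
// proceed so it is never run in the wrong account by accident.
func ResolveAccountID(ctx context.Context, client CallerIdentityClient, expected string) (string, error) {
	if expected != "" {
		if err := ValidateAccountID(expected); err != nil {
			return "", err
		}
	}
	id, err := client.GetCallerIdentity(ctx)
	if err != nil {
		return "", fmt.Errorf("sts get-caller-identity: %w", err)
	}
	if err := ValidateAccountID(id.Account); err != nil {
		return "", fmt.Errorf("unexpected sts response: %w", err)
	}
	if expected != "" && expected != id.Account {
		return "", fmt.Errorf("%w: expected account %s but the current credentials (%s) belong to account %s; are you in the right AWS account?",
			ErrAccountMismatch, expected, id.Arn, id.Account)
	}
	return id.Account, nil
}

// fakeSTS is a constructed stand-in for an STS client (assumption, not AWS SDK).
type fakeSTS struct {
	identity CallerIdentity
	err      error
}

func (f fakeSTS) GetCallerIdentity(context.Context) (CallerIdentity, error) {
	return f.identity, f.err
}

func main() {
	// Constructed identity: pretend CloudShell credentials belong to account 123456789012.
	stub := fakeSTS{identity: CallerIdentity{
		Account: "123456789012",
		Arn:     "arn:aws:sts::123456789012:assumed-role/cloudshell/session",
	}}
	for _, flag := range []string{"", "123456789012", "210987654321"} {
		acct, err := ResolveAccountID(context.Background(), stub, flag)
		fmt.Printf("--aws-account-id=%q -> account=%q err=%v\n", flag, acct, err)
	}
}
```

The mismatch error names both the expected account and the ARN STS returned, which is the detail an operator needs to notice that they switched accounts before running the generated script.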