verify AWS account ID for external audit storage #46950

@GavinFrazar GavinFrazar commented Sep 27, 2024

Related issue:

Like the other integration commands, this PR adds an optional `--aws-account-id` flag to `teleport integration configure externalauditstorage`.

If the flag is given, then `sts get-caller-identity` will be used to check that the expected account ID matches the account ID where the command is being run.
If the flag is not given, then the behavior is identical to before - use the account ID we get from the STS call.
Since the script our flows generate will make a bash -c $(curl ... that downloads the same teleport version as the proxy, there should not be compatibility issues.

The idea is to avoid accidentally running the command in the wrong AWS account, for example if you run it in cloudshell and forgot that you switched accounts prior.

I'll open an e PR to actually pass the account ID to the script generation endpoint via query param
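
The check described in the PR description above, sketched as an added example that is not code from this PR or from Teleport. The `callerIdentity` interface, the `staticIdentity` fake, `resolveAccountID` and the sample account IDs are hypothetical names and constructed values standing in for the real STS call so the example runs offline.

```go
package main

import (
	"context"
	"fmt"
	"regexp"
)

// callerIdentity is a hypothetical stand-in for the STS GetCallerIdentity call.
type callerIdentity interface {
	AccountID(ctx context.Context) (string, error)
}

// staticIdentity is a constructed fake so the example needs no AWS credentials.
type staticIdentity struct {
	account string
	err     error
}

func (s staticIdentity) AccountID(context.Context) (string, error) { return s.account, s.err }

var accountIDPattern = regexp.MustCompile(`^[0-9]{12}$`)

// resolveAccountID returns the account the command is allowed to configure.
// An empty expected value keeps the previous behaviour: use whatever STS reports.
func resolveAccountID(ctx context.Context, sts callerIdentity, expected string) (string, error) {
	// Reject a malformed flag value before making any AWS call.
	if expected != "" && !accountIDPattern.MatchString(expected) {
		return "", fmt.Errorf("expected account ID %q is not a 12-digit AWS account ID", expected)
	}
	actual, err := sts.AccountID(ctx)
	if err != nil {
		return "", fmt.Errorf("getting caller identity: %w", err)
	}
	// Fail closed on mismatch so nothing is created in the wrong account.
	if expected != "" && actual != expected {
		return "", fmt.Errorf("expected AWS account %s but current credentials belong to %s", expected, actual)
	}
	return actual, nil
}

func main() {
	ctx := context.Background()
	current := staticIdentity{account: "111111111111"} // constructed sample account
	for _, expected := range []string{"", "111111111111", "222222222222"} {
		id, err := resolveAccountID(ctx, current, expected)
		fmt.Printf("expected=%q -> id=%q err=%v\n", expected, id, err)
	}
}
```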

@GavinFrazar GavinFrazar marked this pull request as ready for review September 30, 2024 21:09
@GavinFrazar GavinFrazar added no-changelog Indicates that a PR does not require a changelog entry backport/branch/v16 labels Sep 30, 2024
@gravitational gravitational deleted a comment from github-actions bot Sep 30, 2024
@gravitational gravitational deleted a comment from github-actions bot Sep 30, 2024
@GavinFrazar GavinFrazar force-pushed the gavinfrazar/check-aws-account-in-external-audit-storage-command branch from 7670429 to c54d2ab Compare September 30, 2024 22:45
@GavinFrazar GavinFrazar force-pushed the gavinfrazar/check-aws-account-in-external-audit-storage-command branch from c54d2ab to b4fe1fc Compare September 30, 2024 23:02
@GavinFrazar

@tcsc @nklaassen

@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from tcsc October 3, 2024 19:13
@GavinFrazar GavinFrazar added this pull request to the merge queue Oct 3, 2024
Merged via the queue into master with commit e6051f7 Oct 3, 2024
39 checks passed
@GavinFrazar GavinFrazar deleted the gavinfrazar/check-aws-account-in-external-audit-storage-command branch October 3, 2024 19:58
@public-teleport-github-review-bot

@GavinFrazar See the table below for backport results.

| Branch | Result |
| --- | --- |
| branch/v16 | Create PR |
