diff --git a/go.mod b/go.mod
index b87b5936b42fa..6224b9952c244 100644
--- a/go.mod
+++ b/go.mod
@@ -42,7 +42,7 @@ require (
github.com/aquasecurity/libbpfgo v0.5.1-libbpf-1.2
github.com/armon/go-radix v1.0.0
github.com/aws/aws-sdk-go v1.55.5
- github.com/aws/aws-sdk-go-v2 v1.32.2
+ github.com/aws/aws-sdk-go-v2 v1.32.3
github.com/aws/aws-sdk-go-v2/config v1.27.39
github.com/aws/aws-sdk-go-v2/credentials v1.17.37
github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.15.8
@@ -263,8 +263,8 @@ require (
github.com/apache/arrow/go/v15 v15.0.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.5 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.22 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.22 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.18 // indirect
github.com/aws/aws-sdk-go-v2/service/ecr v1.33.0 // indirect
diff --git a/go.sum b/go.sum
index 3975430a8eb1b..11b2c7093bb18 100644
--- a/go.sum
+++ b/go.sum
@@ -835,8 +835,8 @@ github.com/aws/aws-sdk-go v1.49.12/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3Tj
github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU=
github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
github.com/aws/aws-sdk-go-v2 v1.18.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
-github.com/aws/aws-sdk-go-v2 v1.32.2 h1:AkNLZEyYMLnx/Q/mSKkcMqwNFXMAvFto9bNsHqcTduI=
-github.com/aws/aws-sdk-go-v2 v1.32.2/go.mod h1:2SK5n0a2karNTv5tbP1SjsX0uhttou00v/HpXKM1ZUo=
+github.com/aws/aws-sdk-go-v2 v1.32.3 h1:T0dRlFBKcdaUPGNtkBSwHZxrtis8CQU17UpNBZYd0wk=
+github.com/aws/aws-sdk-go-v2 v1.32.3/go.mod h1:2SK5n0a2karNTv5tbP1SjsX0uhttou00v/HpXKM1ZUo=
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.5 h1:xDAuZTn4IMm8o1LnBZvmrL8JA1io4o3YWNXgohbf20g=
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.5/go.mod h1:wYSv6iDS621sEFLfKvpPE2ugjTuGlAG7iROg0hLOkfc=
github.com/aws/aws-sdk-go-v2/config v1.18.25/go.mod h1:dZnYpD5wTW/dQF0rRNLVypB396zWCcPiBIvdvSWHEg4=
@@ -855,11 +855,11 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14/go.mod h1:7I0Ju7p9mCIdlrf
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.25 h1:HkpHeZMM39sGtMHVYG1buAg93vhj5d7F81y6G0OAbGc=
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.25/go.mod h1:j3Vz04ZjaWA6kygOsZRpmWe4CyGqfqq2u3unDTU0QGA=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33/go.mod h1:7i0PF1ME/2eUPFcjkVIwq+DOygHEoK92t5cDqNgYbIw=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21 h1:UAsR3xA31QGf79WzpG/ixT9FZvQlh5HY1NRqSHBNOCk=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21/go.mod h1:JNr43NFf5L9YaG3eKTm7HQzls9J+A9YYcGI5Quh1r2Y=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.22 h1:Jw50LwEkVjuVzE1NzkhNKkBf9cRN7MtE1F/b2cOKTUM=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.22/go.mod h1:Y/SmAyPcOTmpeVaWSzSKiILfXTVJwrGmYZhcRbhWuEY=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27/go.mod h1:UrHnn3QV/d0pBZ6QBAEQcqFLf8FAzLmoUfPVIueOvoM=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21 h1:6jZVETqmYCadGFvrYEQfC5fAQmlo80CeL5psbno6r0s=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21/go.mod h1:1SR0GbLlnN3QUmYaflZNiH1ql+1qrSiB2vwcJ+4UM60=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.22 h1:981MHwBaRZM7+9QSR6XamDzF/o7ouUGxFzr+nVSIhrs=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.22/go.mod h1:1RA1+aBEfn+CAB/Mh0MB6LsdCYCnjZm7tKXtnk499ZQ=
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34/go.mod h1:Etz2dj6UHYuw+Xw830KfzCfWGMzqvUTCjUj5b76GVDc=
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ=
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
diff --git a/integrations/event-handler/go.mod b/integrations/event-handler/go.mod
index 0265236f2ffb6..213ce6d5aed1d 100644
--- a/integrations/event-handler/go.mod
+++ b/integrations/event-handler/go.mod
@@ -62,14 +62,14 @@ require (
github.com/armon/go-radix v1.0.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aws/aws-sdk-go v1.55.5 // indirect
- github.com/aws/aws-sdk-go-v2 v1.32.2 // indirect
+ github.com/aws/aws-sdk-go-v2 v1.32.3 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.5 // indirect
github.com/aws/aws-sdk-go-v2/config v1.27.39 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.17.37 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14 // indirect
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.25 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.22 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.22 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.18 // indirect
github.com/aws/aws-sdk-go-v2/service/athena v1.46.2 // indirect
diff --git a/integrations/event-handler/go.sum b/integrations/event-handler/go.sum
index f7d9d02875a0a..11878ca66bbbf 100644
--- a/integrations/event-handler/go.sum
+++ b/integrations/event-handler/go.sum
@@ -717,8 +717,8 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3d
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU=
github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
-github.com/aws/aws-sdk-go-v2 v1.32.2 h1:AkNLZEyYMLnx/Q/mSKkcMqwNFXMAvFto9bNsHqcTduI=
-github.com/aws/aws-sdk-go-v2 v1.32.2/go.mod h1:2SK5n0a2karNTv5tbP1SjsX0uhttou00v/HpXKM1ZUo=
+github.com/aws/aws-sdk-go-v2 v1.32.3 h1:T0dRlFBKcdaUPGNtkBSwHZxrtis8CQU17UpNBZYd0wk=
+github.com/aws/aws-sdk-go-v2 v1.32.3/go.mod h1:2SK5n0a2karNTv5tbP1SjsX0uhttou00v/HpXKM1ZUo=
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.5 h1:xDAuZTn4IMm8o1LnBZvmrL8JA1io4o3YWNXgohbf20g=
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.5/go.mod h1:wYSv6iDS621sEFLfKvpPE2ugjTuGlAG7iROg0hLOkfc=
github.com/aws/aws-sdk-go-v2/config v1.27.39 h1:FCylu78eTGzW1ynHcongXK9YHtoXD5AiiUqq3YfJYjU=
@@ -729,10 +729,10 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14 h1:C/d03NAmh8C4BZXhuRNboF
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14/go.mod h1:7I0Ju7p9mCIdlrfS+JCgqcYD0VXz/N4yozsox+0o078=
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.25 h1:HkpHeZMM39sGtMHVYG1buAg93vhj5d7F81y6G0OAbGc=
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.25/go.mod h1:j3Vz04ZjaWA6kygOsZRpmWe4CyGqfqq2u3unDTU0QGA=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21 h1:UAsR3xA31QGf79WzpG/ixT9FZvQlh5HY1NRqSHBNOCk=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21/go.mod h1:JNr43NFf5L9YaG3eKTm7HQzls9J+A9YYcGI5Quh1r2Y=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21 h1:6jZVETqmYCadGFvrYEQfC5fAQmlo80CeL5psbno6r0s=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21/go.mod h1:1SR0GbLlnN3QUmYaflZNiH1ql+1qrSiB2vwcJ+4UM60=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.22 h1:Jw50LwEkVjuVzE1NzkhNKkBf9cRN7MtE1F/b2cOKTUM=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.22/go.mod h1:Y/SmAyPcOTmpeVaWSzSKiILfXTVJwrGmYZhcRbhWuEY=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.22 h1:981MHwBaRZM7+9QSR6XamDzF/o7ouUGxFzr+nVSIhrs=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.22/go.mod h1:1RA1+aBEfn+CAB/Mh0MB6LsdCYCnjZm7tKXtnk499ZQ=
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ=
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.18 h1:OWYvKL53l1rbsUmW7bQyJVsYU/Ii3bbAAQIIFNbM0Tk=
diff --git a/integrations/terraform/go.mod b/integrations/terraform/go.mod
index 030b29ba08341..04add85a4a5c5 100644
--- a/integrations/terraform/go.mod
+++ b/integrations/terraform/go.mod
@@ -76,14 +76,14 @@ require (
github.com/armon/go-radix v1.0.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aws/aws-sdk-go v1.55.5 // indirect
- github.com/aws/aws-sdk-go-v2 v1.32.2 // indirect
+ github.com/aws/aws-sdk-go-v2 v1.32.3 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.5 // indirect
github.com/aws/aws-sdk-go-v2/config v1.27.39 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.17.37 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14 // indirect
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.25 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.22 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.22 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.18 // indirect
github.com/aws/aws-sdk-go-v2/service/athena v1.46.2 // indirect
diff --git a/integrations/terraform/go.sum b/integrations/terraform/go.sum
index 95ef579188b65..303d44d2800a0 100644
--- a/integrations/terraform/go.sum
+++ b/integrations/terraform/go.sum
@@ -774,8 +774,8 @@ github.com/aws/aws-sdk-go v1.15.78/go.mod h1:E3/ieXAlvM0XWO57iftYVDLLvQ824smPP3A
github.com/aws/aws-sdk-go v1.25.3/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU=
github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
-github.com/aws/aws-sdk-go-v2 v1.32.2 h1:AkNLZEyYMLnx/Q/mSKkcMqwNFXMAvFto9bNsHqcTduI=
-github.com/aws/aws-sdk-go-v2 v1.32.2/go.mod h1:2SK5n0a2karNTv5tbP1SjsX0uhttou00v/HpXKM1ZUo=
+github.com/aws/aws-sdk-go-v2 v1.32.3 h1:T0dRlFBKcdaUPGNtkBSwHZxrtis8CQU17UpNBZYd0wk=
+github.com/aws/aws-sdk-go-v2 v1.32.3/go.mod h1:2SK5n0a2karNTv5tbP1SjsX0uhttou00v/HpXKM1ZUo=
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.5 h1:xDAuZTn4IMm8o1LnBZvmrL8JA1io4o3YWNXgohbf20g=
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.5/go.mod h1:wYSv6iDS621sEFLfKvpPE2ugjTuGlAG7iROg0hLOkfc=
github.com/aws/aws-sdk-go-v2/config v1.27.39 h1:FCylu78eTGzW1ynHcongXK9YHtoXD5AiiUqq3YfJYjU=
@@ -790,10 +790,10 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14 h1:C/d03NAmh8C4BZXhuRNboF
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14/go.mod h1:7I0Ju7p9mCIdlrfS+JCgqcYD0VXz/N4yozsox+0o078=
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.25 h1:HkpHeZMM39sGtMHVYG1buAg93vhj5d7F81y6G0OAbGc=
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.25/go.mod h1:j3Vz04ZjaWA6kygOsZRpmWe4CyGqfqq2u3unDTU0QGA=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21 h1:UAsR3xA31QGf79WzpG/ixT9FZvQlh5HY1NRqSHBNOCk=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21/go.mod h1:JNr43NFf5L9YaG3eKTm7HQzls9J+A9YYcGI5Quh1r2Y=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21 h1:6jZVETqmYCadGFvrYEQfC5fAQmlo80CeL5psbno6r0s=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21/go.mod h1:1SR0GbLlnN3QUmYaflZNiH1ql+1qrSiB2vwcJ+4UM60=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.22 h1:Jw50LwEkVjuVzE1NzkhNKkBf9cRN7MtE1F/b2cOKTUM=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.22/go.mod h1:Y/SmAyPcOTmpeVaWSzSKiILfXTVJwrGmYZhcRbhWuEY=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.22 h1:981MHwBaRZM7+9QSR6XamDzF/o7ouUGxFzr+nVSIhrs=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.22/go.mod h1:1RA1+aBEfn+CAB/Mh0MB6LsdCYCnjZm7tKXtnk499ZQ=
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ=
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.18 h1:OWYvKL53l1rbsUmW7bQyJVsYU/Ii3bbAAQIIFNbM0Tk=
diff --git a/lib/integrations/awsoidc/credentialscache.go b/lib/integrations/awsoidc/credprovider/credentialscache.go
similarity index 99%
rename from lib/integrations/awsoidc/credentialscache.go
rename to lib/integrations/awsoidc/credprovider/credentialscache.go
index 1d1ddffe3bf1c..bf333b657dd2d 100644
--- a/lib/integrations/awsoidc/credentialscache.go
+++ b/lib/integrations/awsoidc/credprovider/credentialscache.go
@@ -14,7 +14,7 @@
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see .
-package awsoidc
+package credprovider
import (
"context"
diff --git a/lib/integrations/awsoidc/credentialscache_test.go b/lib/integrations/awsoidc/credprovider/credentialscache_test.go
similarity index 99%
rename from lib/integrations/awsoidc/credentialscache_test.go
rename to lib/integrations/awsoidc/credprovider/credentialscache_test.go
index cc997758f70be..169c99e626a7c 100644
--- a/lib/integrations/awsoidc/credentialscache_test.go
+++ b/lib/integrations/awsoidc/credprovider/credentialscache_test.go
@@ -14,7 +14,7 @@
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see .
-package awsoidc
+package credprovider
import (
"context"
diff --git a/lib/integrations/awsoidc/credprovider/integration_config_provider.go b/lib/integrations/awsoidc/credprovider/integration_config_provider.go
new file mode 100644
index 0000000000000..a98ba7a2b55ff
--- /dev/null
+++ b/lib/integrations/awsoidc/credprovider/integration_config_provider.go
@@ -0,0 +1,158 @@
+// Teleport
+// Copyright (C) 2024 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see .
+
+package credprovider
+
+import (
+ "context"
+ "log/slog"
+
+ "github.com/aws/aws-sdk-go-v2/aws"
+ "github.com/aws/aws-sdk-go-v2/aws/arn"
+ awsConfig "github.com/aws/aws-sdk-go-v2/config"
+ "github.com/aws/aws-sdk-go-v2/credentials/stscreds"
+ "github.com/aws/aws-sdk-go-v2/service/sts"
+ "github.com/gravitational/trace"
+ "github.com/jonboulle/clockwork"
+
+ "github.com/gravitational/teleport"
+ "github.com/gravitational/teleport/api/types"
+ "github.com/gravitational/teleport/lib/modules"
+)
+
+// CreateAWSConfigForIntegration returns a new AWS credentials provider that
+// uses the AWS OIDC integration to generate temporary credentials.
+// The provider will periodically refresh the credentials before they expire.
+func CreateAWSConfigForIntegration(ctx context.Context, config Config) (*aws.Config, error) {
+ if err := config.checkAndSetDefaults(); err != nil {
+ return nil, trace.Wrap(err)
+ }
+ cacheAWSConfig, err := newAWSConfig(ctx, config.Region)
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+ if config.STSClient == nil {
+ config.STSClient = sts.NewFromConfig(*cacheAWSConfig)
+ }
+ credCache, err := newAWSCredCache(ctx, config, config.STSClient)
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+ go credCache.Run(ctx)
+ credCache.WaitForFirstCredsOrErr(ctx)
+
+ awsCfg, err := newAWSConfig(ctx, config.Region, awsConfig.WithCredentialsProvider(credCache))
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+ return awsCfg, nil
+}
+
+// Config is a configuration struct for creating a new
+// AWS credentials provider that uses the AWS OIDC integration to generate
+// temporary credentials.
+type Config struct {
+ // Region is the AWS region to use for the STS client.
+ Region string
+ // IntegrationName is the name of the AWS OIDC integration to use.
+ IntegrationName string
+ // IntegrationGetter is used to fetch the AWS OIDC integration.
+ IntegrationGetter integrationGetter
+ // AWSOIDCTokenGenerator is used to generate OIDC tokens for the AWS integration.
+ AWSOIDCTokenGenerator tokenGenerator
+ // STSClient is the AWS Security Token Service client.
+ STSClient stscreds.AssumeRoleWithWebIdentityAPIClient
+ // Logger is the logger to use for logging.
+ Logger *slog.Logger
+ // Clock is the clock to use for timekeeping.
+ Clock clockwork.Clock
+}
+
+type integrationGetter interface {
+ // GetIntegration returns an integration by name from the backend.
+ GetIntegration(ctx context.Context, name string) (types.Integration, error)
+}
+
+type tokenGenerator interface {
+ // GenerateAWSOIDCToken generates an OIDC token for the given integration.
+ // The token is used to authenticate to AWS via OIDC.
+ GenerateAWSOIDCToken(ctx context.Context, integration string) (string, error)
+}
+
+func (c *Config) checkAndSetDefaults() error {
+ if c.Region == "" {
+ return trace.BadParameter("missing region")
+ }
+ if c.IntegrationName == "" {
+ return trace.BadParameter("missing integration name")
+ }
+ if c.IntegrationGetter == nil {
+ return trace.BadParameter("missing integration getter")
+ }
+ if c.AWSOIDCTokenGenerator == nil {
+ return trace.BadParameter("missing token generator")
+ }
+ if c.Logger == nil {
+ c.Logger = slog.Default().With(teleport.ComponentKey, "AWS_OIDC_CONFIG_PROVIDER")
+ }
+ if c.Clock == nil {
+ c.Clock = clockwork.NewRealClock()
+ }
+ return nil
+}
+
+func newAWSCredCache(ctx context.Context, cfg Config, stsClient stscreds.AssumeRoleWithWebIdentityAPIClient) (*CredentialsCache, error) {
+ integration, err := cfg.IntegrationGetter.GetIntegration(ctx, cfg.IntegrationName)
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+ roleARN, err := arn.Parse(integration.GetAWSOIDCIntegrationSpec().RoleARN)
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+
+ credCache, err := NewCredentialsCache(
+ CredentialsCacheOptions{
+ Log: cfg.Logger,
+ Clock: cfg.Clock,
+ STSClient: stsClient,
+ RoleARN: roleARN,
+ Integration: cfg.IntegrationName,
+ },
+ )
+ if err != nil {
+ return nil, trace.Wrap(err, "creating OIDC credentials cache")
+ }
+ credCache.SetGenerateOIDCTokenFn(cfg.AWSOIDCTokenGenerator.GenerateAWSOIDCToken)
+ return credCache, nil
+}
+
+func newAWSConfig(ctx context.Context, awsRegion string, options ...func(*awsConfig.LoadOptions) error) (*aws.Config, error) {
+ var useFIPS aws.FIPSEndpointState
+ if modules.GetModules().IsBoringBinary() {
+ useFIPS = aws.FIPSEndpointStateEnabled
+ }
+ options = append(options,
+ awsConfig.WithRegion(awsRegion),
+ awsConfig.WithUseFIPSEndpoint(useFIPS),
+ awsConfig.WithRetryMaxAttempts(10),
+ )
+ cfg, err := awsConfig.LoadDefaultConfig(ctx, options...)
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+ return &cfg, nil
+}
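Review bot: newAWSCredCache dereferences `integration.GetAWSOIDCIntegrationSpec().RoleARN` without checking that the integration fetched by name is actually an AWS OIDC integration; if that getter returns a nil spec for other integration kinds, as its pointer-style accessor shape suggests, a wrong IntegrationName becomes a nil-pointer panic instead of an error. Guard it before parsing: `spec := integration.GetAWSOIDCIntegrationSpec()`, `if spec == nil { return nil, trace.BadParameter("integration %q is not an AWS OIDC integration", cfg.IntegrationName) }`, then `roleARN, err := arn.Parse(spec.RoleARN)`. Separately, the doc comment on CreateAWSConfigForIntegration should state that ctx governs the lifetime of the background refresh goroutine started by `go credCache.Run(ctx)`, since a caller passing a request-scoped context would silently stop credential refresh for the returned config. If `credCache.WaitForFirstCredsOrErr(ctx)` also returns on context cancellation, as its name suggests, the function then falls through to building a config whose provider never obtained credentials; consider returning `trace.Wrap(ctx.Err())` when `ctx.Err() != nil` after the wait.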
diff --git a/lib/integrations/externalauditstorage/configurator.go b/lib/integrations/externalauditstorage/configurator.go
index 66cea204a57cc..96c16c9dde133 100644
--- a/lib/integrations/externalauditstorage/configurator.go
+++ b/lib/integrations/externalauditstorage/configurator.go
@@ -34,7 +34,7 @@ import (
"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/api/types/externalauditstorage"
"github.com/gravitational/teleport/entitlements"
- "github.com/gravitational/teleport/lib/integrations/awsoidc"
+ "github.com/gravitational/teleport/lib/integrations/awsoidc/credprovider"
"github.com/gravitational/teleport/lib/modules"
"github.com/gravitational/teleport/lib/services"
)
@@ -84,7 +84,7 @@ type Configurator struct {
spec *externalauditstorage.ExternalAuditStorageSpec
isUsed bool
- credentialsCache *awsoidc.CredentialsCache
+ credentialsCache *credprovider.CredentialsCache
}
// Options holds options for the Configurator.
@@ -213,7 +213,7 @@ func newConfigurator(ctx context.Context, spec *externalauditstorage.ExternalAud
return nil, trace.Wrap(err)
}
- credentialsCache, err := awsoidc.NewCredentialsCache(awsoidc.CredentialsCacheOptions{
+ credentialsCache, err := credprovider.NewCredentialsCache(credprovider.CredentialsCacheOptions{
Integration: oidcIntegrationName,
RoleARN: awsRoleARN,
STSClient: options.stsClient,
@@ -252,7 +252,7 @@ func (c *Configurator) GetSpec() *externalauditstorage.ExternalAuditStorageSpec
}
// SetGenerateOIDCTokenFn sets the source of OIDC tokens for this Configurator.
-func (c *Configurator) SetGenerateOIDCTokenFn(fn awsoidc.GenerateOIDCTokenFn) {
+func (c *Configurator) SetGenerateOIDCTokenFn(fn credprovider.GenerateOIDCTokenFn) {
c.credentialsCache.SetGenerateOIDCTokenFn(fn)
}
@@ -282,7 +282,7 @@ func (p *Configurator) WaitForFirstCredentials(ctx context.Context) {
// v1Adapter wraps the credentialsCache to implement
// [credentials.ProviderWithContext] used by aws-sdk-go (v1).
type v1Adapter struct {
- cc *awsoidc.CredentialsCache
+ cc *credprovider.CredentialsCache
}
var _ credentials.ProviderWithContext = (*v1Adapter)(nil)