From fd0dfc7264baf43636808b87ce2cdd10684ac30f Mon Sep 17 00:00:00 2001
From: Gavin Frazar
Date: Fri, 21 Jun 2024 12:29:31 -0700
Subject: [PATCH] [v14] update discovery config references

* add more explanation for discovery_group
* document setup_access_for_arn for our EKS bootstrap
---
 .../pages/includes/discovery/discovery-config.yaml | 14 +++++++++++---
 docs/pages/kubernetes-access/discovery.mdx | 6 ++++++
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/docs/pages/includes/discovery/discovery-config.yaml b/docs/pages/includes/discovery/discovery-config.yaml
index cf770f2db6d71..ac92f3ee8067b 100644
--- a/docs/pages/includes/discovery/discovery-config.yaml
+++ b/docs/pages/includes/discovery/discovery-config.yaml
@@ -1,10 +1,13 @@
 discovery_service:
   enabled: "yes"
   # discovery_group is used to group discovered resources into different
-  # sets. This is useful when you have multiple Teleport Discovery services
-  # running in the same cluster but polling different cloud providers or cloud
-  # accounts. It prevents discovered services from colliding in Teleport when
+  # sets. This is required when you have multiple Teleport Discovery services
+  # running. It prevents discovered services from colliding in Teleport when
   # managing discovered resources.
+  # If two Discovery Services match the same resources, they must be in the
+  # same discovery group.
+  # If two Discovery Services match different resources, they must be in
+  # different discovery groups.
   discovery_group: "disc-group"
   # poll_interval is the cadence at which the discovery server will run each of its
   # discovery cycles. The default is 5m.
@@ -51,6 +54,11 @@ discovery_service:
         # executed when installing teleport on matching nodes
         # Optional, defaults to: "TeleportDiscoveryInstaller".
         document_name: "TeleportDiscoveryInstaller"
+      # Optional role for which the Discovery Service should create the EKS access entry.
+      # If not set, the Discovery Service will attempt to create the access
+      # entry using its own identity.
+      # If used, the role must match the role configured for a Teleport Kubernetes Service.
+      setup_access_for_arn: arn:aws:iam::123456789012:role/kube-service-role
   # Matchers for discovering Azure-hosted resources.
   azure:
     # Azure resource types. Valid options are:
diff --git a/docs/pages/kubernetes-access/discovery.mdx b/docs/pages/kubernetes-access/discovery.mdx
index eb0d0b73c98c4..c7346c4856f3d 100644
--- a/docs/pages/kubernetes-access/discovery.mdx
+++ b/docs/pages/kubernetes-access/discovery.mdx
@@ -80,6 +80,12 @@ discovery_service:
       # Optional section: Defaults to "*":"*"
       tags:
         "env": "prod"
+      # AWS role to assume when discovering resources in the AWS Account.
+      # This value is an optional AWS role ARN to assume when polling EKS clusters
+      assume_role_arn: arn:aws:iam::123456789012:role/iam-discovery-role
+      # External ID is an optional value that should be set when accessing
+      # your AWS account from a third-party service (delegated access).
+      external_id: "example-external-id"
   # Matchers for discovering Azure-hosted resources.
   azure:
     # Azure resource types. Valid options are: