Refresh the AWS app access guide #37857
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
🤖 Vercel preview here: https://docs-nk7z1t24v-goteleport.vercel.app/docs/ver/preview |
In this section, you will configure an AWS role to enable access to with the | ||
Teleport Application Service. |
In this section, you will configure an AWS role to enable access to with the | |
Teleport Application Service. | |
In this section, you will configure an AWS role to enable access for the | |
Teleport Application Service. |
I agree that this sentence is unclear, but I'm not sure this rephrasing helps, since it sounds like only the Application Service requires this access. I've suggested adding more context to this paragraph.
|`AssumeRole`|IAM policy|Allows the Application Service to assume other roles in order to proxy user requests to AWS.| | ||
|`TeleportAWSAccess` (for EC2 deployments) |EC2 instance profile|Associates the `TeleportAWSAccess` role with your EC2 instance.| | ||
|
||
### Configure a role to enable access to |
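Review bot: In the `AssumeRole` row, "assume other roles" leaves the scope of the policy open, so a reader auditing the IAM resources this guide creates cannot tell from the table which roles the Application Service may assume. Name the role or roles the policy covers in the description column, or say that the policy is limited to the roles created in this guide if that is the case. The heading on the last line of the hunk, "Configure a role to enable access to", also ends on a dangling "to" and needs its object.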
### Configure a role to enable access to | |
### Configure a role to enable access for Teleport Application Service |
I've suggested "Configure a role for Teleport users to request", which I think makes more sense for this setup step. Otherwise, this section seems to overlap with the later section called, "Give the Teleport Application Service permissions to assume roles".
this operation. (We will create the `TeleportAWSAccess` role later in Step | ||
1.) |
don't think step 1 is accurate. i think you meant the next section, step 2?
this operation. (We will create the `TeleportAWSAccess` role later in Step | |
1.) | |
this operation. (We will create the `TeleportAWSAccess` role later in the next section) |
The role creation happens in the section, "Give the Teleport Application Service permissions to assume roles", which is later in step 1. If this is causing confusion, though, I'll change the wording to "later in this guide".
} | ||
``` | ||
|
||
In the configuration we show in this guide, the Teleport Application Service |
sorry i'm new to this stuff, what configuration are you referring to?
"Configuration" should be "setup", referring to everything the reader will have accomplished by the time they finish the guide.
|
||
1. Use the following command to start a local HTTPS proxy server, which forwards | ||
AWS API traffic to the Teleport Application Service. Leave the terminal where | ||
you run the command open since it runs in the foreground: |
you run the command open since it runs in the foreground: | |
you ran the command open since it runs in the foreground: |
Suggested a clearer wording since "run" and "ran" can be ambiguous in this paragraph.
Issues closed:
--------------

Add a statement of benefits, a brief architecture overview, more troubleshooting information, and a summary of IAM resources created in this guide. Closes #10853

Add troubleshooting re: trust relationships and checking logs. Closes #17880

Add more explicit trust relationship guidance and use CLI examples instead of console screenshots. Closes #34167

Add more context re: the trust relationship instructions. Closes #11797

Add instructions that a user can follow to deploy the Application Service on EKS. Closes #24373

Other changes to make the guide easier to follow:
-------------------------------------------------

- Only show one IAM role. Remove the `ExamplePowerUser` role for simplicity.
- Use the `aws` CLI for creating IAM resources. This is faster to follow than the current approach, takes up less page real estate, and doesn't require screenshots. Using the CLI also makes the trust relationship instructions more explicit.
- Move external links to a "Further reading" section so readers can get through the guide more quickly.
- Remove the video, since it's long out of date.
- Reduce the number of steps: Convert steps into H3s in order to make it easier to form a mental model of the guide and make the step count less intimidating.
- Add EC2 instance profile instructions.
- Add a quick boto3 python example for `tsh proxy aws`

- Say "EKS" instead of just "Kubernetes" in the prerequisites.
- Edit the trust policy for the `ExampleReadOnlyAccess` role in the cross-account use case to include an external ID and require a specific role for the principal.

- Fix unclear subsection intro sentence.
- Fix a potentially confusing reference to Step 1.
- Fix an unclear use of "configuration".
- Clarify a heading.
- Minor clarity/accuracy improvements.
- Use a Var component for the Proxy Service address in the Linux server config file snippet.
Closes #36458 (tracking issue)
Other issues closed:
Add a statement of benefits, a brief architecture overview, more troubleshooting information, and a summary of IAM resources created in this guide.
Closes #10853
Add troubleshooting re: trust relationships and
checking logs.
Closes #17880
Add more explicit trust relationship guidance and use CLI examples instead of console screenshots.
Closes #34167
Add more context re: the trust relationship
instructions.
Closes #11797
Add instructions that a user can follow to deploy the Application Service on EKS.
Closes #24373
Other changes to make the guide easier to follow:
- Only show one IAM role. Remove the `ExamplePowerUser` role for simplicity.
- Use the `aws` CLI for creating IAM resources. This is faster to follow than the current approach, takes up less page real estate, and doesn't require screenshots. Using the CLI also makes the trust relationship instructions more explicit.
- Add a quick boto3 python example for `tsh proxy aws`