Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Display available allowed logins for leaf AWS Console Apps in the root Web UI #44611

Merged
merged 1 commit into from
Jul 25, 2024
Merged

Display available allowed logins for leaf AWS Console Apps in the root Web UI #44611

merged 1 commit into from
Jul 25, 2024

Conversation

gabrielcorado
Copy link
Contributor

@gabrielcorado gabrielcorado commented Jul 25, 2024
edited
Loading

Related to https://github.com/gravitational/customer-sensitive-requests/issues/303 and #44410.

This change follows the same solution used by SSH logins (introduced by #39579), where allowed logins (AWS ARN roles) are returned by the auth server (through enriched resources) instead of by the API.

Given this change, we must also keep the root AWS role ARNs on the remote access info. Otherwise, the enriched resource will only contain the leaf cluster roles.

As a result, the roles shown in the Web UI will include AWS role ARNs from the user, root cluster roles, and leaf cluster roles.

changelog: Correctly display available allowed logins of leaf AWS Console Apps in the root cluster Web UI

@gravitational gravitational deleted a comment from github-actions bot Jul 25, 2024
@rosstimothy
Copy link
Contributor

I think in order for #44410 to be closed we need to address tsh app login as well. It is pulling AWS ARN information from the root certificate when logging into an app in a leaf cluster.

@flyinghermit flyinghermit removed their request for review July 25, 2024 13:10
greedy52
greedy52 approved these changes Jul 25, 2024
View reviewed changes
Copy link
Contributor

@greedy52 greedy52 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested and worked great (for WebUI). We might want to do a separate fix for GCP and Azure which function similar way.

@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from espadolini July 25, 2024 14:24
@gabrielcorado gabrielcorado added this pull request to the merge queue Jul 25, 2024
@greedy52 greedy52 removed this pull request from the merge queue due to a manual request Jul 25, 2024
@greedy52 greedy52 added this pull request to the merge queue Jul 25, 2024
Merged via the queue into master with commit 2db4bc0 Jul 25, 2024
42 of 43 checks passed
@greedy52 greedy52 deleted the gabrielcorado/list-leaf-aws-console-roles branch July 25, 2024 15:10
This was referenced Aug 1, 2024
Merged
Merged
@zmb3 zmb3 mentioned this pull request Aug 5, 2024
Closed
@gabrielcorado gabrielcorado mentioned this pull request Sep 20, 2024
Open
@joaoubaldo joaoubaldo mentioned this pull request Dec 1, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rosstimothy rosstimothy rosstimothy approved these changes

@greedy52 greedy52 greedy52 approved these changes

Assignees
No one assigned
Labels
size/md
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@gabrielcorado @rosstimothy @greedy52