Advanced Identity Center Options
The Identity Center Integration can be configured to handle various advanced use cases that are not necessarily supported by the default installation flow. This guide describes these advanced options and use cases.
AWS authentication methods
The AWS IAM Identity Center integration needs AWS credentials to read Identity
Center resources and manage account assignments. Choose the credential source
that matches your Teleport deployment before running tctl plugins install awsic.
Teleport Cloud
Teleport Cloud clusters use an AWS OIDC integration to authenticate with AWS. Create the AWS OIDC integration first, then pass its name to the Identity Center installer:
$ tctl plugins install awsic \
--no-use-system-credentials \
--oidc-integration ${AWS_OIDC_INTEGRATION_NAME} \
...
Self-Hosted
Self-hosted clusters have two installation options: ambient system credentials and AWS OIDC.
Use ambient credentials when the Auth Service already runs with AWS credentials, such as an EC2 instance profile or another AWS SDK credential source, or when your Teleport Proxy Service endpoint is private.
Use AWS OIDC when AWS can reach your cluster's public Proxy Service endpoint and you want to manage AWS trust through a dedicated Teleport integration.
Ambient system credentials
The ambient credentials must be able to assume the IAM role used by the integration.
$ tctl plugins install awsic \
--use-system-credentials \
--assume-role-arn ${AWS_IAM_ROLE_ARN} \
...
AWS OIDC integration
Create the AWS OIDC integration first, then pass its name to the Identity Center installer.
$ tctl plugins install awsic \
--no-use-system-credentials \
--oidc-integration ${AWS_OIDC_INTEGRATION_NAME} \
...
Disabling Account Assignment role creation
By default, the AWS Identity Center integration will create a Teleport role for every possible combination of AWS Account and Permission Set managed by your AWS Identity Center instance. If your Identity Center controls a large number of AWS Accounts and/or Permission Sets, this may end up creating so many roles that it starts to affect Teleport's performance.
To avoid creating these Account Assignment roles, create the AWS IC
integration with this feature disabled by specifying --roles-sync-mode NONE
when creating the integration with tctl.
Setting the Roles Sync Mode is only available when installing the Identity Center
integration via tctl.
Roles Sync Mode NONE is only available during installation. The Roles Sync Mode
can be changed to ALL later, but you can't go back the other way.
Choose the installation command for your Teleport deployment:
Teleport Cloud
Teleport Cloud clusters authenticate with AWS through an AWS OIDC integration. Create the AWS OIDC integration first, then use this command.
$ tctl plugins install awsic \
--instance-arn ${IDENTITY_CENTER_INSTANCE_ARN} \
--instance-region ${IDENTITY_CENTER_INSTANCE_REGION} \
--no-use-system-credentials \
--oidc-integration ${AWS_OIDC_INTEGRATION_NAME} \
--scim-url ${IDENTITY_CENTER_SCIM_BASE_URL} \
--scim-token ${IDENTITY_CENTER_SCIM_BEARER_TOKEN} \
--access-list-default-owner ${TELEPORT_ACCESS_LIST_DEFAULT_OWNER} \
--roles-sync-mode NONE
Self-Hosted
Self-hosted clusters can use either ambient system credentials or AWS OIDC. For guidance on choosing a credential source, see AWS authentication methods.
Ambient system credentials
This command uses the AWS credential provider chain available to the Auth
Service. The credentials must be able to assume the IAM role passed in
--assume-role-arn.
$ tctl plugins install awsic \
--instance-arn ${IDENTITY_CENTER_INSTANCE_ARN} \
--instance-region ${IDENTITY_CENTER_INSTANCE_REGION} \
--use-system-credentials \
--assume-role-arn ${AWS_IAM_ROLE_ARN} \
--scim-url ${IDENTITY_CENTER_SCIM_BASE_URL} \
--scim-token ${IDENTITY_CENTER_SCIM_BEARER_TOKEN} \
--access-list-default-owner ${TELEPORT_ACCESS_LIST_DEFAULT_OWNER} \
--roles-sync-mode NONE
AWS OIDC integration
This command uses the AWS OIDC integration named by --oidc-integration instead
of ambient AWS credentials. Create the AWS OIDC integration before running the
installer.
$ tctl plugins install awsic \
--instance-arn ${IDENTITY_CENTER_INSTANCE_ARN} \
--instance-region ${IDENTITY_CENTER_INSTANCE_REGION} \
--no-use-system-credentials \
--oidc-integration ${AWS_OIDC_INTEGRATION_NAME} \
--scim-url ${IDENTITY_CENTER_SCIM_BASE_URL} \
--scim-token ${IDENTITY_CENTER_SCIM_BEARER_TOKEN} \
--access-list-default-owner ${TELEPORT_ACCESS_LIST_DEFAULT_OWNER} \
--roles-sync-mode NONE
Roles Sync Modes
The Roles Sync Mode controls whether the IC integration will create Account
Assignment roles for each possible AWS Account Assignment. There are currently
two possible values: ALL (create roles for all possible Account Assignments)
and NONE (do not create roles for any possible Account Assignment).
The integration's Group Import process uses these Account Assignment roles to
provision access for the Access Lists it creates. To prevent the integration
from creating invalid Access Lists, setting the Roles Sync Mode to NONE also
requires that the integration's Group Import filter contain a single exclude-all clause.
Teleport enforces this restriction, preventing the accidental creation of an invalid configuration.
Switching Roles Sync Modes
After installation you can switch the Roles Sync Mode from NONE to ALL using
tctl plugins edit.
$ tctl plugins edit awsic --roles-sync-mode ALL
Moving from Roles Sync Mode ALL to NONE could cause Teleport to delete roles
that are in use, so that transition is not allowed.
Currently the only way to move back to NONE is to delete and re-install the integration.
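The two constraints described in the Roles Sync Modes and Switching Roles Sync Modes sections, modeled as an added Go example (not Teleport's own code): the FilterClause and Config types are hypothetical simplifications standing in for the integration's Group Import filter and plugin settings.

```go
package main

import (
	"errors"
	"fmt"
)

// RolesSyncMode takes the two values described above: ALL or NONE.
type RolesSyncMode string
const (
	RolesSyncModeAll  RolesSyncMode = "ALL"
	RolesSyncModeNone RolesSyncMode = "NONE"
)
// FilterClause is a hypothetical, simplified Group Import filter clause;
// Exclude=true with Match="*" is an exclude-all clause.
type FilterClause struct {
	Exclude bool
	Match   string
}
// Config is a hypothetical model of the integration settings discussed above.
type Config struct {
	RolesSyncMode RolesSyncMode
	GroupImport   []FilterClause
}

// Validate enforces the invariant from the text: with NONE there are no Account
// Assignment roles to grant, so the Group Import filter must be exactly one
// exclude-all clause, or the integration would create invalid Access Lists.
func (c Config) Validate() error {
	switch c.RolesSyncMode {
	case RolesSyncModeAll:
		return nil
	case RolesSyncModeNone:
		if f := c.GroupImport; len(f) == 1 && f[0].Exclude && f[0].Match == "*" {
			return nil
		}
		return errors.New("roles sync mode NONE requires a single exclude-all group import clause")
	default:
		return fmt.Errorf("unknown roles sync mode %q", c.RolesSyncMode)
	}
}

// CheckTransition models the one-way switch: NONE -> ALL is allowed; ALL -> NONE
// is refused because it could delete Account Assignment roles that are in use.
func CheckTransition(from, to RolesSyncMode) error {
	if from == RolesSyncModeAll && to == RolesSyncModeNone {
		return errors.New("cannot move from ALL to NONE; delete and re-install the integration instead")
	}
	return nil
}
```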