AWS OIDC Integration

This guide explains how to set up the Teleport AWS OIDC integration.

With the AWS OIDC integration you will no longer need to deploy Teleport agents in AWS manually for most use cases. The following features use an AWS OIDC integration to interact with AWS:

External Audit Storage

RDS Auto Discovery

EC2 Auto Discovery

Access Graph AWS Sync

This guide targets users who prefer a more manual approach or who want to manage the integration with Infrastructure as Code tools.

As an alternative to this guide, you can use the Teleport Web UI (Access Management / Enroll New Integration).

Teleport is added as an OpenID Connect identity provider to establish trust with your AWS account and assume a configured IAM role in order to access AWS resources.

For this to work, the OpenID Connect discovery document and the public keys used to verify Teleport-issued tokens are automatically exposed by your cluster. AWS fetches them over HTTPS, so the proxy address you register as the provider URL must be reachable from AWS:

    curl https://teleport.example.com/.well-known/openid-configuration

The integration requires no extra configuration or services to run.

Initially, no policies are attached to the IAM role; you are asked to add them the first time you use a given feature. For example, when setting up External Audit Storage, you will be asked to add the policies that feature requires to this IAM role.

AWS Resources created by the integration are tagged so that you can search and export them using the AWS Resource Groups / Tag Editor. The following tags are applied:

    teleport.dev/cluster       cluster-name
    teleport.dev/origin        integration_awsoidc
    teleport.dev/integration   my-integration

A running Teleport cluster.

AWS Account with permissions to create IAM Identity Providers and roles

To configure the integration you will need the following allow rules in one of your Teleport roles. These are available by default in the preset editor role:

    kind: role
    version: v7
    metadata:
      name: example
    spec:
      allow:
        rules:
        - resources:
          - integration
          verbs:
          - create
          - update
          - list
          - read
          - delete
          - use

Navigate to AWS IAM Identity Provider and configure the Identity Provider:

Provider type: OpenID Connect

Provider URL:

    https://teleport.example.com

Audience: discover.teleport

You should also add the following tags to help you track the resource in the future:

    teleport.dev/cluster       cluster-name
    teleport.dev/origin        integration_awsoidc
    teleport.dev/integration   my-integration

Create an IAM role (called iam-role in the examples below); the policies each feature requires are attached to this role.

This IAM role is created without any policy, as policies are added depending on the feature you want to use, for example when setting up Access Graph AWS Sync. However, it must be configured to allow the Identity Provider to assume it. To achieve this, add the following Trust Relationship. The Federated principal restricts the role to tokens issued by this cluster's provider, and the StringEquals condition on aud restricts it further to tokens Teleport issues with the discover.teleport audience; keep both in place.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::aws-account-id:oidc-provider/teleport.example.com"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "teleport.example.com:aud": "discover.teleport"
            }
          }
        }
      ]
    }

You must also add the following tags; Teleport checks them to confirm it may modify this IAM role when onboarding new features:

    teleport.dev/cluster       cluster-name
    teleport.dev/origin        integration_awsoidc
    teleport.dev/integration   my-integration

Create a file called awsoidc-integration.yaml with the following content:

    kind: integration
    sub_kind: aws-oidc
    version: v1
    metadata:
      name: my-integration
    spec:
      aws_oidc:
        role_arn: "arn:aws:iam::aws-account-id:role/iam-role"

Create the resource:

    tctl create -f awsoidc-integration.yaml
    integration 'my-integration' has been created
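The manual steps above (discovery check, identity provider, IAM role with its trust relationship and tags, integration resource) as a single scripted pass. This is an added example, not Teleport's own tooling. It assumes the AWS CLI, curl and tctl are on PATH with credentials that can create IAM identity providers and roles; teleport.example.com, cluster-name, iam-role and my-integration are the guide's placeholders and can be overridden through environment variables; the AWSOIDC_APPLY guard and the file names are this example's own conventions so that sourcing the file creates nothing.

```shell
#!/bin/sh
# Added example (not Teleport's code): scripted version of the manual setup.
set -eu

PROXY_HOST="${PROXY_HOST:-teleport.example.com}"        # public proxy address (assumed placeholder)
AUDIENCE="discover.teleport"                             # audience Teleport sets on integration tokens
CLUSTER_NAME="${CLUSTER_NAME:-cluster-name}"
INTEGRATION_NAME="${INTEGRATION_NAME:-my-integration}"
ROLE_NAME="${ROLE_NAME:-iam-role}"

# The three tags the guide requires, in the Key=,Value= form the IAM CLI expects.
tag_args() {
  printf 'Key=teleport.dev/cluster,Value=%s Key=teleport.dev/origin,Value=integration_awsoidc Key=teleport.dev/integration,Value=%s' \
    "$CLUSTER_NAME" "$INTEGRATION_NAME"
}

# Trust relationship: only tokens from this cluster's provider that carry the
# expected audience may assume the role.  Args: account-id proxy-host audience
render_trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::$1:oidc-provider/$2"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "$2:aud": "$3"
        }
      }
    }
  ]
}
EOF
}

# Teleport integration resource.  Args: integration-name role-arn
render_integration_yaml() {
  cat <<EOF
kind: integration
sub_kind: aws-oidc
version: v1
metadata:
  name: $1
spec:
  aws_oidc:
    role_arn: "$2"
EOF
}

# AWS must be able to fetch the discovery document from the proxy; fail early if we cannot.
check_discovery() {
  curl -fsS "https://${PROXY_HOST}/.well-known/openid-configuration" | grep -q '"jwks_uri"'
}

apply() {
  ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
  PROVIDER_ARN="arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${PROXY_HOST}"
  ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}"

  check_discovery

  # Identity provider, created only if absent.  Older AWS CLI releases also
  # require --thumbprint-list; append it if yours does.
  if ! aws iam get-open-id-connect-provider --open-id-connect-provider-arn "$PROVIDER_ARN" >/dev/null 2>&1; then
    aws iam create-open-id-connect-provider \
      --url "https://${PROXY_HOST}" \
      --client-id-list "$AUDIENCE" \
      --tags $(tag_args)
  fi

  # Role with trust relationship and tags only; feature policies are attached later.
  if ! aws iam get-role --role-name "$ROLE_NAME" >/dev/null 2>&1; then
    render_trust_policy "$ACCOUNT_ID" "$PROXY_HOST" "$AUDIENCE" > trust-policy.json
    aws iam create-role \
      --role-name "$ROLE_NAME" \
      --assume-role-policy-document file://trust-policy.json \
      --tags $(tag_args)
  fi

  render_integration_yaml "$INTEGRATION_NAME" "$ROLE_ARN" > awsoidc-integration.yaml
  tctl create -f awsoidc-integration.yaml
}

# Nothing is created unless explicitly requested:  AWSOIDC_APPLY=1 sh awsoidc-setup.sh
if [ "${AWSOIDC_APPLY:-0}" = "1" ]; then
  apply
fi
```

The two render functions are kept free of side effects so the generated trust policy and integration manifest can be reviewed, or committed alongside other Infrastructure as Code, before anything is created; the `aws iam get-*` checks make a rerun safe after a partial failure.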

After the setup is complete, you can use the "Enroll New Resource" flow in the Teleport Web UI, or any other feature that depends on the integration.

Now that you have an integration, you can use the following features: