AWS OIDC Integration for VPN protected clusters

[marcoandredinis]

What would you like Teleport to do?
Integrate with AWS when Teleport cluster is deployed without an Internet-public endpoint.
Eg, internal network protected by VPN

What problem does this solve?
Some deployments of Teleport are only accessible in an internal network.
In those cases, the AWS OIDC Integration is not completed because Amazon can't:

• get for the endpoint's thumbprint
• HTTP GET the openid configuration available at https://<proxy.example.com>/.well-known/openid-configuration
• HTTP GET the public keys referenced above

If a workaround exists, please include it.

[marcoandredinis]

Should be fixed by #38782

[marcoandredinis]

Users should be able to set up the AWS OIDC Integration even if their cluster is not public facing.
To do this, when the script is generated, users must run it on a machine that has AWS Credentials and access to the teleport proxy endpoint (https/website).
Alternatively, users can fetch the script (run the curl https://... part), copy that script to CloudShell and then run it.

[Alex-Giaquinto]

@marcoandredinis I did this, but now when I try to enroll my EKS clusters, I am getting this error

rpc error: code = Unknown desc = operation error EKS: ListClusters, get identity: get credentials: failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity, exceeded maximum number of attempts, 3, https response error StatusCode: 400, RequestID: xxx, InvalidIdentityToken: Couldn't retrieve verification key from your identity provider, please reference AssumeRoleWithWebIdentity documentation for requirements

Not sure what to do.

[marcoandredinis]

When I wrote this comment we had another method for setting up the integration, which used S3 buckets.
However, that method was not easy to follow and caused a lot of issues.
Some time ago, AWS changed the primitives for setting up the OIDC IdP, which allowed us to simplify the integration
https://aws.amazon.com/about-aws/whats-new/2024/07/aws-identity-access-management-open-id-connect-identity-providers/

We decided to remove that method, and only provide the simpler one.

I'll re-open the issue because it also means we can't use the Integration in clusters which are not publicly accessible.

[D3CK3R]

Are there any news on this issue?

[marcoandredinis]

There's no updates on this.
I'll keep asking internally but, so far, the sentiment is that we are unlikely to revert this change.

The best I can give is the docs version when we had this working.
It should still work for a couple of versions because we try to not break existing customers.
However, this is not recommended and might stop working on a future release (a changelog note will be included when we do so).

https://docs-ayi2ddc7g-goteleport.vercel.app/docs/management/guides/awsoidc-integration/

Please bear in mind that this is a temporary link and might disappear soon.
If it does, then the only way to read it is to use the versioned markdown file
https://github.com/gravitational/teleport/blob/8525347113afd370c0869f3fc885e7f0b543f8bc/docs/pages/management/guides/awsoidc-integration.mdx