
Use regional STS endpoints for IAM join method

Open nklaassen opened this issue 2 years ago • 0 comments

Fixes https://github.com/gravitational/teleport/issues/10415

Currently the IAM join method always uses the global STS endpoint sts.amazonaws.com as the target for sts:GetCallerIdentity requests. These requests are generated and signed on the Node which is joining the cluster, and the Auth server sends them to the actual endpoint to get the response and verify the identity of the Node.

The problem with always using the "global" endpoint is that it knows nothing about IAM identities in China or GovCloud AWS partitions. Those will need to use the regional endpoint, such as sts.cn-northwest-1.amazonaws.com.cn. There are regional endpoints in the default partition as well, we just haven't been using those.

With this change, the joining Node will attempt to find its local region from its environment or the EC2 IMDS, and generate the signed sts:GetCallerIdentity request for that regional endpoint.

The Auth server must now send the request to the regional endpoint selected by the client. We need to be very careful that the client cannot trick us into using an attacker-controlled endpoint to attempt to verify the client's identity. To do this, we make sure that the AWS SDK resolves the exact same given endpoint for this region.

Backward Compatibility

The Auth server will always accept join requests from Nodes on older versions which use the global STS endpoint; it is still supported.

Upgraded Nodes connecting to an older Auth server (if we release this in a minor, likely 10.2) will still work: they will fall back to using the global endpoint if there is any error trying to use the regional endpoint, which they would hit if the Auth server is on a version which does not yet support regional endpoints.

nklaassen, Aug 09 '22 02:08
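The Auth-side endpoint check described in the PR, as an added example that is not Teleport's own code: a small partition table stands in for the AWS SDK endpoint resolver (an assumed simplification), the region is assumed to be read from the node's signed SigV4 credential scope, and the validator accepts only the global endpoint or the exact host resolved for that region.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// GlobalSTSEndpoint is the legacy target that nodes on older versions still use.
const GlobalSTSEndpoint = "sts.amazonaws.com"
var regionRe = regexp.MustCompile(`^[a-z]{2}(-gov)?-[a-z]+-\d+$`)

// ExpectedSTSHost stands in for the AWS SDK endpoint resolver (assumed simplification):
// China regions live under amazonaws.com.cn, standard and GovCloud under amazonaws.com.
func ExpectedSTSHost(region string) (string, error) {
	if !regionRe.MatchString(region) {
		return "", fmt.Errorf("invalid region %q", region)
	}
	if strings.HasPrefix(region, "cn-") {
		return "sts." + region + ".amazonaws.com.cn", nil
	}
	return "sts." + region + ".amazonaws.com", nil
}

// ValidateSTSEndpoint is the Auth-side check before forwarding a node-supplied
// GetCallerIdentity request. region is the one the node signed for (assumed to come
// from the SigV4 credential scope); the host must be HTTPS and either the global
// endpoint or exactly the host resolved for that region, never an arbitrary name.
func ValidateSTSEndpoint(rawURL, region string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if u.Scheme != "https" || (u.Port() != "" && u.Port() != "443") {
		return fmt.Errorf("refusing endpoint %q: not https on 443", rawURL)
	}
	host := strings.ToLower(u.Hostname())
	if host == GlobalSTSEndpoint {
		return nil // older nodes: the global endpoint is still accepted
	}
	want, err := ExpectedSTSHost(region)
	if err != nil {
		return err
	}
	if host != want {
		return fmt.Errorf("endpoint %q is not the resolved host %q for %q", host, want, region)
	}
	return nil
}
```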

Friendly ping if you guys can review when you get a chance, @gabrielcorado and @zmb3. It looks like the bot chose you for code review as well as docs review.

nklaassen, Aug 12 '22 16:08

@nklaassen See the table below for backport results.

Branch      Result
branch/v10  Create PR
branch/v8   Failed
branch/v9   Create PR

github-actions[bot], Aug 29 '22 18:08