
Auto Import tags from GCP into Teleport

Open TeleLos opened this issue 1 year ago • 6 comments

What would you like Teleport to do? We would like any labels on a GCP instance to be imported into Teleport.

What problem does this solve? This would allow customers to have additional labeling options for RBAC. Using the prefix "gcp", similar to how aws tags are displayed in Teleport, would work well for the customer.

If a workaround exists, please include it. Currently there is no workaround.

TeleLos avatar Jan 17 '24 20:01 TeleLos

Pretty sure this was implemented last year in #28562.

@r0mant @atburke can you confirm?

zmb3 avatar Jan 17 '24 21:01 zmb3

No, importing tags was not part of #28562.

atburke avatar Jan 17 '24 21:01 atburke

As a workaround, if the tags are retrievable via `curl http://metadata.google.internal/computeMetadata/v1/instance/tags -H Metadata-Flavor:Google`, then they could be pulled individually or preset via a script.

stevenGravy avatar Jan 18 '24 16:01 stevenGravy

As a workaround, if the tags are retrievable via `curl http://metadata.google.internal/computeMetadata/v1/instance/tags -H Metadata-Flavor:Google`, then they could be pulled individually or preset via a script.

This does return labels of instances.

Does the Discovery service support a commands block? It is not documented in https://goteleport.com/docs/reference/config/#discovery-service

darend avatar Jan 18 '24 17:01 darend

As a workaround, if the tags are retrievable via `curl http://metadata.google.internal/computeMetadata/v1/instance/tags -H Metadata-Flavor:Google`, then they could be pulled individually or preset via a script.

This does return labels of instances.

Does the Discovery service support a commands block? It is not documented in https://goteleport.com/docs/reference/config/#discovery-service

As part of discovery you can set the install script, so that would let you define the labeling commands.

stevenGravy avatar Jan 18 '24 17:01 stevenGravy

After some testing we found:

  • The http://metadata.google.internal/computeMetadata/v1/instance/tags endpoint returns Network Tags (keys) and not Labels. You could mangle them into a Teleport label by making them appear as a key/value. Using these as Teleport labels for RBAC feels like a mismatch, though.
  • GCP does not appear to expose Instance Labels via the metadata API. You have to call the cloud API, which requires auth: https://cloud.google.com/compute/docs/reference/rest/v1/instances/get

An approach that can work is setting the desired Teleport labels as custom metadata: https://cloud.google.com/compute/docs/metadata/setting-custom-metadata. The Teleport install script can then be updated to fetch your custom labels using `curl -m5 -sS -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/attributes/<custom_key>"`.

darend avatar Jan 19 '24 18:01 darend
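As an added example (not Teleport's own code and not from this thread), a shell fragment for the install script that implements the custom-metadata approach above: it lists the instance's custom metadata keys, picks those carrying an assumed `teleport-label-` prefix, and renders them as `gcp/`-prefixed labels in a `teleport.yaml` `ssh_service` block. The key prefix, the helper names and the output shape are assumptions.

```shell
#!/bin/sh
# Added example (not Teleport's own code): turn GCE custom metadata keys with a
# hypothetical "teleport-label-" prefix into a Teleport labels block for teleport.yaml.
set -eu

MD_BASE="http://metadata.google.internal/computeMetadata/v1/instance/attributes"
LABEL_PREFIX="teleport-label-"   # assumed naming convention for metadata keys

# list_attrs: newline-separated names of all custom metadata keys on this instance.
list_attrs() {
    curl -m5 -sS -f -H "Metadata-Flavor: Google" "$MD_BASE/" 2>/dev/null || true
}

# fetch_attr KEY: value of one custom metadata key (empty if unset or unreachable).
fetch_attr() {
    curl -m5 -sS -f -H "Metadata-Flavor: Google" "$MD_BASE/$1" 2>/dev/null || true
}

# sanitize STR: metadata is free text set by whoever can edit the instance, so keep
# only a conservative character set and cap the length before it lands in YAML.
sanitize() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9_./-' | cut -c1-64
}

# render_labels: emit '    gcp/<name>: "<value>"' lines, mirroring the aws/ prefix style.
render_labels() {
    list_attrs | while IFS= read -r key; do
        case "$key" in
            "$LABEL_PREFIX"*) ;;
            *) continue ;;
        esac
        name=$(sanitize "${key#"$LABEL_PREFIX"}")
        value=$(sanitize "$(fetch_attr "$key")")
        # skip empty names or values rather than emitting a broken YAML entry
        [ -n "$name" ] && [ -n "$value" ] || continue
        printf '    gcp/%s: "%s"\n' "$name" "$value"
    done
}

# write_config: ssh_service fragment with the discovered labels, ready to splice
# into the teleport.yaml written by the install script.
write_config() {
    printf 'ssh_service:\n  enabled: yes\n  labels:\n'
    render_labels
}

write_config
```

Labels produced this way are only as trustworthy as write access to the instance's metadata, so RBAC rules keyed on them should be paired with tight control over who can set that metadata.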