MFA for App Access - `tsh` for cloud apps

Open Joerger opened this issue 1 year ago • 0 comments

Adds MFA for Cloud App access support with:

  1. Extended TTL MFA-verified certs for proxy requests
  2. Automatic certificate renewal
  3. Automatic local CA renewal

(2) and (3) are important for users with a low `max_session_ttl` setting, which is common in per-session MFA setups.

Many refactors were required to obtain feature parity with `tsh proxy app` and avoid duplicated logins and other accumulated cruft in the previous implementation.

TODO:

  • [x] Enable the reuse of 1-minute TTL certs for flows like `tsh apps login awsconsole && tsh aws ...` to avoid re-logins
  • [ ] Manual testing (before merging)
    • [x] AWS
    • [ ] Azure
    • [ ] GCP

Joerger, Apr 28 '24 23:04