Comments (1)
With @Joerger we discussed the following approaches:
Use the user's local ~/.tsh profile and MFA
This approach removes the use of impersonation, Terraform would run as the user.
The user would get prompted for MFA when running Terraform.
This approach offers a simple setup flow (no additional user, role, bot, just use your rights) and a strong security posture (MFA for admin security properties are preserved).
This approach requires the user to have the appropriate rights. This was already the case indirectly with the previous impersonation approach. This means users potentially have higher standing privileges by default, although most users applying Terraform code are very likely already editors/
Use impersonated certificates + user MFA
This approach is a port of the current impersonation approach, but with "MFA for admin" support.
This implies:
- adding support for requesting the impersonator MFA during impersonated actions.
- adding TF provider support for prompting MFA (similar to the 1st approach)
Allow the user to sign certs bypassing from "MFA for admin"
This would make the old approach functional again. However, this would remove most security benefits brought by "MFA for Admin"
Allow Terraform to run MachineID natively
This would partially address the UX issue. The user would pass a bot token to Terraform, and Terraform would do the MachineID dance to get Bot certs, without the need for tbot.
This improves the UX locally, but also in the CI: you can pass to Terraform a GHA token and let it get the certs automatically.
However this doesn't address the security aspect of having long-lived/renewable admin certificates not subject to MFA on every admin laptop.