From ab03fbfbd181d10bed3aea07aabb88c5bc457bf9 Mon Sep 17 00:00:00 2001
From: Noah Stride
Date: Wed, 22 Jan 2025 19:29:10 +0000
Subject: [PATCH] [v16] Add `wildcard-workload-identity-issuer` preset role (#51238) (#51346)

* Add `wildcard-workload-identity-issuer` preset role (#51238)
* Add `wildcard-workload-identity-issuer` preset role for UX
* Fix TestPresets
* CLA please update
---
 constants.go            |  6 ++++++
 lib/auth/init.go        |  1 +
 lib/auth/init_test.go   |  1 +
 lib/services/presets.go | 28 ++++++++++++++++++++++++++++
 4 files changed, 36 insertions(+)

diff --git a/constants.go b/constants.go
index 0e79fa1ac9b74..494abf90ab4e6 100644
--- a/constants.go
+++ b/constants.go
@@ -703,6 +703,12 @@ const (
 	// access to Okta resources. This will be used by the Okta requester role to
 	// search for Okta resources.
 	SystemOktaAccessRoleName = "okta-access"
+
+	// PresetWildcardWorkloadIdentityIssuerRoleName is a name of a preset role
+	// that includes the permissions necessary to issue workload identity
+	// credentials using any workload_identity resource. This exists to simplify
+	// Day 0 UX experience with workload identity.
+	PresetWildcardWorkloadIdentityIssuerRoleName = "wildcard-workload-identity-issuer"
 )
 
 var PresetRoles = []string{PresetEditorRoleName, PresetAccessRoleName, PresetAuditorRoleName}
diff --git a/lib/auth/init.go b/lib/auth/init.go
index 5ee2f77f96ebb..e6717cc48d941 100644
--- a/lib/auth/init.go
+++ b/lib/auth/init.go
@@ -989,6 +989,7 @@ func GetPresetRoles() []types.Role {
 		services.NewSystemOktaAccessRole(),
 		services.NewSystemOktaRequesterRole(),
 		services.NewPresetTerraformProviderRole(),
+		services.NewPresetWildcardWorkloadIdentityIssuerRole(),
 	}
 
 	// Certain `New$FooRole()` functions will return a nil role if the
diff --git a/lib/auth/init_test.go b/lib/auth/init_test.go
index b315a012eb249..dc8c582047c69 100644
--- a/lib/auth/init_test.go
+++ b/lib/auth/init_test.go
@@ -536,6 +536,7 @@ func TestPresets(t *testing.T) {
 		teleport.PresetAccessRoleName,
 		teleport.PresetAuditorRoleName,
 		teleport.PresetTerraformProviderRoleName,
+		teleport.PresetWildcardWorkloadIdentityIssuerRoleName,
 	}
 
 	t.Run("EmptyCluster", func(t *testing.T) {
diff --git a/lib/services/presets.go b/lib/services/presets.go
index d163128db9cb4..7799e6c45ce61 100644
--- a/lib/services/presets.go
+++ b/lib/services/presets.go
@@ -501,6 +501,34 @@ func NewPresetRequireTrustedDeviceRole() types.Role {
 	}
 }
 
+// NewPresetWildcardWorkloadIdentityIssuerRole returns a new pre-defined role
+// for issuing workload identities.
+func NewPresetWildcardWorkloadIdentityIssuerRole() types.Role {
+	role := &types.RoleV6{
+		Kind:    types.KindRole,
+		Version: types.V7,
+		Metadata: types.Metadata{
+			Name:        teleport.PresetWildcardWorkloadIdentityIssuerRoleName,
+			Namespace:   apidefaults.Namespace,
+			Description: "Issue workload identities",
+			Labels: map[string]string{
+				types.TeleportInternalResourceType: types.PresetResource,
+			},
+		},
+		Spec: types.RoleSpecV6{
+			Allow: types.RoleConditions{
+				WorkloadIdentityLabels: types.Labels{
+					types.Wildcard: []string{types.Wildcard},
+				},
+				Rules: []types.Rule{
+					types.NewRule(types.KindWorkloadIdentity, RO()),
+				},
+			},
+		},
+	}
+	return role
+}
+
 // SystemOktaAccessRoleName is the name of the system role that allows
 // access to Okta resources. This will be used by the Okta requester role to
 // search for Okta resources.
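Review bot: The doc comment on NewPresetWildcardWorkloadIdentityIssuerRole and the role's Description string say only that the role issues workload identities, which hides that the allow section is wildcard-scoped (`WorkloadIdentityLabels: {types.Wildcard: [types.Wildcard]}`) and therefore covers every workload_identity resource in the cluster, plus read-only rules on the workload_identity kind via `RO()`. The constant's comment in the constants.go hunk does state the wildcard scope and the Day 0 motivation, but the comment next to the role definition is what a reader of presets.go sees, so I would expand it to say the role can issue credentials for any workload_identity resource and is a Day 0 convenience rather than a least-privilege grant, pointing operators at narrower label selectors for production. The UI-facing string should carry the same information, e.g. `Description: "Issue workload identities using any workload_identity resource"`. This role is registered in GetPresetRoles in the lib/auth/init.go hunk, so it presumably gets created on clusters that pick up this release; a one-line comment there or on the constant noting that it is deliberately not in the PresetRoles slice (visible as a context line in constants.go) would help the next reader, if that omission is intended.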