Teleport AWS integration now stores OIDC configuration in S3

[r0mant]

What happened?

Teleport registers itself as an Amazon IAM Identity Provider to use AWS APIs.

When validating API requests coming from Teleport, AWS fetches the public key using the Identity Provider URL available at https://<teleport-proxy>/.well-known/jwks-oidc. In addition, AWS validates the thumbprint which is calculated based on the endpoint certificate. It uses the top intermediate CA that signed the certificate.

Teleport Cloud uses Let's Encrypt to issue certificates. Recently, Let’s Encrypt changed their chain of trust, leading to a thumbprint's change. As such, certificates signed after Feb 8th, 2024 will have a new thumbprint which is not trusted by AWS, unless users add the new thumbprint.

What we’ve done to address this

Teleport AWS OIDC integration setup now stores the public key and OIDC provider configuration in a public S3 location. When fetching OIDC metadata from S3, AWS bypasses thumbprint validation so signing CA changes will not be affecting the integration going forward.

Impact

Without this configuration change, the following features will stop working after certificate renewal:

• External audit storage
• Enrolling new resources that use the integration
• Accessing EC2 instances that were added using the integration
• Auto-discovery / auto-enrollment configurations that use the integration

Teleport will log the following error message in its logs: OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint.

Actions

Update AWS OIDC Integration configuration on your Teleport cluster by following the steps below:

• Navigate to Access Management/Integrations page in Teleport web UI.
• Check the AWS integration’s Status field:
  • If the status is "Integration needs updating", follow the instructions to setup S3 bucket that will contain Teleport’s OIDC provider configuration.
  • If you don't have an Integration or its status is "Running", you can disregard this email.

If having public buckets is not allowed in your AWS Account you can temporarily add the following thumbprint to ensure the integrations keeps working.

• Navigate to https://console.aws.amazon.com/iam/home#/identity_providers
• Select the Teleport Provider (eg, tenant.teleport.sh)
• Click on Manage in the Thumbprint section and add the following one: a053375bfe84e8b748782c7cee15827a6af5a405

Please note that Let's Encrypt is changing their CAs (https://letsencrypt.org/2024/03/19/new-intermediate-certificates) and this can break as soon as a new certificate is generated.
The above only applies to Teleport Cloud clusters and self-hosted that use the Let's Encrypt for generating certificates.