@marcoandredinis
Contributor

Some users have hundreds of AWS Accounts and add/remove them with high frequency.

In order to allow them to set a single IAM Join Token which allows any node to join the cluster as long as it is part of an account which belongs to an Organization, the IAM Join Token is changed so that we are able to filter which AWS Organizations can join the cluster.

@github-actions

github-actions bot commented Dec 5, 2025

Amplify deployment status

| Branch | Commit | Job ID | Status | Preview | Updated (UTC) |
| --- | --- | --- | --- | --- | --- |
| marco/provisiontoken_iam_org_proto | HEAD | 1 | ✅ SUCCEED | marco-provisiontoken-iam-org-proto | 2025-12-05 15:00:43 |

Comment on lines +1493 to +1494
// AWSOrganizationID is used for the IAM join method, the AWS identity of joining nodes
// must belong to this organization.
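
Review bot: The godoc for AWSOrganizationID (lines +1493 to +1494) does not say what an empty value means, that is, whether the organization check is skipped or the join is refused when the field is unset. Because this field decides which nodes may join the cluster, spell out the unset behavior in the comment, and state the expected form of the organization ID so a mistyped value is easy to spot in review.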
Contributor

nit: can you add a "Not implemented yet." in the godoc if you are planning to backport this now? You can disregard this comment if you're planning to backport all PRs at the same time.

This will prevent the field from landing in the resource reference and people trying to use it while it has no effect.

Similarly, when you're done backporting the feature to v18, it would be nice to add "Requires version 18.x.y" to the godoc.

Contributor Author

I'll skip for now and only add the released in/requires version as I'm close to merging the PR in v18.

Labels

backport/branch/v18, documentation, helm, no-changelog, size/sm
