package
18.0.0-dev.vnet-windows.4+incompatible
Repository: https://github.com/gravitational/teleport.git
Documentation: pkg.go.dev

# Packages

No description provided by the author
No description provided by the author
No description provided by the author

# Functions

CheckAccountID is a helper func that checks whether the current caller account ID matches the expected account ID.
ConfigureAccessGraphSyncIAM sets up the roles required for Teleport to be able to pool AWS resources into Teleport.
ConfigureAWSAppAccess sets up the roles required for AWS App Access.
ConfigureDeployServiceIAM sets up the roles required for calling the DeployService action.
ConfigureEC2SSM creates the required resources in AWS to enable EC2 Auto Discover using script mode.
ConfigureEKSIAM sets up the roles required for enrolling EKS clusters into Teleport.
ConfigureExternalAuditStorage attaches an IAM policy with necessary permissions for the ExternalAuditStorage feature to an existing IAM role associated with an AWS OIDC integration.
ConfigureIdPIAM creates a new AWS IAM OIDC IdP, IAM role and optionally updates the role with the given policy preset.
ConfigureListDatabasesIAM sets up the policy required for accessing RDS DB Instances and RDS DB Clusters.
CreateEC2ICE calls the following AWS API: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInstanceConnectEndpoint.html. It creates an EC2 Instance Connect Endpoint using the provided Subnet and Security Group IDs.
DeployDatabaseService calls Amazon ECS APIs to deploy multiple Teleport DatabaseService. Resource tagging: created resources have the following set of tags: teleport.dev/cluster: <clusterName>, teleport.dev/origin: aws-oidc-integration, teleport.dev/integration: <integrationName>. If resources already exist, only resources with those tags will be updated.
ECSDatabaseServiceDashboardURL returns the ECS service dashboard URL for a deployed database service.
EnrollEKSClusters enrolls EKS clusters into Teleport by installing teleport-kube-agent chart on the clusters.
GenerateAWSOIDCToken generates a token to be used when executing an AWS OIDC Integration action.
ListDatabases calls the following AWS APIs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBClusters.html and https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html. It returns a list of Databases and an optional NextToken that can be used to fetch the next page.
ListDeployedDatabaseServices calls the following AWS APIs: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ListServices.html, https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeServices.html and https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeTaskDefinition.html. It returns a list of ECS Services running Teleport Database Service and an optional NextToken that can be used to fetch the next page.
ListEC2 calls the following AWS API: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html. It returns a list of EC2 Instances and an optional NextToken that can be used to fetch the next page. Only Platform!=Windows and State=Running instances are returned.
ListEC2ICE calls the following AWS API: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceConnectEndpoints.html. It returns a list of EC2 Instance Connect Endpoints and an optional NextToken that can be used to fetch the next page.
ListEKSClusters calls the following AWS APIs: https://docs.aws.amazon.com/eks/latest/APIReference/API_ListClusters.html (to list available EKS clusters) and https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeCluster.html (to get more detailed information about each cluster in the list we received).
ListSecurityGroups calls the following AWS API: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html. It returns a list of VPC Security Groups and an optional NextToken that can be used to fetch the next page.
ListSubnets calls the following AWS API: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSubnets.html. It returns a list of VPC subnets and an optional NextToken that can be used to fetch the next page.
ListVPCs calls the following AWS API: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcs.html. It returns a list of VPCs and an optional NextToken that can be used to fetch the next page.
NewAccessGraphIAMConfigureClient creates a new TAGIAMConfigureClient.
NewAWSAppAccessConfigureClient creates a new AWSAppAccessConfigureClient.
NewAWSCredentialsProvider creates an [aws.CredentialsProvider] using the provided Token, RoleARN and Region.
NewCreateEC2ICEClient creates a new CreateEC2ICEClient using an AWSClientRequest.
NewDeployServiceClient creates a new DeployServiceClient using an AWSClientRequest.
NewDeployServiceIAMConfigureClient creates a new DeployServiceIAMConfigureClient.
NewEC2SSMConfigureClient creates a new EC2SSMConfigureClient.
NewEICESendSSHPublicKeyClient creates an EICESendSSHPublicKeyClient using AWSClientRequest.
NewEKSIAMConfigureClient creates a new EKSIAMConfigureClient.
NewEnrollEKSClustersClient returns a new client that can be used to enroll EKS clusters into Teleport.
NewIdPIAMConfigureClient creates a new IdPIAMConfigureClient.
NewListDatabasesClient creates a new ListDatabasesClient using an AWSClientRequest.
NewListDatabasesIAMConfigureClient creates a new ListDatabasesIAMConfigureClient.
NewListDeployedDatabaseServicesClient creates a new ListDeployedDatabaseServicesClient using an AWSClientRequest.
NewListEC2Client creates a new ListEC2Client using an AWSClientRequest.
NewListEC2ICEClient creates a new ListEC2ICEClient using an AWSClientRequest.
NewListEKSClustersClient creates a new ListEKSClusters client using AWSClientRequest.
NewListSecurityGroupsClient creates a new ListSecurityGroupsClient using an AWSClientRequest.
NewListSubnetsClient creates a new ListSubnetsClient using an AWSClientRequest.
NewListVPCsClient creates a new ListVPCsClient using an AWSClientRequest.
NewOpenTunnelEC2Client creates an OpenTunnelEC2Client using AWSClientRequest.
NewPingClient creates a new PingClient using an AWSClientRequest.
NewSessionV1 creates a new AWS Session for the region using the integration as source of credentials.
OpenTunnelEC2 creates a tunnel to an EC2 instance using its private IP.
Ping does a health check for an integration.
SendSSHPublicKeyToEC2 sends an SSH Public Key to a target EC2 Instance.
ThumbprintIdP returns the thumbprint as required by AWS when adding an OIDC Identity Provider.
UpdateDeployService updates all the AWS OIDC deployed services with the specified version tag.
ValidatePolicyPreset validates if a given policy preset is supported or not.

# Constants

DatabaseServiceDeploymentMode is a deployment configuration for Deploying a Database Service.
PolicyPresetAWSIdentityCenter specifies the policy required for the AWS Identity Center integration.
PolicyPresetUnspecified specifies no preset policy to apply.

# Variables

DeploymentModes has all the available deployment modes.
ErrAWSOIDCInvalidPolicyPreset is issued if provided policy preset value is not supported.

# Structs

AccessGraphAWSIAMConfigureRequest is a request to configure the required Policies to use the TAG AWS Sync.
AWSAppAccessConfigureRequest is a request to configure the required Policies to use AWS App Access.
AWSClientRequest contains the required fields to set up an AWS service client.
CIDR has a CIDR (IP Range) and a description for the value.
ConfigureIAMListDatabasesRequest is a request to configure the required Policy to use the List Databases action.
CreateEC2ICERequest contains the required fields to create an AWS EC2 Instance Connect Endpoint.
CreateEC2ICEResponse contains the newly created EC2 Instance Connect Endpoint name.
DefaultConfigureExternalAuditStorageClient wraps an iam and sts client to implement ConfigureExternalAuditStorageClient.
DeployDatabaseServiceRequest contains the required fields to deploy multiple Teleport Databases Services.
DeployDatabaseServiceRequestDeployment identifies the required fields to deploy a DatabaseService.
DeployDatabaseServiceResponse contains the ARNs of the Amazon resources used to deploy the Teleport Service.
DeployedDatabaseService contains a database service that was deployed to Amazon ECS.
DeployServiceIAMConfigureRequest is a request to configure the DeployService action required Roles.
DeployServiceRequest contains the required fields to deploy a Teleport Service.
DeployServiceResponse contains the ARNs of the Amazon resources used to deploy the Teleport Service.
EC2ICEEndpoint contains the information for a single Endpoint to be created.
EC2InstanceConnectEndpoint is the Teleport representation of an EC2 Instance Connect Endpoint.
EC2SSMIAMConfigureRequest is a request to configure the required Policies to use the EC2 Auto Discover with SSM.
EKSCluster represents a cluster in AWS EKS.
EKSIAMConfigureRequest is a request to configure the required Policies to use the EKS.
EnrollEKSClusterResponse contains the result of enrollment.
EnrollEKSClusterResult contains the result of a single EKS cluster enrollment: if it was successful, 'Error' will be nil; otherwise it will contain the error that happened during enrollment.
EnrollEKSClustersRequest contains the required fields to enroll EKS clusters into Teleport.
GenerateAWSOIDCTokenRequest contains the required elements to generate an AWS OIDC Token (JWT).
GroupIDRule is a security group rule that refers to another security group by ID and has a description.
IdPIAMConfigureRequest represents a request to configure AWS OIDC integration.
ListDatabasesRequest contains the required fields to list AWS Databases.
ListDatabasesResponse contains a page of AWS Databases.
ListDeployedDatabaseServicesRequest contains the required fields to list the deployed database services in Amazon ECS.
ListDeployedDatabaseServicesResponse contains a page of Deployed Database Services.
ListEC2ICERequest contains the required fields to list AWS EC2 Instance Connect Endpoints.
ListEC2ICEResponse contains a page of AWS EC2 Instances as Teleport Servers.
ListEC2Request contains the required fields to list AWS EC2 Instances.
ListEC2Response contains a page of AWS EC2 Instances as Teleport Servers.
ListEKSClustersRequest contains the required fields to list AWS EKS Clusters.
ListEKSClustersResponse contains a page of AWS EKS Clusters.
ListSecurityGroupsRequest contains the required fields to list VPC Security Groups.
ListSecurityGroupsResponse contains a page of SecurityGroups.
ListSubnetsRequest contains the required fields to list AWS VPC subnets.
ListSubnetsResponse contains a page of subnets.
ListVPCsRequest contains the required fields to list AWS VPCs.
ListVPCsResponse contains a page of VPCs.
OpenTunnelEC2Request contains the required fields to open a tunnel to an EC2 instance.
OpenTunnelEC2Response contains the response for creating a Tunnel to an EC2 Instance.
PingResponse contains the response for the integration.
SecurityGroup is the Teleport representation of an EC2 Instance Connect Endpoint.
SecurityGroupRule is a SecurityGroup rule.
SendSSHPublicKeyToEC2Request contains the required fields to request the upload of an SSH Public Key.
Subnet is the Teleport representation of an AWS VPC subnet.
UpdateServiceRequest contains the required fields to update a Teleport Service.
VPC is the Teleport representation of an AWS VPC.

# Interfaces

AccessGraphIAMConfigureClient describes the required methods to create the IAM Policies required for enrolling Access Graph AWS Sync into Teleport.
AWSAppAccessConfigureClient describes the required methods to create the IAM Policies required for AWS App Access.
Cache is the subset of the cached resources that the AWS OIDC Token Generation queries.
CallerIdentityGetter is a subset of [sts.Client] that can be used to get information about the caller identity.
ConfigureExternalAuditStorageClient is an interface for the AWS client methods used by ConfigureExternalAuditStorage.
CreateEC2ICE describes the required methods to List EC2 Instances using a 3rd Party API.
DeployServiceClient describes the required methods to Deploy a Teleport Service.
DeployServiceIAMConfigureClient describes the required methods to create the IAM Roles/Policies required for the DeployService action.
EC2SSMConfigureClient describes the required methods to create the IAM Policies and SSM Document required for installing Teleport in EC2 instances.
EICESendSSHPublicKeyClient describes the required methods to send an SSH Public Key to an EC2 Instance.
EKSIAMConfigureClient describes the required methods to create the IAM Policies required for enrolling EKS clusters into Teleport.
EnrollEKSClusterClient defines functions required for EKS cluster enrollment.
IdPIAMConfigureClient describes the required methods to create the AWS OIDC IdP and a Role that trusts that identity provider.
IntegrationTokenGenerator is an interface that indicates which APIs are required to generate an Integration Token.
KeyStoreManager defines methods to get signers using the server's keystore.
ListDatabasesClient describes the required methods to List Databases (Instances and Clusters) using a 3rd Party API.
ListDatabasesIAMConfigureClient describes the required methods to create the IAM Policies required for Listing Databases.
ListDeployedDatabaseServicesClient describes the required methods to list AWS VPCs.
ListEC2Client describes the required methods to List EC2 Instances using a 3rd Party API.
ListEC2ICEClient describes the required methods to List EC2 Instances using a 3rd Party API.
ListEKSClustersClient describes the required methods to List EKS clusters using a 3rd Party API.
ListSecurityGroupsClient describes the required methods to List Security Groups using a 3rd Party API.
ListSubnetsClient describes the required methods to list AWS VPC subnets.
ListVPCsClient describes the required methods to list AWS VPCs.
OpenTunnelEC2Client describes the required methods to Open a Tunnel to an EC2 Instance using EC2 Instance Connect Endpoint.
PingClient describes the required methods to list AWS VPCs.
TokenService defines the required methods to upsert the Provision Token used by the Deploy Service.

# Type aliases

IdentityGetter returns AWS identity of the caller.
IdentityToken is an implementation of [stscreds.IdentityTokenRetriever] for returning a static token.
IntegrationTokenFetcher handles dynamic token generation using a callback function.
PolicyPreset defines a preset policy type for the AWS IAM role created by the Teleport AWS OIDC integration.
TokenCreator creates a join token on the auth server.