Fix RBAC permissions for the Teleport Slack plugin
What
Fix RBAC permissions for the Teleport Slack plugin.
Why
Should fix this:
❯ k -n teleport-cluster-staging logs teleport-staging-slack-8cf8949c6-tc9gh
INFO Starting Teleport Access Slack Plugin 15.4.0: teleport-slack/main.go:93
INFO Access list monitor is running accesslist/app.go:121
ERRO Watcher event loop failed error:[
ERROR REPORT:
Original Error: *interceptors.RemoteError access denied to perform action "read" on "access_monitoring_rule"
Stack Trace:
/go/src/github.com/gravitational/teleport/api/client/streamwatcher.go:86 github.com/gravitational/teleport/api/client.(*streamWatcher).receiveEvents
/opt/go/src/runtime/asm_amd64.s:1650 runtime.goexit
User Message: access denied to perform action "read" on "access_monitoring_rule"] watcherjob/watcherjob.go:129
INFO Access list monitor is finished accesslist/app.go:137
ERRO Plugin is not ready common/app.go:160
ERRO Terminating with fatal error [1]... error:[
ERROR REPORT:
Original Error: *interceptors.RemoteError access denied to perform action "list" on "access_monitoring_rule", access denied to perform action "read" on "access_monitoring_rule"
Stack Trace:
/go/src/github.com/gravitational/teleport/api/client/accessmonitoringrules/access_monitoring_rules_client.go:122 github.com/gravitational/teleport/api/client/accessmonitoringrules.(*Client).ListAccessMonitoringRulesWithFilter
/go/src/github.com/gravitational/teleport/integrations/access/common/config.go:63 github.com/gravitational/teleport/integrations/access/common.(*wrappedClient).ListAccessMonitoringRulesWithFilter
/go/src/github.com/gravitational/teleport/integrations/access/accessrequest/app.go:604 github.com/gravitational/teleport/integrations/access/accessrequest.(*App).getAllAccessMonitoringRules
/go/src/github.com/gravitational/teleport/integrations/access/accessrequest/app.go:583 github.com/gravitational/teleport/integrations/access/accessrequest.(*App).initAccessMonitoringRulesCache
/go/src/github.com/gravitational/teleport/integrations/access/accessrequest/app.go:148 github.com/gravitational/teleport/integrations/access/accessrequest.(*App).run
/go/src/github.com/gravitational/teleport/integrations/lib/process.go:234 github.com/gravitational/teleport/integrations/access/slack.Bot.SupportedApps.NewApp.NewServiceJob.func1
/go/src/github.com/gravitational/teleport/integrations/lib/process.go:255 github.com/gravitational/teleport/integrations/lib.(*serviceJob).DoJob
/go/src/github.com/gravitational/teleport/integrations/lib/process.go:101 github.com/gravitational/teleport/integrations/lib.NewProcess.func2.1
/opt/go/src/runtime/asm_amd64.s:1650 runtime.goexit
User Message: access denied to perform action "list" on "access_monitoring_rule", access denied to perform action "read" on "access_monitoring_rule"] lib/bail.go:32
Also updates permissions based on the documentation: https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-slack/#step-38-create-a-user-and-role-for-the-plugin
Edited by Pierre Guinoiseau