Remove 'Origin: aws-identity-center' that is crashing v16 agents (#50656

)
gravitational · Dec 31, 2024 · 658c931 · 658c931
1 parent 1f9949d
commit 658c931
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/lib/services/presets.go b/lib/services/presets.go
@@ -29,7 +29,6 @@ import (
 	"github.com/gravitational/teleport/api/constants"
 	apidefaults "github.com/gravitational/teleport/api/defaults"
 	"github.com/gravitational/teleport/api/types"
-	"github.com/gravitational/teleport/api/types/common"
 	apiutils "github.com/gravitational/teleport/api/utils"
 	"github.com/gravitational/teleport/lib/modules"
 	"github.com/gravitational/teleport/lib/utils"
@@ -597,7 +596,11 @@ func NewSystemIdentityCenterAccessRole() types.Role {
 			Description: "Access AWS IAM Identity Center resources",
 			Labels: map[string]string{
 				types.TeleportInternalResourceType: types.SystemResource,
-				types.OriginLabel:                  common.OriginAWSIdentityCenter,
+				// OriginLabel should not be set to AWS Identity center because:
+				// - identity center is not the one owning this role, this role
+				//   is part of the Teleport system requirements
+				// - setting the label to a value not support in older agents
+				//   (v16) will cause them to crash.
 			},
 		},
 		Spec: types.RoleSpecV6{
@@ -688,6 +691,11 @@ func bootstrapRoleMetadataLabels() map[string]map[string]string {
 			types.TeleportInternalResourceType: types.SystemResource,
 			types.OriginLabel:                  types.OriginOkta,
 		},
+		// We unset the OriginLabel on the system AWS IC role because this value
+		// was not supported on v16 agents and this crashes them.
+		teleport.SystemIdentityCenterAccessRoleName: {
+			types.TeleportInternalResourceType: types.SystemResource,
+		},
 		// Group access, reviewer and requester are intentionally not added here as there may be
 		// existing customer defined roles that have these labels.
 	}