Description
opened on Mar 24, 2021
What
Teleport should have a way to assume an IAM role before running AWS operations. I'm mainly thinking of this in the context of database access, but it may also be useful for DynamoDB backend/event storage and S3 session recording.
How
Provide a way to specify a role ARN in Teleport's config, then internally tell the AWS SDK to assume this role for all calls to AWS APIs.
Why
Granting an instance or service a very limited IAM role which only has the ability to assume other more privileged roles for a short period of time is a common and recommended method for enforcing the principle of least privilege in AWS. If Teleport supports this out of the box it will make it easier to deploy in AWS and is likely to increase adoption.
Workaround
I haven't tried, but writing a custom profile to ~/.aws/credentials to assume the role using an EC2 instance profile may work, if the AWS Go SDK supports this method. It may also be possible to work around it using an EnvironmentFile with a systemd unit or something similar to force Teleport to assume a role when it starts.
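The workaround sketched above, made concrete as an added example; this is not code from the issue author or from the Teleport project. It assumes Teleport runs as a systemd unit named teleport.service, that it is built against the AWS SDK for Go v1 (which reads role_arn and credential_source from the shared config file only when AWS_SDK_LOAD_CONFIG=1 is set), and the role ARN, session name and file paths are placeholders. It also renders the one IAM permission the instance profile itself needs (sts:AssumeRole on the target role), which is the least-privilege split the "Why" section describes.

```shell
#!/bin/sh
# Added example (not part of the Teleport issue or project). Assumptions:
#   - ROLE_ARN below is a placeholder for the privileged role to assume;
#   - Teleport runs under systemd as teleport.service;
#   - Teleport uses the AWS SDK for Go v1, which honours role_arn /
#     credential_source in the shared config file when AWS_SDK_LOAD_CONFIG=1.
set -eu

ROLE_ARN="${ROLE_ARN:-arn:aws:iam::123456789012:role/TeleportDatabaseAccess}"  # placeholder

# Shared AWS config profile that chains from the EC2 instance profile to the
# privileged role. credential_source=Ec2InstanceMetadata tells the SDK to use
# the instance's own credentials when it calls sts:AssumeRole.
render_aws_profile() {
  role_arn="$1"
  cat <<EOF
[profile teleport]
role_arn = ${role_arn}
credential_source = Ec2InstanceMetadata
role_session_name = teleport
duration_seconds = 3600
EOF
}

# EnvironmentFile consumed by the systemd unit. AWS_CONFIG_FILE pins the
# config path so it does not depend on the service user's HOME.
render_env_file() {
  aws_dir="$1"
  cat <<EOF
AWS_SDK_LOAD_CONFIG=1
AWS_CONFIG_FILE=${aws_dir}/config
AWS_PROFILE=teleport
EOF
}

# The only permission the instance profile needs: assume the target role.
# Everything else (RDS, DynamoDB, S3, ...) lives on the assumed role.
render_instance_policy() {
  role_arn="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "${role_arn}"
    }
  ]
}
EOF
}

# Write all files under a base directory: "/" on a real host, a temp dir for a dry run.
install_workaround() {
  base="$1"
  role_arn="$2"
  mkdir -p "${base}/etc/teleport/aws" "${base}/etc/systemd/system/teleport.service.d"
  render_aws_profile "$role_arn" > "${base}/etc/teleport/aws/config"
  chmod 600 "${base}/etc/teleport/aws/config"
  render_env_file /etc/teleport/aws > "${base}/etc/teleport/aws.env"
  render_instance_policy "$role_arn" > "${base}/etc/teleport/aws/instance-policy.json"
  # systemd drop-in that points the unit at the EnvironmentFile
  cat > "${base}/etc/systemd/system/teleport.service.d/aws.conf" <<EOF
[Service]
EnvironmentFile=/etc/teleport/aws.env
EOF
}
```

After installing on a real host, run `systemctl daemon-reload` and restart teleport.service; if the SDK cannot assume the role, the failure surfaces on the first AWS call, so check CloudTrail for the AssumeRole event and the instance role's trust relationship on the target role. The rendered instance-policy.json is what to attach to the instance profile; the target role additionally needs a trust policy that allows that instance role as principal.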