Remove 'Origin: aws-identity-center' that is crashing v16 agents (#50658

) Co-authored-by: hugoShaka <[email protected]>
gravitational · Jan 2, 2025 · e41a07c · e41a07c
1 parent d583114
commit e41a07c
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/lib/services/presets.go b/lib/services/presets.go
@@ -28,7 +28,6 @@ import (
 	"github.com/gravitational/teleport/api/constants"
 	apidefaults "github.com/gravitational/teleport/api/defaults"
 	"github.com/gravitational/teleport/api/types"
-	"github.com/gravitational/teleport/api/types/common"
 	apiutils "github.com/gravitational/teleport/api/utils"
 	"github.com/gravitational/teleport/lib/modules"
 	"github.com/gravitational/teleport/lib/utils"
@@ -596,7 +595,11 @@ func NewSystemIdentityCenterAccessRole() types.Role {
 			Description: "Access AWS IAM Identity Center resources",
 			Labels: map[string]string{
 				types.TeleportInternalResourceType: types.SystemResource,
-				types.OriginLabel:                  common.OriginAWSIdentityCenter,
+				// OriginLabel should not be set to AWS Identity center because:
+				// - identity center is not the one owning this role, this role
+				//   is part of the Teleport system requirements
+				// - setting the label to a value not support in older agents
+				//   (v16) will cause them to crash.
 			},
 		},
 		Spec: types.RoleSpecV6{
@@ -687,6 +690,11 @@ func bootstrapRoleMetadataLabels() map[string]map[string]string {
 			types.TeleportInternalResourceType: types.SystemResource,
 			types.OriginLabel:                  types.OriginOkta,
 		},
+		// We unset the OriginLabel on the system AWS IC role because this value
+		// was not supported on v16 agents and this crashes them.
+		teleport.SystemIdentityCenterAccessRoleName: {
+			types.TeleportInternalResourceType: types.SystemResource,
+		},
 		// Group access, reviewer and requester are intentionally not added here as there may be
 		// existing customer defined roles that have these labels.
 	}