
Session Tags for AWS OIDC integration #62676

@taraspos

Description

What would you like Teleport to do?
I would like to be able to configure AWS IAM Session Tags when using AWS OIDC integration.
This can be achieved by adding custom JWT claims in the AWS OIDC token [1]:

# lib/jwt/jwt.go

// awsOIDCCustomClaims defines the require claims for the JWT token used in AWS OIDC Integration.
type awsOIDCCustomClaims struct {
	jwt.Claims

	// OnBehalfOf identifies the user that is started the request.
	OnBehalfOf string `json:"obo,omitempty"`
+	// SessionTags allows setting AWS IAM Session Tags in OIDC token.
+	SessionTags AWSOIDCCustomClaimTags `json:"https://aws.amazon.com/tags,omitempty"`
}

+ // AWSOIDCCustomClaimTags represents "https://aws.amazon.com/tags" key of AWS IAM Session Tags in OIDC token.
+ // https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_adding-assume-role-idp
+ type AWSOIDCCustomClaimTags struct {
+	PrincipalTags     map[string][]string `json:"principal_tags,omitempty"`
+	TransitiveTagKeys []string            `json:"transitive_tag_keys,omitempty"`
+}
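
Review bot: `omitempty` on the struct-valued `SessionTags` field (`json:"https://aws.amazon.com/tags,omitempty"`) has no effect, because encoding/json only treats false, 0, nil pointers/interfaces and empty arrays, slices, maps and strings as empty, never a struct; a token issued for an integration with no tags configured would therefore still carry `"https://aws.amazon.com/tags": {}`. Declare the field as `SessionTags *AWSOIDCCustomClaimTags` and leave it nil when no tags are set (or use the `omitzero` tag option available from Go 1.24), so the claim is absent rather than empty. Separately, the added lines mix `+ ` (space) on the `AWSOIDCCustomClaimTags` declaration with `+\t` elsewhere; gofmt would normalise the indentation.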

What problem does this solve?

Session Tagging is an important AWS IAM feature which enhances access security and would allow enabling the following (but not limited to) use-cases:

If a workaround exists, please include it.
N/A

Related issues

Footnotes

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_adding-assume-role-idp
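
As an added example (not code from the issue or from Teleport), the following Go program builds the `https://aws.amazon.com/tags` claim described above, validates it before it goes into a token, serialises the unsigned payload, and reads the claim back out the way a token inspector would. The type and function names (`AWSSessionTags`, `Claims`, `BuildSessionTags`, `ClaimsJSON`, `TagsFromPayload`), the issuer/subject/audience values and the size limits (128-character keys, 256-character values, one value per tag) are assumptions for the example, the limits being taken from the AWS session-tag documentation the issue links. Note that the tags field is a pointer so the claim is genuinely omitted when no tags are configured.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// AWSSessionTags mirrors the object AWS reads from the
// "https://aws.amazon.com/tags" claim of an OIDC token. It corresponds to the
// issue's AWSOIDCCustomClaimTags; renamed here, example code not from Teleport.
type AWSSessionTags struct {
	PrincipalTags     map[string][]string `json:"principal_tags,omitempty"`
	TransitiveTagKeys []string            `json:"transitive_tag_keys,omitempty"`
}

// Claims is a reduced stand-in for awsOIDCCustomClaims: registered claims are
// trimmed to iss/sub/aud, and SessionTags is a pointer because encoding/json's
// omitempty never drops a struct value. A non-pointer field would emit the
// claim as {} even when no tags are configured.
type Claims struct {
	Issuer      string          `json:"iss"`
	Subject     string          `json:"sub"`
	Audience    []string        `json:"aud"`
	OnBehalfOf  string          `json:"obo,omitempty"`
	SessionTags *AWSSessionTags `json:"https://aws.amazon.com/tags,omitempty"`
}

// Assumed limits from the AWS session-tag documentation linked in the issue:
// keys up to 128 characters, values up to 256, and exactly one value per key.
const (
	maxTagKeyLen   = 128
	maxTagValueLen = 256
)

// BuildSessionTags turns a flat key/value map into the claim object and rejects
// input AWS would not accept. Returning nil for an empty map is what makes the
// claim disappear from the token entirely.
func BuildSessionTags(tags map[string]string, transitive []string) (*AWSSessionTags, error) {
	if len(tags) == 0 {
		if len(transitive) > 0 {
			return nil, fmt.Errorf("transitive keys given without principal tags")
		}
		return nil, nil
	}
	out := &AWSSessionTags{PrincipalTags: make(map[string][]string, len(tags))}
	for k, v := range tags {
		if k == "" || len(k) > maxTagKeyLen || len(v) > maxTagValueLen {
			return nil, fmt.Errorf("session tag %q: key must be 1..%d chars, value at most %d", k, maxTagKeyLen, maxTagValueLen)
		}
		out.PrincipalTags[k] = []string{v} // one value per tag
	}
	seen := make(map[string]bool, len(transitive))
	for _, k := range transitive {
		if _, ok := tags[k]; !ok {
			return nil, fmt.Errorf("transitive tag key %q is not a principal tag", k)
		}
		if !seen[k] {
			seen[k] = true
			out.TransitiveTagKeys = append(out.TransitiveTagKeys, k)
		}
	}
	sort.Strings(out.TransitiveTagKeys) // deterministic output for tests and logs
	return out, nil
}

// ClaimsJSON renders the unsigned JWT payload; signing is out of scope here.
func ClaimsJSON(c Claims) (string, error) {
	b, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// TagsFromPayload is the consumer-side check: it reads the claim back out of a
// payload and reports whether it was present at all, which is how a test can
// confirm the claim is omitted (not emitted as {}) when no tags are set.
func TagsFromPayload(payload string) (*AWSSessionTags, bool, error) {
	var raw struct {
		Tags *AWSSessionTags `json:"https://aws.amazon.com/tags"`
	}
	if err := json.Unmarshal([]byte(payload), &raw); err != nil {
		return nil, false, err
	}
	return raw.Tags, raw.Tags != nil, nil
}

func main() {
	// Constructed sample values; issuer, subject and audience are placeholders.
	tags, err := BuildSessionTags(map[string]string{"team": "sre", "env": "prod"}, []string{"team"})
	if err != nil {
		panic(err)
	}
	payload, _ := ClaimsJSON(Claims{
		Issuer:      "https://teleport.example.com",
		Subject:     "example-subject",
		Audience:    []string{"example-audience"},
		OnBehalfOf:  "alice",
		SessionTags: tags,
	})
	fmt.Println(payload)
}
```

Running it prints the payload with `"https://aws.amazon.com/tags":{"principal_tags":{"env":["prod"],"team":["sre"]},"transitive_tag_keys":["team"]}` alongside the other claims; building the same `Claims` with `SessionTags` left nil produces a payload with no tags claim at all, which is the behaviour the pointer field buys.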

Metadata

Assignees

No one assigned

    Labels

    application-access
    aws: Used for AWS Related Issues.
    feature-request: Used for new features in Teleport, improvements to current should be #enhancements

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
