
app launcher dropdown shows aws roles that are not allowed for app #41499

Closed
GavinFrazar opened this issue May 13, 2024 · 2 comments · Fixed by #41585
Labels
application-access aws Used for AWS Related Issues. bug rbac Issues related to Role Based Access Control ui ux

Comments

@GavinFrazar (Contributor) commented May 13, 2024

Expected behavior:

  • the app launcher dropdown should only display usable (i.e. allowed by RBAC) aws roles for an app.

Current behavior:

  • the app launcher shows all the available aws roles that a user has across their roleset, regardless of whether those roles are actually allowed by Teleport's RBAC.

For example, here I have an aws console app with this spec:

```yaml
---
kind: app
version: v3
metadata:
  name: "app"
  description: "example"
  labels:
    env: "dev"
    host: "mbp"
spec:
  uri: "https://console.aws.amazon.com"
  public_addr: ""
```

My user has the preset access role, and these user traits:

```yaml
  traits:
    aws_role_arns:
    - arn:aws:iam::999999999999:role/allowed_one
    - arn:aws:iam::999999999999:role/allowed_two
```

and my user also has the following role:

```yaml
kind: role
version: v5
metadata:
  name: aws-dynamodb-access
spec:
  allow:
    app_labels:
      env: prod
    aws_role_arns:
    - arn:aws:iam::123456789012:role/ProdAdmin
  deny: {}
```

NOTE: the aws-dynamodb-access role's app_labels do not match the labels for my example app, therefore RBAC will not allow me to actually use the ProdAdmin aws IAM role.
So the only thing I should see in the launcher are the two allowed roles from my user traits.
However, I see all of them:
[screenshot]

If I click on the ProdAdmin role in the launcher, access is denied and I get an unhelpful "Not found" page (we intentionally obscure access errors with "not found"):
[screenshot]

This is poor UX and has tripped up at least one customer in a support ticket.

Bug details:

  • Teleport version: master / v16.0.0-dev
  • Recreation steps: see above example.
@zmb3 (Collaborator) commented May 14, 2024

FYI @marcoandredinis

@marcoandredinis (Contributor) commented May 14, 2024

The issue is that we extract the AWS Role ARN from the user's identity and use that to list available roles for every app.

I'll try to understand what we did for the SSH logins (which I don't think suffer from this issue) and apply the same pattern here.
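To make the filtering that the issue asks for concrete, here is an added Go example (not Teleport's own code) that rebuilds the reported roleset and returns only the ARNs granted by roles whose app_labels match the app, which is the check the launcher was skipping. It assumes the preset access role allows every app via a '*': '*' selector and expands the user's aws_role_arns trait; label matching is deliberately simplified (no regex values, label lists or deny rules).

```go
package main

import "fmt"

// Example stand-in for a Teleport role's allow section (not Teleport's own type).
type Role struct {
	AppLabels   map[string]string // allow.app_labels; '*': '*' matches every app
	AWSRoleARNs []string          // allow.aws_role_arns, user traits already expanded
}

// matchesApp: each selector key must be on the app with the same value or "*" (simplified: no regexes, lists or deny rules).
func matchesApp(sel, appLabels map[string]string) bool {
	if len(sel) == 0 {
		return false // a role with no app_labels grants access to no apps
	}
	for k, want := range sel {
		got, ok := appLabels[k]
		if !(k == "*" && want == "*") && !(ok && (want == "*" || want == got)) {
			return false
		}
	}
	return true
}

// AllowedAWSRoleARNs is what the launcher should offer: ARNs only from roles whose
// app_labels match this app. The reported bug amounts to skipping that check.
func AllowedAWSRoleARNs(appLabels map[string]string, roles []Role) (out []string) {
	for _, r := range roles {
		if matchesApp(r.AppLabels, appLabels) {
			out = append(out, r.AWSRoleARNs...)
		}
	}
	return out
}

// ExampleRoleset rebuilds the issue: app env=dev,host=mbp; the preset "access" role (assumed to
// allow every app and expand the user's aws_role_arns trait); aws-dynamodb-access matching only env=prod.
func ExampleRoleset() (map[string]string, []Role) {
	app := map[string]string{"env": "dev", "host": "mbp"}
	roles := []Role{
		{AppLabels: map[string]string{"*": "*"}, AWSRoleARNs: []string{
			"arn:aws:iam::999999999999:role/allowed_one", "arn:aws:iam::999999999999:role/allowed_two"}},
		{AppLabels: map[string]string{"env": "prod"}, AWSRoleARNs: []string{"arn:aws:iam::123456789012:role/ProdAdmin"}},
	}
	return app, roles
}

func main() {
	fmt.Println("launcher should show:", AllowedAWSRoleARNs(ExampleRoleset()))
}
```

For the issue's env=dev app this yields only the two trait ARNs; the same roleset against an env=prod app yields all three, since aws-dynamodb-access then matches.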
