Update URI creation for Roles Anywhere integration in govcloud

[bmckenna805]

Summary

Noticed that RA defaults to a commercial URI which will not successfully launch a console in govcloud. This change updates the URI creation logic to use the correct URI when the parsed ARNs indicate a govcloud partition.
It will also handle the China ARN use case.

Tests

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[bmckenna805]

I have read the CLA Document and I hereby sign the CLA

[bmckenna805]

recheck

Issue: #64049

[marcoandredinis]

@bmckenna805 Thank you for the PR.

Can you please also add a test to the syncer? Probably in the TestRunAWSRolesAnywherProfileSyncer test

[marcoandredinis]

Also, did you test this? Would you mind adding a list of test scenarios you went through to the PR description?

[bmckenna805]

Also, did you test this? Would you mind adding a list of test scenarios you went through to the PR description?

I'll see what I can do. Your development guidelines are a little vague so I though you might have an internal test suite that would run. It won't run against my fork.

[marcoandredinis]

Unit tests for that method look good.
I'm looking for something more integrated, look at the TestRunAWSRolesAnywherProfileSyncer.

The other part is manual testing.
You would need to build teleport and run it in a real cluster.
I can help out with this part if needed

[bmckenna805]

More comprehensive Go tests have been added

[bmckenna805]

I'm working through getting it running locally on docker.

[marcoandredinis]

I'm fine with the automated tests.

We also have to provide a manual test plan on each PR.
You can run a local build of teleport and test that it shows the expected URL when you try to navigate to it.

I can help you what on this if needed 👍

[marcoandredinis]

Can you please also remove this file changes?
Let's keep the PR contents to the aws partition fix.

[bmckenna805]

@marcoandredinis Apologies. I was trying to bridge the gap between where the mac docs end (installing dependencies) and spinning up the dev environment starts. I'll go ahead and drop those commits.

[bmckenna805]

@marcoandredinis now that I've done that, I'm not seeing any success trying to run your 'make' build as outlined here: https://github.com/gravitational/teleport/blob/master/build.assets/README.md

[bmckenna805]

Going to try make build, but accurate instructions would be nice for how I can get a dev environment spun up locally to test this if its required.

[bmckenna805]

Yup, make build fails mid run. I've tried a few targets like the hot-reload target in https://github.com/gravitational/teleport/blob/master/README.md. I'm still trying but some form of help would be nice.

[marcoandredinis]

Have you enabled debug logging in the Auth Service?
Do you have valid AWS IAM Profiles in AWS right next to the Profile you are using for the profile sync? (same account, same region, enabled and with at least one IAM Role?)

[bmckenna805]

"2026-03-09T11:59:08.001-05:00 WARN [AUTH:1] AWS IAM Roles Anywhere Profile Syncer requires a Proxy which isn't available yet. It will retry again later. pid:25541.1 awsra/profile_syncer.go:246"

Looks like I can't just run the single instance.

edit: I spun up a proxy service as well. Waiting to see if the auth service detects it
edit2: success! I have my integration up and an app created. Testing

[marcoandredinis]

Yeah, you don't actually need the proxy service.
But we kind of need the cluster URL so that we can build the URL for the app login.

You need the following, and you can re-use your teleport.yaml where you are running the auth_service.

teleport:
# ...
auth_service:
# ...
proxy_service:
  enabled: "yes"
  web_listen_addr: 0.0.0.0:8080
  public_addr: localhost:8080

Something like this should work.

[bmckenna805]

Yep. I have a full function test and return good data with a TSH checked out AWS CLI profile. This proves my Roles Anywhere config is good and the integration is working properly.

When I try to launch the web console right now I'm getting a "Failed to parse URL: Failed to construct 'URL': Invalid URL" javascript error (I think). I'm digging into why.

[bmckenna805]

Edit: I think I see what I did wrong. Will test tomorrow US Central Time.