Teleport
Machine ID Configuration Reference
Version preview- Older Versions
This reference documents the various options that can be configured in the tbot
configuration file. This configuration file offers more control than
configuring tbot
using CLI parameters alone.
To configure tbot
to use a configuration file, specify the path with the -c
flag:
tbot -c ./tbot.yaml
In this reference, the term artifact refers an item that tbot
writes to a
destination as part of the process of generating an output. Examples of
artifacts include configuration files, certificates, and cryptographic key
material. Usually, artifacts are files, but this term is explicitly avoided
because a destination isn't required to be a filesystem.
Configuration v2
From Teleport 14, tbot
supports the v2 configuration version.
# version specifies the version of the configuration file in use. `v2` is the
# most recent and should be used for all new bots. The rest of this example
# is in the `v2` schema.
version: v2
# debug enables verbose logging to stderr. If unspecified, this defaults to
# false.
debug: true
# auth_server specifies the address of the Auth Service instance that `tbot` should connect
# to. You should prefer specifying `proxy_server` to specify the Proxy Service
# address.
auth_server: "teleport.example.com:3025"
# proxy_server specifies the address of the Teleport Proxy Service that `tbot` should
# connect to.
# It is recommended to use the address of your Teleport Proxy Service, or, if using
# Teleport Cloud, the address of your Teleport Cloud instance.
proxy_server: "teleport.example.com:443" # or "example.teleport.sh:443" for Teleport Cloud
# certificate_ttl specifies how long certificates generated by `tbot` should
# live for. It should be a positive, numeric value with an `m` (for minutes) or
# `h` (for hours) suffix. By default, this value is `1h`.
certificate_ttl: "1h"
# renewal_interval specifies how often `tbot` should aim to renew the
# outputs it has generated. It should be a positive, numeric value with an
# `m` (for minutes) or `h` (for hours) suffix. The default value is `20m`.
# This value must be lower than `certificate_ttl`.
# This value is ignored when using `tbot` is running in one-shot mode.
renewal_interval: "20m"
# oneshot configures `tbot` to exit immediately after generating the outputs.
# The default value is `false`. A value of `true` is useful in ephemeral environments, like
# CI/CD.
oneshot: false
# onboarding is a group of configuration options that control how `tbot` will
# authenticate with the Teleport cluster.
onboarding:
# token specifies which join token, configured in the Teleport cluster,
# should be used to join the Teleport cluster.
#
# This can also be an absolute path to a file containing the value you wish
# to be used.
# File path example:
# token: /var/lib/teleport/tokenjoin
token: "00000000000000000000000000000000"
# join_method must be the join method associated with the specified token
# above. This setting should match the value output when creating the bot using
# `tctl`.
#
# Support values include:
# - `token`
# - `azure`
# - `gcp`
# - `circleci`
# - `github`
# - `gitlab`
# - `iam`
# - `ec2`
# - `kubernetes`
# - `spacelift`
join_method: "token"
# ca_pins are used to validate the identity of the Teleport Auth Service on
# first connect. This should not be specified when using Teleport Cloud or
# connecting through a Teleport Proxy.
ca_pins:
- "sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678"
- "sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678"
# ca_path is used to specify where a CA file can be found that can be used to
# validate the identity of the Teleport Auth Service on first connect.
# This should not be specified when using Teleport Cloud or connecting through a
# Teleport Proxy. The ca_pins option should be preferred over ca_path.
ca_path: "/path/to/ca.pem"
# storage specifies the destination that `tbot` should use to store its
# internal state. This state is sensitive, and you should ensure that the
# destination you specify here can only be accessed by `tbot`.
#
# If unspecified, storage is set to a directory destination with a path
# of `/var/lib/teleport/bot`.
#
# See the full list of supported destinations and their configuration options
# under the Destinations section of this reference page.
storage:
type: directory
path: /var/lib/teleport/bot
# outputs specifies what artifacts `tbot` should generate and renew when it
# runs.
#
# See the full list of supported outputs and their configuration options
# under the Outputs section of this reference page.
outputs:
- type: identity
destination:
type: directory
path: /opt/machine-id
# services specify which `tbot` sub-services should be enabled and how they
# should be configured.
#
# See the full list of supported services and their configuration options
# under the Services section of this reference page.
services:
- type: example
If no configuration file is provided, a simple configuration is used based
on the provided CLI flags. Given the following sample CLI from
tctl bots add ...
:
tbot start \ --destination-dir=./tbot-user \ --token=00000000000000000000000000000000 \ --ca-pin=sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678 \ --proxy-server=example.teleport.sh:443
it uses a configuration equivalent to the following:
proxy_server: example.teleport.sh:443
onboarding:
join_method: "token"
token: "abcd123-insecure-do-not-use-this"
ca_pins:
- "sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678"
storage:
type: directory
path: /var/lib/teleport/bot
outputs:
- type: identity
destination:
type: directory
path: ./tbot-user
Outputs
Outputs define what actions tbot
should take when it runs. They describe
the format of the certificates to be generated, the roles used to generate the certificates, and the
destination where they should be written.
There are multiple types of output. Select the one that is most appropriate for your intended use-case.
identity
The identity
output can be used to authenticate:
- SSH access to your Teleport servers, using
tsh
, openssh and tools like ansible. - Administrative actions against your cluster using tools like
tsh
ortctl
. - Management of Teleport resources using the Teleport Terraform provider.
- Access to the Teleport API using the Teleport Go SDK.
See the Getting Started guide to see the identity
output used in context.
# type specifies the type of the output. For the identity output, this will
# always be `identity`.
type: identity
# The following configuration fields are available across most output types.
# destination specifies where the output should write any generated artifacts
# such as certificates and configuration files.
#
# See the full list of supported destinations and their configuration options
# under the Destinations section of this reference page.
destination:
type: directory
path: /opt/machine-id
# roles specifies the roles that should be included in the certificates generated
# by the output. These roles must be roles that the bot has been granted
# permission to impersonate.
#
# if no roles are specified, all roles the bot is allowed to impersonate are used.
roles:
- editor
application
The application
output is used to generate credentials that can be used to
access applications that have been configured with Teleport.
See the Machine ID with Application Access guide
to see the application
output used in context.
# type specifies the type of the output. For the application output, this will
# always be `application`.
type: application
# app_name specifies the application name, as configured in your Teleport
# cluster, that `tbot` should generate credentials for.
# This field must be specified.
app_name: grafana
# The following configuration fields are available across most output types.
# destination specifies where the output should write any generated artifacts
# such as certificates and configuration files.
#
# See the full list of supported destinations and their configuration options
# under the Destinations section of this reference page.
destination:
type: directory
path: /opt/machine-id
# roles specifies the roles that should be included in the certificates generated
# by the output. These roles must be roles that the bot has been granted
# permission to impersonate.
#
# if no roles are specified, all roles the bot is allowed to impersonate are used.
roles:
- editor
database
The database
output is used to generate credentials that can be used to
access databases that have been configured with Teleport.
See the Machine ID with Database Access guide
to see the database
output used in context.
# type specifies the type of the output. For the database output, this will
# always be `database`.
type: database
# service is the name of the database server, as configured in Teleport, that
# the output should generate credentials for. This field must be specified.
service: my-postgres-server
# database is the name of the specific database on the specified database
# server to generate credentials for. This field doesn't need to be specified
# for database types that don't support multiple individual databases.
database: my-database
# username is the name of the user on the specified database server to
# generate credentials for. This field doesn't need to be specified
# for database types that don't have users.
username: my-user
# format specifies the format to use for output artifacts. If
# unspecified, a default format is used. See the table titled "Supported
# formats" below for the full list of supported values.
format: tls
# The following configuration fields are available across most output types.
# destination specifies where the output should write any generated artifacts
# such as certificates and configuration files.
#
# See the full list of supported destinations and their configuration options
# under the Destinations section of this reference page.
destination:
type: directory
path: /opt/machine-id
# roles specifies the roles that should be included in the certificates generated
# by the output. These roles must be roles that the bot has been granted
# permission to impersonate.
#
# if no roles are specified, all roles the bot is allowed to impersonate are used.
roles:
- editor
Supported formats
You can provide the following values to the format
configuration field in
the database
output type:
format | Description |
---|---|
Unspecified | Provides a certificate in tlscert , a private key in key and the CA in teleport-database-ca.crt . This is compatible with most clients and databases. |
mongo | Provides mongo.crt and mongo.cas . This is designed to be used with MongoDB clients. |
cockroach | Provides cockroach/node.key , cockroach/node.crt , and cockroach/ca.crt . This is designed to be used with CockroachDB clients. |
tls | Provides tls.key , tls.crt , and tls.cas . This is for generic clients that require the specific file extensions. |
kubernetes
The kubernetes
output is used to generate credentials that can be used to
access Kubernetes clusters that have been configured with Teleport.
It outputs a kubeconfig.yaml
in the output destination, which can be used
with kubectl
.
See the Machine ID with Kubernetes Access guide
to see the kubernetes
output used in context.
# type specifies the type of the output. For the kubernetes output, this will
# always be `kubernetes`.
type: kubernetes
# kubernetes_cluster is the name of the Kubernetes cluster, as configured in
# Teleport, that the output should generate credentials and a kubeconfig for.
# This field must be specified.
kubernetes_cluster: my-cluster
# The following configuration fields are available across most output types.
# destination specifies where the output should write any generated artifacts
# such as certificates and configuration files.
#
# See the full list of supported destinations and their configuration options
# under the Destinations section of this reference page.
destination:
type: directory
path: /opt/machine-id
# roles specifies the roles that should be included in the certificates generated
# by the output. These roles must be roles that the bot has been granted
# permission to impersonate.
#
# if no roles are specified, all roles the bot is allowed to impersonate are used.
roles:
- editor
ssh_host
The ssh_host
output is used to generate the artifacts required to configure
an OpenSSH server with Teleport in order to allow Teleport users to connect to
it.
The output generates the following artifacts:
ssh_host-cert.pub
: an SSH certificate signed by the Teleport host certificate authority.ssh_host
: the private key associated with the SSH host certificate.ssh_host-user-ca.pub
: an export of the Teleport user certificate authority in an OpenSSH compatible format.
# type specifies the type of the output. For the ssh host output, this will
# always be `ssh_host`.
type: ssh_host
# principals is the list of host names to include in the host certificates.
# These names should match the names that clients use to connect to the host.
principals:
- host.example.com
# The following configuration fields are available across most output types.
# destination specifies where the output should write any generated artifacts
# such as certificates and configuration files.
#
# See the full list of supported destinations and their configuration options
# under the Destinations section of this reference page.
destination:
type: directory
path: /opt/machine-id
# roles specifies the roles that should be included in the certificates generated
# by the output. These roles must be roles that the bot has been granted
# permission to impersonate.
#
# if no roles are specified, all roles the bot is allowed to impersonate are used.
roles:
- editor
spiffe-svid
The spiffe-svid
output is used to generate a SPIFFE X509 SVID and write this
to a configured destination.
The output generates the following artifacts:
svid.pem
: the X509 SVID.svid.key
: the private key associated with the X509 SVID.bundle.pem
: the X509 bundle that contains the trust domain CAs.
See Workload Identity for more information on how to use SPIFFE SVIDs.
# type specifies the type of the output. For the SPIFFE SVID output, this will
# always be `spiffe-svid`.
type: spiffe-svid
# svid specifies the properties of the SPIFFE SVID that should be requested.
svid:
# path specifies what the path element should be requested for the SPIFFE ID.
path: /svc/foo
# sans specifies optional Subject Alternative Names (SANs) to include in the
# generated X509 SVID. If omitted, no SANs are included.
sans:
# dns specifies the DNS SANs. If omitted, no DNS SANs are included.
dns:
- foo.svc.example.com
# ip specifies the IP SANs. If omitted, no IP SANs are included.
ip:
- 10.0.0.1
# The following configuration fields are available across most output types.
# destination specifies where the output should write any generated artifacts
# such as certificates and configuration files.
#
# See the full list of supported destinations and their configuration options
# under the Destinations section of this reference page.
destination:
type: directory
path: /opt/machine-id
# roles specifies the roles that should be included in the certificates generated
# by the output. These roles must be roles that the bot has been granted
# permission to impersonate.
#
# if no roles are specified, all roles the bot is allowed to impersonate are used.
roles:
- editor
Services
Services are configurable long-lived components that run within tbot
. Unlike
Outputs, they may not necessarily generate artifacts. Typically, services
provide supporting functionality for machine to machine access, for example,
opening tunnels or providing APIs.
spiffe-workload-api
The spiffe-workload-api
service opens a listener for a service that implements
the SPIFFE Workload API. This service is used to provide SPIFFE SVIDs to
workloads.
See Workload Identity for more information on the SPIFFE Workload API.
# type specifies the type of the service. For the SPIFFE Workload API service,
# this will always be `spiffe-workload-api`.
type: spiffe-workload-api
# listen specifies the address that the service should listen on.
#
# Two types of listener are supported:
# - TCP: `tcp://<address>:<port>`
# - Unix socket: `unix:///<path>`
listen: unix:///opt/machine-id/workload.sock
# svids specifies the SPIFFE SVIDs that the Workload API should provide.
svids:
# path specifies what the path element should be requested for the SPIFFE
# ID.
- path: /svc/foo
# hint is a free-form string which can be used to help workloads determine
# which SVID to select when multiple are available. If omitted, no hint is
# included.
hint: my-hint
# sans specifies optional Subject Alternative Names (SANs) to include in the
# generated X509 SVID. If omitted, no SANs are included.
sans:
# dns specifies the DNS SANs. If omitted, no DNS SANs are included.
dns:
- foo.svc.example.com
# ip specifies the IP SANs. If omitted, no IP SANs are included.
ip:
- 10.0.0.1
# rules specifies a list of workload attestation rules. At least one of
# these rules must be satisfied by the workload in order for it to receive
# this SVID.
#
# If no rules are specified, the SVID will be issued to all workloads that
# connect to this service.
rules:
# unix is a group of workload attestation criteria that are available
# when the workload is running on the same host, and is connected to
# the Workload API using a Unix socket.
#
# If any of the criteria in this group are specified, then workloads
# that do not connect using a Unix socket will not receive this SVID.
- unix:
# uid is the ID of the user that the workload process must be running
# as to receive this SVID.
#
# If unspecified, the UID is not checked.
uid: 1000
# pid is the ID that the workload process must have to receive this
# SVID.
#
# If unspecified, the PID is not checked.
pid: 1234
# gid is the ID of the primary group that the workload process must be
# running as to receive this SVID.
#
# If unspecified, the GID is not checked.
gid: 50
database-tunnel
The database-tunnel
service opens a listener for a service that tunnels
connections to a database server.
The tunnel authenticates connections for the client, meaning that any application which can connect to the listener will be able to connect to the database as the specified user. For this reason, we heavily recommend using the Unix socket listener type and configuring the permissions of the socket to ensure that only the intended applications can connect.
# type specifies the type of the service. For the database tunnel service, this
# will always be `database-tunnel`.
type: database-tunnel
# listen specifies the address that the service should listen on.
#
# Two types of listener are supported:
# - TCP: `tcp://<address>:<port>`
# - Unix socket: `unix:///<path>`
listen: tcp://127.0.0.1:25432
# service is the name of the database server, as configured in Teleport, that
# the service should open a tunnel to.
service: postgres-docker
# database is the name of the specific database on the specified database
# service.
database: postgres
# username is the name of the user on the specified database server to open a
# tunnel for.
username: postgres
ssh-multiplexer
The ssh-multiplexer
service opens a listener for a high-performance local
SSH multiplexer. This is designed for use-cases which create a large number
of SSH connections using Teleport, for example, Ansible.
This differs to using identity
output for SSH in a few ways:
- The
tbot
instance running thessh-multiplexer
service must be running on the same host as the SSH client. - The
ssh-multiplexer
service is designed to be a long-running background service and cannot be used in one-shot mode. It must be running in order for SSH connections to be established and to continue running. - Resource consumption is significantly reduced by multiplexing SSH connections through a fewer number of upstream connections to the Teleport Proxy Service.
Additionally, the ssh-multiplexer
opens a socket that implements the SSH
agent protocol. This allows the SSH client to authenticate without writing the
sensitive private key to disk.
By default, the ssh-multiplexer
service outputs an ssh_config
which uses
tbot
itself as the ProxyCommand. You can further reduce the resource
consumption of SSH connections by installing and specifying the
fdpass-teleport
binary.
# type specifies the type of the service. For the SSH multiplexer
type: ssh-multiplexer
# destination specifies where the tunnel should be opened and any artifacts
# should be written. It must be of type `directory`.
destination:
type: directory
path: /foo
# enable_resumption specifies whether the multiplexer should negotiate
# session resumption. This allows SSH connections to survive network
# interruptions. It does increase the memory resources used per connection.
#
# If unspecified, this defaults to true.
enable_resumption: true
# proxy_command specifies the command that should be used as the ProxyCommand
# in the generated SSH configuration.
#
# If unspecified, the ProxyCommand will be the currently running binary of tbot
# itself.
proxy_command:
- /usr/local/bin/fdpass-teleport
# proxy_templates_path specifies a path to a proxy templates configuration file
# which should be used when resolving the Teleport node to connect to. This
# file must be accessible by the long-lived tbot process running the
# ssh-multiplexer.
#
# If unspecified, proxy templates will not be used.
proxy_templates_path: /etc/my-proxy-templates.yaml
Once configured, tbot
will create the following artifacts in the specified
destination:
ssh_config
: an SSH configuration file that will configure OpenSSH to use the multiplexer and agent.known_hosts
: the known hosts file that will be used by OpenSSH to validate a server's identity.v1.sock
: the Unix socket that the multiplexer listens on.agent.sock
: the Unix socket that the SSH agent listens on.
Destinations
A destination is somewhere that tbot
can read and write artifacts.
Destinations are used in two places in the tbot
configuration:
- Specifying where
tbot
should store its internal state. - Specifying where an output should write its generated artifacts.
Destinations come in multiple types. Usually, the directory
type is the most
appropriate.
directory
The directory
destination type stores artifacts as files in a specified
directory.
# type specifies the type of the destination. For the directory destination,
# this will always be `directory`.
type: directory
# path specifies the path to the directory that this destination should write
# to. This directory should already exist, or `tbot init` should be used to
# create it with the correct permissions.
path: /opt/machine-id
# symlinks configures the behaviour of symlink attack prevention.
# Requires Linux 5.6+.
# Supported values:
# * try-secure (default): Attempt to securely read and write certificates
# without symlinks, but fall back (with a warning) to insecure read
# and write if the host doesn't support this.
# * secure: Attempt to securely read and write certificates, with a hard error
# if unsupported.
# * insecure: Quietly allow symlinks in paths.
symlinks: try-secure
# acls configures whether Linux Access Control List (ACL) setup should occur for
# this destination.
# Requires Linux with a file system that supports ACLs.
# Supported values:
# * try (default on Linux): Attempt to use ACLs, warn at runtime if ACLs
# are configured but invalid.
# * off (default on non-Linux): Do not attempt to use ACLs.
# * required: Always use ACLs, produce a hard error at runtime if ACLs
# are invalid.
acls: try
memory
The memory
destination type stores artifacts in the process memory. When
the process exits, nothing is persisted. This destination type
is most suitable for ephemeral environments, but can also be used for testing.
Configuration:
# type specifies the type of the destination. For the memory destination, this
# will always be `memory`.
type: memory
kubernetes_secret
The kubernetes_secret
destination type stores artifacts in a Kubernetes
secret. This allows them to be mounted into other containers deployed in
Kubernetes.
Prerequisites:
tbot
must be running in Kubernetes with at most one replica. If using adeployment
, then theRecreate
strategy must be used to ensure only one instance exists at any time. This is because multipletbot
agents configured with the same secret will compete to write to the secret and it may be left in an inconsistent state or thetbot
agents may fail to write.- The
tbot
pod must be configured with a service account that allows it to read and write from the configured secret. - The
POD_NAMESPACE
environment variable must be configured with the name of the namespace thattbot
is running in. This is best achieved with the Downward API.
There is no requirement that the secret already exists, one will be created
if it does not exist. If a secret already exists, tbot
will overwrite any
other keys within the secret.
Configuration:
# type specifies the type of the destination. For the kubernetes_secret
# destination, this will always be `kubernetes_secret`.
type: kubernetes_secret
# name specifies the name of the Kubernetes Secret to write the artifacts to.
# This must be in the same namespace that `tbot` is running in.
name: my-secret
Bot resource
The bot
resource is used to manage Machine ID Bots. It is used to configure
the access that is granted to a Bot.
kind: bot
version: v1
metadata:
# name is a unique identifier for the bot in the cluster.
name: robot
spec:
# roles is a list of roles that the bot should be able to generate credentials
# for.
roles:
- editor
# traits controls the traits applied to the Bot user. These are fed into the
# role templating system and can be used to grant a specific Bot access to
# specific resources without the creation of a new role.
traits:
- name: logins
values:
- root
You can apply a file containing YAML that defines a bot
resource using
tctl create -f ./bot.yaml
.