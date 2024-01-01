Labels
Cloud resources enrolled in a Teleport cluster during auto-discovery, such as AWS EC2 instances, EKS clusters, RDS databases, and similar resources in Azure and Google Cloud, get a set of default labels applied to them. These labels can then be used in RBAC.
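As an illustration of using these labels in RBAC, the following role is an added example, not taken from the Teleport documentation. The role name, account ID, regions, logins, database users and Kubernetes group are constructed placeholders; the label keys are the ones listed in the tables on this page.

```yaml
# Added example: scope access to auto-discovered AWS resources in one account.
# All values (account ID, regions, logins, users, groups) are constructed placeholders.
kind: role
version: v7
metadata:
  name: discovered-aws-readonly   # hypothetical role name
spec:
  allow:
    # EC2 instances enrolled by auto-discovery carry teleport.dev/account-id.
    logins: ["ec2-user"]
    node_labels:
      "teleport.dev/account-id": "123456789012"

    # Discovered databases: every key listed must match (AND);
    # a list of values matches if any one value matches (OR).
    db_labels:
      "teleport.dev/origin": "cloud"
      "teleport.dev/cloud": "AWS"
      "account-id": "123456789012"
      "region": ["us-east-1", "us-west-2"]
    db_users: ["reader"]
    db_names: ["*"]

    # Discovered EKS clusters only, in the same account.
    kubernetes_labels:
      "teleport.dev/discovery-type": "eks"
      "account-id": "123456789012"
    kubernetes_groups: ["viewers"]
```

Matching on the account and origin labels rather than on a wildcard keeps the role from silently covering resources enrolled later from other accounts or sources.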
AWS
EC2 instances
See the AWS EC2 auto-discovery guide.
| Label | Description |
|---|---|
| teleport.dev/account-id | AWS account ID where the EC2 instance is running |
| teleport.dev/instance-id | AWS EC2 instance ID |
Databases
See the AWS Databases auto-discovery guide.
| Label | Description |
|---|---|
| account-id | ID of the AWS account the resource resides in. |
| endpoint-type | Type of the endpoint. See endpoint-type for more details. |
| engine-version | Database engine version, if available. |
| engine | Amazon RDS: engine type of the RDS instance. Amazon RDS Proxy: engine family of the proxy. |
| namespace | Amazon Redshift Serverless namespace name. |
| region | AWS region. |
| vpc-id | ID of the Amazon VPC the resource resides in, if available. |
| workgroup | Amazon Redshift Serverless workgroup name. |
| teleport.dev/cloud | Always AWS. |
| teleport.dev/discovery-type | Specifies the type of resource matched by the Teleport Discovery Service, e.g. "rds", "redshift", etc. |
| teleport.dev/origin | Always cloud. |
| teleport.internal/discovered-name | Original Database name. |
| teleport.internal/discovery-config-name | Name of the discovery config. Absent when using matchers defined in Discovery Service configuration. |
| teleport.internal/discovery-group-name | The name of the discovery group present in the Discovery Service configuration. |
| teleport.internal/discovery-integration-name | Integration name used to fetch the Database. Absent when using ambient credentials. |
Kubernetes clusters
See the AWS EKS auto-discovery guide.
| Label | Description |
|---|---|
| account-id | ID of the AWS account the resource resides in. |
| region | AWS region. |
| teleport.dev/cloud | Always AWS. |
| teleport.dev/discovery-type | Always eks. |
| teleport.dev/origin | Always cloud. |
| teleport.internal/aws-arn | Contains the AWS ARN for the resource. |
| teleport.internal/discovered-name | Original EKS Cluster name. |
| teleport.internal/discovery-config-name | Name of the discovery config. Absent when using matchers defined in Discovery Service configuration. |
| teleport.internal/discovery-group-name | The name of the discovery group present in the Discovery Service configuration. |
| teleport.internal/discovery-integration-name | Integration name used to fetch the Kubernetes cluster. Absent when using ambient credentials. |
Azure
VMs
See the Azure VM auto-discovery guide.
| Label | Description |
|---|---|
| teleport.internal/region | Azure region where the VM is running |
| teleport.internal/resource-group | Azure resource group the VM belongs to |
| teleport.internal/subscription-id | Azure subscription ID where the VM is running |
| teleport.internal/vm-id | Azure VM ID |
Databases
See the Azure Databases auto-discovery guide.
| Label | Description |
|---|---|
| endpoint-type | For Azure Redis Enterprise, one of EnterpriseCluster, OSSCluster. |
| engine-version | Database engine version, if available. |
| engine | Resource type of the resource ID. |
| region | Azure location. |
| replication-role | The replication role of an Azure DB Flexible server, e.g. "Source" or "Replica". |
| resource-group | Azure resource group. |
| source-server | The source server for replica Azure DB Flexible servers. This is the source (primary) database resource name. |
| subscription-id | Azure subscription ID. |
| teleport.dev/cloud | Always Azure. |
| teleport.dev/discovery-type | Specifies the type of resource matched by the Teleport Discovery Service, e.g. "mysql", "postgres", etc. |
| teleport.dev/origin | Always cloud. |
| teleport.internal/discovered-name | Original Database name. |
| teleport.internal/discovery-config-name | Name of the discovery config. Absent when using matchers defined in Discovery Service configuration. |
| teleport.internal/discovery-group-name | The name of the discovery group present in the Discovery Service configuration. |
Kubernetes clusters
See the Azure AKS auto-discovery guide.
| Label | Description |
|---|---|
| region | Azure location. |
| resource-group | Azure resource group. |
| subscription-id | Azure subscription ID. |
| teleport.dev/cloud | Always Azure. |
| teleport.dev/discovery-type | Always aks. |
| teleport.dev/origin | Always cloud. |
| teleport.internal/discovered-name | Original AKS Cluster name. |
| teleport.internal/discovery-config-name | Name of the discovery config. Absent when using matchers defined in Discovery Service configuration. |
| teleport.internal/discovery-group-name | The name of the discovery group present in the Discovery Service configuration. |
Google Cloud
VMs
See the GCP VM auto-discovery guide.
| Label | Description |
|---|---|
| teleport.dev/project-id | GCP project ID the VM is running in |
| teleport.internal/name | GCP VM name |
| teleport.internal/project-id | GCP project ID the VM is running in |
| teleport.internal/zone | GCP zone where the VM is running |
Kubernetes clusters
See the Azure AKS auto-discovery guide.
| Label | Description |
|---|---|
| location | GCP location where the GKE cluster is running. |
| project-id | GCP project ID where the GKE cluster is running. |
| teleport.dev/cloud | Always GCP. |
| teleport.dev/discovery-type | Always gke. |
| teleport.dev/origin | Always cloud. |
| teleport.internal/discovered-name | Original GKE Cluster name. |
| teleport.internal/discovery-config-name | Name of the discovery config. Absent when using matchers defined in Discovery Service configuration. |
| teleport.internal/discovery-group-name | The name of the discovery group present in the Discovery Service configuration. |