No More Backdoors: Know Who Has Access to What, Right Now
Jun 13
Virtual
Register Today
Teleport logoTry For Free
Fork me on GitHub

Teleport

Machine ID with Application Access

This version of the guide uses the v2 tbot configuration. This version is only supported by Teleport 14 and beyond. Change the selected version of the documentation to view the guide for previous Teleport versions.

Teleport protects and controls access to HTTP and TCP applications. Machine ID can be used to grant machines secure, short-lived access to these applications.

In this guide, you will configure tbot to produce credentials that can be used to access an application enrolled in your Teleport cluster.

Prerequisites

  • A running Teleport cluster version 15.3.7 or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

  • The tctl admin tool and tsh client tool.

    On Teleport Enterprise, you must use the Enterprise version of tctl, which you can download from your Teleport account workspace. Otherwise, visit Installation for instructions on downloading tctl and tsh for Teleport Community Edition.

  • If you have not already connected your application to Teleport, follow the Application Access Getting Started Guide.
  • To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. tctl is supported on macOS and Linux machines. For example:
    tsh login --proxy=teleport.example.com --user=[email protected]
    tctl status

    Cluster teleport.example.com

    Version 15.3.7

    CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678

    If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.
  • tbot must already be installed and configured on the machine that will access applications. For more information, see the deployment guides.

Step 1/3. Configure RBAC

First, Teleport should be configured to allow the credentials produced by tbot to be used to connect to an Application. This is done by creating a role that grants the necessary permissions and then assigning this role to a Bot.

Create a file called role.yaml with the following content:

kind: role
version: v6
metadata:
  name: example-role
spec:
  allow:
    # Grants access to all applications.
    app_labels:
      '*': '*'

Replace example-role with a descriptive name related to your use case.

This grants access to all applications. In production environments you should modify these labels to grant access to only the applications that the machine will need access to.

Use tctl create -f ./role.yaml to create the role.

Now, use tctl bots update to add the role to the Bot. Replace example with the name of the Bot you created in the deployment guide and example-role with the name of the role you just created:

$ tctl bots update example --add-roles example-role

Step 2/3. Configure an application tbot output

Now, tbot needs to be configured with an output to produce the credentials needed to access applications in your infrastructure. To do this, the application output type is used.

The application you want the credentials to have access to must be specified using the app_name field. In this example, the debug application (dumper) will be used.

Outputs must be configured with a destination. In this example, the directory destination will be used. This will write artifacts to a specified directory on disk. Ensure that this directory can be written to by the Linux user that tbot runs as, and that it can be read by the Linux user that will be accessing applications.

Modify your tbot configuration to add an application output:

outputs:
- type: application
  # specify the name of the application you wish the credentials to grant
  # access to.
  app_name: dumper
  destination:
    type: directory
    # For this guide, /opt/machine-id is used as the destination directory.
    # You may wish to customize this. Multiple outputs cannot share the same
    # destination.
    path: /opt/machine-id

Ensure you replace dumper with the name of the application you registered in Teleport.

If operating tbot as a background service, restart it. If running tbot in one-shot mode, it must be executed before you attempt to use the credentials.

Step 3/3. Connect to your web application with the Machine ID identity

Once tbot has been run, credentials will be output to the directory specified in the destination. Using the example of /opt/machine-id:

  • /opt/machine-id/tlscert: the client TLS certificate
  • /opt/machine-id/key: the TLS certificate's private key

You may use these credentials with any client application that supports them.

The Teleport Proxy makes apps available via subdomains of its public web address. Given the debug application named dumper and a Teleport Proxy at https://example.teleport.sh:443, the app may be accessed at https://dumper.example.teleport.sh:443.

For example, to access the application using curl:

curl \ --cert /opt/machine-id/tlscert \ --key /opt/machine-id/key \ https://dumper.example.teleport.sh/

No CA certificate needs to be specified so long as your Teleport Proxy is configured with a valid wildcard CA from Let's Encrypt or another public certificate authority.

Note that if the certificates are invalid or otherwise misconfigured, clients will be redirected to the Teleport login page when attempting to access the app.

Authenticated tunnel

For cases where the client you wish to use to connect to the application does not support client certificates, it is possible to open an authenticated tunnel. This will listen on a local port and automatically attach the credentials, meaning that the client itself does not need to support them.

To open an authenticated tunnel to the dumper application on port 1234, run:

tbot proxy --destination-dir=/opt/machine-id --proxy=example.teleport.sh:443 app --port=1234 dumper

Whilst this command is running, you can connect to the app at http://localhost:1234:

curl http://localhost:1234/

The tunnel listens only on the loopback interface, meaning that this port cannot be used from other hosts. Care should still be taken though, as any process running on that host will be able to connect to the application without authentication through this port.

Troubleshooting

Client application requires certificates with standard extensions

If your automated service requires TLS certificates with a specific file extension, you may also enable the specific_tls_naming option for the output:

outputs:
- type: application
  destination:
    type: directory
    path: /opt/machine-id
  app_name: grafana-example
  specific_tls_naming: true

This will generate tls.crt and tls.key inside /opt/machine-id with identical content to the certificate files listed above.

Clients are redirected to the Teleport login page

As with human users, scripted clients will be redirected to the Teleport login page when attempting to access an app through the Teleport Proxy Service without valid credentials.

Ensure the bot's certificates have not expired and that the client application has been configured to use both the client certificate and key.

Next steps

  • Review the Access Controls Reference to learn about restricting which Applications and other Teleport resources your bot may access.
  • Configure JWTs for your Application to remove the need for additional login credentials.
  • Read the configuration reference to explore all the available configuration options.