
Machine ID CLI Reference

tbot start

Starts the Machine ID client tbot, fetching and writing certificates to disk at a set interval.

```shell
tbot start \
  --data-dir=/var/lib/teleport/bot \
  --destination-dir=/opt/machine-id \
  --token=00000000000000000000000000000000 \
  --join-method=token \
  --ca-pin=sha256:1111111111111111111111111111111111111111111111111111111111111111 \
  --auth-server=auth.example.com:3025
```

| Flag | Description |
|---|---|
| -d/--debug | Enable verbose logging to stderr. |
| -c/--config | Path to a configuration file. Defaults to /etc/tbot.yaml if unspecified. |
| -a/--auth-server | Address of the Teleport Auth Server (on-prem installs) or Teleport Cloud tenant. |
| --token | A bot join token, if attempting to onboard a new bot; used on first connect. |
| --ca-pin | CA pin to validate the Teleport Auth Server; used on first connect. |
| --data-dir | Directory to store internal bot data. Access to this directory should be limited. |
| --destination-dir | Directory to write short-lived machine certificates to. |
| --certificate-ttl | TTL of short-lived machine certificates. |
| --renewal-interval | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
| --join-method | Method to use to join the cluster. Can be token or iam. |
| --oneshot | If set, quit after the first renewal. |

tbot init

If you want to write certificates to disk as a different user than the Machine ID client, you can use tbot init to configure either file permissions or POSIX ACLs on the destination directory. This lets you lock down access to Machine ID's short-lived certificates so that other users or applications on the system cannot read them.

| Flag | Description |
|---|---|
| -d/--debug | Enable verbose logging to stderr. |
| -c/--config | Path to a configuration file. Defaults to /etc/tbot.yaml if unspecified. |
| --destination-dir | Directory to write short-lived machine certificates to. |
| --owner | Defines the Linux user:group owner of --destination-dir. Defaults to the Linux user running tbot if unspecified. |
| --bot-user | Enables POSIX ACLs and defines the Linux user that can read/write short-lived certificates in --destination-dir. |
| --reader-user | Enables POSIX ACLs and defines the Linux user that will read short-lived certificates from --destination-dir. |
| --init-dir | If using a config file and multiple destinations are configured, controls which destination dir to configure. |
| --clean | If set, remove unexpected files and directories from the destination. |

tbot init with file permissions

If running tbot as the Linux user root, use the following invocation of tbot init to initialize the short-lived certificate directory /opt/machine-id with owner jenkins:jenkins.

```shell
tbot init \
  --destination-dir=/opt/machine-id \
  --owner=jenkins:jenkins
```

tbot init with POSIX ACLs

If running tbot as the Linux user teleport, use the following invocation of tbot init to initialize the short-lived certificate directory /opt/machine-id with owner teleport:teleport but allow jenkins to read from /opt/machine-id.

```shell
tbot init \
  --destination-dir=/opt/machine-id \
  --bot-user=teleport \
  --reader-user=jenkins
```
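As an added example (not part of the Teleport docs or tbot itself), a small shell check that audits a getfacl listing of the destination directory against the bot user and reader user from the ACL invocation above, flagging any other principal with access; the two listings and the user names are constructed for illustration.

```shell
# Constructed sample of a getfacl listing for /opt/machine-id (illustrative):
GOOD_ACL='# file: opt/machine-id
# owner: teleport
# group: teleport
user::rwx
user:jenkins:r-x
group::---
mask::r-x
other::---'

# Same directory, but with a stray user entry, a writable reader and world-readable bits.
BAD_ACL='# file: opt/machine-id
# owner: teleport
# group: teleport
user::rwx
user:jenkins:rwx
user:www-data:r-x
group::---
mask::rwx
other::r-x'

# check_acl BOT_USER READER_USER  (reads a getfacl listing on stdin)
# Returns 0 only if: the owner is BOT_USER, the only named user is READER_USER
# with no write bit, and neither the owning group nor "other" has any access.
# Every violation is reported on stdout.
check_acl() {
  bot="$1"; reader="$2"; rc=0
  while IFS= read -r line; do
    line="${line#default:}"          # treat default (inherited) entries like normal ones
    entry="${line%%[[:space:]]*}"    # drop a trailing "#effective:..." annotation
    case "$line" in
      "# owner: $bot") ;;
      "# owner: "*) echo "owner is not $bot: $line"; rc=1 ;;
      '#'*|'') ;;
      *) case "$entry" in
           user::*|"user:$bot:"*|mask::*) ;;
           "user:$reader:"*w*) echo "reader $reader can write: $entry"; rc=1 ;;
           "user:$reader:"*) ;;
           user:*) echo "unexpected user entry: $entry"; rc=1 ;;
           group::---|other::---) ;;
           group:*|other:*) echo "group/other access granted: $entry"; rc=1 ;;
         esac ;;
    esac
  done
  return "$rc"
}

printf '%s\n' "$GOOD_ACL" | check_acl teleport jenkins && echo "good ACL: OK"
printf '%s\n' "$BAD_ACL"  | check_acl teleport jenkins || echo "bad ACL: see findings above"
```

On a real host, pipe `getfacl /opt/machine-id` into check_acl instead of the constructed samples.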