Fork me on GitHub
Teleport

Machine ID Configuration Reference

Improve

The following snippet shows full YAML configuration of the Machine ID client tbot which by default is loaded from /etc/tbot.yaml.

# Debug enables verbose logging to stderr.
debug: true

# Address of the Teleport Auth Server (on-prem installs) or Teleport Cloud tenant.
auth_server: "auth.example.com:3025" # or "example.teleport.sh:443" for Teleport Cloud

# TTL of short-lived machine certificates.
certificate_ttl: "5m"

# Interval at which short-lived certificates are renewed; must be less than
# the certificate TTL.
renewal_interval: "1m"

# If set, quit after the first renewal.
oneshot: true

# Onboarding values are only used on first connect.
onboarding:
    # Cluster join method. Can be "token" or "iam".
    join_method: "token"

    # Token used to join the cluster. (only required for join_method: token)
    token: "00000000000000000000000000000000"

    # CA Path used to validate the identity of the Teleport Auth Server on first connect.
    ca_path: "/path/to/ca.pem"

    # CA Pins used to validate the identity of the Teleport Auth Server on first connect.
    ca_pins:
    - "sha256:1111111111111111111111111111111111111111111111111111111111111111"
    - "sha256:2222222222222222222222222222222222222222222222222222222222222222"

# Storage defines where Machine ID internal data is stored.
storage:
    # Directory to store internal bot data. Access to this directory should be
    # limited.
    directory: /var/lib/teleport/bot
    
    # Alternatively, internal data can be stored in memory. "directory" and
    # "memory" are mutually exclusive.
    memory: true

# Destinations specifies where short-lived certificates are stored.
destinations:
    # Directory specifies where short-lived certificates are stored.
    - directory: /opt/machine-id
        # Configure symlink attack prevention. Requires Linux 5.6+.
        # Possible values:
        #   * try-secure (default): Attempt to securely read and write certificates
        #     without symlinks, but fall back (with a warning) to insecure read
        #     and write if the host doesn't support this.
        #   * secure: Attempt to securely read and write certificates, with a hard error
        #     if unsupported.
        #   * insecure: Quietly allow symlinks in paths.
        symlinks: try-secure
        
        # Configure ACL use. Requires Linux with a file system that supports ACLs.
        # Possible values:
        #   * try (default on Linux): Attempt to use ACLs, warn at runtime if ACLs
        #     are configured but invalid.
        #   * off (default on non-Linux): Do not attempt to use ACLs.
        #   * required: Always use ACLs, produce a hard error at runtime if ACLs
        #     are invalid.
        acls: try
        
        # One of more roles to grant to the bot. It must have been granted (at
        # least) these roles with `tctl bots add --roles=...`
        # By default, all possible roles are included.
        
        # Subset of roles allowed during creation via `tctl bots add --roles=...`. Can
        # be used to write short-lived certificates with different roles to
        # different directories.
        roles: [a, b, c]
        
        # Which types of certificates to generate. `[ssh]` is the default.
        kinds: [ssh, tls]
        
        # A list of configuration templates to generate and write to the
        # destination directory.
        configs:
            # ssh_client generates known_hosts and an ssh_config that can be
            # included. We can ensure the correct certificate kinds are generated
            # while generating the config templates.
            - ssh_client
            
            # Alternatively, proxy port can be set on ssh_client to override the
            # defaults. Useful for Telport Cloud.
            - ssh_client:
                proxy_port: 443
0