Sign In

Sign in to Teleport

Teleport Cloud LoginLogin to your Teleport AccountDashboard LoginLegacy Login & Teleport Enterprise Downloads
Get Started
Fork me on GitHub

Teleport

Sync EC2 Tags and Teleport Node Labels

Version 13.x
Improve

When running on an AWS EC2 instance, Teleport will automatically detect and import EC2 tags as Teleport labels for SSH nodes, Applications, Databases, and Kubernetes clusters. Labels created this way will have the aws/ prefix. When the Teleport process starts, it fetches all tags from the instance metadata service and adds them as labels. The process will update the tags every hour, so newly created or deleted tags will be reflected in the labels.

If the tag TeleportHostname (case-sensitive) is present, its value will override the node's hostname.

$ tsh ls
Node Name            Address        Labels                                                                                                                  
-------------------- -------------- ----------------------------------------------------------------------------------------------------------------------- 
fakehost.example.com 127.0.0.1:3022 env=example,hostname=ip-172-31-53-70,aws/Name=atburke-dev,aws/TagKey=TagValue,aws/TeleportHostname=fakehost.example.com

For services that manage multiple resources (such as the Database Service), each resource will receive the same labels from EC2.

Prerequisites

  • A running Teleport cluster. For details on how to set this up, see one of our Getting Started guides.

  • The tctl admin tool and tsh client tool version >= 13.0.3.

    tctl version
    Teleport v13.0.3 go1.20
    tsh version
    Teleport v13.0.3 go1.20

    See Installation for details.

  • A running Teleport Enterprise cluster. For details on how to set this up, see our Enterprise Getting Started guide.

  • The Enterprise tctl admin tool and tsh client tool version >= 13.0.3, which you can download by visiting your Teleport account.

    tctl version
    Teleport Enterprise v13.0.3 go1.20
    tsh version
    Teleport v13.0.3 go1.20
Cloud is not available for Teleport v.
Please use the latest version of Teleport Enterprise documentation.
  • One Teleport Node running on an Amazon EC2 instance. See Adding Nodes for how to set up a Teleport Node.

Enable tags in instance metadata

To allow Teleport to import EC2 tags, tags must be enabled in the instance metadata. This can be done via the AWS console or the AWS CLI. See the AWS documentation for more details.

Note

Only instances that are running on the Nitro system will update their tags while running. All other instance types must be restarted to update tags.

AWS EC2 Console

To launch a new instance with instance metadata tags enabled:

  1. Open Advanced Options at the bottom of the page.
  2. Ensure that Metadata accessible is not disabled.
  3. Enable Allow tags in metadata.
Advanced Options
Advanced Options

To modify an existing instance to enable instance metadata tags:

  1. From the instance summary, go to Actions > Instance Settings > Allow tags in instance metadata.
  2. Enable Allow.
Instance Settings
Instance Settings
 Allow Tags
Allow Tags

AWS CLI

To modify the instance at launch:

aws ec2 run-instances \    --image-id <image-id> \    --instance-type <instance-type> \    --metadata-options "InstanceMetadataTags=enabled"
    ...

To modify a running instance:

aws ec2 modify-instance-metadata-options \    --instance-id i-123456789example \    --instance-metadata-tags enabled
Have a suggestion or can’t find something?
IMPROVE THE DOCS