Reference for the teleport_scoped_token Terraform resource
Report an Issue
Is this page helpful?
This page describes the supported values of the teleport_scoped_token resource of the Teleport Terraform provider.
Example Usage
# Teleport Scoped Token resource
# A scoped token with unlimited usage for provisioning nodes within a sub-scope.
resource "teleport_scoped_token" "example" {
version = "v1"
metadata = {
name = "example-node-token"
description = "Token for provisioning nodes in the /prod/us-east scope"
labels = {
env = "production22"
}
}
scope = "/prod"
spec = {
assigned_scope = "/prod/us-east"
roles = ["Node"]
join_method = "token"
usage_mode = "unlimited"
}
}
# A single-use scoped token that can only provision one resource.
resource "teleport_scoped_token" "single_use" {
version = "v1"
metadata = {
name = "example-single-use-token"
expires = "2026-12-31T00:00:00Z"
}
scope = "/staging"
spec = {
assigned_scope = "/staging/eu-west"
roles = ["Node"]
join_method = "token"
usage_mode = "single_use"
}
}
Schema
Required
metadata(Attributes) Metadata contains the resource metadata. (see below for nested schema)scope(String) Scope is the scope of the token resource.spec(Attributes) Spec is the token specification. (see below for nested schema)version(String) Version is the resource version.
Optional
sub_kind(String) SubKind is the resource sub-kind.
Nested Schema for metadata
Required:
name(String) name is an object name.
Optional:
description(String) description is object description.expires(String) expires is a global expiry time header can be set on any resource in the system.labels(Map of String) labels is a set of labels.
Nested Schema for spec
Required:
assigned_scope(String) The scope to which this token is assigned. Must be equivalent or descendent to the scope of the token itself.join_method(String) The joining method required in order to use this token. Supported joining methods for scoped tokens only include 'token'.roles(List of String) The list of roles associated with the token. They will be converted to metadata in the SSH and X509 certificates issued to the user of the token.usage_mode(String) The usage mode of the token. Can be "single_use" or "unlimited". Single use tokens can only be used to provision a single resource. Unlimited tokens can be be used to provision any number of resources until it expires.
Optional:
aws(Attributes) The AWS-specific configuration used with the "ec2" and "iam" join methods. (see below for nested schema)azure(Attributes) The Azure-specific configuration used with the "azure" join method. (see below for nested schema)azure_devops(Attributes) The Azure Devops-specific configuration used with the "azure_devops" join method. (see below for nested schema)gcp(Attributes) The GCP-specific configuration used with the "gcp" join method. (see below for nested schema)immutable_labels(Attributes) Immutable labels that should be applied to any resulting resources provisioned using this token. (see below for nested schema)oracle(Attributes) The Oracle-specific configuration used with the "oracle" join method. (see below for nested schema)
Nested Schema for spec.aws
Optional:
allow(Attributes List) A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token. (see below for nested schema)iid_ttl(String) The TTL to use for AWS EC2 Instance Identity Documents used to join the cluster with this token. This should be a duration string such as "8h" or "6mo".integration(String) Integration name which provides credentials for validating join attempts. Currently only in use for validating the AWS Organization ID in the IAM Join method.
Nested Schema for spec.aws.allow
Optional:
aws_account(String) The AWS account ID.aws_arn(String) The ARN of the joining identity for use with the IAM join method. Supports wildcards "*" and "?".aws_organization_id(String) The organization ID that the joining AWS identity must belong to when using the IAM join method.aws_regions(List of String) List of AWS regions a node is allowed to join from when using the EC2 join method.aws_role(String) The ARN of the role the Auth Service will assume in order to call the EC2 API when using the EC2 join method.
Nested Schema for spec.azure
Optional:
allow(Attributes List) A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token. (see below for nested schema)
Nested Schema for spec.azure.allow
Optional:
resource_groups(List of String) A list of Azure resource groups the node is allowed to join from.subscription(String) The Azure subscription.
Nested Schema for spec.azure_devops
Optional:
allow(Attributes List) A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token. (see below for nested schema)organization_id(String) The UUID of the Azure DevOps organization that this join token will grant access to. This is used to identify the correct issuer verification of the ID token. This is a required field.
Nested Schema for spec.azure_devops.allow
Optional:
definition_id(String) The ID of the AZDO pipeline definition. Example:1Mapped from thedef_idclaim.pipeline_name(String) The name of the AZDO pipeline. Example:my-pipeline. Mapped out of thesubclaim.project_id(String) The ID of the AZDO pipeline. Example:271ef6f7-0000-0000-0000-4b54d9129990Mapped from theprj_idclaim.project_name(String) The name of the AZDO project. Example:my-project. Mapped out of thesubclaim.repository_ref(String) The reference of the repository the pipeline is using. Example:refs/heads/main. Mapped from therpo_refclaim.repository_uri(String) The URI of the repository the pipeline is using. Example:https://github.com/gravitational/teleport.git. Mapped from therpo_uriclaim.repository_version(String) The individual commit of the repository the pipeline is using. Example:e6b9eb29a288b27a3a82cc19c48b9d94b80aff36. Mapped from therpo_verclaim.sub(String) The subject string that roughly uniquely identifies the workload. Example:p://my-organization/my-project/my-pipelineMapped from thesubclaim.
Nested Schema for spec.gcp
Optional:
allow(Attributes List) A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token. (see below for nested schema)
Nested Schema for spec.gcp.allow
Optional:
locations(List of String) A list of regions (e.g. "us-west1") and/or zones (e.g. "us-west1-b").project_ids(List of String) A list of project IDs (e.g.<example-id-123456>).service_accounts(List of String) A list of service account emails (e.g.<project-number>[email protected]).
Nested Schema for spec.immutable_labels
Optional:
ssh(Map of String) Labels that should be applied to SSH nodes.
Nested Schema for spec.oracle
Optional:
allow(Attributes List) A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token. (see below for nested schema)
Nested Schema for spec.oracle.allow
Optional:
instances(List of String) A list of the OCIDs of specific instances that are allowed to join. If empty, any instance matching the other fields in the rule is allowed. Limited to 100 instance OCIDs per rule.parent_compartments(List of String) A list of the OCIDs of compartments an instance is allowed to join from. Only direct parents are allowed, i.e. no nested compartments. If empty, any compartment is allowed.regions(List of String) A list of regions an instance is allowed to join from. Both full region names ("us-phoenix-1") and abbreviations ("phx") are allowed. If empty, any region is allowed.tenancy(String) The OCID of the instance's tenancy. Required.
Was this page helpful?