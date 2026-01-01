Version: 18.x

This page describes the supported values of the teleport_scoped_token resource of the Teleport Terraform provider. A scoped token lives at one scope and can only provision resources into that scope or a scope beneath it, and scoped tokens currently support only the token join method.

```hcl
# An unlimited-use token that lives at /prod and provisions nodes into /prod/us-east.
resource "teleport_scoped_token" "example" {
  version = "v1"
  metadata = {
    name        = "example-node-token"
    description = "Token for provisioning nodes in the /prod/us-east scope"
    labels = {
      env = "production22"
    }
  }
  scope = "/prod"
  spec = {
    assigned_scope = "/prod/us-east"
    roles          = ["Node"]
    join_method    = "token"
    usage_mode     = "unlimited"
  }
}

# A single-use token with an explicit expiry; it is consumed by the first successful join.
resource "teleport_scoped_token" "single_use" {
  version = "v1"
  metadata = {
    name    = "example-single-use-token"
    expires = "2026-12-31T00:00:00Z"
  }
  scope = "/staging"
  spec = {
    assigned_scope = "/staging/eu-west"
    roles          = ["Node"]
    join_method    = "token"
    usage_mode     = "single_use"
  }
}
```

metadata (Attributes) Metadata contains the resource metadata. (see below for nested schema)

scope (String) Scope is the scope at which the token resource itself lives, for example "/prod" in the usage example above. The spec assigned_scope must be this scope or one of its descendants.

spec (Attributes) Spec is the token specification. (see below for nested schema)

version (String) Version is the resource version.

sub_kind (String) SubKind is the resource sub-kind.

Required:

name (String) name is an object name.

Optional:

description (String) description is object description.

expires (String) expires is a global expiry time header that can be set on any resource in the system, given as an RFC 3339 timestamp (the usage example uses "2026-12-31T00:00:00Z"). After this time the token can no longer be used to join.

labels (Map of String) labels is a set of labels.

Required:

assigned_scope (String) The scope to which this token is assigned, i.e. the scope that resources joining with it are placed in. Must be equal to, or a descendant of, the token's own scope: "/prod/us-east" is valid for a token whose scope is "/prod", while "/production" or "/" is not.

join_method (String) The join method required in order to use this token. Scoped tokens currently support only "token".

roles (List of String) The list of roles associated with the token (for example "Node"). They are converted to metadata in the SSH and X.509 certificates issued to the user of the token, so grant only the roles the joining resource needs.

usage_mode (String) The usage mode of the token: "single_use" or "unlimited". A single-use token can provision exactly one resource and is consumed by that join. An unlimited token can provision any number of resources until it expires, so pair it with a metadata expires value; a token with no expiry stays usable until it is deleted.
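The constraints above (assigned_scope at or below scope, join_method "token", the two usage modes, a non-empty roles list) are easy to get wrong in a Terraform plan and are only reported at apply time. The following Go program is an added example, not code from Teleport or its Terraform provider; it checks token definitions against those constraints before apply. Its type and function names (ScopedToken, ValidateScopedToken, isEqualOrDescendant) are its own, it assumes scopes are "/"-separated paths compared segment by segment, and the two expiry findings are this example's own policy, since the provider does not require metadata.expires.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// ScopedTokenSpec mirrors the documented required fields of the spec block.
type ScopedTokenSpec struct {
	AssignedScope string
	JoinMethod    string
	Roles         []string
	UsageMode     string
}

// ScopedToken carries the parts of the resource the checks below read.
type ScopedToken struct {
	Name    string
	Expires string // metadata.expires as RFC 3339, "" when unset
	Scope   string
	Spec    ScopedTokenSpec
}

// scopeSegments splits "/prod/us-east" into ["prod", "us-east"]; "/" is the root.
// Assumption of this example: scopes are "/"-separated paths anchored at the root.
func scopeSegments(scope string) ([]string, error) {
	if !strings.HasPrefix(scope, "/") {
		return nil, fmt.Errorf("scope %q must start with \"/\"", scope)
	}
	trimmed := strings.Trim(scope, "/")
	if trimmed == "" {
		return []string{}, nil
	}
	parts := strings.Split(trimmed, "/")
	for _, p := range parts {
		if p == "" {
			return nil, fmt.Errorf("scope %q contains an empty segment", scope)
		}
	}
	return parts, nil
}

// isEqualOrDescendant reports whether child is parent itself or lies beneath it.
// Whole segments are compared, so "/prod" does not cover "/production".
func isEqualOrDescendant(parent, child string) (bool, error) {
	p, err := scopeSegments(parent)
	if err != nil {
		return false, err
	}
	c, err := scopeSegments(child)
	if err != nil {
		return false, err
	}
	if len(c) < len(p) {
		return false, nil
	}
	for i := range p {
		if p[i] != c[i] {
			return false, nil
		}
	}
	return true, nil
}

// ValidateScopedToken returns one finding per violated constraint; an empty result
// means the token passes. The expiry findings are this example's own policy.
func ValidateScopedToken(t ScopedToken, now time.Time) []string {
	var findings []string
	if ok, err := isEqualOrDescendant(t.Scope, t.Spec.AssignedScope); err != nil {
		findings = append(findings, err.Error())
	} else if !ok {
		findings = append(findings, fmt.Sprintf("assigned_scope %q is neither %q nor a descendant of it", t.Spec.AssignedScope, t.Scope))
	}
	if t.Spec.JoinMethod != "token" {
		findings = append(findings, fmt.Sprintf("join_method %q is not supported for scoped tokens; use \"token\"", t.Spec.JoinMethod))
	}
	if m := t.Spec.UsageMode; m != "single_use" && m != "unlimited" {
		findings = append(findings, fmt.Sprintf("usage_mode %q must be \"single_use\" or \"unlimited\"", m))
	}
	if len(t.Spec.Roles) == 0 {
		findings = append(findings, "roles must list at least one role")
	}
	if t.Expires == "" {
		if t.Spec.UsageMode == "unlimited" {
			findings = append(findings, "unlimited token has no expires; it stays usable until deleted")
		}
	} else if exp, err := time.Parse(time.RFC3339, t.Expires); err != nil {
		findings = append(findings, fmt.Sprintf("expires %q is not RFC 3339: %v", t.Expires, err))
	} else if !exp.After(now) {
		findings = append(findings, fmt.Sprintf("expires %s is already in the past", t.Expires))
	}
	return findings
}

func main() {
	// Constructed input: the single-use token from the usage example above.
	tok := ScopedToken{Name: "example-single-use-token", Expires: "2026-12-31T00:00:00Z", Scope: "/staging",
		Spec: ScopedTokenSpec{AssignedScope: "/staging/eu-west", JoinMethod: "token", Roles: []string{"Node"}, UsageMode: "single_use"}}
	fmt.Println("findings:", ValidateScopedToken(tok, time.Now()))
}
```

Run it against the tokens in a plan (for example by feeding `terraform show -json` output into ScopedToken values) and fail the pipeline on any finding. The segment-wise comparison matters: a plain string prefix test would accept "/production/us-east" for a token scoped to "/prod".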

AWS join method settings

Optional:

allow (Attributes List) A list of rules for allowing use of this token. A node must match at least one allow rule in order to use this token. (see below for nested schema)

iid_ttl (String) The TTL to use for AWS EC2 Instance Identity Documents used to join the cluster with this token. This should be a duration string such as "8h" or "6mo".

integration (String) Integration name which provides credentials for validating join attempts. Currently only in use for validating the AWS Organization ID in the IAM join method.

AWS allow rule

Optional:

aws_account (String) The AWS account ID.

aws_arn (String) The ARN of the joining identity for use with the IAM join method. Supports wildcards "*" and "?".

aws_organization_id (String) The organization ID that the joining AWS identity must belong to when using the IAM join method.

aws_regions (List of String) List of AWS regions a node is allowed to join from when using the EC2 join method.

aws_role (String) The ARN of the role the Auth Service will assume in order to call the EC2 API when using the EC2 join method.
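Every allow list on this page follows the same model: a joining node must satisfy all populated fields of one rule, and it is admitted if any rule matches. As noted under join_method, scoped tokens currently accept only the token join method, so these AWS fields describe the rule model rather than a path a scoped token exercises today. The following Go program is an added example and not Teleport's implementation; the rule and attempt types, the account IDs and ARNs are constructed, and two details are this example's assumptions: an empty field places no constraint, and "*" in aws_arn matches any run of characters including "/" and ":" while "?" matches exactly one.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// AWSAllowRule mirrors the documented fields of one AWS allow rule. An empty
// field places no constraint; that reading is this example's assumption.
type AWSAllowRule struct {
	Account        string   // aws_account
	ARN            string   // aws_arn pattern with "*" and "?" wildcards
	OrganizationID string   // aws_organization_id
	Regions        []string // aws_regions
}

// JoinAttempt is the identity a joining node presents (constructed for this example).
type JoinAttempt struct {
	Account, ARN, OrganizationID, Region string
}

// globToRegexp turns the wildcard syntax into an anchored regexp. Assumption:
// "*" matches any run of characters (including "/" and ":"), "?" exactly one.
func globToRegexp(pattern string) (*regexp.Regexp, error) {
	var sb strings.Builder
	sb.WriteString("^")
	for _, r := range pattern {
		switch r {
		case '*':
			sb.WriteString(".*")
		case '?':
			sb.WriteString(".")
		default:
			sb.WriteString(regexp.QuoteMeta(string(r)))
		}
	}
	sb.WriteString("$")
	return regexp.Compile(sb.String())
}

// ruleMatches applies every populated field of one rule; all must hold (AND).
func ruleMatches(rule AWSAllowRule, a JoinAttempt) (bool, error) {
	if rule.Account == "" && rule.ARN == "" && rule.OrganizationID == "" && len(rule.Regions) == 0 {
		return false, errors.New("rule constrains nothing and would admit any identity")
	}
	if rule.Account != "" && rule.Account != a.Account {
		return false, nil
	}
	if rule.OrganizationID != "" && rule.OrganizationID != a.OrganizationID {
		return false, nil
	}
	if rule.ARN != "" {
		re, err := globToRegexp(rule.ARN)
		if err != nil {
			return false, err
		}
		if !re.MatchString(a.ARN) {
			return false, nil
		}
	}
	if len(rule.Regions) > 0 {
		inRegion := false
		for _, r := range rule.Regions {
			if r == a.Region {
				inRegion = true
			}
		}
		if !inRegion {
			return false, nil
		}
	}
	return true, nil
}

// Allowed admits the attempt when at least one rule matches (OR across rules).
// A token with no rules admits nobody.
func Allowed(rules []AWSAllowRule, a JoinAttempt) (bool, error) {
	for i, rule := range rules {
		ok, err := ruleMatches(rule, a)
		if err != nil {
			return false, fmt.Errorf("allow rule %d: %w", i, err)
		}
		if ok {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample data; the account ID and ARNs are placeholders.
	rules := []AWSAllowRule{{Account: "111111111111",
		ARN: "arn:aws:sts::111111111111:assumed-role/NodeRole/*", Regions: []string{"us-east-1", "us-east-2"}}}
	attempt := JoinAttempt{Account: "111111111111", Region: "us-east-1",
		ARN: "arn:aws:sts::111111111111:assumed-role/NodeRole/i-0abc123"}
	ok, err := Allowed(rules, attempt)
	fmt.Println("allowed:", ok, "err:", err)
}
```

The wildcard placement is the point to review: a pattern ending in "/NodeRole/*" admits any session of that one role, whereas "assumed-role/*" admits every role in the account. Keep the role name literal and use "*" only for the session part, and pair aws_arn with aws_account so a wildcard never spans accounts.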

Azure join method settings

Optional:

allow (Attributes List) A list of rules for allowing use of this token. A node must match at least one allow rule in order to use this token. (see below for nested schema)

Azure allow rule

Optional:

resource_groups (List of String) A list of Azure resource groups the node is allowed to join from.

subscription (String) The Azure subscription.

Azure DevOps join method settings

Optional:

allow (Attributes List) A list of rules for allowing use of this token. A node must match at least one allow rule in order to use this token. (see below for nested schema)

organization_id (String) The UUID of the Azure DevOps organization that this join token will grant access to. This is used to identify the correct issuer for verification of the ID token. This is a required field.

Azure DevOps allow rule

Optional:

definition_id (String) The ID of the AZDO pipeline definition. Example: 1. Mapped from the def_id claim.

pipeline_name (String) The name of the AZDO pipeline. Example: my-pipeline. Mapped out of the sub claim.

project_id (String) The ID of the AZDO project. Example: 271ef6f7-0000-0000-0000-4b54d9129990. Mapped from the prj_id claim.

project_name (String) The name of the AZDO project. Example: my-project. Mapped out of the sub claim.

repository_ref (String) The reference of the repository the pipeline is using. Example: refs/heads/main. Mapped from the rpo_ref claim.

repository_uri (String) The URI of the repository the pipeline is using. Example: https://github.com/gravitational/teleport.git. Mapped from the rpo_uri claim.

repository_version (String) The individual commit of the repository the pipeline is using. Example: e6b9eb29a288b27a3a82cc19c48b9d94b80aff36. Mapped from the rpo_ver claim.

sub (String) The subject string that roughly uniquely identifies the workload. Example: p://my-organization/my-project/my-pipeline. Mapped from the sub claim.

GCP join method settings

Optional:

allow (Attributes List) A list of rules for allowing use of this token. A node must match at least one allow rule in order to use this token. (see below for nested schema)

GCP allow rule

Optional:

locations (List of String) A list of regions (e.g. "us-west1") and/or zones (e.g. "us-west1-b").

project_ids (List of String) A list of project IDs (e.g. <example-id-123456>).

service_accounts (List of String) A list of service account emails (e.g. the default Compute Engine service account, <project-number>-compute@developer.gserviceaccount.com).

Optional:

ssh (Map of String) Labels that should be applied to SSH nodes.

Oracle Cloud join method settings

Optional:

allow (Attributes List) A list of rules for allowing use of this token. A node must match at least one allow rule in order to use this token. (see below for nested schema)

Oracle Cloud allow rule

Optional:

instances (List of String) A list of the OCIDs of specific instances that are allowed to join. If empty, any instance matching the other fields in the rule is allowed. Limited to 100 instance OCIDs per rule.

parent_compartments (List of String) A list of the OCIDs of compartments an instance is allowed to join from. Only direct parents are allowed, i.e. no nested compartments. If empty, any compartment is allowed.

regions (List of String) A list of regions an instance is allowed to join from. Both full region names ("us-phoenix-1") and abbreviations ("phx") are allowed. If empty, any region is allowed.

tenancy (String) The OCID of the instance's tenancy. Required.