Machine ID Configuration Reference

This reference documents the various options that can be configured in the tbot configuration file. This configuration file offers more control than configuring tbot using CLI parameters alone.

To run tbot with a configuration file, specify the path with the -c flag:

tbot start -c ./tbot.yaml

In this reference, the term artifact refers an item that tbot writes to a destination as part of the process of generating an output. Examples of artifacts include configuration files, certificates, and cryptographic key material. Usually, artifacts are files, but this term is explicitly avoided because a destination isn't required to be a filesystem.

From Teleport 14, tbot supports the v2 configuration version.

version: v2 debug: true auth_server: "teleport.example.com:3025" proxy_server: "teleport.example.com:443" credential_ttl: "1h" renewal_interval: "20m" oneshot: false onboarding: token: "00000000000000000000000000000000" join_method: "token" ca_pins: - "sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678" - "sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678" ca_path: "/path/to/ca.pem" storage: type: directory path: /var/lib/teleport/bot outputs: - type: identity destination: type: directory path: /opt/machine-id services: - type: example

If no configuration file is provided, a simple configuration is used based on the provided CLI flags. Given the following sample CLI from tctl bots add ... :

tbot start \ --destination-dir=./tbot-user \ --token=00000000000000000000000000000000 \ --ca-pin=sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678 \ --proxy-server=example.teleport.sh:443

it uses a configuration equivalent to the following:

proxy_server: example.teleport.sh:443 onboarding: join_method: "token" token: "abcd123-insecure-do-not-use-this" ca_pins: - "sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678" storage: type: directory path: /var/lib/teleport/bot outputs: - type: identity destination: type: directory path: ./tbot-user

Outputs define what actions tbot should take when it runs. They describe the format of the certificates to be generated, the roles used to generate the certificates, and the destination where they should be written.

There are multiple types of output. Select the one that is most appropriate for your intended use-case.

The identity output can be used to authenticate:

SSH access to your Teleport servers, using tsh , openssh and tools like ansible.

, openssh and tools like ansible. Administrative actions against your cluster using tools like tsh or tctl .

or . Management of Teleport resources using the Teleport Terraform provider.

Access to the Teleport API using the Teleport Go SDK.

See the Getting Started guide to see the identity output used in context.

type: identity destination: type: directory path: /opt/machine-id roles: - editor credential_ttl: 30m renewal_interval: 15m

The application output is used to generate credentials that can be used to access applications that have been configured with Teleport.

See the Machine ID with Applications guide to see the application output used in context.

type: application app_name: grafana destination: type: directory path: /opt/machine-id roles: - editor credential_ttl: 30m renewal_interval: 15m

The database output is used to generate credentials that can be used to access databases that have been configured with Teleport.

See the Machine ID with Databases guide to see the database output used in context.

type: database service: my-postgres-server database: my-database username: my-user format: tls destination: type: directory path: /opt/machine-id roles: - editor credential_ttl: 30m renewal_interval: 15m

You can provide the following values to the format configuration field in the database output type:

format Description Unspecified Provides a certificate in tlscert , a private key in key and the CA in teleport-database-ca.crt . This is compatible with most clients and databases. mongo Provides mongo.crt and mongo.cas . This is designed to be used with MongoDB clients. cockroach Provides cockroach/node.key , cockroach/node.crt , and cockroach/ca.crt . This is designed to be used with CockroachDB clients. tls Provides tls.key , tls.crt , and tls.cas . This is for generic clients that require the specific file extensions.

The kubernetes output is used to generate credentials that can be used to access Kubernetes clusters that have been configured with Teleport.

It outputs a kubeconfig.yaml in the output destination, which can be used with kubectl .

See the Machine ID with Kubernetes Clusters guide to see the kubernetes output used in context.

type: kubernetes kubernetes_cluster: my-cluster destination: type: directory path: /opt/machine-id roles: - editor credential_ttl: 30m renewal_interval: 15m

The kubernetes/v2 output type can be used to access many Kubernetes clusters as individual contexts within the same kubeconfig.yaml .

type: kubernetes/v2 selectors: - name: foo - labels: env: dev destination: type: directory path: /opt/machine-id credential_ttl: 30m renewal_interval: 15m

Each Kubernetes cluster matching a selector will result in a new context in the generated kubeconfig.yaml . This can be consumed like so:

kubectl --kubeconfig /opt/machine-id/kubeconfig.yaml --context=example.teleport.sh-foo get pods

The context name is [Teleport cluster name]-[Kubernetes cluster name] , so the command above runs kubectl get pods on the foo cluster.

If clusters are added or removed over time, the kubeconfig.yaml will be updated at the bot's normal renewal interval. You can trigger an early renewal by restarting tbot , or signaling it with pkill -usr1 tbot .

The ssh_host output is used to generate the artifacts required to configure an OpenSSH server with Teleport in order to allow Teleport users to connect to it.

The output generates the following artifacts:

ssh_host-cert.pub : an SSH certificate signed by the Teleport host certificate authority.

: an SSH certificate signed by the Teleport host certificate authority. ssh_host : the private key associated with the SSH host certificate.

: the private key associated with the SSH host certificate. ssh_host-user-ca.pub : an export of the Teleport user certificate authority in an OpenSSH compatible format.

type: ssh_host principals: - host.example.com destination: type: directory path: /opt/machine-id roles: - editor credential_ttl: 30m renewal_interval: 15m

The workload-identity-x509 output is used to issue an X509 workload identity credential and write this to a configured destination.

The output generates the following artifacts:

svid.pem : the X509 SVID.

: the X509 SVID. svid.key : the private key associated with the X509 SVID.

: the private key associated with the X509 SVID. bundle.pem : the X509 bundle that contains the trust domain CAs.

See Workload Identity introduction for more information on Workload Identity functionality.

type: workload-identity-x509 selector: name: foo labels: app: [ foo , bar ] destination: type: directory path: /opt/machine-id roles: - editor credential_ttl: 30m renewal_interval: 15m

The workload-identity-jwt output is used to issue a JWT workload identity credential and write this to a configured destination.

The JWT workload identity credential is compatible with the SPIFFE JWT SVID specification.

The output generates the following artifacts:

jwt_svid : the JWT SVID.

See Workload Identity introduction for more information on Workload Identity functionality.

type: workload-identity-jwt audiences: - example.com - foo.example.com selector: name: foo labels: app: [ foo , bar ] destination: type: directory path: /opt/machine-id roles: - editor credential_ttl: 30m renewal_interval: 15m

warning The use of this service has been deprecated as part of the introduction of the new Workload Identity configuration experience. You can replace the use of this output with the new workload-identity-x509 or workload-identity-jwt service. For further information, see the new Workload Identity configuration experience and how to migrate.

The spiffe-svid output is used to generate a SPIFFE X509 SVID and write this to a configured destination.

The output generates the following artifacts:

svid.pem : the X509 SVID.

: the X509 SVID. svid.key : the private key associated with the X509 SVID.

: the private key associated with the X509 SVID. bundle.pem : the X509 bundle that contains the trust domain CAs.

An artifact will also be generated for each entry within the jwts list. This will be named according to file_name . This artifact will contain only the JWT-SVID with the audience specified in audience .

See Workload Identity for more information on how to use SPIFFE SVIDs.

type: spiffe-svid svid: path: /svc/foo sans: dns: - foo.svc.example.com ip: - 10.0 .0 .1 jwts: - audience: https://example.com file_name: example-jwt destination: type: directory path: /opt/machine-id roles: - editor credential_ttl: 30m renewal_interval: 15m

Services are configurable long-lived components that run within tbot . Unlike Outputs, they may not necessarily generate artifacts. Typically, services provide supporting functionality for machine to machine access, for example, opening tunnels or providing APIs.

The workload-identity-api services opens a listener that provides a local workload identity API, intended to serve workload identity credentials (e.g X509/JWT SPIFFE SVIDs) to workloads running on the same host.

For more information about this, see the Workload Identity API and Workload Attestation reference

warning The use of this service has been deprecated as part of the introduction of the new Workload Identity configuration experience. You can replace the use of this service with the new workload-identity-api service. For further information, see the new Workload Identity configuration experience and how to migrate.

The spiffe-workload-api service opens a listener for a service that implements the SPIFFE Workload API. This service is used to provide SPIFFE SVIDs to workloads.

See Workload Identity for more information on the SPIFFE Workload API.

type: spiffe-workload-api listen: unix:///opt/machine-id/workload.sock attestors: kubernetes: enabled: true kubelet: read_only_port: 10255 secure_port: 10250 token_path: "/var/run/secrets/kubernetes.io/serviceaccount/token" ca_path: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" skip_verify: true anonymous: false svids: - path: /svc/foo hint: my-hint sans: dns: - foo.svc.example.com ip: - 10.0 .0 .1 rules: - unix: uid: 1000 pid: 1234 gid: 50

The spiffe-workload-api service endpoint also implements the Envoy SDS API. This allows it to act as a source of certificates and certificate authorities for the Envoy proxy.

As a forward proxy, Envoy can be used to attach an X.509 SVID to an outgoing connection from a workload that is not SPIFFE-enabled.

As a reverse proxy, Envoy can be used to terminate mTLS connections from SPIFFE-enabled clients. Envoy can validate that the client has presented a valid X.509 SVID and perform enforcement of authorization policies based on the SPIFFE ID contained within the SVID.

When acting as a reverse proxy for certain protocols, Envoy can be configured to attach a header indicating the identity of the client to a request before forwarding it to the service. This can then be used by the service to make authorization decisions based on the client's identity.

When configuring Envoy to use the SDS API exposed by the spiffe-workload-api service, three additional special names can be used to aid configuration:

default : tbot will return the default SVID for the workload.

: will return the default SVID for the workload. ROOTCA : tbot will return the trust bundle for the trust domain that the workload is a member of.

: will return the trust bundle for the trust domain that the workload is a member of. ALL : tbot will return the trust bundle for the trust domain that the workload is a member of, as well as the trust bundles of any trust domain that the trust domain is federated with.

The following is an example Envoy configuration that sources a certificate and trust bundle from the spiffe-workload-api service listening on unix:///opt/machine-id/workload.sock . It requires that a connecting client presents a valid SPIFFE SVID and forwards this information to the backend service in the x-forwarded-client-cert header.

node: id: "my-envoy-proxy" cluster: "my-cluster" static_resources: listeners: - name: test_listener enable_reuse_port: false address: socket_address: address: 0.0 .0 .0 port_value: 8080 filter_chains: - filters: - name: envoy.filters.network.http_connection_manager typed_config: "@type" : type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager common_http_protocol_options: idle_timeout: 1s forward_client_cert_details: sanitize_set set_current_client_cert_details: uri: true stat_prefix: ingress_http route_config: name: local_route virtual_hosts: - name: my_service domains: [ "*" ] routes: - match: prefix: "/" route: cluster: my_service http_filters: - name: envoy.filters.http.router typed_config: "@type" : type.googleapis.com/envoy.extensions.filters.http.router.v3.Router transport_socket: name: envoy.transport_sockets.tls typed_config: "@type" : type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificate_sds_secret_configs: - name: "default" sds_config: resource_api_version: V3 api_config_source: api_type: GRPC transport_api_version: V3 grpc_services: envoy_grpc: cluster_name: tbot_agent combined_validation_context: default_validation_context: match_typed_subject_alt_names: [] validation_context_sds_secret_config: name: "ALL" sds_config: resource_api_version: V3 api_config_source: api_type: GRPC transport_api_version: V3 grpc_services: envoy_grpc: cluster_name: tbot_agent clusters: - name: my_service type: strict_dns load_assignment: cluster_name: my_service endpoints: - lb_endpoints: - endpoint: address: socket_address: address: 127.0 .0 .1 port_value: 8090 - name: tbot_agent http2_protocol_options: {} load_assignment: cluster_name: tbot_agent endpoints: - lb_endpoints: - endpoint: address: pipe: path: /opt/machine-id/workload.sock

The database-tunnel service opens a listener for a service that tunnels connections to a database server.

The tunnel authenticates connections for the client, meaning that any application which can connect to the listener will be able to connect to the database as the specified user. For this reason, we heavily recommend using the Unix socket listener type and configuring the permissions of the socket to ensure that only the intended applications can connect.

type: database-tunnel listen: tcp://127.0.0.1:25432 service: postgres-docker database: postgres username: postgres

The application-tunnel service opens a listener that tunnels connections to an application in Teleport. It supports both HTTP and TCP applications. This is useful for applications which cannot be configured to use client certificates, when using TCP application or where using a L7 load-balancer in front of your Teleport proxies.

The tunnel authenticates connections for the client, meaning that any client that connects to the listener will be able to access the application. For this reason, ensure that the listener is only accessible by the intended clients by using the Unix socket listener or binding to 127.0.0.1 .

type: application-tunnel listen: tcp://127.0.0.1:8084 app_name: my-application

The ssh-multiplexer service opens a listener for a high-performance local SSH multiplexer. This is designed for use-cases which create a large number of SSH connections using Teleport, for example, Ansible.

This differs to using identity output for SSH in a few ways:

The tbot instance running the ssh-multiplexer service must be running on the same host as the SSH client.

instance running the service must be running on the same host as the SSH client. The ssh-multiplexer service is designed to be a long-running background service and cannot be used in one-shot mode. It must be running in order for SSH connections to be established and to continue running.

service is designed to be a long-running background service and cannot be used in one-shot mode. It must be running in order for SSH connections to be established and to continue running. Resource consumption is significantly reduced by multiplexing SSH connections through a fewer number of upstream connections to the Teleport Proxy Service.

Additionally, the ssh-multiplexer opens a socket that implements the SSH agent protocol. This allows the SSH client to authenticate without writing the sensitive private key to disk.

By default, the ssh-multiplexer service outputs an ssh_config which uses tbot itself as the ProxyCommand. You can further reduce the resource consumption of SSH connections by installing and specifying the fdpass-teleport binary.

type: ssh-multiplexer destination: type: directory path: /foo enable_resumption: true proxy_command: - /usr/local/bin/fdpass-teleport proxy_templates_path: /etc/my-proxy-templates.yaml

Once configured, tbot will create the following artifacts in the specified destination:

ssh_config : an SSH configuration file that will configure OpenSSH to use the multiplexer and agent.

: an SSH configuration file that will configure OpenSSH to use the multiplexer and agent. known_hosts : the known hosts file that will be used by OpenSSH to validate a server's identity.

: the known hosts file that will be used by OpenSSH to validate a server's identity. v1.sock : the Unix socket that the multiplexer listens on.

: the Unix socket that the multiplexer listens on. agent.sock : the Unix socket that the SSH agent listens on.

To use the SSH multiplexer programmatically, your SSH client library will need to support one of two things:

The ability to use a ProxyCommand with FDPass. If so, you can use the ssh_config file generated by tbot to configure the SSH client.

file generated by to configure the SSH client. The ability to accept an open socket to use as the connection to the SSH server. You will then need to manually connect to the socket and send the multiplexer request.

The v1.sock Unix Domain Socket implements the V1 Teleport SSH multiplexer protocol. The client must first send a short request message to indicate the desired target host and port, terminated with a null byte. The multiplexer will then begin to forward traffic to the target host and port. The client can then make an SSH connection.

Example in Python (Paramiko)" close import os import paramiko import socket host = "ubuntu.example.teleport.sh" username = "root" port = 3022 directory_destination = "/opt/machine-id" sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) sock.connect(os.path.join(directory_destination, "v1.sock" )) sock.sendall( f" {host} : {port} \x00" .encode( "utf-8" )) os.environ[ "SSH_AUTH_SOCK" ] = os.path.join(directory_destination, "agent.sock" ) ssh_config = paramiko.SSHConfig() with open (os.path.join(directory_destination, "ssh_config" )) as f: ssh_config.parse(f) ssh_client = paramiko.SSHClient() ssh_client.set_missing_host_key_policy(paramiko.WarningPolicy()) ssh_client.connect( hostname=host, port=port, username=username, sock=sock ) stdin, stdout, stderr = ssh_client.exec_command( "hostname" ) print (stdout.read().decode())

Example in Go" close package main import ( "fmt" "net" "path/filepath" "golang.org/x/crypto/ssh" "golang.org/x/crypto/ssh/agent" "golang.org/x/crypto/ssh/knownhosts" ) func main () { host := "ubuntu.example.teleport.sh" username := "root" directoryDestination := "/opt/machine-id" agentConn, err := net.Dial( "unix" , filepath.Join(directoryDestination, "agent.sock" ), ) if err != nil { panic (err) } defer agentConn.Close() agentClient := agent.NewClient(agentConn) hostKeyCallback, err := knownhosts.New( filepath.Join(directoryDestination, "known_hosts" ), ) if err != nil { panic (err) } sshConfig := &ssh.ClientConfig{ Auth: []ssh.AuthMethod{ ssh.PublicKeysCallback(agentClient.Signers), }, User: username, HostKeyCallback: hostKeyCallback, } conn, err := net.Dial( "unix" , filepath.Join(directoryDestination, "v1.sock" ), ) if err != nil { panic (err) } defer conn.Close() _, err = fmt.Fprint(conn, fmt.Sprintf( "%s:0\x00" , host)) if err != nil { panic (err) } sshConn, sshChan, sshReq, err := ssh.NewClientConn( conn, fmt.Sprintf( "%s:22" , host), sshConfig, ) if err != nil { panic (err) } sshClient := ssh.NewClient(sshConn, sshChan, sshReq) defer sshClient.Close() sshSess, err := sshClient.NewSession() if err != nil { panic (err) } defer sshSess.Close() out, err := sshSess.CombinedOutput( "hostname" ) if err != nil { panic (err) } fmt.Println( string (out)) }

A destination is somewhere that tbot can read and write artifacts.

Destinations are used in two places in the tbot configuration:

Specifying where tbot should store its internal state.

should store its internal state. Specifying where an output should write its generated artifacts.

Destinations come in multiple types. Usually, the directory type is the most appropriate.

The directory destination type stores artifacts as files in a specified directory.

type: directory path: /opt/machine-id symlinks: try-secure acls: try readers: - user: teleport - user: 123 - group: teleport - group: 456

The memory destination type stores artifacts in the process memory. When the process exits, nothing is persisted. This destination type is most suitable for ephemeral environments, but can also be used for testing.

Configuration:

type: memory

The kubernetes_secret destination type stores artifacts in a Kubernetes secret. This allows them to be mounted into other containers deployed in Kubernetes.

Prerequisites:

tbot must be running in Kubernetes with at most one replica. If using a deployment , then the Recreate strategy must be used to ensure only one instance exists at any time. This is because multiple tbot agents configured with the same secret will compete to write to the secret and it may be left in an inconsistent state or the tbot agents may fail to write.

must be running in Kubernetes with at most one replica. If using a , then the strategy must be used to ensure only one instance exists at any time. This is because multiple agents configured with the same secret will compete to write to the secret and it may be left in an inconsistent state or the agents may fail to write. The tbot pod must be configured with a service account that allows it to read and write from the configured secret.

pod must be configured with a service account that allows it to read and write from the configured secret. The POD_NAMESPACE environment variable must be configured with the name of the namespace that tbot is running in. This is best achieved with the Downward API.

There is no requirement that the secret already exists, one will be created if it does not exist. If a secret already exists, tbot will overwrite any other keys within the secret.

Configuration:

type: kubernetes_secret name: my-secret

The bot resource is used to manage Machine ID Bots. It is used to configure the access that is granted to a Bot.

kind: bot version: v1 metadata: name: robot spec: roles: - editor traits: - name: logins values: - root