Securing Infrastructure Access at Scale in Large Enterprises

Fork me on GitHub

Teleport

TeleportProvisionToken

This guide is a comprehensive reference to the fields in the TeleportProvisionToken resource, which you can apply after installing the Teleport Kubernetes operator.

resources.teleport.dev/v2

apiVersion: resources.teleport.dev/v2

Field	Type	Description
apiVersion	string	APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind	string	Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata	object
spec	object	ProvisionToken resource definition v2 from Teleport

spec

Field	Type	Description
allow	[]object	Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
aws_iid_ttl	string	AWSIIDTTL is the TTL to use for AWS EC2 Instance Identity Documents used to join the cluster with this token.
azure	object	Azure allows the configuration of options specific to the "azure" join method.
bot_name	string	BotName is the name of the bot this token grants access to, if any
circleci	object	CircleCI allows the configuration of options specific to the "circleci" join method.
gcp	object	GCP allows the configuration of options specific to the "gcp" join method.
github	object	GitHub allows the configuration of options specific to the "github" join method.
gitlab	object	GitLab allows the configuration of options specific to the "gitlab" join method.
join_method	string	JoinMethod is the joining method required in order to use this token. Supported joining methods include: azure, circleci, ec2, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm
kubernetes	object	Kubernetes allows the configuration of options specific to the "kubernetes" join method.
roles	[]string	Roles is a list of roles associated with the token, that will be converted to metadata in the SSH and X509 certificates issued to the user of the token
spacelift	object	Spacelift allows the configuration of options specific to the "spacelift" join method.
suggested_agent_matcher_labels	object	SuggestedAgentMatcherLabels is a set of labels to be used by agents to match on resources. When an agent uses this token, the agent should monitor resources that match those labels. For databases, this means adding the labels to `db_service.resources.labels`. Currently, only node-join scripts create a configuration according to the suggestion.
suggested_labels	object	SuggestedLabels is a set of labels that resources should set when using this token to enroll themselves in the cluster. Currently, only node-join scripts create a configuration according to the suggestion.
terraform_cloud	object	TerraformCloud allows the configuration of options specific to the "terraform_cloud" join method.
tpm	object	TPM allows the configuration of options specific to the "tpm" join method.

spec.allow items

Field	Type	Description
aws_account	string	AWSAccount is the AWS account ID.
aws_arn	string	AWSARN is used for the IAM join method, the AWS identity of joining nodes must match this ARN. Supports wildcards "*" and "?".
aws_regions	[]string	AWSRegions is used for the EC2 join method and is a list of AWS regions a node is allowed to join from.
aws_role	string	AWSRole is used for the EC2 join method and is the ARN of the AWS role that the Auth Service will assume in order to call the ec2 API.

spec.azure

Field	Type	Description
allow	[]object	Allow is a list of Rules, nodes using this token must match one allow rule to use this token.

spec.azure.allow items

Field	Type	Description
resource_groups	[]string
subscription	string

spec.circleci

Field	Type	Description
allow	[]object	Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
organization_id	string

spec.circleci.allow items

Field	Type	Description
context_id	string
project_id	string

spec.gcp

Field	Type	Description
allow	[]object	Allow is a list of Rules, nodes using this token must match one allow rule to use this token.

spec.gcp.allow items

Field	Type	Description
locations	[]string
project_ids	[]string
service_accounts	[]string

spec.github

Field	Type	Description
allow	[]object	Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
enterprise_server_host	string	EnterpriseServerHost allows joining from runners associated with a GitHub Enterprise Server instance. When unconfigured, tokens will be validated against github.com, but when configured to the host of a GHES instance, then the tokens will be validated against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate must be trusted by the Auth Service.
enterprise_slug	string	EnterpriseSlug allows the slug of a GitHub Enterprise organisation to be included in the expected issuer of the OIDC tokens. This is for compatibility with the `include_enterprise_slug` option in GHE. This field should be set to the slug of your enterprise if this is enabled. If this is not enabled, then this field must be left empty. This field cannot be specified if `enterprise_server_host` is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise for more information about customized issuer values.
static_jwks	string	StaticJWKS disables fetching of the GHES signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitHub Actions in GHES instances that are not reachable by the Teleport Auth Service.

spec.github.allow items

Field	Type	Description
actor	string
environment	string
ref	string
ref_type	string
repository	string
repository_owner	string
sub	string
workflow	string

spec.gitlab

Field	Type	Description
allow	[]object	Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
domain	string	Domain is the domain of your GitLab instance. This will default to `gitlab.com` - but can be set to the domain of your self-hosted GitLab e.g `gitlab.example.com`.

spec.gitlab.allow items

Field	Type	Description
ci_config_ref_uri	string
ci_config_sha	string
deployment_tier	string
environment	string
environment_protected	boolean
namespace_path	string
pipeline_source	string
project_path	string
project_visibility	string
ref	string
ref_protected	boolean
ref_type	string
sub	string
user_email	string
user_id	string
user_login	string

spec.kubernetes

Field	Type	Description
allow	[]object	Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
static_jwks	object	StaticJWKS is the configuration specific to the `static_jwks` type.
type	string	Type controls which behavior should be used for validating the Kubernetes Service Account token. Support values: - `in_cluster` - `static_jwks` If unset, this defaults to `in_cluster`.

spec.kubernetes.allow items

Field	Type	Description
service_account	string

spec.kubernetes.static_jwks

Field	Type	Description
jwks	string

spec.spacelift

Field	Type	Description
allow	[]object	Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
hostname	string	Hostname is the hostname of the Spacelift tenant that tokens will originate from. E.g `example.app.spacelift.io`

spec.spacelift.allow items

Field	Type	Description
caller_id	string
caller_type	string
scope	string
space_id	string

spec.terraform_cloud

Field	Type	Description
allow	[]object	Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
audience	string	Audience is the JWT audience as configured in the TFC_WORKLOAD_IDENTITY_AUDIENCE(_$TAG) variable in Terraform Cloud. If unset, defaults to the Teleport cluster name. For example, if `TFC_WORKLOAD_IDENTITY_AUDIENCE_TELEPORT=foo` is set in Terraform Cloud, this value should be `foo`. If the variable is set to match the cluster name, it does not need to be set here.
hostname	string	Hostname is the hostname of the Terraform Enterprise instance expected to issue JWTs allowed by this token. This may be unset for regular Terraform Cloud use, in which case it will be assumed to be `app.terraform.io`. Otherwise, it must both match the `iss` (issuer) field included in JWTs, and provide standard JWKS endpoints.

spec.terraform_cloud.allow items

Field	Type	Description
organization_id	string
organization_name	string
project_id	string
project_name	string
run_phase	string
workspace_id	string
workspace_name	string

spec.tpm

Field	Type	Description
allow	[]object	Allow is a list of Rules, the presented delegated identity must match one allow rule to permit joining.
ekcert_allowed_cas	[]string	EKCertAllowedCAs is a list of CA certificates that will be used to validate TPM EKCerts. When specified, joining TPMs must present an EKCert signed by one of the specified CAs. TPMs that do not present an EKCert will be not permitted to join. When unspecified, TPMs will be allowed to join with either an EKCert or an EKPubHash.

spec.tpm.allow items

Field	Type	Description
description	string
ek_certificate_serial	string
ek_public_hash	string