Fork me on GitHub
Teleport

Joining Nodes via AWS EC2 Identity Document

Improve

This guide will explain how to use the EC2 join method to configure Teleport nodes and Proxies to join your Teleport cluster without sharing any secrets when they are running in AWS.

The EC2 join method is not available in Teleport Cloud. Teleport Cloud customers can use the IAM join method or secret tokens.

The EC2 join method is available in self-hosted versions of Teleport 7.3+. It is available to any Teleport node or Proxy running on an EC2 instance. Only one Teleport node or Proxy per EC2 instance may use the EC2 join method.

IAM credentials with ec2:DescribeInstances permissions are required on your Teleport Auth Service. No IAM credentials are required on the nodes or Proxies.

There are two other AWS join methods available depending on your use case.

The IAM join method is available in self-hosted editions of Teleport 8.3+. It is available to any Teleport node or Proxy running anywhere with access to IAM credentials, such as an EC2 instance with an attached IAM role. No specific permissions or IAM policy is required: an IAM role with no attached policies is sufficient. No IAM credentials are required on the Teleport Auth Service.

You can also configure nodes running in AWS to join a cluster via secret tokens, which is useful when you don't want to rely on AWS-specific APIs. Read more in the following guide: Adding nodes to the cluster

Prerequisites

  • A running Teleport cluster. For details on how to set this up, see Getting Started on a Linux Server.

  • The tctl admin tool version >= 9.2.4.

    tctl version

    Teleport v9.2.4 go1.17

    See Installation for details.

  • An AWS EC2 instance to act as a Teleport node, with the Teleport binary installed.

  • A running Teleport cluster. For details on setting this up, see our Enterprise getting started guide.

  • The tctl admin tool version >= 9.2.4, which you can download by visiting the customer portal.

    tctl version

    Teleport v9.2.4 go1.17

  • An AWS EC2 instance to act as a Teleport node, with the Teleport binary installed.

To connect to Teleport, log in to your cluster using tsh, then use tctl remotely:

tsh login --proxy=teleport.example.com [email protected]
tctl status

Cluster teleport.example.com

Version 9.2.4

CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678

You can run subsequent tctl commands in this guide on your local machine.

For full privileges, you can also run tctl commands on your Auth Service host.

To connect to Teleport, log in to your cluster using tsh, then use tctl remotely:

tsh login --proxy=myinstance.teleport.sh [email protected]
tctl status

Cluster myinstance.teleport.sh

Version 9.2.4

CA pin sha256:sha-hash-here

You must run subsequent tctl commands in this guide on your local machine.

Step 1/4. Set up AWS IAM credentials

The Teleport Auth Service needs permission to call ec2:DescribeInstances in order to check that the EC2 instances attempting to join your cluster are legitimate and currently running.

Step 1.1. Create the IAM policy

Create the following AWS IAM policy named teleport-DescribeInstances-policy in your account:

{
   "Version": "2012-10-17",
   "Statement": [
	   {
		   "Effect": "Allow",
		   "Action": "ec2:DescribeInstances",
		   "Resource": "*"
	   }
   ]
}

Step 1.2. Attach the IAM policy

If your Teleport Auth Server is running on an EC2 instance and already has an attached "IAM role for Amazon EC2", add the above teleport-DescribeInstances-policy to the existing role. If the instance does not already have an attached role, create an IAM role with the above policy and attach it to your EC2 instance running the Teleport Auth Server.

If you are running your Teleport Auth Server outside of AWS you can attach the teleport-DescribeInstances-policy directly to an IAM user which Teleport will use to authenticate.

You can provide the IAM credentials to Teleport through a shared configuration file or environment variables. See Specifying Credentials for details.

Step 2/4. Create the AWS node joining token

Configure your Teleport Auth Server with a special dynamic token which will allow nodes from your AWS account to join your Teleport cluster.

Under the hood, nodes will prove that they are running in your AWS account by sending a signed EC2 Instance Identity Document which matches an allow rule configured in your AWS node joining token.

Create the following token.yaml with an allow rule specifying your AWS account and the AWS regions in which your EC2 instances will run.

# token.yaml
kind: token
version: v2
metadata:
  # the token name is not a secret because instances must prove that they are
  # running in your AWS account to use this token
  name: ec2-token
  # set a long expiry time, the default for tokens is only 30 minutes
  expires: "3000-01-01T00:00:00Z"
spec:
  # use the minimal set of roles required
  roles: [Node]

  # set the join method allowed for this token
  join_method: ec2

  # aws_iid_ttl is the amount of time after the EC2 instance is launched during
  # which it should be allowed to join the cluster. Use a short TTL to decrease
  # the risk of stolen EC2 Instance Identity Documents being used to join your
  # cluster.
  #
  # When launching your first node using the EC2 join method, you may need to
  # temporarily configure a higher `aws_iid_ttl` value so that you have time
  # to get Teleport set up and configured. This feature works best once Teleport
  # is configured in an EC2 AMI to start automatically on launch.
  aws_iid_ttl: 5m

  allow:
  - aws_account: "111111111111" # your AWS account ID
    aws_regions: # use the minimal set of AWS regions required
    - us-west-1
    - us-west-2

Run tctl create token.yaml to create the token.

Step 3/4. Configure your nodes

The EC2 join method can be used for Teleport services running SSH, Proxy, Kubernetes, Application, or Database roles. The service should be run directly on an AWS EC2 instance and must have network access to the AWS EC2 IMDSv2 (enabled by default for most EC2 instances).

Configure your Teleport node with a custom teleport.yaml file. Use the join_params section with token_name matching your token created in Step 2 and method: ec2 as shown in the following example config:

# /etc/teleport.yaml
teleport:
  join_params:
    token_name: ec2-token
    method: ec2
  auth_servers:
  - https://teleport.example.com:443
ssh_service:
  enabled: yes
auth_service:
  enabled: no
proxy_service:
  enabled: no

Step 4/4. Launch your Teleport node

Start Teleport on the node and confirm that it is able to connect to and join your cluster. You're all set!

Configuring the EC2 join method for Multiple AWS Accounts

In order for Teleport nodes to join from EC2 instances in AWS accounts other than the account in which your Teleport Auth Server is running, Teleport must have permissions to assume an IAM role in each of those accounts and call ec2:DescribeInstances in the foreign account.

In each AWS account where your EC2 instances will be running:

  1. Create the teleport-DescribeInstances-policy from Step 1.1.

  2. Create an IAM role teleport-DescribeInstances-role that can be assumed from the account where your Teleport Auth Server is running.

    Go to the AWS IAM Console, select Create Role, and for "Select type of trusted entity", select "Another AWS account" and enter the AWS Account ID of the account where your Teleport Auth Server is running.

    Attach the teleport-DescribeInstances-policy to the role.

In the AWS account where your Teleport Auth Server is running:

  1. Create an IAM policy named teleport-AssumeRole-policy with an AssumeRole statement for each foreign account:
{
   "Version": "2012-10-17",
   "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::222222222222:role/teleport-DescribeInstances-role"
        },
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::333333333333:role/teleport-DescribeInstances-role"
        }
   ]
}
  1. Attach this teleport-AssumeRole-policy to the IAM role your Teleport auth server has credentials for, see Step 1.2.

When creating the AWS node joining token, include an allow rule for each foreign account and specify the AWS ARN for the foreign teleport-DescribeInstances-role.

# token.yaml
kind: token
version: v2
metadata:
  name: ec2-multiaccount-token
  expires: "3000-01-01T00:00:00Z"
spec:
  roles: [Node]
  aws_iid_ttl: 5m
  allow:
  - aws_account: "222222222222"
    aws_regions:
    - us-west-1
    - us-west-2
    aws_role: "arn:aws:iam::222222222222:role/teleport-DescribeInstances-role"
  - aws_account: "333333333333"
    aws_regions:
    - us-west-1
    - us-west-2
    aws_role: "arn:aws:iam::333333333333:role/teleport-DescribeInstances-role"