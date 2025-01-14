Deploying Machine ID on AWS
This guide explains how to deploy Machine ID on Amazon Web Services by running
the
tbot binary and joining it to your Teleport cluster.
On AWS, virtual machines can be assigned an IAM role, which they can assume in
order to request a signed document that includes information about the machine.
The Teleport
iam join method instructs the Machine ID bot to request this
signed document from AWS using the assigned identity and send it to the Teleport
Auth Service for verification. This allows the bot to join the cluster without
the exchange of a long-lived secret.
While this guide focuses on deploying Machine ID on an EC2 instance, it is also
possible to use the
iam join method with workloads running on an EKS
Kubernetes cluster. To do so, you must configure IAM Roles for Service Accounts
(IRSA)
for the cluster and the Kubernetes service account that will be used by the
tbot pod. See the Kubernetes platform guide for further
guidance on deploying Machine ID as a workload on Kubernetes.
Prerequisites
-
A running Teleport cluster version 15.4.30 or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.
-
The
tctladmin tool and
tshclient tool.
On Teleport Enterprise, you must use the Enterprise version of
tctl, which you can download from your Teleport account workspace. Otherwise, visit Installation for instructions on downloading
tctland
tshfor Teleport Community Edition.
- To check that you can connect to your Teleport cluster, sign in with
tsh login, then verify that you can run
tctlcommands using your current credentials.
tctlis supported on macOS and Linux machines. For example:If you can connect to the cluster and run thetsh login --proxy=teleport.example.com --user=[email protected]tctl status
Cluster teleport.example.com
Version 15.4.30
CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
tctl statuscommand, you can use your current credentials to run subsequent
tctlcommands from your workstation. If you host your own Teleport cluster, you can also run
tctlcommands on the computer that hosts the Teleport Auth Service for full permissions.
- An AWS IAM role that you wish to grant access to your Teleport cluster. This
role must be granted
sts:GetCallerIdentity. In this guide, this role will be named
teleport-bot-role.
- An AWS EC2 virtual machine that you wish to install Machine ID onto configured with the IAM role attached.
Step 1/5. Install
tbot
This step is completed on the AWS EC2 instance.
First,
tbot needs to be installed on the VM that you wish to use Machine ID
on.
Download and install the appropriate Teleport package for your platform:
Install Teleport on your Linux server:
-
Assign edition to one of the following, depending on your Teleport edition:
Edition Value Teleport Enterprise Cloud
cloud
Teleport Enterprise (Self-Hosted)
enterprise
Teleport Community Edition
oss
-
Get the version of Teleport to install. If you have automatic agent updates enabled in your cluster, query the latest Teleport version that is compatible with the updater:TELEPORT_DOMAIN=example.teleport.comTELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/default/version | sed 's/v//')"
Otherwise, get the version of your Teleport cluster:TELEPORT_DOMAIN=example.teleport.comTELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/ping | jq -r '.server_version')"
-
Install Teleport on your Linux server:curl https://cdn.teleport.dev/install-v15.4.30.sh | bash -s ${TELEPORT_VERSION} edition
The installation script detects the package manager on your Linux server and uses it to install Teleport binaries. To customize your installation, learn about the Teleport package repositories in the installation guide.
Step 2/5. Create a Bot
This step is completed on your local machine.
Next, you need to create a Bot. A Bot is a Teleport identity for a machine or group of machines. Like users, bots have a set of roles and traits which define what they can access.
Create
bot.yaml:
kind: bot
version: v1
metadata:
# name is a unique identifier for the Bot in the cluster.
name: example
spec:
# roles is a list of roles to grant to the Bot. Don't worry if you don't know
# what roles you need to specify here, the Access Guides will walk you through
# creating and assigning roles to the already created Bot.
roles: []
Make sure you replace
example with a unique, descriptive name for your Bot.
Use
tctl to apply this file:
tctl create bot.yaml
Step 3/5. Create a join token
This step is completed on your local machine.
Create
bot-token.yaml:
kind: token
version: v2
metadata:
# name will be specified in the `tbot` to use this token
name: example-bot
spec:
roles: [Bot]
# bot_name should match the name of the bot created earlier in this guide.
bot_name: example
join_method: iam
# Restrict the AWS account and (optionally) ARN that can use this token.
# This information can be obtained from running the
# "aws sts get-caller-identity" command from the CLI.
allow:
- aws_account: "111111111111"
aws_arn: "arn:aws:sts::111111111111:assumed-role/teleport-bot-role/i-*"
Replace:
111111111111with the ID of your AWS account.
teleport-bot-rolewith the name of the AWS IAM role you created and assigned to the EC2 instance.
examplewith the name of the bot you created in the second step.
i-*indicates that any instance with the specified role can use the join method. If you wish to restrict this to an individual instance, replace
i-*with the full instance ID.
Use
tctl to apply this file:
tctl create -f bot-token.yaml
Step 4/5. Configure
tbot
This step is completed on the AWS EC2 instance.
Create
/etc/tbot.yaml:
version: v2
proxy_server: example.teleport.sh:443
onboarding:
join_method: iam
token: example-bot
storage:
type: memory
# outputs will be filled in during the completion of an access guide.
outputs: []
Replace:
example.teleport.sh:443with the address of your Teleport Proxy or Auth Server. Prefer using the address of a Teleport Proxy.
example-botwith the name of the token you created in the second step.
Now, you must decide if you want to run
tbot as a daemon or in one-shot mode.
In daemon mode,
tbot runs continually, renewing the short-lived credentials
for the configured outputs on a fixed interval. This is often combined with a
service manager (such as systemd) in order to run
tbot in the background.
This is the default behaviour of
tbot.
In one-shot mode,
tbot generates short-lived credentials and then exits. This
is useful when combining
tbot with scripting (such as in CI/CD) as it allows
further steps to be dependent on
tbot having succeeded. It is important to
note that the credentials will expire if not renewed and to ensure that the
TTL for the certificates is long enough to cover the length of the CI/CD job.
Configuring
tbot as a daemon
By default,
tbot will run in daemon mode. However, this must then be
configured as a service within the service manager on the Linux host. The
service manager will start
tbot on boot and ensure it is restarted if it
fails. For this guide, systemd will be demonstrated but
tbot should be
compatible with all common alternatives.
Use
tbot install systemd to generate a systemd service file:
tbot install systemd \ --write \ --config /etc/tbot.yaml \ --user teleport \ --group teleport \ --anonymous-telemetry
Ensure that you replace:
teleportwith the name of Linux user you wish to run
tbotas.
/etc/tbot.yamlwith the path to the configuration file you have created.
You can omit
--write to print the systemd service file to the console instead
of writing it to disk.
--anonymous-telemetry enables the submission of anonymous usage telemetry.
This helps us shape the future development of
tbot. You can disable this by
omitting this.
Next, enable the service so that it will start on boot and then start the service:
sudo systemctl daemon-reloadsudo systemctl enable tbotsudo systemctl start tbot
Check the service has started successfully:
sudo systemctl status tbot
Configuring
tbot for one-shot mode
To use
tbot in one-shot mode, modify
/etc/tbot.yaml to add
oneshot: true:
version: v2
oneshot: true
auth_server: ...
Now, you should test your
tbot configuration. When started, several log
messages will be emitted before it exits with status 0:
export TELEPORT_ANONYMOUS_TELEMETRY=1tbot start -c /etc/tbot.yaml
TELEPORT_ANONYMOUS_TELEMETRY enables the submission of anonymous usage
telemetry. This helps us shape the future development of
tbot. You can disable
this by omitting this.
Step 5/5. Configure outputs
You have now prepared the base configuration for
tbot. At this point, it
identifies itself to the Teleport cluster and renews its own credentials but
does not output any credentials for other applications to use.
Follow one of the access guides to configure an output that meets your access needs.
Next steps
- Follow the access guides to finish configuring
tbotfor your environment.
- Read the configuration reference to explore all the available configuration options.
- More information about
TELEPORT_ANONYMOUS_TELEMETRY.