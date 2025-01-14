Deploying Machine ID on CircleCI
In this guide, you will configure Machine ID's agent,
tbot, to run within a
CircleCI workflow. The bot will be configured to use the
circleci delegated
joining method to eliminate the need for long-lived secrets.
Prerequisites
-
A running Teleport cluster version 15.4.30 or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.
-
The
tctladmin tool and
tshclient tool.
On Teleport Enterprise, you must use the Enterprise version of
tctl, which you can download from your Teleport account workspace. Otherwise, visit Installation for instructions on downloading
tctland
tshfor Teleport Community Edition.
- To check that you can connect to your Teleport cluster, sign in with
tsh login, then verify that you can run
tctlcommands using your current credentials.
tctlis supported on macOS and Linux machines. For example:If you can connect to the cluster and run thetsh login --proxy=teleport.example.com --user=[email protected]tctl status
Cluster teleport.example.com
Version 15.4.30
CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
tctl statuscommand, you can use your current credentials to run subsequent
tctlcommands from your workstation. If you host your own Teleport cluster, you can also run
tctlcommands on the computer that hosts the Teleport Auth Service for full permissions.
- A CircleCI project connected to a Git repository you can push to.
Step 1/5. Configure CircleCI
In order to configure the rules for which CircleCI workflows will be allowed to connect to your Teleport cluster, you must determine the ID of your CircleCI organization and create a CircleCI context.
Find your organization ID
Open CircleCI and navigate to "Organization settings" from the navbar.
You should be presented with an interface titled "Overview" with a section
called "Organization ID". Note this value down and substitute
$ORGANIZATION_ID
in configuration examples with this.
Create a context
CircleCI has an organization-level concept called contexts, which allow you to configure a series of secrets that should be exposed to a workflow job. You can configure CircleCI to control which actors are allowed to trigger jobs associated with a context.
The contexts that a workflow job has been assigned are also encoded in the identity token that CircleCI creates for the job. This makes them an ideal way for Teleport to determine which CircleCI jobs should be granted access to the Teleport cluster.
In this example, you will create a CircleCI context named
teleport-access.
You will then grant this context access to your Teleport cluster.
To create the CircleCI context, open up "Organization settings" in CircleCI
and navigate to "Contexts". Click "Create Context" and provide
teleport-access
as the name of the context you wish to create. You may substitute this value
for a string that makes more sense to your organization, but ensure in future
steps of this guide that you replace
teleport-access with your value.
Select the context you have just created. You will now be on a page that allows you to configure the context. To determine the ID of the context to use when configuring Teleport, locate the URL of the context settings page, which should have a format similar to the following:
https://app.circleci.com/settings/organization/github/gravitational/contexts/00000000-0000-0000-0000-000000000000
In this case, the context ID is:
00000000-0000-0000-0000-000000000000.
Note this value down and substitute
$CONTEXT_ID in configuration examples
with this
Step 2/5. Create the Machine ID bot
Next, you need to create a Bot. A Bot is a Teleport identity for a machine or group of machines. Like users, bots have a set of roles and traits which define what they can access.
Create
bot.yaml:
kind: bot
version: v1
metadata:
# name is a unique identifier for the Bot in the cluster.
name: example
spec:
# roles is a list of roles to grant to the Bot. Don't worry if you don't know
# what roles you need to specify here, the Access Guides will walk you through
# creating and assigning roles to the already created Bot.
roles: []
Make sure you replace
example with a unique, descriptive name for your Bot.
Use
tctl to apply this file:
tctl create bot.yaml
Step 3/5. Create the join token for CircleCI
In order to allow your CircleCI workflow to authenticate with your Teleport cluster, you'll first need to create a join token. These tokens set out criteria by which the Auth Server decides whether or not to allow a bot or node to join.
Create a file named
bot-token.yaml, ensuring that you replace
$ORGANIZATION_ID and
$CONTEXT_ID with the values from Step 1.
kind: token
version: v2
metadata:
name: example-bot
spec:
roles: [Bot]
join_method: circleci
bot_name: example
circleci:
organization_id: $ORGANIZATION_ID
# allow specifies the rules by which the Auth Server determines if `tbot`
# should be allowed to join.
allow:
- context_id: $CONTEXT_ID
Let's go over the token resource's fields in more detail:
metadata.namedefines the name of the token. Note that this value will need to be used in other parts of the configuration later.
metadata.expiresdefines the date that the join token will expire. This example is set to the year
2100.
spec.bot_nameis the name of the Machine ID bot that this token will grant access to. Note that this value will need to be used in other parts of the configuration later.
spec.rolesdefines which roles that this token will grant access to. The value of
[Bot]states that this token grants access to a Machine ID bot.
spec.join_methoddefines the join method the token is applicable for. Since this guide only focuses on CircleCI, you will set this to to
circleci.
spec.circleci.allowis used to set rules for what CircleCI runs will be able to authenticate by using the token.
Apply this to your Teleport cluster using
tctl:
tctl create -f bot-token.yaml
Step 4/5. Configure a CircleCI workflow
With the bot and join token created, you can now configure a CircleCI workflow that can connect to your Teleport cluster.
To configure
tbot, a YAML file will be used. In this example we'll store this
within the repository itself, but this could be generated or created by the
CI pipeline itself.
Create
tbot.yaml within your repository:
version: v2
proxy_server: example.teleport.sh:443
onboarding:
join_method: circleci
token: example-bot
oneshot: true
storage:
type: memory
# outputs will be filled in during the completion of an access guide.
outputs: []
Replace:
example.teleport.sh:443with the address of your Teleport Proxy or Auth Server. Prefer using the address of a Teleport Proxy.
example-botwith the name of the token you created in the second step
Now, the CircleCI pipeline can be defined. Before the pipeline can use
tbot,
it must be available within the environment. For this example, we'll show
downloading
tbot as part of the CI step, but in a production implementation
you may wish to build a docker image that contains this binary to avoid
depending on the Teleport CDN.
Open your Git repository and create a directory called
.circleci. Then open
a file called
config.yml and insert the following configuration:
# See: https://circleci.com/docs/2.0/configuration-reference
version: 2.1
jobs:
write-run-log:
docker:
- image: cimg/base:stable
steps:
- checkout
- run:
name: "Install Teleport"
command: |
cd /tmp
curl -O https://cdn.teleport.dev/teleport-v15.4.30-linux-amd64-bin.tar.gz
tar -xvf teleport-v15.4.30-linux-amd64-bin.tar.gz
sudo ./teleport/install
- run:
name: "Run Machine ID"
command: |
export TELEPORT_ANONYMOUS_TELEMETRY=1
tbot start -c tbot.yaml
workflows:
write-run-log:
jobs:
- write-run-log:
context:
- teleport-access
TELEPORT_ANONYMOUS_TELEMETRY enables the submission of anonymous usage
telemetry. This helps us shape the future development of
tbot. You can disable
this by omitting this.
Add, commit, and push these two configuration files to your repository.
Open CircleCI and check the status of the job, wait for it to complete and ensure that no errors are emitted.
A note on security implications and risk
Once
tbot start has been used in a job, all successive steps in that job will
have access to the credentials that have been produced by
tbot. Break your
workflow down into multiple jobs to reduce the amount of steps that have access
to these credentials.
Ensure that the role you assign to your CircleCI bot has access to only the resources in your Teleport cluster that your CI/CD needs to interact with.
Step 5/5. Configure outputs
You have now prepared the base configuration for
tbot. At this point, it
identifies itself to the Teleport cluster and renews its own credentials but
does not output any credentials for other applications to use.
Follow one of the access guides to configure an output that meets your access needs.
Further steps
- Follow the access guides to finish configuring
tbotfor your environment.
- Read the configuration reference to explore all the available configuration options.
- For more information about CircleCI itself, read their documentation.
- More information about
TELEPORT_ANONYMOUS_TELEMETRY.