Version: 16.x


Running Teleport on IBM Cloud

We've created this guide to give customers an overview of how to use Teleport on IBM Cloud. This guide provides a high-level introduction to setting up and running Teleport in production.

We have split this guide into:

Tip: Teleport Enterprise Cloud takes care of this setup for you so you can provide secure access to your infrastructure right away. Get started with a free trial of Teleport Enterprise Cloud.

Teleport provides privileged access management for cloud-native infrastructure that doesn’t get in the way. Infosec and systems engineers can secure access to their infrastructure, meet compliance requirements, reduce operational overhead, and have complete visibility into access and behavior.

By using Teleport with IBM you can easily unify all access for both IBM Cloud and Softlayer infrastructure.

You can use Teleport for all the services that you would SSH into. This guide is focused on IBM Cloud.

We plan on expanding our guide to eventually include using Teleport with IBM Cloud Kubernetes Service.

This guide will cover how to set up, configure and run Teleport on IBM Cloud.

IBM Services required to run Teleport in High Availability:

Other things needed:

We recommend setting up Teleport in High Availability mode (HA). In High Availability mode etcd stores the state of the system and IBM Cloud Storage stores the audit logs.

We recommend Gen 2 IBM Cloud Virtual Servers and Auto Scaling.

For Staging and POCs we recommend using bx2-2x8 machines with 2 vCPUs, 4GB RAM, 4 Gbps.

For Production we would recommend cx2-4x8 with 4 vCPUs, 8 GB RAM, 8 Gbps.

IBM offers managed etcd instances. Teleport uses etcd as a scalable database to maintain High Availability and provide graceful restarts. The service has to be turned on from within the IBM Cloud Dashboard.

We recommend picking an etcd instance in the same region as your planned Teleport cluster.

Deployment region: Same as rest of Teleport Cluster

Initial Memory allocation: 2GB/member (6GB total)

Initial disk allocation: 20GB/member (60GB total)

CPU allocation: Shared

etcd version: 3.3

```yaml
teleport:
  storage:
    type: etcd
    peers: ["https://a9e977c0-224a-40bb-af51-21893b8fde79.b2b5a92ee2df47d58bad0fa448c15585.databases.appdomain.cloud:30359"]
    username: 'root'
    password_file: '/var/lib/etcd-pass'
    tls_ca_file: '/var/lib/teleport/797cfsdf23e-4027-11e9-a020-42025ffb08c8.pem'
    prefix: '/teleport/'
```

We recommend using IBM Cloud Object Storage to store Teleport recorded sessions.

Create New Object Storage Resource. IBM Catalog - Object Storage Quick Link

Create a new bucket.

Set up HMAC Credentials

Update audit sessions URI:

```yaml
audit_sessions_uri: 's3://BUCKET-NAME/readonly/records?endpoint=s3.us-east.cloud-object-storage.appdomain.cloud&region=ibm'
```

When setting up audit_sessions_uri, use the s3:// URI prefix.

Teleport reads the credentials from ~/.aws/credentials; the IBM service credential should be created with the HMAC option:

```json
{
  "apikey": "LU9VCDf4dDzj1wjt0Q-BHaa2VEM7I53_3lPff50d_uv3",
  "cos_hmac_keys": {
    "access_key_id": "e668d66374e141668ef0089f43bc879e",
    "secret_access_key": "d8762b57f61d5dd524ccd49c7d44861ceab098d217d05836"
  },
  "endpoints": "https://control.cloud-object-storage.cloud.ibm.com/v2/endpoints",
  "iam_apikey_description": "Auto-generated for key e668d663-74e1-4166-8ef0-089f43bc879e",
  "iam_apikey_name": "Service credentials-1",
  "iam_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Writer",
  "iam_serviceid_crn": "crn:v1:bluemix:public:iam-identity::a/0328d127d04047548c9d4bedcd24b85e::serviceid:ServiceId-c7ee0ee9-ea74-467f-a49e-ef60f6b27a71",
  "resource_instance_id": "crn:v1:bluemix:public:cloud-object-storage:global:a/0328d127d04047548c9d4bedcd24b85e:32049c3c-207e-4731-8b8a-53bf3b4844e7::"
}
```

Save these settings to ~/.aws/credentials

```ini
[default]
aws_access_key_id="abcd1234-this-is-an-example"
aws_secret_access_key="zyxw9876-this-is-an-example"
```

Example /etc/teleport.yaml:

```yaml
...
storage:
  ...
  audit_sessions_uri: 's3://BUCKETNAME/readonly/records?endpoint=s3.us-east.cloud-object-storage.appdomain.cloud&region=ibm'
  ...
```

Tip: When starting with teleport start --config=/etc/teleport.yaml -d you can confirm that the bucket has been created.

```shell
sudo teleport start --config=/etc/teleport.yaml -d
```
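The two storage settings above (the etcd backend and the Object Storage audit URI) are easy to get subtly wrong: a service credential created without the HMAC option has no access key for Teleport to sign S3 requests with, and a mistyped URI or an inline etcd password only surfaces at start time. The following script is an added example for this guide, not Teleport's or IBM's own code. It uses only the Python standard library and assumes the layouts shown on the page: an IBM COS service credential JSON carrying a cos_hmac_keys object, Teleport reading the [default] profile from ~/.aws/credentials, and the etcd storage keys (peers, password_file, tls_ca_file, prefix). The sample credential values are constructed placeholders.

```python
"""Checks for the storage settings this page configures on IBM Cloud.

Added example for this guide, not Teleport's or IBM's own code. Standard
library only; it assumes the credential JSON, ~/.aws/credentials profile
and etcd storage keys shown on the page.
"""
import json
import os
from urllib.parse import parse_qs, urlparse

# Constructed sample of an IBM COS service credential created with the HMAC
# option; the values are placeholders, not real keys.
SAMPLE_SERVICE_CREDENTIAL = json.dumps({
    "apikey": "EXAMPLE-API-KEY",
    "cos_hmac_keys": {
        "access_key_id": "EXAMPLE-ACCESS-KEY-ID",
        "secret_access_key": "EXAMPLE-SECRET-ACCESS-KEY",
    },
    "iam_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Writer",
})


def hmac_keys_to_aws_credentials(service_credential_json, profile="default"):
    """Render the ~/.aws/credentials profile Teleport reads from an IBM COS
    service credential. Teleport's S3 audit backend needs the HMAC access key
    and secret, not the IAM apikey, so a credential created without the HMAC
    option is reported rather than silently producing an empty profile."""
    data = json.loads(service_credential_json)
    hmac = data.get("cos_hmac_keys")
    if not hmac:
        raise ValueError("service credential has no cos_hmac_keys; "
                         "recreate it with the HMAC option enabled")
    return (f"[{profile}]\n"
            f'aws_access_key_id="{hmac["access_key_id"]}"\n'
            f'aws_secret_access_key="{hmac["secret_access_key"]}"\n')


def write_credentials_file(path, content):
    """Write the profile with mode 0600 so other local users cannot read the
    HMAC secret; the user running Teleport is the only reader it needs."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)


def check_audit_sessions_uri(uri):
    """Return the problems found in an audit_sessions_uri meant for IBM COS.
    An empty list means it has the form the page recommends: s3:// scheme, a
    bucket name, an IBM COS endpoint and region=ibm."""
    problems = []
    parsed = urlparse(uri)
    if parsed.scheme != "s3":
        problems.append(f"scheme must be s3://, got {parsed.scheme!r}")
    if not parsed.netloc:
        problems.append("bucket name is missing")
    params = parse_qs(parsed.query)
    endpoint = params.get("endpoint", [""])[0]
    if not endpoint.endswith(".cloud-object-storage.appdomain.cloud"):
        problems.append("endpoint must be an IBM COS endpoint "
                        "(*.cloud-object-storage.appdomain.cloud)")
    if params.get("region", [""])[0] != "ibm":
        problems.append("region must be ibm")
    return problems


def check_etcd_storage(storage):
    """Return the problems found in the etcd part of teleport.storage, given
    as a dict (what a YAML loader produces). Flags plaintext peers, an inline
    password instead of password_file, and a missing CA file."""
    problems = []
    if storage.get("type") != "etcd":
        problems.append("type must be etcd")
    for peer in storage.get("peers", []):
        if urlparse(peer).scheme != "https":
            problems.append(f"peer {peer} is not https")
    if "password" in storage or not storage.get("password_file"):
        problems.append("use password_file rather than an inline password")
    if not storage.get("tls_ca_file"):
        problems.append("tls_ca_file is missing")
    return problems


if __name__ == "__main__":
    print(hmac_keys_to_aws_credentials(SAMPLE_SERVICE_CREDENTIAL))
    print(check_audit_sessions_uri(
        "s3://BUCKET-NAME/readonly/records"
        "?endpoint=s3.us-east.cloud-object-storage.appdomain.cloud&region=ibm"))
```

Run it against the service credential JSON downloaded from the IBM Cloud console and the storage section of your /etc/teleport.yaml before the first `teleport start`; an empty problem list from both checks means the configuration matches the shape this guide describes.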

We recommend using IBM Cloud DNS for the Teleport Proxy public address.