Machine & Workload Identity
Use Teleport to replace long-lived secrets with identity-based authentication for your machines and workloads.
Introduction to Machine & Workload Identity
Teleport Machine & Workload Identity replaces static secrets across your infrastructure with short-lived certificates that are automatically issued and renewed for your Non-Human Identities (NHI).

Popular use cases around Machine & Workload Identity
Secure CI/CD pipelines with identity-based auth
Replace long-lived secrets in CI/CD pipelines
Guard infrastructure as code with short-lived certs
Manage IaC workflows in Terraform and Pulumi
Configure workload-to-workload authentication
Set up service-to-service authentication with mTLS
Manage AI agent identities with role-based access
Use RBAC to manage autonomous agents and processes
Configure hybrid & multi-cloud authentication
Set up universal identities across cloud platforms
Getting started with Machine & Workload Identity
The following steps will help you get started with Machine and Workload Identity. At the core of this flow is tbot, a lightweight agent that runs on your machines and workloads to automatically issue and renew short-lived certificates. This gives your systems secure, identity-based access to infrastructure and cloud providers without relying on static secrets.
Step 1: Deploy tbot across your infrastructure
AWS
Azure
Bitbucket Pipelines
CircleCI
Google Cloud
GitLab CI
Jenkins
Kubernetes
Linux
Linux (TPM)
View all Integrations
Step 2: Configure tbot to generate short-lived credentials for resource access
SSH servers
Access enrolled Linux servers with OpenSSH.
Kubernetes
Access enrolled Kubernetes clusters.
Databases
Access databases enrolled in Teleport.
HTTP & TCP applications
Access enrolled applications.
Ansible
Access enrolled Linux hosts via SSH.
tctl
Use the Teleport CLI tool tctl for custom flows.
Spacelift
Configure Teleport using Spacelift.
Terraform
Configure Teleport using Terraform on a dedicated server.
Terraform Cloud
Configure Teleport using HCP Terraform or Terraform Enterprise.
Step 3: Secure workload and cloud authentication with SPIFFE-compatible identities
AWS OIDC Federation
Authenticate to AWS with short-lived JWTs.
AWS Roles Anywhere
Authenticate to AWS with short-lived X.509 certificates.
Azure Federated Credentials
Authenticate to Azure with short-lived JWTs.
GCP Workload Identity Federation
Authenticate to GCP with short-lived JWTs.
tsh
Manually issue SPIFFE SVIDs with the Teleport CLI tool tsh.