Teleport Machine & Workload Identity

Report an issue with this page

Machine & Workload Identity

Use Teleport to replace long-lived secrets with identity-based authentication for your machines and workloads.

Introduction to Machine & Workload Identity

Teleport Machine & Workload Identity replaces static secrets across your infrastructure with short-lived certificates that are automatically issued and renewed for your Non-Human Identities (NHI).

What Teleport can do for non-human infrastructure access

Popular use cases around Machine & Workload Identity

• Secure CI/CD pipelines with identity-based auth

  Replace long-lived secrets in CI/CD pipelines

• Guard infrastructure as code with short-lived certs

  Manage IaC workflows in Terraform and Pulumi

• Configure workload-to-workload authentication

  Set up service-to-service authentication with mTLS

• Manage AI agent identities with role-based access

  Use RBAC to manage autonomous agents and processes

• Configure hybrid & multi-cloud authentication

  Set up universal identities across cloud platforms

Getting started with Machine & Workload Identity

The following steps will help you get started with Machine and Workload Identity. At the core of this flow is tbot, a lightweight agent that runs on your machines and workloads to automatically issue and renew short-lived certificates. This gives your systems secure, identity-based access to infrastructure and cloud providers without relying on static secrets.

Step 1: Deploy tbot across your infrastructure

AWS

Azure

Bitbucket Pipelines

CircleCI

Google Cloud

Gitlab CI

Jenkins

Kubernetes

Linux

Linux (TPM)

View all Integrations

References:

• The architecture behind the bots
• View all tbot guides

Step 2: Configure tbot to generate short-lived credentials for resource access

SSH servers

Access enrolled Linux servers with OpenSSH.

Kubernetes

Access enrolled Kubernetes clusters.

Databases

Access databases enrolled in Teleport.

HTTP & TCP applications

Access enrolled applications.

Ansible

Access enrolled Linux hosts via SSH.

tctl

Use Teleport CLI tool for custom flows.

Spacelift

Configure Teleport using Spacelift.

Terraform

Configure Teleport using Terraform on a dedicated server.

Terraform Cloud

Configure Teleport using HCP Terraform or Terraform Enterprise.

Getting started

• Issuing certs for NHI remote server access
• Frequently Asked Questions

Step 3: Secure workload and cloud authentication with SPIFFE compatible identities

AWS OIDC Federation

Authenticate to AWS with short-lived JWTs.

AWS Roles Anywhere

Authenticate to AWS with short-lived X.509 certificates.

Azure Federated Credentials

Authenticate to Azure with short-lived JWTs.

GCP Workload Identity Federation

Authenticate to GCP with short-lived JWTs.

tsh

Manually issue SPIFFE SVIDs with Teleport CLI tool tsh.

References

• SPIFFE, Trust Domains, and SVIDs
• About JWT SVIDs