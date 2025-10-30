Version: 16.x


Introduction to Machine & Workload Identity

Teleport Machine & Workload Identity offers two complementary sets of capabilities for non-human entities in your infrastructure:

Zero Trust Access for machines: Enables machines (like CI/CD pipelines) to securely authenticate with your Teleport cluster to access protected resources and configure the cluster itself.

Flexible Workload Identities: Issues short-lived cryptographic identities to workloads, compatible with the SPIFFE standard, enabling secure workload-to-workload communication and third-party API authentication.

Flexible Workload Identities establishes a root certificate authority within your Teleport cluster that issues short-lived JWTs and X.509 certificates to workloads. These identities, called SPIFFE Verifiable Identity Documents (SVIDs), encode the workload's identity as a URI known as its SPIFFE ID.
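To make the SVID model concrete, the following Go program is an added example (not Teleport or tbot code) that plays both sides: it mints a stand-in CA, issues a short-lived X.509-SVID whose only identity is a SPIFFE ID carried in the certificate's URI SAN, and then does what a receiving workload must do before trusting a peer: chain to the CA, enforce the validity window, and check that the single URI SAN is a SPIFFE ID in the expected trust domain. The trust domain `example.teleport.sh`, the workload path `/svc/frontend`, and all key material are constructed for the example; in a real deployment the CA lives in the Auth Service and the verifier obtains the trust bundle through tbot rather than generating one in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// trustDomain is assumed here; in Teleport it is the cluster name.
const trustDomain = "example.teleport.sh"

// newCA builds a self-signed root standing in for the SPIFFE CA held by the Auth Service.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-cluster SPIFFE CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trustBundle is the pool a verifier loads from the cluster's CA material.
func trustBundle(ca *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool
}

// issueSVID signs a short-lived leaf whose only identity is the SPIFFE ID in its URI SAN;
// the Subject is left empty, as in an X.509-SVID.
func issueSVID(ca *x509.Certificate, caKey *ecdsa.PrivateKey, spiffePath string, ttl time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()),
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(ttl),
		URIs:         []*url.URL{{Scheme: "spiffe", Host: trustDomain, Path: spiffePath}},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifySVID is what a peer does before trusting a connection: chain to the cluster CA,
// enforce the validity window (short TTLs stand in for revocation), and accept exactly
// one SPIFFE URI SAN in our trust domain. It returns the peer's SPIFFE ID.
func verifySVID(svid *x509.Certificate, roots *x509.CertPool, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := svid.Verify(opts); err != nil {
		return "", fmt.Errorf("chain or validity check failed: %w", err)
	}
	if len(svid.URIs) != 1 {
		return "", fmt.Errorf("expected exactly one URI SAN, got %d", len(svid.URIs))
	}
	id := svid.URIs[0]
	if id.Scheme != "spiffe" || id.Host != trustDomain || id.Path == "" {
		return "", fmt.Errorf("%q is not a SPIFFE ID in trust domain %s", id.String(), trustDomain)
	}
	return id.String(), nil
}

func main() {
	ca, caKey, _ := newCA()
	roots := trustBundle(ca)
	svid, _ := issueSVID(ca, caKey, "/svc/frontend", time.Hour)
	fmt.Println(verifySVID(svid, roots, time.Now()))                  // accepted: spiffe://example.teleport.sh/svc/frontend
	fmt.Println(verifySVID(svid, roots, time.Now().Add(2*time.Hour))) // rejected: expired
	otherCA, otherKey, _ := newCA()
	rogue, _ := issueSVID(otherCA, otherKey, "/svc/frontend", time.Hour)
	fmt.Println(verifySVID(rogue, roots, time.Now())) // rejected: does not chain to our CA
}
```

The three checks in verifySVID are the whole point of the short-lived model: the chain check replaces a shared secret, the time check replaces a revocation list (a leaked SVID is useful only until its NotAfter), and the trust-domain check on the URI SAN is what stops a certificate from some other SPIFFE issuer, or a CA-signed certificate with no SPIFFE ID at all, from being accepted as a workload identity.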

Key benefits:

Eliminates long-lived shared secrets

Establishes a universal form of identity for workloads

Simplifies infrastructure by reducing authentication methods

The tbot agent requests and renews identities, authenticating to the Teleport cluster with one of the supported join methods. Workloads receive their identities either as files (written to the filesystem or to Kubernetes secrets) or on demand via the SPIFFE Workload API.

Teleport provides machines with an identity ("bot") that can authenticate to the Teleport cluster. Bots are similar to human users with access controlled by roles and activities recorded in audit logs.

Bots authenticate using join tokens that specify which bot user they grant access to and what proof (join method) is needed. Each tbot client connection creates a server-side Bot Instance to track installations over time.

Zero Trust Access & Flexible Workload Identity can work together to create a comprehensive security model. Machines can securely access resources while workloads communicate securely with each other and external services, all managed through Teleport's unified access plane.

A CI/CD system securely deploys services to Kubernetes and establishes secure communication channels between them:

The pipeline authenticates through the proxy to deploy to Kubernetes and receives credentials to interact with cloud APIs (e.g., to push container images).

Services deployed by the pipeline receive SPIFFE identities for mutual TLS. The pipeline manages the identity lifecycle for the services it deploys.

A Kubernetes-based application needs access to both internal services and external APIs:

Automation tools authenticate to configure the cluster securely

Application components are issued SPIFFE identities

Identities authenticate to internal services via mTLS

JWT-based authentication is used for external API access
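The last step above, a JWT-SVID presented to an external API, is where audience binding matters: the token must be usable only at the API it was minted for. The following Go program is an added example (not Teleport code, and not how the Auth Service signs tokens) that issues a JWT-SVID with ES256 and then performs the verification the external API should do: pin the algorithm, verify the signature with the key from the trust bundle, and enforce expiry, audience and trust domain before trusting the `sub` claim. The signing key, trust domain `example.teleport.sh`, workload path `/svc/billing` and audience URLs are all constructed for the example; a real verifier would fetch the cluster's public keys rather than hold a single in-process key, and would normally use a JOSE library rather than hand-rolling JWS.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// trustDomain is assumed here; in Teleport it is the cluster name.
const trustDomain = "example.teleport.sh"

// svidClaims is the JWT-SVID claim set: sub is the SPIFFE ID, aud the API it is for, exp the short expiry.
type svidClaims struct {
	Sub string   `json:"sub"`
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"`
}

// newSigningKey stands in for the cluster's JWT signing key.
func newSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// issueJWTSVID signs header.claims with ES256 (JWS encodes the ECDSA signature as raw R||S).
func issueJWTSVID(key *ecdsa.PrivateKey, spiffeID, audience string, ttl time.Duration, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	body, _ := json.Marshal(svidClaims{Sub: spiffeID, Aud: []string{audience}, Exp: now.Add(ttl).Unix()})
	signingInput := b64url(header) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // P-256: 32-byte R followed by 32-byte S
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig), nil
}

// verifyJWTSVID is what the external API does: pin the algorithm, check the signature with the
// key from the trust bundle, then enforce expiry, audience and trust domain. Returns the SPIFFE ID.
func verifyJWTSVID(token string, pub *ecdsa.PublicKey, audience string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	var header struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(rawHeader, &header) != nil || header.Alg != "ES256" {
		return "", errors.New("unsupported or malformed header") // the token never selects the verifier
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return "", errors.New("bad signature")
	}
	rawBody, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c svidClaims
	if err != nil || json.Unmarshal(rawBody, &c) != nil {
		return "", errors.New("malformed claims")
	}
	if now.Unix() >= c.Exp {
		return "", errors.New("token expired")
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == audience
	}
	if !audOK {
		return "", fmt.Errorf("audience %v does not include %q", c.Aud, audience)
	}
	if !strings.HasPrefix(c.Sub, "spiffe://"+trustDomain+"/") {
		return "", fmt.Errorf("subject %q is outside trust domain %s", c.Sub, trustDomain)
	}
	return c.Sub, nil
}

func main() {
	key, _ := newSigningKey()
	now := time.Now()
	tok, _ := issueJWTSVID(key, "spiffe://"+trustDomain+"/svc/billing", "https://payments.example.com", 5*time.Minute, now)
	fmt.Println(verifyJWTSVID(tok, &key.PublicKey, "https://payments.example.com", now)) // accepted
	fmt.Println(verifyJWTSVID(tok, &key.PublicKey, "https://other.example.com", now))    // rejected: wrong audience
}
```

The audience check is what prevents a token captured at one API from being replayed at another: each API requests tokens minted for its own audience and refuses the rest. Pinning `alg` before looking at the signature closes the classic "alg: none" and key-confusion mistakes, and checking `exp` against the verifier's own clock is what makes the short TTL meaningful.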

A Zero Trust strategy is applied across workloads and automation:

Automation scripts authenticate through the proxy to perform infrastructure tasks

Workloads authenticate using short-lived, cryptographically verifiable identities

Security teams use Teleport’s unified audit logs to trace all identity activity

Zero-trust, identity-based communication without shared secrets: identities are issued and rotated automatically, without human involvement.

Instead of managing static credentials (e.g., API keys, database passwords), workloads authenticate using short-lived X.509 certificates or JWTs that follow the SPIFFE standard, so they interoperate with SPIRE and other SPIFFE-compatible tooling.

Identities are issued dynamically by Teleport's Auth Service, renewed on a regular schedule, and rotated automatically.

All identity issuance and usage is recorded in audit logs

Flexible Workload Identities: Issues SPIFFE-compatible identities for various authentication purposes; doesn't use Teleport Proxy for workload-to-workload communication

Zero Trust Access for machines: Issues Teleport-specific credentials for accessing resources secured by Teleport; requires using the Teleport Proxy