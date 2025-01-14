Version: 16.x

Join Methods and Tokens

This guide explains the core concepts behind the Teleport joining process, references all support join methods and classifies them based on their security properties. This guide does not explain step-by-step how to join an instance with each join method, but links to the relevant How-To guides when possible.

Prerequisite You must be familiar with the Teleport Core concepts before reading this page.

Joining a Teleport cluster is the act of establishing trust between a new Teleport instance and all the existing instances already part of the Teleport cluster. At the end of the joining process, the Auth Service signs certificates for the joining instance. Those certificates represent the trust that was established. With them, the newly-joined instance can interact with the other Teleport instances.

To request its certificates, an instance must prove its identity to the Auth Service. Teleport offers multiple ways for a joining instance to prove its authenticity, they are called the join methods.

The joining process only happens when a Teleport service doesn't have valid certificates. Once the token is exchanged for certificates, those certificates are used on all subsequent attempts to connect. In most cases, this happens during the first startup.

A join method is a way for the Auth Service to validate that an instance requesting to join the Teleport cluster is legitimate. Some join methods are universal while others rely on the joining instance context. For example cloud-provider join-methods (such as iam , gcp or azure ) or CI-provider (such as github , gitlab , circleci ) are more flexible and provide better security guarantees but require the joining instance to run in a specific cloud-provider.

Different join methods may provide different security guarantees. e.g. some join methods allow the joining instance to request renewable certificates while other will require the instance to join again to renew its certificate.

The join method and its parameters are specified in the token resource.

A Token is a Teleport resource that specifies which join method can be used in which context. For example, a token can allow SSH services to join with the iam join method if they are in the AWS account 333333333333 and can assume the role teleport-instance-role :

kind: token version: v2 metadata: name: my-iam-token spec: roles: [ Node ] join_method: iam allow: - aws_account: "333333333333" aws_arn: "arn:aws:sts::333333333333:assumed-role/teleport-instance-role/i-*"

important The token name may, or may not be sensitive depending on the join method. Secret-based join methods rely on the token name to be secret. In such cases the token name must be protected as knowing the token name in enough for an instance to join the cluster.

Secret-based join methods are universal: Teleport service can use a secret-based join method regardless of the platform/cloud provider it runs on. The joining instance sends the secret and the Auth Service validates that it matches the one it knows. Those joining methods are inherently prone to secret exfiltration and the delegated join methods should be preferred when available. If you have to use a secret-based join method, it is recommended to use short-lived tokens (valid only 1 hour for example) to reduce the risk of the token leaking.

Secret-based join methods are:

warning Teleport supports static tokens for backward compatibility, their use should be avoided.

Delegated join methods rely on the context of the joining instance and a third party to establish trust. The third party can be a cloud provider, a CI platform or the container runtime. Those methods cannot be used for every instance (e.g. joining an SSH agent from a Raspberry Pi is not possible) but should be preferred when possible.

Delegated join methods might also offer more granularity. For example, cloud-provider based join methods can allow instances to join based on their Availability Zone, service account, or cloud account ID.

Delegated join methods are:

Depending on the join method used, the Auth Service might issue renewable or non-renewable certificates.

When the certificate is about to expire, instances with renewable certificates can request a new one without having to use a token again. Typically, secret-based join methods provide renewable certificates because the secret token is sensitive and typically short-lived. With a single join, the instance can stay part of the cluster indefinitely.

Renewable join-methods are:

Nodes with non-renewable certificates must join again in order to get a new certificate before expiry. The instance will have to prove again that it is legitimate. The non-renewable join methods guarantee that an attacker stealing the instance certificates will not be able to maintain access to the Teleport cluster. Those join methods can be considered more secure and more appropriate for temporary workloads such as CI/CD pipelines or containerized environments.

Non-renewable join methods are:

The token resource has the following common fields for all join methods:

kind: token version: v2 metadata: name: my-token-name spec: roles: - Node - App join_method: gcp bot_name: my-bot suggested_labels: teams: [ "sales-eng" , "eng" , "qa" ] application: [ "demo-product" ] suggested_agent_matcher_labels: teams: [ "sales-eng" ]

danger This join method is inherently less secure because long-lived tokens can be stolen and reused. Relying on it significantly reduces the security benefits of using Teleport. Its usage is strongly discouraged. You should use ephemeral tokens instead.

Static tokens are tokens defined in the Auth Service configuration ( teleport.yaml ). The token name must be kept secret as knowing it allows to join instances to the Teleport cluster.

auth_service: enabled: yes tokens: - "proxy,node:xxxxx" - "auth:yyyy" - "discovery,app,db:zzzzz"

Ephemeral tokens are secret tokens created dynamically via the CLI or Teleport API. They are time-bound and are typically created just before joining an instance to the Teleport cluster.

They can be created by the CLI (a strong random value is picked when not specified, default TTL is 30 minutes):

tctl tokens add --type discovery,app --ttl 15m

Or as Teleport resources:

kind: token version: v2 metadata: expires: "2023-11-24T21:45:40.104524Z" name: abcd123-insecure-do-not-use-this spec: join_method: token roles: - Discovery - App

When a MachineID bot uses an ephemeral join token, the token is deleted.

The IAM join method is available to any Teleport process running anywhere with access to IAM credentials, such as an EC2 instance with an attached IAM role. No specific permissions or IAM policy is required: an IAM role with no attached policies is sufficient. No IAM credentials are required on the Teleport Auth Service.

This is the recommended method to join workload running on AWS.

kind: token version: v2 metadata: name: iam-token spec: roles: [ Node ] join_method: iam allow: - aws_account: "111111111111" - aws_account: "222222222222" - aws_account: "333333333333" aws_arn: "arn:aws:sts::333333333333:assumed-role/teleport-node-role/i-*"

The EC2 join method is available to any Teleport process running on an EC2 instance. Only one Teleport process per EC2 instance may use the EC2 join method.

IAM credentials with ec2:DescribeInstances permissions are required on your Teleport Auth Service. No IAM credentials are required on the Teleport processes joining the cluster.

warning The EC2 join method is not available in Teleport Enterprise Cloud and Teleport Team. Teleport Enterprise Cloud and Team customers can use the IAM join method or ephemeral secret tokens.

kind: token version: v2 metadata: name: ec2-token spec: roles: [ Node ] join_method: ec2 aws_iid_ttl: 5m allow: - aws_account: "111111111111" aws_regions: - us-west-1 - us-west-2

See Also Joining Services via AWS EC2 Identity Document.

The Azure join method is available to any Teleport process running in an Azure Virtual Machine. Support for joining a cluster with the Proxy Service behind a layer 7 load balancer or reverse proxy is available in Teleport 13.0+.

kind: token version: v2 metadata: name: azure-token spec: roles: [ Node ] join_method: azure azure: allow: - subscription: 11111111 -1111 -1111 -1111 -111111111111 - subscription: 22222222 -2222 -2222 -2222 -222222222222 - subscription: 33333333 -3333 -3333 -3333 -333333333333 resource_groups: [ "group1" , "group2" ]

The GCP join method is available to any Teleport process running on a GCP VM. The VM must have a service account assigned to it (the default service account is fine). No IAM roles are required on the Teleport process joining the cluster.

kind: token version: v2 metadata: name: gcp-token spec: roles: [ Node ] join_method: gcp gcp: allow: - project_ids: [ "example-project-id" ] locations: [ "us-west1" , "us-west2-a" ] service_accounts: [ [email protected]"

Teleport supports secure joining on both GitHub-hosted and self-hosted GitHub Actions runners as well as GitHub Enterprise Server. This join method is typically used with Machine ID to access Teleport-protected resources in GitHub Actions pipelines.

kind: token version: v2 metadata: name: github-token spec: roles: [ Bot ] join_method: github bot_name: github-demo github: enterprise_server_host: ghes.example.com static_jwks: | {"keys":[--snip--]} enterprise_slug: slug allow: - repository: gravitational/teleport repository_owner: gravitational workflow: my-workflow environment: production actor: octocat ref: ref/heads/main ref_type: branch sub: repo:gravitational/example-repo:environment:production

See Also Deploying Machine ID on GitHub Actions

This join method is typically used with Machine ID to access Teleport-protected resources in Circle CI pipelines.

kind: token version: v2 metadata: name: example-bot spec: roles: [ Bot ] join_method: circleci bot_name: example circleci: organization_id: $ORGANIZATION_ID allow: - context_id: 00000000 -0000 -0000 -0000 -000000000000 project_id: 1234

See Also Deploying Machine ID on Circle CI

Teleport supports secure joining on both cloud-hosted and self-hosted GitLab instances. The minimum supported GitLab version is 15.7.

This join method is typically used with MachineID to access Teleport-protected resources in Gitlab CI pipelines.

kind: token version: v2 metadata: name: gitlab-demo spec: roles: [ Bot ] join_method: gitlab bot_name: gitlab-demo gitlab: domain: gitlab.example.com allow: - project_path: my-user/my-project namespace_path: my-user pipeline_source: web environment: production ref_type: branch ref: main sub: project_path:my-user/my-project:ref_type:branch:ref:main user_login: octocat user_email: [email protected] ref_protected: true environment_protected: true ci_config_sha: ffffffffffffffffffffffffffffffffffffffff ci_config_ref_uri: gitlab.example.com/my-group/my-project//.gitlab-ci.yml@refs/heads/main deployment_tier: production project_visibility: public

See Also Deploying Machine ID on GitLab CI

The Kubernetes join methods exists in two variants:

Kubernetes in-cluster joining is available for any Teleport process running in the same Kubernetes cluster than the Auth Service. It uses the Kubernetes ServiceAccount tokens to validate the pod identity. The method relies on the Kubernetes TokenReview API which is typically only reachable from within the Kubernetes cluster. Because of this limitation, this join method is only available for self-hosted Teleport clusters in Kubernetes.

This method should be preferred when available as tokens are revoked as soon as the pod enters the Terminated state.

kind: token version: v2 metadata: name: kubernetes-token expires: "2050-01-01T00:00:00Z" spec: roles: [ App ] join_method: kubernetes kubernetes: type: in_cluster allow: - service_account: "teleport-agent:teleport-app-service"

See Also Joining Services via Kubernetes ServiceAccount Token

Kubernetes JWKS joining is available for any Teleport process running in Kubernetes. The Auth Service does not have to run in Kubernetes so this method can be used with any Teleport cluster, including Teleport Cloud. This join method works by exporting the public Kubernetes signing keys and using them to validate Kubernetes SA token signatures. The signature validation can be performed by an Auth Service without access to the Kubernetes.

The Kubernetes JWKS join method is available in Teleport 14+.

kind: token version: v2 metadata: name: example spec: roles: [ App ] join_method: kubernetes kubernetes: type: static_jwks static_jwks: jwks: | # Place the kubernetes JWKS here (`kubectl get --raw /openid/v1/jwks`) {"keys":[--snip--]} allow: - service_account: "namespace:serviceaccount"

warning After rotating the Kubernetes CA, you must update the Kubernetes JWKS tokens to contain the new Kubernetes signing keys (update the spec.kubernetes.static_jwks.jwks field).

See Also Deploying Machine ID on Kubernetes

The tpm join method is a secure way for Bots and Agents to authenticate with the Teleport Auth Service without using any shared secrets. Instead of using a shared secret, the unique identity of the host's Trusted Platform Module (TPM) and public key cryptography is used to authenticate the host.

In environments where there is no other form of identity available to machines, e.g on-prem, this is the most secure method for joining. It avoids the need to distribute a shared secret as is needed for the token join method.

A Trusted Platform Module (TPM) is a secure, physical cryptoprocessor that is installed on a host. TPMs can store cryptographic material and perform a number of cryptographic operations, without exposing the cryptographic material to the operating system. Each TPM has a unique key pair burned-in known as the Endorsement Key (EK). This key does not change, even if the host operating system is reinstalled.

Some TPMs also contain an X.509 certificate for this key pair that is signed by the manufacturer's CA. This is known as the EK Certificate (EKCert). This certificate can be used by the TPM to prove to a third-party (who trusts the manufacturer's CA) that the TPM is genuine and abides by the TPM specification.

When using the tpm join method, you must first query the TPM's public key and then create a join token that explicitly allows this public key. To list information about the detected TPM, run the teleport tpm identify command.

If you have a large number of hosts, it may make sense to use automation tooling such as Ansible to query the TPMs across your fleet and then generate join tokens.

warning The tpm join method is currently not compatible with FIPS 140-2.

kind: token version: v2 metadata: name: tpm-token spec: roles: [ Bot ] join_method: tpm bot_name: tpm-demo tpm: ekcert_allowed_cas: - | -----BEGIN CERTIFICATE----- ... CA Certificate Data ... -----END CERTIFICATE----- allow: - description: "example-build-server-100" ek_public_hash: "d4b4example6fabfc568d74f2example6c35a05337d7af9a6example6c891aa6" ek_certificate_serial: "01:23:45:67:89:ex:am:pl:e0:23:45:67:89:ab:cd:ef"

See Also Deploying Machine ID on Linux: TPM

This join method is used to authenticate using Terraform Cloud Workload Identity. It is typically used by the Teleport Terraform provider on either HCP Terraform or self-hosted Terraform Enterprise. It can not be used to join Terraform runs on other platforms and dedicated join methods should be used instead.

Enterprise Support for self-hosted Terraform Enterprise requires Teleport Enterprise.

kind: token version: v2 metadata: name: terraform spec: roles: [ Bot ] join_method: terraform bot_name: terraform terraform: audience: '' hostname: '' allow: - organization_name: OrgName organization_id: org-foo project_name: ProjectName project_id: prj-bar workspace_name: WorkspaceName workspace_id: ws-baz run_phase: ''

See Also Run the Teleport Terraform Provider on Terraform Cloud

This join method is used to authenticate using Spacelift. It is typically used by the Teleport Terraform provider on Spacelift (including self-hosted deployments).

kind: token version: v2 metadata: name: spacelift spec: roles: [ Bot ] join_method: spacelift bot_name: spacelift spacelift: hostname: example.app.spacelift.io allow: - space_id: root caller_type: stack caller_id: my-stack scope: read

See Also Run the Teleport Terraform Provider on Spacelift

This join method is used to authenticate using Bitbucket's support for OpenID Connect, and is typically used to allow either Machine ID's tbot or the Teleport Terraform provider to authenticate to Teleport without use of shared secrets.

kind: token version: v2 metadata: name: example-bot spec: roles: [ Bot ] join_method: bitbucket bot_name: example bitbucket: identity_provider_url: $IDENTITY_PROVIDER_URL audience: $AUDIENCE allow: - workspace_uuid: '{WORKSPACE_UUID}' repository_uuid: '{REPOSITORY_UUID}' deployment_environment_uuid: '{DEPLOYMENT_ENVIRONMENT_UUID}' branch_name: "main"