Deploy tbot
The first step to set up Machine & Workload Identity is to deploy the tbot
agent and join it as a Bot to your Teleport cluster. You can run the tbot
binary on a number of platforms, from AWS and GitHub Actions to a generic Linux
server or Kubernetes cluster.
Choosing a deployment method
Two considerations determine how you deploy the tbot agent on your
infrastructure: the platform it runs on, and the method it uses to join the cluster.
Your infrastructure
The tbot agent runs as a container or on a Linux virtual machine. If you run
tbot on GitHub Actions, you can use one of the ready-made Teleport GitHub
Actions workflows.
Join method
The tbot agent joins your Teleport cluster by using one of the following
authentication methods:
- Platform-signed document: The platform that hosts tbot, such as a Kubernetes
  cluster or an Amazon EC2 instance, provides a signed identity document that
  Teleport verifies against the platform's certificate authority or OIDC issuer.
  This is the recommended approach because no shared secret is distributed to
  the host.
- Static join token: Your Teleport client tool (tctl) generates a string and
  stores it on the Teleport Auth Service. tbot presents this string when it
  first connects to your Teleport cluster, demonstrating to the Auth Service
  that it belongs in the cluster. The token is a bearer secret and should be
  handled as one. From then on, tbot authenticates to your Teleport cluster
  with a renewable certificate rather than the token.
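The following is an added example, not a file from the Teleport documentation or project, showing how the two join methods differ in configuration. It assumes a cluster at `teleport.example.com:443`, a bot named `ci-deployer`, a Kubernetes service account `tbot` in namespace `ci`, and the paths shown; all of these are placeholders.

```yaml
# Added example; host names, bot names, token names and paths are placeholders.
#
# File 1: tbot.yaml for a static join token.
# The token is minted once on the cluster side, for example:
#   tctl bots add ci-deployer --roles=access
# It is a shared secret, so it is read from a file rather than written inline.
# Directory storage is required here: after the first join, tbot authenticates
# with the certificate it persisted, not with the token.
version: v2
auth_server: teleport.example.com:443
onboarding:
  join_method: token
  token: /var/run/secrets/tbot-join-token   # literal token or path to a file holding it
storage:
  type: directory
  path: /var/lib/teleport/bot
outputs:
  - type: identity
    destination:
      type: directory
      path: /opt/machine-id
---
# File 2: token resource for a platform-signed (Kubernetes in-cluster) join.
# Created on the cluster side with:
#   tctl create -f token.yaml
# No secret is distributed; instead the Auth Service verifies the pod's
# projected service-account token against the cluster's token review API and
# only admits the service account listed under `allow`.
kind: token
version: v2
metadata:
  name: ci-deployer-k8s
spec:
  roles: [Bot]
  join_method: kubernetes
  bot_name: ci-deployer
  kubernetes:
    type: in_cluster
    allow:
      - service_account: "ci:tbot"   # namespace:service_account
---
# File 3: tbot.yaml for the Kubernetes join.
# `token` names the token resource above, not a secret. Because tbot can
# re-prove its identity to the platform on every start, in-memory storage is
# sufficient and nothing sensitive needs to survive a restart.
version: v2
auth_server: teleport.example.com:443
onboarding:
  join_method: kubernetes
  token: ci-deployer-k8s
storage:
  type: memory
outputs:
  - type: identity
    destination:
      type: directory
      path: /opt/machine-id
```

The practical difference to check before choosing: with a static token, anyone who obtains the token file before tbot consumes it can join as the bot, so the file needs the same handling as any other credential and the storage directory must be protected afterwards. With a platform-signed join, the `allow` rules on the token resource are the trust boundary, so review them as carefully as you would a role binding.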
Deployment guides
The guides in this section show you how to deploy the Machine & Workload
Identity agent, tbot, and join it to your cluster.
If a specific guide does not exist for your platform, the Linux guide is compatible with most platforms. For custom approaches, you can also read the Machine & Workload Identity Reference and Architecture to plan your deployment.
Self-hosted infrastructure
Read the following guides for how to deploy tbot on your cloud platform or on-premises infrastructure.
| Platform | Installation method | Join method |
|---|---|---|
| Linux | Package manager or TAR archive | Static join token |
| Linux (TPM) | Package manager or TAR archive | Attestation from TPM 2.0 |
| GCP | Package manager, TAR archive, or Kubernetes pod | Identity document signed by GCP |
| AWS | Package manager, TAR archive, or Kubernetes pod | Identity document signed by AWS |
| Azure | Package manager or TAR archive | Identity document signed by Azure |
| Kubernetes | Kubernetes pod | Identity document signed by your Kubernetes cluster |
| Kubernetes OIDC | Kubernetes pod on a cloud provider with OIDC | Identity document signed by your cloud provider |
CI/CD
Read the following guides for how to deploy tbot on a continuous integration
and continuous deployment platform:
| Platform | Installation method | Join method |
|---|---|---|
| Azure DevOps | TAR archive | Azure DevOps-signed identity document |
| Bitbucket Pipelines | TAR archive | Bitbucket-signed identity document |
| CircleCI | TAR archive | CircleCI-signed identity document |
| GitLab | TAR archive | GitLab-signed identity document |
| GitHub Actions | Teleport job available through the GitHub Actions marketplace | GitHub-signed identity document |
| Jenkins | Package manager or TAR archive | Static join token |
| Spacelift | Docker Image | Spacelift-signed identity document |
| Terraform Cloud | Teleport Terraform Provider via Teleport's Terraform Registry | Terraform Cloud-signed identity document |