Date: 2025-01-14
Version: 18.x (unreleased)

EC2 Tags as Teleport Node Labels

When running on an AWS EC2 instance, Teleport will automatically detect and import EC2 tags as Teleport labels for SSH nodes, Applications, Databases, and Kubernetes clusters. Labels created this way will have the aws/ prefix. When the Teleport process starts, it fetches all tags from the instance metadata service and adds them as labels. The process will update the tags every hour, so newly created or deleted tags will be reflected in the labels.

If the tag TeleportHostname is present, its value (must be lower case) will override the node's hostname.

    tsh ls
    Node Name            Address        Labels
    -------------------- -------------- -----------------------------------------------------------------------------------------------------------------------
    fakehost.example.com 127.0.0.1:3022 env=example,hostname=ip-172-31-53-70,aws/Name=atburke-dev,aws/TagKey=TagValue,aws/TeleportHostname=fakehost.example.com

Note: For services that manage multiple resources (such as the Database Service), each resource will receive the same labels from EC2.

A running Teleport cluster version 17.0.0-dev or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

The tctl admin tool and tsh client tool. Visit Installation for instructions on downloading tctl and tsh.

One Teleport Agent running on an Amazon EC2 instance. See our guides for how to set up Teleport Agents.

To allow Teleport to import EC2 tags, tags must be enabled in the instance metadata. This can be done via the AWS console or the AWS CLI. See the AWS documentation for more details.

Note: Only instances that are running on the Nitro system will update their tags while running. All other instance types must be restarted to update tags.
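To confirm from the instance itself that tags are exposed, the following added example (not Teleport's own code) reads them through IMDSv2 and prints the aws/ labels described above, flagging a TeleportHostname value that is not lower case. The function names, the --live switch and the sample data are assumptions made for this example; without --live it runs on constructed sample tags.

```sh
#!/bin/sh
# Added example, not Teleport code: preview the aws/ labels for this instance.
IMDS="${IMDS:-http://169.254.169.254}"   # link-local IMDS address
TAB=$(printf '\t')

# GET the metadata path $1 using the IMDSv2 session token $2.
imds_get() {
    curl -sf -m 2 -H "X-aws-ec2-metadata-token: $2" "$IMDS/latest/meta-data/$1"
}

# Print "key<TAB>value" per instance tag; fail if IMDS does not expose tags.
imds_tags() {
    token=$(curl -sf -m 2 -X PUT "$IMDS/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
    # A 404 here usually means tags in instance metadata are not enabled.
    keys=$(imds_get tags/instance "$token") || return 1
    for key in $keys; do
        printf '%s\t%s\n' "$key" "$(imds_get "tags/instance/$key" "$token")"
    done
}

# Read "key<TAB>value" lines, print labels; return 1 on a bad TeleportHostname.
to_labels() {
    rc=0
    while IFS="$TAB" read -r key value; do
        [ -n "$key" ] || continue
        printf 'aws/%s=%s\n' "$key" "$value"
        if [ "$key" = "TeleportHostname" ]; then
            case $value in
                *[[:upper:]]*)
                    echo "TeleportHostname is not lower case: $value" >&2; rc=1 ;;
            esac
        fi
    done
    return "$rc"
}

# Constructed sample input, mirroring the tags in the tsh ls output above.
sample_tags() {
    printf 'Name\tatburke-dev\nTagKey\tTagValue\nTeleportHostname\tfakehost.example.com\n'
}

# "--live" queries IMDS on the instance; otherwise the sample is used.
if [ "${1:-}" = "--live" ]; then
    tags=$(imds_tags) || { echo "no tags exposed by IMDS" >&2; exit 1; }
    printf '%s\n' "$tags" | to_labels
else
    sample_tags | to_labels
fi
```

Run with --live on the instance and compare the output with the aws/ labels that tsh ls shows for the node.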

To launch a new instance with instance metadata tags enabled:

1. Open Advanced Options at the bottom of the page.
2. Ensure that Metadata accessible is not disabled.
3. Enable Allow tags in metadata.

To modify an existing instance to enable instance metadata tags:

1. From the instance summary, go to Actions > Instance Settings > Allow tags in instance metadata.
2. Enable Allow.

To modify the instance at launch:

    aws ec2 run-instances \
        --image-id <image-id> \
        --instance-type <instance-type> \
        --metadata-options "InstanceMetadataTags=enabled" ...

To modify a running instance: