Version: 18.x (unreleased)

This guide explains how to use the EC2 join method to configure Teleport processes to join your Teleport cluster without sharing any secrets when they a re running in AWS.

The EC2 join method is only available in self-hosted Teleport deployments. There are two other AWS join methods available depending on your use case:

The IAM join method is available to any Teleport process running anywhere with access to IAM credentials, such as an EC2 instance with an attached IAM role (see documentation). No specific permissions or IAM policy is required: an IAM role with no attached policies is sufficient. No IAM credentials are required on the Teleport Auth Service. Tokens not signed by AWS: You can configure Teleport processes running on AWS to join a cluster via Teleport join tokens or, for Teleport processes running on Kubernetes, signed ServiceAccount tokens. These approaches allow you to join a Teleport process to a cluster when you don't want to rely on AWS-specific APIs, e.g., when adopting a cloud-agnostic approach.

The EC2 join method is available to any Teleport process running on an EC2 instance. Only one Teleport process per EC2 instance may use the EC2 join method. The process presents an EC2 instance identity document to the Teleport Auth Service.

Meanwhile, the Teleport Auth Service has AWS IAM credentials with ec2:DescribeInstances permissions in order to check that the identity document belongs to a legitimate EC2 instance. No IAM credentials are required on the Teleport processes joining the cluster.

A running self-hosted Teleport cluster. If you want to get started with self-hosted Teleport Enterprise, contact Sales. You can also set up a demo environment with Teleport Community Edition.

The tctl admin tool and tsh client tool version >= 17.0.0-dev. Visit Installation for instructions on downloading tctl and tsh .

To check that you can connect to your Teleport cluster, sign in with tsh login , then verify that you can run tctl commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and [email protected] teleport.example.com --user= [email protected] tsh login --proxy=--user= tctl status tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

, then verify that you can run commands using your current credentials. For example, run the following command, assigning to the domain name of the Teleport Proxy Service in your cluster and command, you can use your current credentials to run subsequent commands from your workstation. If you host your own Teleport cluster, you can also run commands on the computer that hosts the Teleport Auth Service for full permissions. An AWS EC2 instance to host a Teleport process, with the Teleport binary installed. The host should not have an existing data dir ( /var/lib/teleport by default). Remove the data directory if this instance has previously joined a Teleport cluster.

The Teleport Auth Service needs permission to call ec2:DescribeInstances in order to check that the EC2 instances attempting to join your cluster are legitimate and currently running.

Create the following AWS IAM policy named teleport-DescribeInstances-policy in your account:

{ "Version" : "2012-10-17" , "Statement" : [ { "Effect" : "Allow" , "Action" : "ec2:DescribeInstances" , "Resource" : "*" } ] }

If your Teleport Auth Service is running on an EC2 instance and already has an attached "IAM role for Amazon EC2", add the above teleport-DescribeInstances-policy to the existing role. If the instance does not already have an attached role, create an IAM role with the above policy and attach it to your EC2 instance running the Teleport Auth Service.

If you are running your Teleport Auth Service outside of AWS you can attach the teleport-DescribeInstances-policy directly to an IAM user which Teleport will use to authenticate.

You can provide the IAM credentials to Teleport through a shared configuration file or environment variables. See Specifying Credentials for details.

Configure your Teleport Auth Service with a special dynamic token which will allow services from your AWS account to join your Teleport cluster.

Under the hood, services will prove that they are running in your AWS account by sending a signed EC2 Instance Identity Document which matches an allow rule configured in your AWS joining token.

Create the following token.yaml with an allow rule specifying your AWS account and the AWS regions in which your EC2 instances will run.

kind: token version: v2 metadata: name: ec2-token spec: roles: [ Node ] join_method: ec2 aws_iid_ttl: 5m allow: - aws_account: "111111111111" aws_regions: - us-west-1 - us-west-2

Run tctl create token.yaml to create the token.

Install Teleport on your AWS EC2 Instance.

To install a Teleport Agent on your Linux server:

The easiest installation method, for Teleport versions 17.3 and above, is the cluster install script. It will use the best version, edition, and installation mode for your cluster.

Assign teleport.example.com:443 to your Teleport cluster hostname and port, but not the scheme (https://). Run your cluster's install script: curl "https:// teleport.example.com:443 /scripts/install.sh" | sudo bash

On older Teleport versions:

Assign edition to one of the following, depending on your Teleport edition: Edition Value Teleport Enterprise Cloud cloud Teleport Enterprise (Self-Hosted) enterprise Teleport Community Edition oss Get the version of Teleport to install. If you have automatic agent updates enabled in your cluster, query the latest Teleport version that is compatible with the updater: TELEPORT_DOMAIN= example.teleport.com:443 TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/default/version | sed 's/v//')" Otherwise, get the version of your Teleport cluster: TELEPORT_DOMAIN= example.teleport.com:443 TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/ping | jq -r '.server_version')" Install Teleport on your Linux server: curl https://cdn.teleport.dev/install-v15.4.11.sh | bash -s ${TELEPORT_VERSION} edition The installation script detects the package manager on your Linux server and uses it to install Teleport binaries. To customize your installation, learn about the Teleport package repositories in the installation guide.

The EC2 join method can be used for Teleport processes running the SSH, Proxy, Kubernetes, Application, Database, or Windows Desktop Services. The Teleport process should be run directly on an AWS EC2 instance and must have network access to the AWS EC2 IMDSv2 (enabled by default for most EC2 instances).

Configure your Teleport process with a custom teleport.yaml file. Use the join_params section with token_name matching your token created in Step 2 and method: ec2 as shown in the following example config:

# /etc/teleport.yaml version: v3 teleport: join_params: token_name: ec2-token method: ec2 proxy_server: https://teleport.example.com:443 ssh_service: enabled: yes auth_service: enabled: no proxy_service: enabled: no

IMPORTANT The data directory ( /var/lib/teleport by default) must be empty prior to launching the Teleport process. If this Teleport process had previously joined by another method (e.g. token or IAM) the host UUID will not match the expected name ( <AWS Account number>-<instance id> ) and will not be allowed to join.

Configure your Teleport instance to start automatically when the host boots up by creating a systemd service for it. The instructions depend on how you installed your Teleport instance.

Package Manager

TAR Archive On the host where you will run your Teleport instance, enable and start Teleport: sudo systemctl enable teleport sudo systemctl start teleport On the host where you will run your Teleport instance, create a systemd service configuration for Teleport, enable the Teleport service, and start Teleport: sudo teleport install systemd -o /etc/systemd/system/teleport.service sudo systemctl enable teleport sudo systemctl start teleport

You can check the status of your Teleport instance with systemctl status teleport and view its logs with journalctl -fu teleport .

Start Teleport on the host and confirm that it is able to connect to and join your cluster. You're all set!

In order for Teleport processes to join from EC2 instances in AWS accounts other than the account in which your Teleport Auth Service is running, Teleport must have permissions to assume an IAM role in each of those accounts and call ec2:DescribeInstances in the foreign account.

In each AWS account where your EC2 instances will be running:

Create the teleport-DescribeInstances-policy from Step 1.1. Create an IAM role teleport-DescribeInstances-role that can be assumed from the account where your Teleport Auth Service is running. Go to the AWS IAM Console, select Create Role, and for "Select type of trusted entity", select "Another AWS account" and enter the AWS Account ID of the account where your Teleport Auth Service is running. Attach the teleport-DescribeInstances-policy to the role.

In the AWS account where your Teleport Auth Service is running:

Create an IAM policy named teleport-AssumeRole-policy with an AssumeRole statement for each foreign account:

{ "Version" : "2012-10-17" , "Statement" : [ { "Effect" : "Allow" , "Action" : "sts:AssumeRole" , "Resource" : "arn:aws:iam::222222222222:role/teleport-DescribeInstances-role" } , { "Effect" : "Allow" , "Action" : "sts:AssumeRole" , "Resource" : "arn:aws:iam::333333333333:role/teleport-DescribeInstances-role" } ] }

Attach this teleport-AssumeRole-policy to the IAM role your Teleport Auth Service has credentials for, see Step 1.2.

When creating the AWS joining token, include an allow rule for each foreign account and specify the AWS ARN for the foreign teleport-DescribeInstances-role .