Date: 2025-07-30
Version: 19.x (unreleased)

Join Services with Oracle Cloud

This guide will explain how to use the Oracle join method to configure Teleport processes to join your Teleport cluster without sharing any secrets when they are running in an Oracle Cloud Infrastructure (OCI) Compute instance.

The Oracle join method is available to any Teleport process running on an OCI Compute instance.

Under the hood, services prove that they are running in your OCI tenant by sending a presigned self-authentication request to the OCI API for the Auth Service to execute.

A running Teleport cluster version 17.3.0 or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

The tctl and tsh clients.

Installing tctl and tsh clients

Mac: Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients:

    curl -O https://cdn.teleport.dev/teleport-17.0.0-dev.pkg

In Finder double-click the pkg file to begin installation.

Danger: Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

Windows (PowerShell):

    curl.exe -O https://cdn.teleport.dev/teleport-v17.0.0-dev-windows-amd64-bin.zip

Linux: All of the Teleport binaries in Linux installations include the tctl and tsh clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page.

    curl -O https://cdn.teleport.dev/teleport-v17.0.0-dev-linux-amd64-bin.tar.gz
    tar -xzf teleport-v17.0.0-dev-linux-amd64-bin.tar.gz
    cd teleport
    sudo ./install

The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/ping and use a JSON query tool to obtain your cluster version:

    curl https://example.teleport.sh/v1/webapi/ping | jq -r '.server_version'
    17.0.0-dev

An OCI Compute instance to host a Teleport service.

To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. For example, run the following commands, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and email@example.com to your Teleport username:

    tsh login --proxy=teleport.example.com --user=email@example.com
    tctl status

If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

Configure your Teleport Auth Service with a special dynamic token which will allow services from your OCI tenants to join your Teleport cluster.

Create the following token.yaml file with an oracle.allow rule specifying the Oracle tenant(s), compartment(s), and region(s) in which your OCI Compute instances will run:

    kind: token
    version: v2
    metadata:
      name: oracle-token
    spec:
      roles: [Node]
      join_method: oracle
      oracle:
        allow:
          - tenancy: "ocid1.tenancy.oc1..<unique ID>"
            parent_compartments: ["ocid1.compartment.oc1...<unique_ID>"]
            regions: ["example-region"]

Run the following command to create the token:

    tctl create token.yaml

Every OCI Compute instance needs permission to authenticate itself with the Oracle Cloud API so the presigned request can succeed.

In the OCI console, navigate to Identity/Domains. Select your domain, then select Dynamic groups. Click Create dynamic group. Create a group named join-teleport (the policy in the next step refers to the group by that name) with the following matching rule, assigning compartment-id to the OCID of the compartment your instance is in:

    Any {instance.compartment.id = 'compartment-id'}

Tip: To minimize unnecessary permissions, configure your matching rules to match the rules in the token created in step 1.

In the OCI console, navigate to Identity/Domains/Policy. Click Create Policy. Create the following policy, assigning identity-domain to the name of the selected identity domain:

    Allow dynamic-group 'identity-domain'/'join-teleport' to inspect authentication in tenancy

Install Teleport on your OCI Compute instance.

To install a Teleport Agent on your Linux server:

The easiest installation method, for Teleport versions 17.3 and above, is the cluster install script. It will use the best version, edition, and installation mode for your cluster.

Assign teleport.example.com:443 to your Teleport cluster hostname and port, but not the scheme (https://). Run your cluster's install script:

    curl "https://teleport.example.com:443/scripts/install.sh" | sudo bash

On older Teleport versions:

Assign edition to one of the following, depending on your Teleport edition:

    Edition                            | Value
    Teleport Enterprise Cloud          | cloud
    Teleport Enterprise (Self-Hosted)  | enterprise
    Teleport Community Edition         | oss

Get the version of Teleport to install. If you have automatic agent updates enabled in your cluster, query the latest Teleport version that is compatible with the updater:

    TELEPORT_DOMAIN=example.teleport.com:443
    TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/default/version | sed 's/v//')"

Otherwise, get the version of your Teleport cluster:

    TELEPORT_DOMAIN=example.teleport.com:443
    TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/ping | jq -r '.server_version')"

Install Teleport on your Linux server:

    curl https://cdn.teleport.dev/install.sh | bash -s ${TELEPORT_VERSION} edition

The installation script detects the package manager on your Linux server and uses it to install Teleport binaries. To customize your installation, learn about the Teleport package repositories in the installation guide.

The Oracle join method can be used for Teleport processes running the SSH ( Node ), Proxy, Kubernetes, Application, Database, or Windows Desktop Services. The Teleport process should be run directly on an OCI Compute instance.

Configure your Teleport process with a custom teleport.yaml file. Use the join_params section with token_name matching your token created in Step 1 and method: oracle as shown in the following example config:

    version: v3
    teleport:
      join_params:
        token_name: oracle-token
        method: oracle
      proxy_server: https://teleport.example.com:443
    ssh_service:
      enabled: true
    auth_service:
      enabled: false
    proxy_service:
      enabled: false
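A pre-flight check for the two files above, added here as an example (not Teleport's own code or its actual matching logic): it verifies that the token's oracle.allow entries carry well-formed OCIDs, that teleport.yaml's join_params reference that token with method: oracle, and that the instance's own tenancy, compartment and region satisfy an allow entry. Inputs are plain dicts (the shape yaml.safe_load would give for the YAML files); the instance record is a constructed sample shaped like OCI instance metadata, and the matching rule is an assumed approximation that only accepts the instance's direct compartment.

```python
import re

# Constructed samples (shape of yaml.safe_load on the token.yaml and teleport.yaml above).
TOKEN = {"kind": "token", "version": "v2", "metadata": {"name": "oracle-token"},
         "spec": {"roles": ["Node"], "join_method": "oracle", "oracle": {"allow": [
             {"tenancy": "ocid1.tenancy.oc1..aaaaexampletenancy",
              "parent_compartments": ["ocid1.compartment.oc1..aaaaexamplecompartment"],
              "regions": ["us-phoenix-1"]}]}}}
CONFIG = {"teleport": {"join_params": {"token_name": "oracle-token", "method": "oracle"}}}
# Constructed sample shaped like OCI instance metadata (IMDS v2, GET /opc/v2/instance/
# on 169.254.169.254 with "Authorization: Bearer Oracle"); only the fields used here.
INSTANCE = {"tenantId": "ocid1.tenancy.oc1..aaaaexampletenancy",
            "compartmentId": "ocid1.compartment.oc1..aaaaexamplecompartment",
            "canonicalRegionName": "us-phoenix-1"}
# OCID layout: ocid1.<type>.<realm>.[region].[future use].<unique id>
OCID_RE = re.compile(r"^ocid1\.(?P<type>[a-z]+)\.oc\d+(\.[a-z0-9-]*){1,2}\.[a-z0-9]+$")


def is_ocid(value, expected_type):
    """True if value is a well-formed OCID of the given resource type."""
    m = OCID_RE.match(value or "")
    return bool(m) and m.group("type") == expected_type


def rule_matches(rule, instance):
    """Assumed approximation: tenancy must match; if parent_compartments or regions
    are listed, the instance's own compartment / canonical region must be in them.
    A compartment nested below a listed parent needs an OCI API lookup (not done)."""
    if rule.get("tenancy") != instance["tenantId"]:
        return False
    comps = rule.get("parent_compartments", [])
    if comps and instance["compartmentId"] not in comps:
        return False
    regions = rule.get("regions", [])
    return not regions or instance["canonicalRegionName"] in regions


def preflight(token, config, instance):
    """Return a list of problems; an empty list means the join should be accepted."""
    problems = []
    rules = token.get("spec", {}).get("oracle", {}).get("allow", [])
    for i, rule in enumerate(rules):
        if not is_ocid(rule.get("tenancy"), "tenancy"):
            problems.append(f"allow[{i}].tenancy is not a tenancy OCID")
        for c in rule.get("parent_compartments", []):
            if not is_ocid(c, "compartment"):
                problems.append(f"allow[{i}].parent_compartments has non-compartment OCID {c!r}")
    jp = config.get("teleport", {}).get("join_params", {})
    if jp.get("method") != "oracle" or jp.get("token_name") != token["metadata"]["name"]:
        problems.append("teleport.yaml join_params must use method: oracle and this token's name")
    if not any(rule_matches(r, instance) for r in rules):
        problems.append("instance tenancy/compartment/region matches no allow rule")
    return problems
```

Run preflight(TOKEN, CONFIG, INSTANCE) on the host before starting Teleport; a non-empty list points at the file or rule to fix before the join attempt shows up as a rejection in the Auth Service logs.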

Configure your Teleport instance to start automatically when the host boots up by creating a systemd service for it. The instructions depend on how you installed your Teleport instance.

Package Manager: On the host where you will run your Teleport instance, enable and start Teleport:

    sudo systemctl enable teleport
    sudo systemctl start teleport

TAR Archive: On the host where you will run your Teleport instance, create a systemd service configuration for Teleport, enable the Teleport service, and start Teleport:

    sudo teleport install systemd -o /etc/systemd/system/teleport.service
    sudo systemctl enable teleport
    sudo systemctl start teleport

You can check the status of your Teleport instance with systemctl status teleport and view its logs with journalctl -fu teleport.

Once you have started Teleport, confirm that your service is able to connect to and join your cluster.