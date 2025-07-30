Version: 19.x (unreleased)

On this page

Deploying Machine ID on Azure Report an issue with this page

In this guide, you will install Machine ID's agent, tbot on an Azure VM. The bot will be configured to use the azure delegated joining method to authenticate to your Teleport cluster. This eliminates the need for long-lived secrets.

On the Azure platform, virtual machines can be assigned a managed identity. The Azure platform will then make available to the virtual machine an attested data document and JWT that allows the virtual machine to act as this identity. This identity can be validated by a third party by attempting to use this token to fetch its own identity from the Azure identity service.

The azure join method instructs the bot to use this attested data document and JWT to prove its identity to the Teleport Auth Service. This allows joining to occur without the use of a long-lived secret.

A running Teleport cluster version 17.0.0-dev or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

The tctl and tsh clients. Installing tctl and tsh clients Mac Windows - Powershell Linux Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients: curl -O https://cdn.teleport.dev/teleport-17.0.0-dev.pkg In Finder double-click the pkg file to begin installation. danger Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security. curl.exe -O https://cdn.teleport.dev/teleport-v17.0.0-dev-windows-amd64-bin.zip All of the Teleport binaries in Linux installations include the tctl and tsh clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page. curl -O https://cdn.teleport.dev/teleport-v17.0.0-dev-linux-amd64-bin.tar.gz tar -xzf teleport-v17.0.0-dev-linux-amd64-bin.tar.gz cd teleport sudo ./install The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/ping and use a JSON query tool to obtain your cluster version: curl https://example.teleport.sh/v1/webapi/ping | jq -r '.server_version' 17.0.0-dev



To check that you can connect to your Teleport cluster, sign in with tsh login , then verify that you can run tctl commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and [email protected] teleport.example.com --user= [email protected] tsh login --proxy=--user= tctl status tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

, then verify that you can run commands using your current credentials. For example, run the following command, assigning to the domain name of the Teleport Proxy Service in your cluster and command, you can use your current credentials to run subsequent commands from your workstation. If you host your own Teleport cluster, you can also run commands on the computer that hosts the Teleport Auth Service for full permissions. An Azure managed identity with a role granting the Microsoft.Compute/virtualMachines/read permission. You will need to know the UID of this identity.

permission. You will need to know the UID of this identity. An Azure VM you wish to install Machine ID onto with the managed identity configured as a user-assigned managed identity.

This step is completed on the Azure VM.

First, tbot needs to be installed on the VM that you wish to use Machine ID on.

Download and install the appropriate Teleport package for your platform:

To install a Teleport Agent on your Linux server:

The easiest installation method, for Teleport versions 17.3 and above, is the cluster install script. It will use the best version, edition, and installation mode for your cluster.

Assign teleport.example.com:443 to your Teleport cluster hostname and port, but not the scheme (https://). Run your cluster's install script: curl "https:// teleport.example.com:443 /scripts/install.sh" | sudo bash

On older Teleport versions:

Assign edition to one of the following, depending on your Teleport edition: Edition Value Teleport Enterprise Cloud cloud Teleport Enterprise (Self-Hosted) enterprise Teleport Community Edition oss Get the version of Teleport to install. If you have automatic agent updates enabled in your cluster, query the latest Teleport version that is compatible with the updater: TELEPORT_DOMAIN= example.teleport.com:443 TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/default/version | sed 's/v//')" Otherwise, get the version of your Teleport cluster: TELEPORT_DOMAIN= example.teleport.com:443 TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/ping | jq -r '.server_version')" Install Teleport on your Linux server: curl https://cdn.teleport.dev/install.sh | bash -s ${TELEPORT_VERSION} edition The installation script detects the package manager on your Linux server and uses it to install Teleport binaries. To customize your installation, learn about the Teleport package repositories in the installation guide.

This step is completed on your local machine.

Next, you need to create a Bot. A Bot is a Teleport identity for a machine or group of machines. Like users, bots have a set of roles and traits which define what they can access.

Create bot.yaml :

kind: bot version: v1 metadata: name: example spec: roles: []

Make sure you replace example with a unique, descriptive name for your Bot.

Use tctl to apply this file:

tctl create bot.yaml

This step is completed on your local machine.

Create bot-token.yaml :

kind: token version: v2 metadata: name: example-bot spec: roles: [ Bot ] bot_name: example join_method: azure azure: allow: - subscription: 11111111 -1111 -1111 -1111 -111111111111 resource_groups: [ "group1" ]

Replace:

11111111-1111-1111-1111-111111111111 with the UID of your Azure subscription

with the UID of your Azure subscription example with the name of the bot you created in the second step

with the name of the bot you created in the second step group1 with the name of the resource group that the VM resides within or omit this entirely to allow joining from any VM within the subscription

Use tctl to apply this file:

tctl create -f bot-token.yaml

This step is completed on the Azure VM.

Create /etc/tbot.yaml :

version: v2 proxy_server: example.teleport.sh:443 onboarding: join_method: azure token: example-bot azure : client_id: 22222222 -2222 -2222 -2222 -222222222222 storage: type: memory outputs: []

Replace:

example.teleport.sh:443 with the address of your Teleport Proxy or Auth Service. Prefer using the address of a Teleport Proxy.

with the address of your Teleport Proxy or Auth Service. Prefer using the address of a Teleport Proxy. 22222222-2222-2222-2222-222222222222 with the ID of the Azure managed identity that has been assigned to the VM.

with the ID of the Azure managed identity that has been assigned to the VM. example-bot with the name of the token you created in the second step.

Now, you must decide if you want to run tbot as a daemon or in one-shot mode.

In daemon mode, tbot runs continually, renewing the short-lived credentials for the configured outputs on a fixed interval. This is often combined with a service manager (such as systemd) in order to run tbot in the background. This is the default behaviour of tbot .

In one-shot mode, tbot generates short-lived credentials and then exits. This is useful when combining tbot with scripting (such as in CI/CD) as it allows further steps to be dependent on tbot having succeeded. It is important to note that the credentials will expire if not renewed and to ensure that the TTL for the certificates is long enough to cover the length of the CI/CD job.

By default, tbot will run in daemon mode. However, this must then be configured as a service within the service manager on the Linux host. The service manager will start tbot on boot and ensure it is restarted if it fails. For this guide, systemd will be demonstrated but tbot should be compatible with all common alternatives.

Use tbot install systemd to generate a systemd service file:

sudo tbot install systemd \ --write \ --config /etc/tbot.yaml \ --user teleport \ --group teleport \ --anonymous-telemetry

Ensure that you replace:

teleport with the name of Linux user you wish to run tbot as.

with the name of Linux user you wish to run as. /etc/tbot.yaml with the path to the configuration file you have created.

You can omit --write to print the systemd service file to the console instead of writing it to disk.

--anonymous-telemetry enables the submission of anonymous usage telemetry. This helps us shape the future development of tbot . You can disable this by omitting this.

Next, enable the service so that it will start on boot and then start the service:

sudo systemctl daemon-reload sudo systemctl enable tbot sudo systemctl start tbot

Check the service has started successfully:

sudo systemctl status tbot

To use tbot in one-shot mode, modify /etc/tbot.yaml to add oneshot: true :

version: v2 oneshot: true auth_server: ...

Now, you should test your tbot configuration. When started, several log messages will be emitted before it exits with status 0:

export TELEPORT_ANONYMOUS_TELEMETRY=1 tbot start -c /etc/tbot.yaml

TELEPORT_ANONYMOUS_TELEMETRY enables the submission of anonymous usage telemetry. This helps us shape the future development of tbot . You can disable this by omitting this.

You have now prepared the base configuration for tbot . At this point, it identifies itself to the Teleport cluster and renews its own credentials but does not output any credentials for other applications to use.

Follow one of the access guides to configure an output that meets your access needs.