# TeleportScopedTokenV1

This guide is a comprehensive reference to the fields in the `TeleportScopedTokenV1` resource, which you can apply after installing the Teleport Kubernetes operator.

## resources.teleport.dev/v1

**apiVersion:** resources.teleport.dev/v1

| Field      | Type            | Description                                                                                                                                                                                                                                                                                          |
| ---------- | --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| apiVersion | string          | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: <https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources>  |
| kind       | string          | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: <https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds> |
| metadata   | object          |                                                                                                                                                                                                                                                                                                      |
| scope      | string          | Scope is the scope of the token resource.                                                                                                                                                                                                                                                            |
| spec       | [object](#spec) | ScopedToken resource definition v1 from Teleport                                                                                                                                                                                                                                                     |

### spec

| Field             | Type                            | Description                                                                                                                                                                                                                 |
| ----------------- | ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| assigned\_scope   | string                          | The scope to which this token is assigned. Must be equal to, or a descendant of, the scope of the token itself.                                                                                                             |
| aws               | [object](#specaws)              | The AWS-specific configuration used with the "ec2" and "iam" join methods.                                                                                                                                                  |
| azure             | [object](#specazure)            | The Azure-specific configuration used with the "azure" join method.                                                                                                                                                         |
| azure\_devops     | [object](#specazure_devops)     | The Azure DevOps-specific configuration used with the "azure\_devops" join method.                                                                                                                                          |
| gcp               | [object](#specgcp)              | The GCP-specific configuration used with the "gcp" join method.                                                                                                                                                             |
| immutable\_labels | [object](#specimmutable_labels) | Immutable labels that should be applied to any resulting resources provisioned using this token.                                                                                                                            |
| join\_method      | string                          | The join method required in order to use this token. Scoped tokens currently support only the 'token' join method.                                                                                                          |
| kubernetes        | [object](#speckubernetes)       | The Kubernetes-specific configuration used with the "kubernetes" join method.                                                                                                                                               |
| oracle            | [object](#specoracle)           | The Oracle-specific configuration used with the "oracle" join method.                                                                                                                                                       |
| roles             | \[]string                       | The list of roles associated with the token. They will be converted to metadata in the SSH and X509 certificates issued to the user of the token.                                                                           |
| usage\_mode       | string                          | The usage mode of the token. Can be "single\_use" or "unlimited". A single-use token can provision only one resource. An unlimited token can provision any number of resources until the token expires.                    |
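The two tables above state three constraints that are easy to get wrong in a manifest: `scope` is required, `spec.assigned_scope` must equal or descend from `scope`, and scoped tokens accept only the `token` join method with a `usage_mode` of `single_use` or `unlimited`. The following pre-apply check is an added example, not part of the Teleport documentation or the operator's code. It assumes scopes are `/`-delimited paths such as `/staging/east` (the reference does not define the scope syntax), and the two manifests it validates are constructed samples with placeholder names.

```python
"""Pre-apply checks for a TeleportScopedTokenV1 manifest (added example, not
Teleport's own code). Enforces the constraints stated in the field reference:
scope is required, spec.assigned_scope must equal or descend from scope,
join_method must be 'token', usage_mode must be single_use or unlimited."""
from typing import Any

API_VERSION = "resources.teleport.dev/v1"
KIND = "TeleportScopedTokenV1"
SUPPORTED_JOIN_METHODS = {"token"}            # only 'token' per the spec table
VALID_USAGE_MODES = {"single_use", "unlimited"}


def scope_segments(scope: str) -> list[str]:
    """Split a scope path into segments.

    Assumption: scopes are '/'-delimited paths such as '/' or '/staging/east';
    the field reference does not define the syntax.
    """
    return [seg for seg in scope.split("/") if seg]


def is_same_or_descendant(assigned: str, parent: str) -> bool:
    """True when `assigned` equals `parent` or lies beneath it.

    Comparison is segment-wise, so '/staging-east' is NOT a descendant of
    '/staging' even though it matches as a plain string prefix.
    """
    parent_segs = scope_segments(parent)
    return scope_segments(assigned)[: len(parent_segs)] == parent_segs


def validate_scoped_token(manifest: dict[str, Any]) -> list[str]:
    """Return a list of problems; an empty list means the manifest passes."""
    problems: list[str] = []
    if manifest.get("apiVersion") != API_VERSION:
        problems.append(f"apiVersion must be {API_VERSION}")
    if manifest.get("kind") != KIND:
        problems.append(f"kind must be {KIND}")

    scope = manifest.get("scope")
    spec = manifest.get("spec") or {}
    assigned = spec.get("assigned_scope")

    scope_ok = isinstance(scope, str) and scope.startswith("/")
    assigned_ok = isinstance(assigned, str) and assigned.startswith("/")
    if not scope_ok:
        problems.append("scope is required and must be a '/'-rooted path")
    if not assigned_ok:
        problems.append("spec.assigned_scope is required and must be a '/'-rooted path")
    elif scope_ok and not is_same_or_descendant(assigned, scope):
        problems.append(
            f"spec.assigned_scope {assigned!r} is not equal to or beneath scope {scope!r}"
        )

    if spec.get("join_method") not in SUPPORTED_JOIN_METHODS:
        problems.append("spec.join_method must be 'token' for scoped tokens")
    if spec.get("usage_mode") not in VALID_USAGE_MODES:
        problems.append("spec.usage_mode must be 'single_use' or 'unlimited'")
    return problems


# Constructed sample manifests (placeholder names and scopes, not real ones).
GOOD_MANIFEST: dict[str, Any] = {
    "apiVersion": API_VERSION,
    "kind": KIND,
    "metadata": {"name": "staging-east-node-join"},
    "scope": "/staging",
    "spec": {
        "assigned_scope": "/staging/east",   # descendant of /staging: allowed
        "join_method": "token",
        "usage_mode": "single_use",
        "roles": ["Node"],
    },
}

BAD_MANIFEST: dict[str, Any] = {
    "apiVersion": API_VERSION,
    "kind": KIND,
    "metadata": {"name": "bad-token"},
    "scope": "/staging",
    "spec": {
        "assigned_scope": "/prod",           # escapes the token's own scope
        "join_method": "iam",                # unsupported for scoped tokens
        "usage_mode": "forever",             # not a valid usage mode
        "roles": ["Node"],
    },
}

if __name__ == "__main__":
    for m in (GOOD_MANIFEST, BAD_MANIFEST):
        name = m["metadata"]["name"]
        issues = validate_scoped_token(m)
        print(f"{name}: {'OK' if not issues else issues}")
```

Running the module prints `OK` for the first manifest and three findings for the second. The segment-wise comparison in `is_same_or_descendant` is the part worth keeping: a plain string-prefix test would let a token scoped to `/staging` assign itself to `/staging-east`, which is a sibling scope rather than a descendant.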

### spec.aws

| Field       | Type                             | Description                                                                                                                                                    |
| ----------- | -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| allow       | \[][object](#specawsallow-items) | A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token.                                          |
| iid\_ttl    | string                           | The TTL to use for AWS EC2 Instance Identity Documents used to join the cluster with this token. This should be a duration string such as "8h" or "6mo".       |
| integration | string                           | Integration name which provides credentials for validating join attempts. Currently only in use for validating the AWS Organization ID in the IAM Join method. |

### spec.aws.allow items

| Field                 | Type      | Description |
| --------------------- | --------- | ----------- |
| aws\_account          | string    |             |
| aws\_arn              | string    |             |
| aws\_organization\_id | string    |             |
| aws\_regions          | \[]string |             |
| aws\_role             | string    |             |

### spec.azure

| Field | Type                               | Description                                                                                                           |
| ----- | ---------------------------------- | --------------------------------------------------------------------------------------------------------------------- |
| allow | \[][object](#specazureallow-items) | A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token. |

### spec.azure.allow items

| Field            | Type      | Description |
| ---------------- | --------- | ----------- |
| resource\_groups | \[]string |             |
| subscription     | string    |             |

### spec.azure\_devops

| Field            | Type                                      | Description                                                                                                                                                                              |
| ---------------- | ----------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| allow            | \[][object](#specazure_devopsallow-items) | A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token.                                                                    |
| organization\_id | string                                    | The UUID of the Azure DevOps organization that this join token will grant access to. This is used to identify the correct issuer when verifying the ID token. This is a required field.                  |

### spec.azure\_devops.allow items

| Field               | Type   | Description |
| ------------------- | ------ | ----------- |
| definition\_id      | string |             |
| pipeline\_name      | string |             |
| project\_id         | string |             |
| project\_name       | string |             |
| repository\_ref     | string |             |
| repository\_uri     | string |             |
| repository\_version | string |             |
| sub                 | string |             |

### spec.gcp

| Field | Type                             | Description                                                                                                           |
| ----- | -------------------------------- | --------------------------------------------------------------------------------------------------------------------- |
| allow | \[][object](#specgcpallow-items) | A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token. |

### spec.gcp.allow items

| Field             | Type      | Description |
| ----------------- | --------- | ----------- |
| locations         | \[]string |             |
| project\_ids      | \[]string |             |
| service\_accounts | \[]string |             |

### spec.immutable\_labels

| Field | Type                               | Description                                 |
| ----- | ---------------------------------- | ------------------------------------------- |
| ssh   | [object](#specimmutable_labelsssh) | Labels that should be applied to SSH nodes. |

### spec.immutable\_labels.ssh

| Field | Type   | Description |
| ----- | ------ | ----------- |
| key   | string |             |
| value | string |             |

### spec.kubernetes

| Field        | Type                                    | Description                                                                                                                                                                                    |
| ------------ | --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| allow        | \[][object](#speckubernetesallow-items) | A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token.                                                                          |
| oidc         | [object](#speckubernetesoidc)           | The configuration specific to the `oidc` type.                                                                                                                                                 |
| static\_jwks | [object](#speckubernetesstatic_jwks)    | The configuration specific to the `static_jwks` type.                                                                                                                                          |
| type         | string                                  | Controls which behavior should be used for validating the Kubernetes Service Account token. Supported values: `in_cluster`, `static_jwks`, `oidc`. If unset, this defaults to `in_cluster`.                  |

### spec.kubernetes.allow items

| Field            | Type   | Description |
| ---------------- | ------ | ----------- |
| service\_account | string |             |

### spec.kubernetes.oidc

| Field                         | Type    | Description |
| ----------------------------- | ------- | ----------- |
| insecure\_allow\_http\_issuer | boolean |             |
| issuer                        | string  |             |

### spec.kubernetes.static\_jwks

| Field | Type   | Description |
| ----- | ------ | ----------- |
| jwks  | string |             |

### spec.oracle

| Field | Type                                | Description                                                                                                           |
| ----- | ----------------------------------- | --------------------------------------------------------------------------------------------------------------------- |
| allow | \[][object](#specoracleallow-items) | A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token. |

### spec.oracle.allow items

| Field                | Type      | Description |
| -------------------- | --------- | ----------- |
| instances            | \[]string |             |
| parent\_compartments | \[]string |             |
| regions              | \[]string |             |
| tenancy              | string    |             |
