
TeleportScopedTokenV1


This guide is a comprehensive reference to the fields in the TeleportScopedTokenV1 resource, which you can apply after installing the Teleport Kubernetes operator.

resources.teleport.dev/v1

apiVersion: resources.teleport.dev/v1

Field | Type | Description
--- | --- | ---
apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata | object | 
scope | string | Scope is the scope of the token resource.
spec | object | ScopedToken resource definition v1 from Teleport

spec

Field | Type | Description
--- | --- | ---
assigned_scope | string | The scope to which this token is assigned. Must be equivalent to, or a descendant of, the scope of the token itself.
aws | object | The AWS-specific configuration used with the "ec2" and "iam" join methods.
azure | object | The Azure-specific configuration used with the "azure" join method.
azure_devops | object | The Azure DevOps-specific configuration used with the "azure_devops" join method.
bot | string | The bot associated with this join token, if any, as a scope-qualified name of the form <scope>::<bot-name> (e.g. "/staging/west::mybot"). The scope component must be a descendant of or equivalent to the token's resource scope. Mutually exclusive with assigned_scope.
bound_keypair | object | Configuration specific to the "bound_keypair" join method.
gcp | object | The GCP-specific configuration used with the "gcp" join method.
generic_oidc | object | Configuration specific to the "generic_oidc" join method.
immutable_labels | object | Immutable labels that should be applied to any resulting resources provisioned using this token.
join_method | string | The join method required in order to use this token. Note that not all join methods support joining with scoped tokens.
kubernetes | object | The Kubernetes-specific configuration used with the "kubernetes" join method.
oracle | object | The Oracle-specific configuration used with the "oracle" join method.
roles | []string | The list of roles associated with the token. They will be converted to metadata in the SSH and X509 certificates issued to the user of the token.
usage_mode | string | The usage mode of the token. Can be "single_use" or "unlimited". Single-use tokens can only be used to provision a single resource. Unlimited tokens can be used to provision any number of resources until the token expires.

spec.aws

Field | Type | Description
--- | --- | ---
allow | []object | A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token.
iid_ttl | string | The TTL to use for AWS EC2 Instance Identity Documents used to join the cluster with this token. This should be a duration string such as "8h" or "6mo".
integration | string | Integration name which provides credentials for validating join attempts. Currently only in use for validating the AWS Organization ID in the IAM join method.

spec.aws.allow items

Field | Type | Description
--- | --- | ---
aws_account | string | 
aws_arn | string | 
aws_organization_id | string | 
aws_regions | []string | 
aws_role | string | 
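Putting the top-level fields, the spec fields and the AWS rules together, here is a complete manifest for a scoped token using the "iam" join method. This is an added example, not a manifest from the Teleport docs or the operator repository: the scope paths, the metadata namespace, the integration name, the account, organization and ARN values, and the system role name "Node" are all placeholders chosen for illustration.

```yaml
# Added example (not from the Teleport docs): scoped token for the "iam" join
# method. Scope paths, account/organization IDs, the ARN pattern, the
# integration name and the role "Node" are assumed placeholders.
apiVersion: resources.teleport.dev/v1
kind: TeleportScopedTokenV1
metadata:
  name: prod-east-iam-join
  namespace: teleport            # namespace watched by the operator (assumed)
scope: /prod                     # scope in which the token resource itself lives
spec:
  # Resources provisioned with this token land in /prod/east, which is a
  # descendant of the token's own scope /prod (a requirement of assigned_scope).
  assigned_scope: /prod/east
  join_method: iam
  roles: ["Node"]                # assumed system role name
  usage_mode: unlimited          # use single_use for one-shot provisioning
  aws:
    # Supplies credentials for checking aws_organization_id in the IAM join.
    integration: aws-prod-org    # assumed integration name
    allow:
      # A node must match at least one rule; within a rule, every field that is
      # set is checked against the joining instance (assumed AND semantics).
      - aws_account: "123456789012"
        aws_organization_id: "o-exampleorg"
        aws_regions: ["us-east-1", "us-east-2"]
        # Wildcard pattern is assumed; use an exact ARN if in doubt.
        aws_arn: "arn:aws:sts::123456789012:assumed-role/TeleportNodeRole/*"
      # A second, narrower rule for a single account with no organization check.
      - aws_account: "210987654321"
        aws_regions: ["eu-west-1"]
```

The first rule ties joining to a specific organization and region set rather than to an account alone, so a compromised credential from an unrelated account in the same organization still has to present the expected ARN; the `integration` field is what lets the cluster validate `aws_organization_id` at all.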

spec.azure

Field | Type | Description
--- | --- | ---
allow | []object | A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token.

spec.azure.allow items

Field | Type | Description
--- | --- | ---
resource_groups | []string | 
subscription | string | 
tenant | string | 

spec.azure_devops

Field | Type | Description
--- | --- | ---
allow | []object | A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token.
organization_id | string | The UUID of the Azure DevOps organization that this join token will grant access to. This is used to identify the correct issuer when verifying the ID token. This field is required.

spec.azure_devops.allow items

Field | Type | Description
--- | --- | ---
definition_id | string | 
pipeline_name | string | 
project_id | string | 
project_name | string | 
repository_ref | string | 
repository_uri | string | 
repository_version | string | 
sub | string | 

spec.bound_keypair

Field | Type | Description
--- | --- | ---
onboarding | object | Parameters related to initial onboarding and keypair registration.
recovery | object | Parameters related to recovery after identity expiration, including the initial join.
rotate_after | string | An optional timestamp that forces clients to perform a keypair rotation on the next join or recovery attempt after the given date. If the keypair's last rotation time (LastRotatedAt) is unset or is before this timestamp, a rotation will be requested. It is recommended to set this value to the current timestamp if a rotation should be triggered on the next join attempt.

spec.bound_keypair.onboarding

Field | Type | Description
--- | --- | ---
initial_public_key | string | 
must_register_before | string | 
registration_secret | string | 

spec.bound_keypair.recovery

Field | Type | Description
--- | --- | ---
limit | integer | 
mode | string | 

spec.gcp

Field | Type | Description
--- | --- | ---
allow | []object | A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token.

spec.gcp.allow items

Field | Type | Description
--- | --- | ---
locations | []string | 
project_ids | []string | 
service_accounts | []string | 

spec.generic_oidc

Field | Type | Description
--- | --- | ---
allow_any | []object | Complex rules evaluated using "OR" semantics. If any rules are specified, at least one rule must evaluate to true for the join attempt to be allowed. These rules are evaluated after must_match_fields, if any field matchers are specified in that block. Note that at least one rule, either in must_match_fields or allow_any, must be specified for any join attempts to succeed.
audience | string | The expected JWT audience value (required). This must match, or be included in the list of, aud values in the JWT provided by the client when joining. For providers that do not allow you to configure this value yourself (this is technically an OIDC spec violation, but is common), use the value they provide. Otherwise, we recommend using a value that uniquely identifies the Teleport cluster and join token. For example, you can use this scheme: $clusterName/$tokenName. For a cluster named example.teleport.sh and a token named example, this would result in an audience of example.teleport.sh/example. If you prefer, you can also use a UUID instead of the token name. Note that you will need to configure the matching value with the issuer, usually at request time.
insecure_allow_http_issuer | boolean | If set, disables the requirement that the issuer must use HTTPS.
issuer | string | The expected iss value as written in the JWT you wish to trust. Unless static_jwks is configured, this issuer must be accessible over HTTPS to the Teleport cluster and must serve valid OIDC metadata, including discovery configuration and JWKS keys.
must_match_fields | object | "Must match" fields perform simple comparison matches using "AND" semantics. Rules are specified by mirroring the structure of the JWT, using values that are expected to be equal to those on the incoming token. These field matching rules can only be used to compare simple values: strings, numbers, booleans, and nested fields. Complex values, including lists, will need to use allow_any expression rules instead. If any field match rules are specified, all must be equal to the corresponding JWT fields for the join attempt to succeed. If complex rules are specified in allow_any, those are evaluated after must_match_fields. If must_match_fields is not specified or is empty, only rules in allow_any are evaluated. These rules can be used as "global" rules that apply to all join attempts. For example, you can use them to ensure all attempts originate from your organization, then use allow_any rules to allow individual repositories, pipelines, or workspaces. Note that at least one rule, either in must_match_fields or allow_any, must be specified for any join attempts to succeed.
static_jwks | string | An optional static JWKS value that can be used to specify JWKS keys when OIDC discovery is either not supported by the provider or the discovery configuration is not accessible to Teleport. When set, configuration and JWKS keys will not be fetched from the URL contained in issuer, and JWTs will be validated using the key set specified here.
tls_ca | string | A TLS CA certificate that should be used to verify requests for OIDC metadata from the issuer instead of Teleport's CA store, useful if the issuer is not public or otherwise uses a self-signed certificate. If unset, the standard web PKI root certificates will be used to verify the connection to the issuer when fetching OIDC metadata. Note that this value only applies to requests using this token, is used instead of (not in addition to) the system CA store, and will need to be updated manually if the remote CA is updated.

spec.generic_oidc.allow_any items

Field | Type | Description
--- | --- | ---
conditions | []object | 
expression | string | 

spec.generic_oidc.allow_any items.conditions items

Field | Type | Description
--- | --- | ---
attribute | string | 
eq | object | 
in | object | 
not_eq | object | 
not_in | object | 

spec.generic_oidc.allow_any items.conditions items.eq

Field | Type | Description
--- | --- | ---
value | string | 

spec.generic_oidc.allow_any items.conditions items.in

Field | Type | Description
--- | --- | ---
values | []string | 

spec.generic_oidc.allow_any items.conditions items.not_eq

Field | Type | Description
--- | --- | ---
value | string | 

spec.generic_oidc.allow_any items.conditions items.not_in

Field | Type | Description
--- | --- | ---
values | []string | 
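The generic_oidc block is the one where the evaluation order matters: must_match_fields is an AND gate applied to every join attempt, and allow_any is then an OR over rules. The manifest below shows both layers together, using the audience scheme $clusterName/$tokenName from the audience field description. It is an added example, not a manifest from the Teleport docs: the issuer URL, cluster name, claim names (org, env.tier, repository, ref, event, pipeline) and claim values describe a hypothetical CI provider, and the assumption that all conditions inside one allow_any rule must hold for that rule to match is mine, not stated on this page.

```yaml
# Added example (not from the Teleport docs): scoped token for the
# "generic_oidc" join method. Issuer, cluster name, claim names and values are
# assumed placeholders for a hypothetical CI provider.
apiVersion: resources.teleport.dev/v1
kind: TeleportScopedTokenV1
metadata:
  name: ci-oidc-join
  namespace: teleport            # assumed operator namespace
scope: /staging
spec:
  assigned_scope: /staging/ci    # descendant of /staging
  join_method: generic_oidc
  roles: ["Node"]                # assumed system role name
  usage_mode: unlimited
  generic_oidc:
    # iss claim as written in the JWT; must serve OIDC discovery over HTTPS
    # because static_jwks is not set here.
    issuer: https://oidc.ci.example.com
    # $clusterName/$tokenName; the same value has to be requested from the
    # issuer when the workload obtains its JWT.
    audience: example.teleport.sh/ci-oidc-join
    # Global gate, AND semantics: every listed field must equal the JWT's value.
    # Nested fields mirror the JWT structure (claim "env" -> "tier").
    must_match_fields:
      org: example-org
      env:
        tier: staging
    # Per-workload rules, OR semantics: at least one rule must evaluate true.
    # Conditions within one rule are assumed to all apply to that rule.
    allow_any:
      - conditions:
          - attribute: repository          # assumed: top-level claim name
            in:
              values: ["example-org/api", "example-org/web"]
          - attribute: ref
            eq:
              value: refs/heads/main
          - attribute: event
            not_in:
              values: ["pull_request"]
      - conditions:
          - attribute: pipeline
            eq:
              value: nightly-build
```

Keeping the organization and environment checks in must_match_fields means a later allow_any rule added for a new repository cannot accidentally widen the token to another tenant of the same issuer; the OR layer only ever narrows within what the AND layer already admits.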

spec.immutable_labels

Field | Type | Description
--- | --- | ---
ssh | object | Labels that should be applied to SSH nodes.

spec.immutable_labels.ssh

Field | Type | Description
--- | --- | ---
key | string | 
value | string | 

spec.kubernetes

Field | Type | Description
--- | --- | ---
allow | []object | A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token.
oidc | object | The configuration specific to the oidc type.
static_jwks | object | The configuration specific to the static_jwks type.
type | string | Controls which behavior should be used for validating the Kubernetes Service Account token. Supported values: in_cluster, static_jwks, oidc.

spec.kubernetes.allow items

Field | Type | Description
--- | --- | ---
service_account | string | 
service_account_name | string | 
service_account_namespace | string | 

spec.kubernetes.oidc

Field | Type | Description
--- | --- | ---
insecure_allow_http_issuer | boolean | 
issuer | string | 

spec.kubernetes.static_jwks

Field | Type | Description
--- | --- | ---
jwks | string | 
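The kubernetes block is also a natural place to show the other way of binding a scoped token: the `bot` field instead of `assigned_scope`. The manifest below is an added example, not one from the Teleport docs: the bot name, the OIDC issuer URL, the service account namespace and names, the metadata namespace and the role name "Bot" are placeholders, and the assumption that `service_account` takes the combined form "namespace:name" is mine rather than something this page states.

```yaml
# Added example (not from the Teleport docs): scoped token for the
# "kubernetes" join method, bound to a bot rather than an assigned scope.
# Bot name, issuer URL, namespaces, service account names and the role
# "Bot" are assumed placeholders.
apiVersion: resources.teleport.dev/v1
kind: TeleportScopedTokenV1
metadata:
  name: mybot-k8s-join
  namespace: teleport            # assumed operator namespace
scope: /staging/west
spec:
  # bot and assigned_scope are mutually exclusive. The scope component of the
  # bot name must equal or descend from the token's scope (/staging/west here).
  bot: "/staging/west::mybot"
  join_method: kubernetes
  roles: ["Bot"]                 # assumed role name for bot identities
  usage_mode: unlimited
  kubernetes:
    # Validate the service account JWT against the cluster's OIDC discovery
    # endpoint instead of an in-cluster TokenReview (type: in_cluster) or a
    # pinned key set (type: static_jwks).
    type: oidc
    oidc:
      issuer: https://oidc.k8s.example.com/id/EXAMPLE   # assumed issuer
      insecure_allow_http_issuer: false                  # keep HTTPS required
    allow:
      # A workload must match at least one rule. The first rule uses the
      # combined field (assumed "namespace:name"); the second uses the
      # two separate fields.
      - service_account: "ci:mybot"
      - service_account_namespace: "ci"
        service_account_name: "mybot-canary"
```

Leaving insecure_allow_http_issuer at false keeps the issuer's discovery document and JWKS fetch on HTTPS; if the issuer is only reachable inside the cluster, prefer `type: static_jwks` with the exported key set over relaxing that check.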

spec.oracle

Field | Type | Description
--- | --- | ---
allow | []object | A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token.

spec.oracle.allow items

Field | Type | Description
--- | --- | ---
instances | []string | 
parent_compartments | []string | 
regions | []string | 
tenancy | string | 