title | description |
---|---|
Machine ID FAQ |
Frequently asked questions about Teleport Machine ID |
Yes, however it depends on your CI/CD provider. It's currently a good fit in the following situations:
- Either short-lived or long-lived tasks run on AWS instances using AWS IAM joining.
- Long-lived worker nodes, like self-hosted Jenkins workers, using token-based joining.
- You use a supported SaaS CI/CD Provider:
- GitHub Actions (Teleport 11)
- CircleCI (coming in Teleport 11.1)
From Teleport 12.2, Trusted Cluster support for SSH Access has been included in Machine ID.
We currently do not support Application Access, Database Access or Kubernetes Access to resources in leaf clusters.
When defining the logins that your bot will be allowed to use, there are two options:
- Directly adding the login to the
logins
section of the role that your bot will impersonate. - Adding the login to the logins trait of the bot user, and impersonating a role
that includes the
{{ internal.logins }}
role variable. This is usually done by providing the--logins
parameter when creating the bot.
For simpler scenarios, where you only expect to configure your bot with a single
destination or role, it is permissible to add the login to the logins trait of
the bot user. This will allow you to leverage existing roles like access
.
For situations where your bot is producing certificates for different roles in different destinations it is important to consider if using login traits will grant access to resources that you were not intending to grant. For this reason, we recommend that in this situation you create bespoke roles that directly include the logins that you wish to grant to the certificates output in that destination.
We do not currently support Machine ID and per-session MFA. Enabling per-session MFA globally, or for roles impersonated by Machine ID, will prevent credentials produced by Machine ID from being used to connect to resources.
As a work-around, ensure that per-session MFA is enforced on individual roles rather than enforced globally, and that it is not enforced for roles that you will impersonate using Machine ID.