Deploy Machine ID
The first step to set up Machine ID is to deploy the tbot
binary and join a
Machine ID bot to your Teleport cluster. You can run the tbot
binary on a
number of platforms, from AWS and GitHub Actions to a generic Linux server or
Kubernetes cluster. This guide shows you how to deploy Machine ID on your
infrastructure.
Choosing a deployment method
There are two considerations to make when determining how to deploy Machine ID on your infrastructure.
Your infrastructure
The tbot
binary runs as a container or on a Linux virtual machine. If you run
tbot
on GitHub Actions, you can use one of the ready-made Teleport GitHub
Actions workflows.
Join method
Machine ID joins your Teleport cluster by using one of the following authentication methods:
- Platform-signed document: The platform that hosts
tbot
, such as a Kubernetes cluster or Amazon EC2 instance, provides a signed identity document that Teleport can verify using the platform's certificate authority. This is the recommended approach because it avoids the use of shared secrets. - Static join token: Your Teleport client tool generates a string and stores it on the Teleport Auth Service. Machine ID provides this string when it first connects to your Teleport cluster, demonstrating to the Auth Service that it belongs in the cluster. From then on, Machine ID authenticates to your Teleport cluster with a renewable certificate.
Deployment guides
The guides in this section show you how to deploy Machine ID and join it to your cluster. Choose a guide based on the platform where you intend to run Machine ID.
If a specific guide does not exist for your platform, the Linux guide is compatible with most platforms. For custom approaches, you can also read the Machine ID Reference and Architecture to plan your deployment.
Self-hosted infrastructure
Read the following guides for how to deploy Machine ID on your cloud platform or on-prem infrastructure.
Platform | Installation method | Join method |
---|---|---|
Linux | Package manager or TAR archive | Static join token |
Linux (TPM) | Package manager or TAR archive | Attestation from TPM 2.0 |
GCP | Package manager, TAR archive, or Kubernetes pod | Identity document signed by GCP |
AWS | Package manager, TAR archive, or Kubernetes pod | Identity document signed by AWS |
Azure | Package manager or TAR archive | Identity document signed by Azure |
Kubernetes | Kubernetes pod | Identity document signed by your Kubernetes cluster |
CI/CD
Read the following guides for how to deploy Machine ID on a continuous integration and continuous deployment platform
Platform | Installation method | Join method |
---|---|---|
Bitbucket Pipelines | TAR archive | Bitbucket-signed identity document |
CircleCI | TAR archive | CircleCI-signed identity document |
GitLab | TAR archive | GitLab-signed identity document |
GitHub Actions | Teleport job available through the GitHub Actions marketplace | GitHub-signed identity document. |
Jenkins | Package manager or TAR archive | Static join token |
Spacelift | Docker Image | Spacelift-signed identity document |
Terraform Cloud | Teleport Terraform Provider via Teleport's Terraform Registry | Terraform Cloud-signed identity document |