Skip to content

Files

Latest commit

stevenGravystevenGravy
docs: include install Teleport for join services (#49522)
Nov 28, 2024
47c06b9 · Nov 28, 2024

History

History
82 lines (60 loc) · 2.49 KB

gcp.mdx

File metadata and controls

82 lines (60 loc) · 2.49 KB
title description
Join Services with GCP
Use the GCP join method to add services to your Teleport cluster.

This guide will explain how to use the GCP join method to configure Teleport processes to join your Teleport cluster without sharing any secrets when they are running in a GCP VM.

The GCP join method is available to any Teleport process running on a GCP VM. The VM must have a service account assigned to it (the default service account is fine). No IAM roles are required on the Teleport process joining the cluster.

Prerequisites

(!docs/pages/includes/edition-prereqs-tabs.mdx!)

  • A GCP VM to host a Teleport service, with a service account assigned to it and with the Teleport binary installed.
  • (!docs/pages/includes/tctl.mdx!)

Step 1/4. Create the GCP joining token

Configure your Teleport Auth Service with a special dynamic token which will allow services from your GCP projects to join your Teleport cluster.

Under the hood, services will prove that they are running in your GCP project by sending a signed ID token which matches an allow rule configured in your GCP joining token.

Create the following token.yaml file with a gcp.allow rule specifying your GCP project ID(s), service account(s), and location(s) in which your GCP instances will run:

(!docs/pages/includes/provision-token/gcp-spec.mdx!)

Run the following command to create the token:

$ tctl create token.yaml

Step 2/4 Install Teleport

Install Teleport on your GCP Linux VM.

(!docs/pages/includes/install-linux.mdx!)

Step 3/4. Configure your services

The GCP join method can be used for Teleport processes running the SSH (Node), Proxy, Kubernetes, Application, Database, or Windows Desktop Services. The Teleport process should be run directly on a GCP VM.

Configure your Teleport process with a custom teleport.yaml file. Use the join_params section with token_name matching your token created in Step 1 and method: gcp as shown in the following example config:

# /etc/teleport.yaml
version: v3
teleport:
  join_params:
    token_name: gcp-token
    method: gcp
  proxy_server: https://teleport.example.com:443
ssh_service:
  enabled: yes
auth_service:
  enabled: no
proxy_service:
  enabled: no

Step 4/4. Launch your Teleport process

(!docs/pages/includes/start-teleport.mdx!)

Once you have started Teleport, confirm that your service is able to connect to and join your cluster.