| title | description | tocDepth |
|---|---|---|
Deploy Machine ID |
Explains how to deploy Machine ID on your platform and join it to your Teleport cluster. |
3 |
The first step to set up Machine ID is to deploy the tbot binary and join a
Machine ID bot to your Teleport cluster. You can run the tbot binary on a
number of platforms, from AWS and GitHub Actions to a generic Linux server or
Kubernetes cluster. This guide shows you how to deploy Machine ID on your
infrastructure.
There are two considerations to make when determining how to deploy Machine ID on your infrastructure.
The tbot binary runs as a container or on a Linux virtual machine. If you run
tbot on GitHub Actions, you can use one of the ready-made Teleport GitHub
Actions workflows.
Machine ID joins your Teleport cluster by using one of the following authentication methods:
- Platform-signed document: The platform that hosts
tbot, such as a Kubernetes cluster or Amazon EC2 instance, provides a signed identity document that Teleport can verify using the platform's certificate authority. This is the recommended approach because it avoids the use of shared secrets. - Static join token: Your Teleport client tool generates a string and stores it on the Teleport Auth Service. Machine ID provides this string when it first connects to your Teleport cluster, demonstrating to the Auth Service that it belongs in the cluster. From then on, Machine ID authenticates to your Teleport cluster with a renewable certificate.
The guides in this section show you how to deploy Machine ID and join it to your cluster. Choose a guide based on the platform where you intend to run Machine ID.
If a specific guide does not exist for your platform, the Linux guide is compatible with most platforms. For custom approaches, you can also read the Machine ID Reference and Architecture to plan your deployment.
Read the following guides for how to deploy Machine ID on your cloud platform or on-prem infrastructure.
| Platform | Installation method | Join method |
|---|---|---|
| Linux | Package manager or TAR archive | Static join token |
| Linux (TPM) | Package manager or TAR archive | Attestation from TPM 2.0 |
| GCP | Package manager, TAR archive, or Kubernetes pod | Identity document signed by GCP |
| AWS | Package manager, TAR archive, or Kubernetes pod | Identity document signed by AWS |
| Azure | Package manager or TAR archive | Identity document signed by Azure |
| Kubernetes | Kubernetes pod | Identity document signed by your Kubernetes cluster |
Read the following guides for how to deploy Machine ID on a continuous integration and continuous deployment platform
| Platform | Installation method | Join method |
|---|---|---|
| Bitbucket Pipelines | TAR archive | Bitbucket-signed identity document |
| CircleCI | TAR archive | CircleCI-signed identity document |
| GitLab | TAR archive | GitLab-signed identity document |
| GitHub Actions | Teleport job available through the GitHub Actions marketplace | GitHub-signed identity document. |
| Jenkins | Package manager or TAR archive | Static join token |
| Spacelift | Docker Image | Spacelift-signed identity document |
| Terraform Cloud | Teleport Terraform Provider via Teleport's Terraform Registry | Terraform Cloud-signed identity document |