Skip to main content

Deploy tbot

Report an Issue

The first step to set up Machine & Workload Identity is to deploy the tbot agent and join it as a Bot to your Teleport cluster. You can run the tbot binary on a number of platforms, from AWS and GitHub Actions to a generic Linux server or Kubernetes cluster.

Choosing a deployment method

There are two considerations to make when determining how to deploy the tbot agent on your infrastructure.

Your infrastructure

The tbot agent runs as a container or on a Linux virtual machine. If you run tbot on GitHub Actions, you can use one of the ready-made Teleport GitHub Actions workflows.

Join method

The tbot agent joins your Teleport cluster by using one of the following authentication methods:

  • Platform-signed document: The platform that hosts tbot, such as a Kubernetes cluster or Amazon EC2 instance, provides a signed identity document that Teleport can verify using the platform's certificate authority. This is the recommended approach because it avoids the use of shared secrets.

  • Bound keypair token: Your tbot agent generates a public/private keypair and the Teleport Auth Service is configured to trust the public key. This trust can either be established manually - by an administrator copying the key to Teleport - or automatically if a single-use joining secret is provided to the tbot client.

    Once trusted, the tbot agent can use its keypair to prove its long-term identity to Teleport and receive a renewable certificate. It authenticates to Teleport for as long as the renewable credential remains valid, but can use the bound keypair to automatically recover if it ever expires - if allowed to do so by your own policy. Read more about Bound Keypair Joining.

  • Static join token: Your Teleport client tool generates a string and stores it on the Teleport Auth Service. tbot provides this string when it first connects to your Teleport cluster, demonstrating to the Auth Service that it belongs in the cluster. From then on, tbot authenticates to your Teleport cluster with a renewable certificate.

Deployment guides

The guides in this section show you how to deploy the Machine & Workload Identity agent, tbot, and join it to your cluster.

If a specific guide does not exist for your platform, the Linux guide is compatible with most platforms. For custom approaches, you can also read the Machine & Workload Identity Reference and Architecture to plan your deployment.

AWSAzureAzure DevOpsBitBucket PipelinesCircleCIGitHub ActionsGitLab CIGoogle CloudKubernetesKubernetes OIDCLinuxLinux TPMBound Keypair Joining

CI/CD

Read the following guides for how to deploy tbot on a continuous integration and continuous deployment platform.

Azure DevOpsBitBucket PipelinesCircleCIGitLab CIGitHub ActionsJenkinsSpaceliftTerraform CloudBound Keypair static keys (Generic)

Unsupported Provider?

If your CI/CD provider does not have a dedicated join method listed above, consider using Bound Keypair static keys as a fallback.