TeleportProvisionToken

This guide is a comprehensive reference to the fields in the TeleportProvisionToken resource, which you can apply after installing the Teleport Kubernetes operator.

resources.teleport.dev/v2

apiVersion: resources.teleport.dev/v2

Field | Type | Description
--- | --- | ---
apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata | object | Standard Kubernetes object metadata. The operator uses metadata.name as the name of the Teleport token it creates.
spec | object | ProvisionToken resource definition v2 from Teleport

spec

Field | Type | Description
--- | --- | ---
allow | []object | Allow is a list of TokenRules. A node using this token must match at least one allow rule; within a rule, every field that is set must match.
aws_iid_ttl | string | AWSIIDTTL is the TTL to use for AWS EC2 Instance Identity Documents used to join the cluster with this token (ec2 join method).
azure | object | Azure allows the configuration of options specific to the "azure" join method.
bitbucket | object | Bitbucket allows the configuration of options specific to the "bitbucket" join method.
bot_name | string | BotName is the name of the Machine ID bot this token grants access to, if any. Set it together with the Bot role.
circleci | object | CircleCI allows the configuration of options specific to the "circleci" join method.
gcp | object | GCP allows the configuration of options specific to the "gcp" join method.
github | object | GitHub allows the configuration of options specific to the "github" join method.
gitlab | object | GitLab allows the configuration of options specific to the "gitlab" join method.
join_method | string | JoinMethod is the joining method required in order to use this token. Supported joining methods include: azure, bitbucket, circleci, ec2, gcp, github, gitlab, iam, kubernetes, spacelift, terraform_cloud, token, tpm. The bitbucket and terraform_cloud methods are configured through the option blocks of the same name below.
kubernetes | object | Kubernetes allows the configuration of options specific to the "kubernetes" join method.
roles | []string | Roles is a list of Teleport system roles associated with the token (for example Node, Proxy, Db, Bot). They are converted to metadata in the SSH and X509 certificates issued to the user of the token, so grant only the roles the joining service needs.
spacelift | object | Spacelift allows the configuration of options specific to the "spacelift" join method.
suggested_agent_matcher_labels | object | SuggestedAgentMatcherLabels is a set of labels to be used by agents to match on resources. When an agent uses this token, the agent should monitor resources that match those labels. For databases, this means adding the labels to db_service.resources.labels. Currently, only node-join scripts create a configuration according to the suggestion.
suggested_labels | object | SuggestedLabels is a set of labels that resources should set when using this token to enroll themselves in the cluster. Currently, only node-join scripts create a configuration according to the suggestion.
terraform_cloud | object | TerraformCloud allows the configuration of options specific to the "terraform_cloud" join method.
tpm | object | TPM allows the configuration of options specific to the "tpm" join method.

spec.allow items

Field | Type | Description
--- | --- | ---
aws_account | string | AWSAccount is the AWS account ID.
aws_arn | string | AWSARN is used for the IAM join method; the AWS identity of joining nodes must match this ARN. Supports wildcards "*" and "?".
aws_regions | []string | AWSRegions is used for the EC2 join method and is a list of AWS regions a node is allowed to join from.
aws_role | string | AWSRole is used for the EC2 join method and is the ARN of the AWS role that the Auth Service will assume in order to call the ec2 API.
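As an added example (not from the original page or from Teleport's own docs), the two AWS join methods side by side as TeleportProvisionToken manifests. The account ID, role names, the `teleport` namespace and the labels are constructed placeholders; the field names are the ones in the tables above.

```yaml
# Added example, not Teleport's own: IAM join (identity proven via STS)
# next to EC2 join (identity proven via the signed Instance Identity Document).
# Account ID, role names, namespace and labels are made up.
apiVersion: resources.teleport.dev/v2
kind: TeleportProvisionToken
metadata:
  name: aws-iam-nodes        # becomes the Teleport token name
  namespace: teleport        # assumption: the namespace the operator watches
spec:
  join_method: iam
  roles: [Node]              # grant only what the joining service needs
  # The joining instance signs an sts:GetCallerIdentity request; the Auth
  # Service checks the returned account and ARN against each rule. A node
  # must match one rule, and every field set in that rule must match.
  allow:
    - aws_account: "123456789012"
      # "*" and "?" are the only wildcards. Pin the role name and let only
      # the session-name segment (the instance ID for instance profiles) float.
      aws_arn: "arn:aws:sts::123456789012:assumed-role/teleport-node-role/i-*"
    - aws_account: "123456789012"
      aws_arn: "arn:aws:sts::123456789012:assumed-role/teleport-proxy-role/*"
  suggested_labels:
    env: prod
---
apiVersion: resources.teleport.dev/v2
kind: TeleportProvisionToken
metadata:
  name: aws-ec2-nodes
  namespace: teleport
spec:
  join_method: ec2
  roles: [Node]
  # Reject Instance Identity Documents older than this; a leaked IID is
  # only useful to an attacker inside this window.
  aws_iid_ttl: 5m
  allow:
    - aws_account: "123456789012"
      aws_regions: ["us-east-1", "us-west-2"]
      # Role the Auth Service assumes to confirm the instance through the
      # EC2 API; it needs ec2:DescribeInstances in the target account.
      aws_role: "arn:aws:iam::123456789012:role/teleport-ec2-describe"
```

Apply either document with `kubectl apply -f` in the operator's namespace. Rules in `allow` are alternatives, so the first manifest admits nodes that assumed either role, but a node that assumed some third role in the same account is refused even though `aws_account` matches.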

spec.azure

Field | Type | Description
--- | --- | ---
allow | []object | Allow is a list of Rules. A node using this token must match one allow rule to use this token.

spec.azure.allow items

Field | Type | Description
--- | --- | ---
resource_groups | []string | Azure resource groups the joining VM is allowed to belong to.
subscription | string | Azure subscription ID the joining VM must belong to.

spec.bitbucket

Field | Type | Description
--- | --- | ---
allow | []object | Allow is a list of Rules. A node using this token must match one allow rule to use this token.
audience | string | Audience is a Bitbucket-specified audience value for this token. It is unique to each Bitbucket repository, and must be set to the value as written in the Pipelines -> OpenID Connect section of the repository settings.
identity_provider_url | string | IdentityProviderURL is a Bitbucket-specified issuer URL for incoming OIDC tokens. It is unique to each Bitbucket repository, and must be set to the value as written in the Pipelines -> OpenID Connect section of the repository settings.

spec.bitbucket.allow items

Each field is matched against the corresponding claim of the Bitbucket Pipelines OIDC token.

Field | Type | Description
--- | --- | ---
branch_name | string | Branch the pipeline runs on.
deployment_environment_uuid | string | UUID of the deployment environment, if any.
repository_uuid | string | UUID of the repository.
workspace_uuid | string | UUID of the workspace.

spec.circleci

Field | Type | Description
--- | --- | ---
allow | []object | Allow is a list of TokenRules. A node using this token must match one allow rule to use this token.
organization_id | string | CircleCI organization ID that issued OIDC tokens must belong to.

spec.circleci.allow items

Field | Type | Description
--- | --- | ---
context_id | string | CircleCI context ID the job must run with.
project_id | string | CircleCI project ID the job must belong to.

spec.gcp

Field | Type | Description
--- | --- | ---
allow | []object | Allow is a list of Rules. A node using this token must match one allow rule to use this token.

spec.gcp.allow items

Field | Type | Description
--- | --- | ---
locations | []string | GCP locations (zones or regions) the joining VM is allowed to run in.
project_ids | []string | GCP project IDs the joining VM may belong to.
service_accounts | []string | Service account emails the joining VM may run as.

spec.github

Field | Type | Description
--- | --- | ---
allow | []object | Allow is a list of TokenRules. A node using this token must match one allow rule to use this token.
enterprise_server_host | string | EnterpriseServerHost allows joining from runners associated with a GitHub Enterprise Server instance. When unconfigured, tokens are validated against github.com; when configured with the host of a GHES instance, tokens are validated against that host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate must be trusted by the Auth Service.
enterprise_slug | string | EnterpriseSlug allows the slug of a GitHub Enterprise organisation to be included in the expected issuer of the OIDC tokens. This is for compatibility with the include_enterprise_slug option in GHE. This field should be set to the slug of your enterprise if this is enabled. If this is not enabled, then this field must be left empty. This field cannot be specified if enterprise_server_host is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise for more information about customized issuer values.
static_jwks | string | StaticJWKS disables fetching of the GHES signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitHub Actions in GHES instances that are not reachable by the Teleport Auth Service. Keys pinned this way are not rotated automatically, so update this value when GHES rotates its signing keys.

spec.github.allow items

Each field is matched against the GitHub Actions OIDC token claim of the same name.

Field | Type | Description
--- | --- | ---
actor | string | GitHub user that triggered the workflow run.
environment | string | Deployment environment the job targets, if any.
ref | string | Git ref the workflow runs on, e.g. refs/heads/main.
ref_type | string | Type of the ref: branch or tag.
repository | string | Repository in owner/name form.
repository_owner | string | Owner (user or organization) of the repository.
sub | string | Full subject claim of the token.
workflow | string | Name of the workflow.
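As an added example (not from the original page or Teleport's docs), a token that lets a Machine ID bot join from GitHub Actions. The organization, repository, workflow and bot names, and the `teleport` namespace, are constructed placeholders; the bot named in `bot_name` is assumed to have been created separately.

```yaml
# Added example, not Teleport's own. Org, repo, workflow, bot name and
# namespace are made up.
apiVersion: resources.teleport.dev/v2
kind: TeleportProvisionToken
metadata:
  name: github-actions-deploy
  namespace: teleport          # assumption: namespace the operator watches
spec:
  join_method: github
  roles: [Bot]                 # a bot join uses the Bot role plus bot_name
  bot_name: gh-deploy          # assumption: bot created beforehand
  github:
    # Leave enterprise_server_host and enterprise_slug unset for github.com.
    # They are mutually exclusive: enterprise_server_host for a GHES
    # instance, enterprise_slug only when GHE issuer customization is on.
    allow:
      # Fields match claims of the Actions OIDC token. Pin repository AND
      # ref, otherwise any branch of the repo (or, with only
      # repository_owner, any repo in the org) could use this token.
      - repository: "example-org/infra"
        ref: "refs/heads/main"
        ref_type: "branch"
        workflow: "deploy"
      # Second rule for release tags. Rules are alternatives; fields within
      # a rule must all match.
      - repository: "example-org/infra"
        ref_type: "tag"
        environment: "production"
```

The first rule ties the token to one branch of one repository and one workflow name, so a workflow added on a feature branch cannot present a token that satisfies it. The second rule deliberately omits `ref` (any tag) but requires the `production` environment, which moves the approval gate to GitHub's environment protection rules.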

spec.gitlab

Field | Type | Description
--- | --- | ---
allow | []object | Allow is a list of TokenRules. A node using this token must match one allow rule to use this token.
domain | string | Domain is the domain of your GitLab instance. This defaults to gitlab.com, but can be set to the domain of your self-hosted GitLab, e.g. gitlab.example.com.

spec.gitlab.allow items

Each field is matched against the claim of the same name in the GitLab CI/CD ID token.

Field | Type | Description
--- | --- | ---
ci_config_ref_uri | string | Ref URI of the CI configuration file used by the job.
ci_config_sha | string | Commit SHA of the CI configuration file.
deployment_tier | string | Deployment tier of the environment (e.g. production).
environment | string | Environment the job deploys to.
environment_protected | boolean | Whether the environment is protected.
namespace_path | string | Group or user namespace of the project.
pipeline_source | string | What triggered the pipeline (e.g. push, merge_request_event).
project_path | string | Full project path, e.g. group/project.
project_visibility | string | Project visibility (private, internal or public).
ref | string | Git ref the job runs on.
ref_protected | boolean | Whether the ref is protected.
ref_type | string | Type of the ref: branch or tag.
sub | string | Full subject claim of the token.
user_email | string | Email of the user who started the pipeline.
user_id | string | ID of the user who started the pipeline.
user_login | string | Username of the user who started the pipeline.

spec.kubernetes

Field | Type | Description
--- | --- | ---
allow | []object | Allow is a list of Rules. A node using this token must match one allow rule to use this token.
static_jwks | object | StaticJWKS is the configuration specific to the static_jwks type.
type | string | Type controls which behavior should be used for validating the Kubernetes Service Account token. Supported values: in_cluster, static_jwks. If unset, this defaults to in_cluster.

spec.kubernetes.allow items

Field | Type | Description
--- | --- | ---
service_account | string | Service account the joining pod must run as, in the form namespace:service-account-name.

spec.kubernetes.static_jwks

Field | Type | Description
--- | --- | ---
jwks | string | JSON Web Key Set (as a JSON string) containing the public keys that sign the remote cluster's service account tokens.
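As an added example (not from the original page or Teleport's docs), the two Kubernetes validation modes. Names and the `teleport` namespace are constructed; the `jwks` value is a placeholder, not a real key.

```yaml
# Added example, not Teleport's own. Names and namespace are made up.
# in_cluster: the Auth Service runs in the same cluster and asks the
# API server (TokenReview) whether the presented token is valid.
apiVersion: resources.teleport.dev/v2
kind: TeleportProvisionToken
metadata:
  name: kube-agents
  namespace: teleport
spec:
  join_method: kubernetes
  roles: [Kube, App]
  kubernetes:
    type: in_cluster
    allow:
      # "<namespace>:<service-account-name>"; pinning the namespace matters,
      # since any pod able to use this service account can join.
      - service_account: "teleport-agents:teleport-kube-agent"
---
# static_jwks: agents run in a cluster the Auth Service cannot reach, so
# its token-signing public keys are pinned here and tokens are verified
# offline. Export them from that cluster with:
#   kubectl get --raw /openid/v1/jwks
apiVersion: resources.teleport.dev/v2
kind: TeleportProvisionToken
metadata:
  name: kube-agents-remote
  namespace: teleport
spec:
  join_method: kubernetes
  roles: [Kube]
  kubernetes:
    type: static_jwks
    static_jwks:
      # Placeholder, not a real key set.
      jwks: |
        {"keys":[{"use":"sig","kty":"RSA","kid":"REPLACE","alg":"RS256","n":"REPLACE","e":"AQAB"}]}
    allow:
      - service_account: "teleport-agents:teleport-kube-agent"
```

With `static_jwks` there is no revocation path through the remote API server: a token signed by a pinned key verifies until the key is removed from `jwks`, so re-export the key set whenever the remote cluster rotates its signing keys.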

spec.spacelift

Field | Type | Description
--- | --- | ---
allow | []object | Allow is a list of Rules. A node using this token must match one allow rule to use this token.
hostname | string | Hostname is the hostname of the Spacelift tenant that tokens will originate from, e.g. example.app.spacelift.io.

spec.spacelift.allow items

Each field is matched against the corresponding claim of the Spacelift OIDC token.

Field | Type | Description
--- | --- | ---
caller_id | string | ID of the stack or module making the call.
caller_type | string | Type of the caller: stack or module.
scope | string | Scope of the run: read (plan) or write (apply).
space_id | string | ID of the Spacelift space the caller belongs to.

spec.terraform_cloud

Field | Type | Description
--- | --- | ---
allow | []object | Allow is a list of Rules. A node using this token must match one allow rule to use this token.
audience | string | Audience is the JWT audience as configured in the TFC_WORKLOAD_IDENTITY_AUDIENCE(_$TAG) variable in Terraform Cloud. If unset, defaults to the Teleport cluster name. For example, if TFC_WORKLOAD_IDENTITY_AUDIENCE_TELEPORT=foo is set in Terraform Cloud, this value should be foo. If the variable is set to match the cluster name, it does not need to be set here.
hostname | string | Hostname is the hostname of the Terraform Enterprise instance expected to issue JWTs allowed by this token. This may be unset for regular Terraform Cloud use, in which case it is assumed to be app.terraform.io. Otherwise, it must both match the iss (issuer) field included in JWTs and provide standard JWKS endpoints.

spec.terraform_cloud.allow items

Each field is matched against the corresponding claim of the Terraform Cloud workload identity token.

Field | Type | Description
--- | --- | ---
organization_id | string | ID of the organization.
organization_name | string | Name of the organization.
project_id | string | ID of the project.
project_name | string | Name of the project.
run_phase | string | Run phase the token was issued for: plan or apply.
workspace_id | string | ID of the workspace.
workspace_name | string | Name of the workspace.

spec.tpm

Field | Type | Description
--- | --- | ---
allow | []object | Allow is a list of Rules; the presented delegated identity must match one allow rule to permit joining.
ekcert_allowed_cas | []string | EKCertAllowedCAs is a list of CA certificates that will be used to validate TPM EKCerts. When specified, joining TPMs must present an EKCert signed by one of the specified CAs; TPMs that do not present an EKCert will not be permitted to join. When unspecified, TPMs will be allowed to join with either an EKCert or an EKPubHash.

spec.tpm.allow items

Field | Type | Description
--- | --- | ---
description | string | Free-form description of the rule (for example, which hosts it covers).
ek_certificate_serial | string | Serial number of the TPM's EK certificate.
ek_public_hash | string | Hex-encoded SHA-256 hash of the TPM's EK public key.
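As an added example (not from the original page or Teleport's docs), a TPM join token that pins hosts by EK identity and additionally requires a vendor-issued EKCert. The CA certificate body, the hash and serial values, the rule descriptions and the `teleport` namespace are constructed placeholders; the `teleport tpm identify` command mentioned in the comment is an assumption about the Teleport CLI.

```yaml
# Added example, not Teleport's own. CA body, hash, serial and namespace
# are placeholders.
apiVersion: resources.teleport.dev/v2
kind: TeleportProvisionToken
metadata:
  name: tpm-bare-metal
  namespace: teleport
spec:
  join_method: tpm
  roles: [Node]
  tpm:
    # With ekcert_allowed_cas set, a TPM that presents no EKCert, or one
    # chained to a different CA, is refused before the allow rules are
    # evaluated. Leave it unset only if your TPMs have no EKCert at all,
    # in which case ek_public_hash is the only pin.
    ekcert_allowed_cas:
      - |
        -----BEGIN CERTIFICATE-----
        MIIB...placeholder: paste your TPM vendor's EK CA certificate here...
        -----END CERTIFICATE-----
    allow:
      # Values below are placeholders; take the real ones from the joining
      # host (assumption: `teleport tpm identify` prints them).
      - description: "rack-7 hosts, pinned by EK public key hash"
        ek_public_hash: "0000000000000000000000000000000000000000000000000000000000000000"
      - description: "rack-8 hosts, pinned by EK certificate serial"
        ek_certificate_serial: "00:00:00:00:00:00:00:00"
```

Each rule identifies exactly one physical TPM, so a fleet needs one rule per host; the `description` field is where to record the asset tag or rack position so the list stays auditable.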