Deploy tbot
The first step to set up Machine & Workload Identity is to deploy the tbot
agent and join it as a Bot to your Teleport cluster. You can run the tbot
binary on a number of platforms, from AWS and GitHub Actions to a generic Linux
server or Kubernetes cluster.
Choosing a deployment method
There are two considerations to make when determining how to deploy the tbot
agent on your infrastructure.
Your infrastructure
The tbot agent runs as a container or on a Linux virtual machine. If you run
tbot on GitHub Actions, you can use one of the ready-made Teleport GitHub
Actions workflows.
Join method
The tbot agent joins your Teleport cluster by using one of the following
authentication methods:
- Platform-signed document: The platform that hosts
tbot, such as a Kubernetes cluster or Amazon EC2 instance, provides a signed identity document that Teleport can verify using the platform's certificate authority. This is the recommended approach because it avoids the use of shared secrets. - Static join token: Your Teleport client tool generates a string and stores
it on the Teleport Auth Service.
tbotprovides this string when it first connects to your Teleport cluster, demonstrating to the Auth Service that it belongs in the cluster. From then on,tbotauthenticates to your Teleport cluster with a renewable certificate.
Deployment guides
The guides in this section show you how to deploy the Machine & Workload
Identity agent, tbot, and join it to your cluster.
If a specific guide does not exist for your platform, the Linux guide is compatible with most platforms. For custom approaches, you can also read the Machine & Workload Identity Reference and Architecture to plan your deployment.
CI/CD
Read the following guides for how to deploy tbot on a continuous integration
and continuous deployment platform.
If your CI/CD provider does not have a dedicated join method listed above, consider using Bound Keypair static keys as a fallback.