Skip to main content

Deploy Machine ID

The first step to set up Machine ID is to deploy the tbot binary and join a Machine ID bot to your Teleport cluster. You can run the tbot binary on a number of platforms, from AWS and GitHub Actions to a generic Linux server or Kubernetes cluster. This guide shows you how to deploy Machine ID on your infrastructure.

Choosing a deployment method

There are two considerations to make when determining how to deploy Machine ID on your infrastructure.

Your infrastructure

The tbot binary runs as a container or on a Linux virtual machine. If you run tbot on GitHub Actions, you can use one of the ready-made Teleport GitHub Actions workflows.

Join method

Machine ID joins your Teleport cluster by using one of the following authentication methods:

  • Platform-signed document: The platform that hosts tbot, such as a Kubernetes cluster or Amazon EC2 instance, provides a signed identity document that Teleport can verify using the platform's certificate authority. This is the recommended approach because it avoids the use of shared secrets.
  • Static join token: Your Teleport client tool generates a string and stores it on the Teleport Auth Service. Machine ID provides this string when it first connects to your Teleport cluster, demonstrating to the Auth Service that it belongs in the cluster. From then on, Machine ID authenticates to your Teleport cluster with a renewable certificate.

Deployment guides

The guides in this section show you how to deploy Machine ID and join it to your cluster. Choose a guide based on the platform where you intend to run Machine ID.

If a specific guide does not exist for your platform, the Linux guide is compatible with most platforms. For custom approaches, you can also read the Machine ID Reference and Architecture to plan your deployment.

Self-hosted infrastructure

Read the following guides for how to deploy Machine ID on your cloud platform or on-prem infrastructure.

PlatformInstallation methodJoin method
LinuxPackage manager or TAR archiveStatic join token
Linux (TPM)Package manager or TAR archiveAttestation from TPM 2.0
GCPPackage manager, TAR archive, or Kubernetes podIdentity document signed by GCP
AWSPackage manager, TAR archive, or Kubernetes podIdentity document signed by AWS
AzurePackage manager or TAR archiveIdentity document signed by Azure
KubernetesKubernetes podIdentity document signed by your Kubernetes cluster

CI/CD

Read the following guides for how to deploy Machine ID on a continuous integration and continuous deployment platform

PlatformInstallation methodJoin method
Bitbucket PipelinesTAR archiveBitbucket-signed identity document
CircleCITAR archiveCircleCI-signed identity document
GitLabTAR archiveGitLab-signed identity document
GitHub ActionsTeleport job available through the GitHub Actions marketplaceGitHub-signed identity document.
JenkinsPackage manager or TAR archiveStatic join token
SpaceliftDocker ImageSpacelift-signed identity document
Terraform CloudTeleport Terraform Provider via Teleport's Terraform RegistryTerraform Cloud-signed identity document