Machine & Workload Identity
Use Teleport to replace long-lived secrets with identity-based authentication for your machines and workloads.
Introduction to Machine & Workload Identity
Teleport Machine & Workload Identity replaces static secrets across your infrastructure with short-lived certificates that are automatically issued and renewed for your Non-Human Identities (NHI).

Popular use cases around Machine & Workload Identity
Secure CI/CD pipelines with identity-based auth
Replace long-lived secrets in CI/CD pipelines
Guard infrastructure as code with short-lived certs
Manage IaC workflows in Terraform and Pulumi
Configure workload-to-workload authentication
Set up service-to-service authentication with mTLS
Manage AI agent identities with role-based access
Use RBAC to manage autonomous agents and processes
Configure hybrid & multi-cloud authentication
Set up universal identities across cloud platforms
Getting started with Machine & Workload Identity
The following steps will help you get started with Machine and Workload Identity. At the core of this flow is tbot, a lightweight agent that runs on your machines and workloads to automatically issue and renew short-lived certificates. This gives your systems secure, identity-based access to infrastructure and cloud providers without relying on static secrets.
Step 1: Deploy tbot across your infrastructure
AWS
Azure
Azure DevOps
Bitbucket Pipelines
CircleCI
Google Cloud
GitLab CI
Jenkins
Kubernetes
Linux
Linux (TPM)
View all Integrations
Step 2: Configure tbot to generate short-lived credentials for resource access
Ansible
Access enrolled Linux hosts via SSH.
Terraform
Use Terraform with Machine ID on a dedicated server.
Kubernetes
Access an enrolled Kubernetes cluster.
SSH servers
Access Linux servers using OpenSSH.
Databases
Access databases enrolled in Teleport.
HTTP & TCP applications
Access enrolled applications.
tctl
Use the Teleport CLI tool tctl for custom flows.
Spacelift
Present a Spacelift-signed ID token.
Terraform Cloud
Use HCP Terraform or Terraform Enterprise.
Getting started
Step 3: Secure workload and cloud authentication with SPIFFE-compatible identities
AWS OIDC Federation
Authenticate to AWS with short-lived JWTs.
AWS Roles Anywhere
Authenticate to AWS with short-lived X.509 certificates.
Azure Federated Credentials
Authenticate to Azure with short-lived JWTs.
GCP Workload Identity Federation
Authenticate to GCP with short-lived JWTs.
tsh
Manually issue SPIFFE SVIDs with the Teleport CLI tool tsh.