getting-started.mdx

title	description
Machine ID Getting Started Guide	Getting started with Teleport Machine ID

In this getting started guide, you will configure Machine ID to issue certificates that enable a bot user to connect to a remote host.

Here's an overview of what you will do:

1. Download and install tbot (=teleport.version=) on the host that will run Machine ID.
2. Create a bot user.
3. Start Machine ID.
4. Use certificates issued by Machine ID to connect to a remote machine.

Prerequisites

• A host that you wish to assign an identity to using Machine ID.

(!docs/pages/includes/edition-prereqs-tabs.mdx!)

(!/docs/pages/includes/tctl.mdx!)

<Admonition type="note" title="Machine ID and TLS Routing" scopeOnly scope={["oss", "enterprise"]}

TLS Routing support was added to Machine ID in Teleport 9.3. For earlier versions, the Teleport Proxy Server will need to be configured with a dedicated SSH listener.

version: v1
proxy_service:
  enabled: "yes"
  listen_addr: "0.0.0.0:3023"
  ...

Step 1/4. Download and install Teleport (=teleport.version=)

In this step, you will be downloading and installing Teleport binaries onto the machine you wish to assign an identity to.

Each Teleport package hosted on our downloads page ships with several useful binaries, including teleport, tctl, tsh, and tbot:

• teleport is the daemon used to initialize a Teleport cluster; this binary is not used in this guide
• tctl is the administrative tool you will use to create the bot user (step 1/4)
• tsh is the client tool you will use to log in to the Teleport Cluster (steps 2/4 and 4/4)
• tbot is the Machine ID tool you will use to associate a bot user with a machine (step 3/4)

Machine ID is available starting from the Teleport 9.0.0 release.

Download the appropriate Teleport package for your platform:

(!docs/pages/includes/install-linux.mdx!)

Step 2/4. Create a bot user

Before you create a bot user, you need to determine which role(s) you want to assign to it. You can use the tctl command below to examine what roles exist on your system.

<ScopedBlock scope={["cloud"]}> On your client machine, log in to Teleport using tsh, then use tctl to examine what roles exist on your system. <ScopedBlock scope={["oss","enterprise"]}> Connect to the Teleport Auth Server and use tctl to examine what roles exist on your system.

$ tctl get roles --format=text

You will see something like the output below on a fresh install of Teleport with the default roles—your cluster may have different roles. In this example, let's assume you want to give the bot the access role to allow it to connect to machines within your cluster.

Role    Allowed to login as                           Node Labels Access to resources
------- --------------------------------------------- ----------- ----------------------------------------
access  {{internal.logins}}                           <all nodes> event:list,read,session:read,list
auditor no-login-6566121f-b602-47f1-a118-c9c618ee5aec             session:list,read,event:list,read
editor                                                            user:list,create,read,update,delete,...

Machine ID can join with a token or the IAM Method on AWS.

Assuming that you are using the default access role, ensure that you use the --logins flag when adding your bot to specify the SSH logins that you wish to allow the bot to access on hosts. For our example, we will be using root.

```code $ tctl bots add robot --roles=access --logins=root ``` First, create an IAM method token that specifies the AWS account from which the bot can join. Create the below file as `iam-token.yaml` then run `tctl create -f iam-token.yaml`.

kind: token
version: v2
metadata:
  # The token name is not a secret because instances must prove that they are
  # running in your AWS account to use this token.
  name: iam-token
spec:
  # Only allow bots to join using this token.
  roles: [Bot]

  # Set the join method to be IAM.
  join_method: iam

  # Define the name of the bot that will be allowed to use this token.
  bot_name: robot

  allow:
  # Restrict the AWS account and (optionally) ARN that can use this token.
  # This information can be obtained from running the
  # "aws sts get-caller-identity" command from the CLI.
  - aws_account: "111111111111"
    aws_arn: "arn:aws:sts::111111111111:assumed-role/teleport-bot-role/i-*"

Next, create the bot user.

$ tctl bots add robot --token=iam-token --roles=access --logins=root

Step 3/4. Start Machine ID

Now start Machine ID using the tbot binary. The tbot start command will start running Machine ID in a loop, writing renewable certificates to /var/lib/teleport/bot and the short-lived certificates your application will use to /opt/machine-id.

In a production environment you will want to run Machine ID in the background using a service manager like systemd. However, in this guide you will run it in the foreground to better understand how it works.

<ScopedBlock scope={["oss", "enterprise"]}>

$ tbot start \
   --data-dir=/var/lib/teleport/bot \
   --destination-dir=/opt/machine-id \
   --token=(=presets.tokens.first=) \
   --join-method=token \
   --ca-pin=(=presets.ca_pin=) \
   --auth-server=auth.example.com:3025

$ tbot start \
   --data-dir=/var/lib/teleport/bot \
   --destination-dir=/opt/machine-id \
   --token=(=presets.tokens.first=) \
   --join-method=token \
   --ca-pin=(=presets.ca_pin=) \
   --auth-server=example.teleport.sh:443

<ScopedBlock scope={["oss", "enterprise"]}>

$ tbot start \
   --data-dir=/var/lib/teleport/bot \
   --destination-dir=/opt/machine-id \
   --token=iam-token \
   --join-method=iam \
   --ca-pin=(=presets.ca_pin=) \
   --auth-server=auth.example.com:3025

$ tbot start \
   --data-dir=/var/lib/teleport/bot \
   --destination-dir=/opt/machine-id \
   --token=iam-token \
   --join-method=iam \
   --ca-pin=(=presets.ca_pin=) \
   --auth-server=example.teleport.sh:443

Replace the following fields with values from your own cluster.

<ScopedBlock scope={["cloud"]}>

• token is the token output by the tctl bots add command or the name of your IAM method token.
• ca-pin is the CA Pin for your Teleport cluster, and is output by the tctl bots add command.
• destination-dir is where Machine ID writes user certificates that can be used by applications and tools.
• data-dir is where Machine ID writes its private data, including its own short-lived renewable certificates. These should not be used by applications and tools.
• auth-server is the address of your Teleport Cloud Proxy Server, for example example.teleport.sh:443.

• token is the token output by the tctl bots add command or the name of your IAM method token.
• ca-pin is the CA Pin for your Teleport cluster, and is output by the tctl bots add command.
• destination-dir is where Machine ID writes user certificates that can be used by applications and tools.
• data-dir is where Machine ID writes its private data, including its own short-lived renewable certificates. These should not be used by applications and tools.
• auth-server is the address of your Teleport Auth Server, for example auth.example.com:3025. If your Machine ID host is in a different network than your Auth Server, use the public web address of your Proxy Service instead (e.g., auth.example.com:443).

Now that Machine ID has successfully started, let's investigate the /opt/machine-id directory to see what was written to disk.

$ tree /opt/machine-id
machine-id
├── key
├── key.pub
├── known_hosts
├── ssh_config
├── sshcacerts
├── sshcert
├── tlscacerts
└── tlscert

0 directories, 8 files

This directory contains private key material in the key.* files, SSH certificates in the ssh* files, X.509 certificates in the tls* files, and OpenSSH configuration in the ssh_config and known_hosts files to make it easy to integrate Machine ID with external applications and tools.

Step 4/4. Use certificates issued by Machine ID

To use Machine ID, find a host that you want to connect to within your cluster using tsh ls. You might see output like the following on your system.

$ tsh ls
Node Name Address        Labels
--------- -------------- -----------------------------
node-name  127.0.0.1:3022 arch=x86_64,group=api-servers

(!docs/pages/includes/node-logins.mdx!)

To use Machine ID with the OpenSSH integration, run the following command to connect to node-name within cluster example.com.

ssh -F /opt/machine-id/ssh_config [email protected]

The below error can occur when the bot does not have permission to log in to a node as the requested user:

$ ssh -F /opt/machine-id/ssh_config [email protected]
root@node-name: Permission denied (publickey).
kex_exchange_identification: Connection closed by remote host

This can happen in two circumstances:

• The user you are trying to log in as is not specified under logins in the role you are using
• If you have used --logins when creating the bot user, the role the bot is impersonating does not have the {{ internal.logins }} variable specified.

If you have been following along with the access role, do the following.

• Export the role by running tctl get roles/access > access.yaml
• Edit the logins field in access.yaml
• Update the role by running tctl create -f access.yaml

Now you can replace any invocations of ssh with the above command to provide your applications and tools a machine identity that can be rotated, audited, and controlled with all the familiar Teleport access controls.

Next Steps

Now that you know how to create a bot user to access resources in your infrastructure, dive deeper into the topics relevant to your Machine ID use-case, for example:

• Machine ID with Ansible
• Machine ID with Jenkins
• Machine ID with Databases