Skip to search

TeleportProvisionToken

resources.teleport.dev / v2

apiVersion: resources.teleport.dev/v2 kind: TeleportProvisionToken metadata: name: example
View raw schema
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object
ProvisionToken resource definition v2 from Teleport
allow []object
Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
aws_account string
AWSAccount is the AWS account ID.
aws_arn string
AWSARN is used for the IAM join method, the AWS identity of joining nodes must match this ARN. Supports wildcards "*" and "?".
aws_organization_id string
AWSOrganizationID is used for the IAM join method, the AWS identity of joining nodes must belong to this organization.
aws_organizational_units object
AWSOrganizationalUnits contains rules for matching AWS accounts based on their Organizational Units. Requires AWS Organization ID to be specified. The account's root ID is considered an Organizational Unit when validating the rule.
exclude []string
Exclude is a list of AWS Organizational Unit IDs and children OUs to exclude. Accounts that belong to these OUs, and their children, will be excluded, even if they were included. Only exact matches are supported. Optional. If empty, no OUs are excluded.
include []string
Include is a list of AWS Organizational Unit IDs and children OUs to include. Accounts that belong to these OUs, and their children, will be included. Only exact matches or wildcard (*) are supported. Required.
aws_regions []string
AWSRegions is used for the EC2 join method and is a list of AWS regions a node is allowed to join from.
aws_role string
AWSRole is used for the EC2 join method and is the ARN of the AWS role that the Auth Service will assume in order to call the ec2 API.
aws_iid_ttl string
AWSIIDTTL is the TTL to use for AWS EC2 Instance Identity Documents used to join the cluster with this token.
format: duration
azure object
Azure allows the configuration of options specific to the "azure" join method.
allow []object
Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
resource_groups []string
subscription string
tenant string
azure_devops object
AzureDevops allows the configuration of options specific to the "azure_devops" join method.
allow []object
Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. At least one allow rule must be specified.
definition_id string
pipeline_name string
project_id string
project_name string
repository_ref string
repository_uri string
repository_version string
sub string
organization_id string
OrganizationID specifies the UUID of the Azure DevOps organization that this join token will grant access to. This is used to identify the correct issuer verification of the ID token. This is a required field.
bitbucket object
Bitbucket allows the configuration of options specific to the "bitbucket" join method.
allow []object
Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
branch_name string
deployment_environment_uuid string
repository_uuid string
workspace_uuid string
audience string
Audience is a Bitbucket-specified audience value for this token. It is unique to each Bitbucket repository, and must be set to the value as written in the Pipelines -> OpenID Connect section of the repository settings.
identity_provider_url string
IdentityProviderURL is a Bitbucket-specified issuer URL for incoming OIDC tokens. It is unique to each Bitbucket repository, and must be set to the value as written in the Pipelines -> OpenID Connect section of the repository settings.
bot_name string
BotName is the name of the bot this token grants access to, if any
bound_keypair object
BoundKeypair allows the configuration of options specific to the "bound_keypair" join method.
onboarding object
Onboarding contains parameters related to initial onboarding and keypair registration.
initial_public_key string
must_register_before string
format: date-time
registration_secret string
recovery object
Recovery contains parameters related to recovery after identity expiration.
limit integer
format: int32
mode string
rotate_after string
RotateAfter is an optional timestamp that forces clients to perform a keypair rotation on the next join or recovery attempt after the given date. If `LastRotatedAt` is unset or before this timestamp, a rotation will be requested. It is recommended to set this value to the current timestamp if a rotation should be triggered on the next join attempt.
format: date-time
circleci object
CircleCI allows the configuration of options specific to the "circleci" join method.
allow []object
Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
context_id string
project_id string
organization_id string
env0 object
Env0 allows the configuration of options specific to the "env0" join method.
allow []object
Allow is a list of Rules, jobs using this token must match at least one allow rule to use this token.
deployer_email string
deployment_type string
env0_tag string
environment_id string
environment_name string
organization_id string
project_id string
project_name string
template_id string
template_name string
workspace_name string
gcp object
GCP allows the configuration of options specific to the "gcp" join method.
allow []object
Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
locations []string
project_ids []string
service_accounts []string
github object
GitHub allows the configuration of options specific to the "github" join method.
allow []object
Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
actor string
enterprise string
enterprise_id string
environment string
ref string
ref_type string
repository string
repository_owner string
sub string
workflow string
enterprise_server_host string
EnterpriseServerHost allows joining from runners associated with a GitHub Enterprise Server instance. When unconfigured, tokens will be validated against github.com, but when configured to the host of a GHES instance, then the tokens will be validated against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate must be trusted by the Auth Service.
enterprise_slug string
EnterpriseSlug allows the slug of a GitHub Enterprise organisation to be included in the expected issuer of the OIDC tokens. This is for compatibility with the `include_enterprise_slug` option in GHE. This field should be set to the slug of your enterprise if this is enabled. If this is not enabled, then this field must be left empty. This field cannot be specified if `enterprise_server_host` is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise for more information about customized issuer values.
static_jwks string
StaticJWKS disables fetching of the GHES signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitHub Actions in GHES instances that are not reachable by the Teleport Auth Service.
gitlab object
GitLab allows the configuration of options specific to the "gitlab" join method.
allow []object
Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
ci_config_ref_uri string
ci_config_sha string
deployment_tier string
environment string
environment_protected boolean
namespace_path string
pipeline_source string
project_path string
project_visibility string
ref string
ref_protected boolean
ref_type string
sub string
user_email string
user_id string
user_login string
domain string
Domain is the domain of your GitLab instance. This will default to `gitlab.com` - but can be set to the domain of your self-hosted GitLab e.g `gitlab.example.com`.
static_jwks string
StaticJWKS disables fetching of the GitLab signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitLab CI instances that are not reachable by the Teleport Auth Service.
integration string
Integration name which provides credentials for validating join attempts. Currently only in use for validating the AWS Organization ID in the IAM Join method.
join_method string
JoinMethod is the joining method required in order to use this token. Supported joining methods include: azure, circleci, ec2, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm
kubernetes object
Kubernetes allows the configuration of options specific to the "kubernetes" join method.
allow []object
Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
service_account string
service_account_name string
service_account_namespace string
oidc object
OIDCConfig configures the `oidc` type.
insecure_allow_http_issuer boolean
issuer string
static_jwks object
StaticJWKS is the configuration specific to the `static_jwks` type.
jwks string
type string
Type controls which behavior should be used for validating the Kubernetes Service Account token. Support values: - `in_cluster` - `static_jwks` - `oidc` If unset, this defaults to `in_cluster`.
oracle object
Oracle allows the configuration of options specific to the "oracle" join method.
allow []object
Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
instances []string
parent_compartments []string
regions []string
tenancy string
roles []string
Roles is a list of roles associated with the token, that will be converted to metadata in the SSH and X509 certificates issued to the user of the token
spacelift object
Spacelift allows the configuration of options specific to the "spacelift" join method.
allow []object
Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
caller_id string
caller_type string
scope string
space_id string
enable_glob_matching boolean
EnableGlobMatching enables glob-style matching for the space_id and caller_id fields in the rules.
hostname string
Hostname is the hostname of the Spacelift tenant that tokens will originate from. E.g `example.app.spacelift.io`
suggested_agent_matcher_labels object
SuggestedAgentMatcherLabels is a set of labels to be used by agents to match on resources. When an agent uses this token, the agent should monitor resources that match those labels. For databases, this means adding the labels to `db_service.resources.labels`. Currently, only node-join scripts create a configuration according to the suggestion.
suggested_labels object
SuggestedLabels is a set of labels that resources should set when using this token to enroll themselves in the cluster. Currently, only node-join scripts create a configuration according to the suggestion.
terraform_cloud object
TerraformCloud allows the configuration of options specific to the "terraform_cloud" join method.
allow []object
Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
organization_id string
organization_name string
project_id string
project_name string
run_phase string
workspace_id string
workspace_name string
audience string
Audience is the JWT audience as configured in the TFC_WORKLOAD_IDENTITY_AUDIENCE(_$TAG) variable in Terraform Cloud. If unset, defaults to the Teleport cluster name. For example, if `TFC_WORKLOAD_IDENTITY_AUDIENCE_TELEPORT=foo` is set in Terraform Cloud, this value should be `foo`. If the variable is set to match the cluster name, it does not need to be set here.
hostname string
Hostname is the hostname of the Terraform Enterprise instance expected to issue JWTs allowed by this token. This may be unset for regular Terraform Cloud use, in which case it will be assumed to be `app.terraform.io`. Otherwise, it must both match the `iss` (issuer) field included in JWTs, and provide standard JWKS endpoints.
tpm object
TPM allows the configuration of options specific to the "tpm" join method.
allow []object
Allow is a list of Rules, the presented delegated identity must match one allow rule to permit joining.
description string
ek_certificate_serial string
ek_public_hash string
ekcert_allowed_cas []string
EKCertAllowedCAs is a list of CA certificates that will be used to validate TPM EKCerts. When specified, joining TPMs must present an EKCert signed by one of the specified CAs. TPMs that do not present an EKCert will be not permitted to join. When unspecified, TPMs will be allowed to join with either an EKCert or an EKPubHash.
status object
Status defines the observed state of the Teleport resource
conditions []object
Conditions represent the latest available observations of an object's state
lastTransitionTime string required
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
message string required
message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
observedGeneration integer
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
reason string required
reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
minLength: 1
maxLength: 1024
status string required
status of the condition, one of True, False, Unknown.
enum: True, False, Unknown
type string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
maxLength: 316
teleportResourceID integer
format: int64

No matches. Try .spec.allow for an exact path