Added Machine ID documentation #10775
Conversation
| editor user:list,create,read,update,delete,... | ||
| ``` | ||
|
|
||
| The above output is from a fresh install of Teleport with the default roles, your cluster may have additional roles. In our example, let’s assume you want to give the bot `access` role to allow it to connect to SSH servers within your cluster. |
There was a problem hiding this comment.
Are we allowing the bot to connect to SSH servers, or we allowing the bot to issue certificates that allow other machines to connect to SSH servers within the cluster?
There was a problem hiding this comment.
Hmm, I think we are technically allowing the bot to issue certificates with a subset of its permissions that allow other machines (including the machine that the bot is running on) to connect to SSH servers within the cluster. I think this is likely better explained with a diagram.
| ## Getting started | ||
|
|
||
| <TileSet> | ||
| <Tile icon="database" title="Getting started" href="./getting-started.mdx"> |
There was a problem hiding this comment.
Don't forget to update the icon here.
There was a problem hiding this comment.
@xinding33 Can Machine ID get a unique icon? I think I am just going to use magic-wand for now?
There was a problem hiding this comment.
Yes, let me check with Michael on timeline.
There was a problem hiding this comment.
Left some comments. Major theme: given that we ship multiple binaries that need to run in different places (e.g. tbot out to be run on the machine you want to provide an identity for an tctl out to be run on the Auth Server node), we should be more specific with where a binary should be downloaded and where a command should be run from.
| editor user:list,create,read,update,delete,... | ||
| ``` | ||
|
|
||
| The above output is from a fresh install of Teleport with the default roles, your cluster may have additional roles. In our example, let’s assume you want to give the bot `access` role to allow it to connect to SSH servers within your cluster. |
There was a problem hiding this comment.
Hmm, I think we are technically allowing the bot to issue certificates with a subset of its permissions that allow other machines (including the machine that the bot is running on) to connect to SSH servers within the cluster. I think this is likely better explained with a diagram.
russjones
force-pushed
the
rjones/machine-id-docs
branch
from
f400b17 to
ccfd4ee
Compare
|
|
||
| # Machine ID | ||
|
|
||
| Machine ID is a fully automated Certificate Authority designed to |
There was a problem hiding this comment.
@russjones That wording sounds good to me, as does eventually editing our architecture guides to talk about Machine ID.
I also think it would be good to include one or two sentences here that mention architecture at a high level. Maybe the first paragraph could be something like,
Machine ID is a daemon that programmatically issues and
renews short-lived certificates to any service account
(e.g., a CI/CD server) by retrieving credentials from the
Teleport Auth Service. This enables fine-grained role-based
access controls and audit.
russjones
force-pushed
the
rjones/machine-id-docs
branch
from
dc08681 to
0a35699
Compare
| Some of the things you can do with Machine ID: | ||
|
|
||
| * Machines can retrieve short-lived SSH certificates for CI/CD pipelines. | ||
| * Machines can retrieve short-lived X.509 certificates for use with databases or applications. |
There was a problem hiding this comment.
Maybe a nitpick, but with app and database access still in the pipeline, this might be a little misleading.
There was a problem hiding this comment.
They should be ready by the time the marketing push starts. I can remove it, but I'm sure I'll forget to add it back in in a few weeks. Unless you have strong objections, I say let's leave it in?
There was a problem hiding this comment.
Fair enough, that makes sense to me!
| ## Next Steps | ||
|
|
||
| For the next steps, dive deeper into the topics relevant to your Machine ID use-case, for example: | ||
|
|
||
| * Check out configuration [guides](./guides.mdx). | ||
| * See [frequently asked questions](./faq.mdx). |
There was a problem hiding this comment.
Once they're done, I think we should link the Jenkins and Ansible guides in this section. @russjones what do you think?
Added Machine ID docs. Co-authored-by: Zac Bergquist <[email protected]> Co-authored-by: Roman Tkachenko <[email protected]> Co-authored-by: Xin Ding <[email protected]> Co-authored-by: Paul Gottschling <[email protected]>
russjones
force-pushed
the
rjones/machine-id-docs
branch
from
44d37c9 to
9f96d24
Compare
Added Machine ID documentation.