Publish join tokens to parameter store #1546

Closed
klizhentas opened this issue Jan 4, 2018 · 3 comments · Fixed by #1615

@klizhentas
Contributor

Publish and rotate join tokens to SSM parameter store and show how nodes can use the data to join the cluster.

@kontsevoy
Contributor

Implementation proposal:

auth_service:
    token_publish: /path/to/executable {{token}} {{purpose}}

Where "token" gets substituted with the generated token and "purpose" is one of the same values we already use in the "tokens" section, i.e. "node", "user", etc.

This provides a generic way of forwarding tokens dynamically to an external secret store on any infrastructure. Also, users can stick their own additional arguments in between our own.

@kontsevoy
Contributor

kontsevoy commented Jan 11, 2018

Implementation proposal 2: "Inversion of control"

Instead of pushing Teleport-generated tokens, consider an external source of tokens, i.e. users can use anything they like to generate a token and publish it anywhere they want. This way we need to add a --token parameter to tctl node add.

The more I think about it, the more I like it.

@klizhentas
Contributor Author

For the first proposal, we would not even need an additional configuration section. I wanted to see if I can get away with a cron job that uses the existing CLI and uses our resources to produce tokens.

klizhentas added a commit that referenced this issue Jan 18, 2018
fixes #1546, fixes #1535

This commit fixes the error message in the case where a token
is generated for a trusted cluster and allows
admins to provide custom tokens:

tctl nodes add --roles=node --token=custom --ttl=100h
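
A cron-driven rotation along the lines discussed in this thread, as an added example that is not part of the issue or the Teleport code base: it generates the token outside Teleport, registers it with the `tctl nodes add --token` form from the commit above, then publishes it to SSM Parameter Store as a SecureString. The parameter path, TTL, `DRY_RUN` switch and function names are assumptions; `DRY_RUN` defaults to 1 so neither `tctl` nor `aws` is called until it is set to 0.

```shell
#!/bin/sh
# Added example, not Teleport project code. PARAM_NAME, TTL, DRY_RUN and the
# function names are assumptions; only the tctl flags come from the thread.
PARAM_NAME="${PARAM_NAME:-/teleport/example/node-join-token}"  # hypothetical path
TTL="${TTL:-2h}"          # keep longer than the cron interval so a valid token always exists
DRY_RUN="${DRY_RUN:-1}"   # 1 = call neither tctl nor aws

# 128 bits from the kernel CSPRNG, hex encoded (32 characters).
new_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Accept exactly 32 lowercase hex characters; anything else (a short read,
# a guessable hand-typed value) is refused before it reaches a command line.
valid_token() {
    case "$1" in
        ''|*[!0123456789abcdef]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Auth-server side: register the token first, then publish it, so a node never
# reads a token the auth server does not know yet.
rotate() {
    token="$(new_token)"
    valid_token "$token" || { echo "token generation failed" >&2; return 1; }
    if [ "$DRY_RUN" = "1" ]; then
        echo "dry run: would register a node token (ttl $TTL) and store it at $PARAM_NAME" >&2
        return 0
    fi
    # Both commands take the token in argv, visible to local users via ps:
    # run this only on a host without untrusted accounts. Output is discarded
    # so the token does not end up in cron mail or logs.
    tctl nodes add --roles=node --token="$token" --ttl="$TTL" >/dev/null || return 1
    aws ssm put-parameter --name "$PARAM_NAME" --type SecureString \
        --overwrite --value "$token" >/dev/null
}

# Node side: read the current token; the instance role needs ssm:GetParameter
# on this one parameter plus decrypt rights on its KMS key, nothing broader.
fetch_token() {
    aws ssm get-parameter --name "$PARAM_NAME" --with-decryption \
        --query 'Parameter.Value' --output text
}

case "${1:-}" in
    rotate) rotate ;;
    fetch)  fetch_token ;;
esac
```

From cron on the auth server the script would be invoked with `DRY_RUN=0` and the `rotate` argument; a joining node calls it with `fetch` and uses the output as its join token.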