Teleport Machine ID Demo: Securing the Infrastructure and Applications with Robots
Teleport 9.0 introduced a new feature, Teleport Machine ID, which bridges human and machine access by consolidating identity-based credentials for engineers and the IT applications they use. The feature aims to close the security gaps that stem from the complexity of accessing cloud infrastructure at scale.
In this podcast, Ben Arent, developer relations manager at Teleport, showed us a preview of Teleport Machine ID and how security and compliance can be implemented using short-lived certificates that tbot retrieves automatically. Watch our recap here, or read our lightly edited transcript of the video below.
Alex Williams (host): What is Teleport Machine ID?
Ben Arent, Teleport: This preview is our first release of Machine ID that lets customers enroll robots into their clusters. You can set up tbots, which will automatically retrieve new short-lived certificates every 20 minutes. If there is a compromise on your machine, you can easily lock those credentials. The other benefit is a full audit log of what’s happening during those runs. You can also see the enhanced session recording and detailed information about what happened during the session.
Williams: Where does this become useful for people?
Arent: Some say it’s all about compliance auditing. We have community users who see this like a journal. If you’re accessing your home lab, it can be helpful to know exactly what you did, and you can go back. It’s like a TiVo for your terminal.
Williams: Like a digital recorder?
Arent: Yes. There’s also the ability to join active sessions and add other teammates, so you can debug together. We also have support for traditional applications that are protected behind Teleport. You can protect your Jenkins server or wiki behind Teleport in the same SSO flow. One other interesting addition: we’ve added support for the AWS Management Console, so you can assign people a specific IAM role.
You can access Kubernetes clusters through the command line. But we also have instructions to access Kubernetes clusters using your terminal, and it’s the same with our database support. You can access everything using your terminal and your command-line tools. Once you’ve accessed those, you can use standard tools like psql or the Redis CLI. It feels very familiar, and we try not to kind of get in your way.
Williams: A lot of work has been done on the backend. What have you done with the architecture to allow for more abstractions that Kubernetes users would not have been able to do a year or two ago?
Arent: If I go to my role where we select the default Kubernetes groups and Kubernetes users, in the background this is all backed by short-lived certificates. The kube config that you get is like a native kube config. It only provides access for whatever you’ve defined — for example, minus 30 hours. Once I have that kube config, I can go about my business, but in 30 hours’ time, I need to re-authenticate again. And if I have teammates that come and go, I don’t have to worry about it, because whatever credentials they obtained automatically expire after 30 hours.
Williams: What’s really core to the Teleport story is those short-lived certificates.
Arent: I’m now on my playbook, and here are my active sessions. These are the robot sessions gathering facts that are starting to populate. This gives visibility into what service accounts and CI/CD servers are doing. When the run is complete, we have a full sort of audit log. You can see how Ansible works up to the machine, and how the information is captured in the audit log. And that’s new in Teleport 9.0 — the ability to use standard tooling while, in the background, this is powered and supported by short-lived credentials that tbot is getting for you.
Williams: How do you see the Kubernetes environment evolving with Teleport?
Arent: We think of Machine ID as doing for machine-to-machine communication what Let’s Encrypt did for TLS certificates. We see an industry that will be moving from long-lived tokens, secrets and service credentials to more automation and services that can help automate and rotate them without worrying about it. Kubernetes is a great example: as you have more microservices and teams, it’s difficult to have those same security best practices across your whole fleet at scale. And then automating everything is the way Teleport can help these organizations.