# Teleport Machine & Workload Identity

Use Teleport to replace long-lived secrets with identity-based authentication for your machines and workloads.

## Introduction to Machine & Workload Identity

Teleport Machine & Workload Identity replaces static secrets across your infrastructure with short-lived certificates that are automatically issued and renewed for your Non-Human Identities (NHI).

[What Teleport can do for non-human infrastructure access](https://goteleport.com/docs/machine-workload-identity/introduction.md)

[Machine & Workload Identity](https://www.youtube.com/embed/ZDWRt105tBg)

## Popular use cases around Machine & Workload Identity

- ### [Secure CI/CD pipelines with identity-based auth](https://goteleport.com/docs/machine-workload-identity/use-cases/mwi-ci-cd.md)

  Replace long-lived secrets in CI/CD pipelines

- ### [Guard infrastructure as code with short-lived certs](https://goteleport.com/docs/machine-workload-identity/use-cases/iac-mwi.md)

  Manage IaC workflows in Terraform and Pulumi

- ### [Configure workload-to-workload authentication](https://goteleport.com/docs/machine-workload-identity/use-cases/workload-mwi.md)

  Set up service-to-service authentication with mTLS

- ### [Manage AI agent identities with role-based access](https://goteleport.com/docs/machine-workload-identity/use-cases/ai-agents-mwi.md)

  Use RBAC to manage autonomous agents and processes

- ### [Configure hybrid & multi-cloud authentication](https://goteleport.com/docs/machine-workload-identity/use-cases/hybrid-multi-mwi.md)

  Set up universal identities across cloud platforms

## Getting started with Machine & Workload Identity

The following steps will help you get started with Machine and Workload Identity. At the core of this flow is tbot, a lightweight agent that runs on your machines and workloads to automatically issue and renew short-lived certificates. This gives your systems secure, identity-based access to infrastructure and cloud providers without relying on static secrets.

### Step 1: Deploy tbot across your infrastructure

### [AWS](https://goteleport.com/docs/machine-workload-identity/deployment/aws.md)

### [Azure](https://goteleport.com/docs/machine-workload-identity/deployment/azure.md)

### [Azure DevOps](https://goteleport.com/docs/machine-workload-identity/deployment/azure-devops.md)

### [Bitbucket Pipelines](https://goteleport.com/docs/machine-workload-identity/deployment/bitbucket.md)

### [CircleCI](https://goteleport.com/docs/machine-workload-identity/deployment/circleci.md)

### [Google Cloud](https://goteleport.com/docs/machine-workload-identity/deployment/gcp.md)

### [GitHub Actions](https://goteleport.com/docs/machine-workload-identity/deployment/github-actions.md)

### [GitLab CI](https://goteleport.com/docs/machine-workload-identity/deployment/gitlab.md)

### [Jenkins](https://goteleport.com/docs/machine-workload-identity/deployment/jenkins.md)

### [Kubernetes](https://goteleport.com/docs/machine-workload-identity/deployment/kubernetes.md)

### [Linux](https://goteleport.com/docs/machine-workload-identity/deployment/linux.md)

### [View all Integrations](https://goteleport.com/docs/machine-workload-identity/deployment.md#deployment-guides)

References

- [The architecture behind the bots](https://goteleport.com/docs/machine-workload-identity/introduction.md)
- [View all tbot guides](https://goteleport.com/docs/machine-workload-identity/deployment.md)

### Step 2: Configure tbot to generate short-lived credentials for resource access

### [SSH servers](https://goteleport.com/docs/machine-workload-identity/access-guides/ssh.md)

Access enrolled Linux servers with OpenSSH.

### [Kubernetes](https://goteleport.com/docs/machine-workload-identity/access-guides/kubernetes.md)

Access enrolled Kubernetes clusters.

### [Databases](https://goteleport.com/docs/machine-workload-identity/access-guides/databases.md)

Access databases enrolled in Teleport.

### [HTTP & TCP applications](https://goteleport.com/docs/machine-workload-identity/access-guides/applications.md)

Access enrolled applications.

### [Ansible](https://goteleport.com/docs/machine-workload-identity/access-guides/ansible.md)

Access enrolled Linux hosts via SSH.

### [tctl](https://goteleport.com/docs/machine-workload-identity/access-guides/tctl.md)

Use the Teleport CLI tool for custom flows.

### [Spacelift](https://goteleport.com/docs/zero-trust-access/infrastructure-as-code/terraform-provider/spacelift.md)

Configure Teleport using Spacelift.

### [Terraform](https://goteleport.com/docs/zero-trust-access/infrastructure-as-code/terraform-provider/dedicated-server.md)

Configure Teleport using Terraform on a dedicated server.

### [Terraform Cloud](https://goteleport.com/docs/zero-trust-access/infrastructure-as-code/terraform-provider/ci-or-cloud.md)

Configure Teleport using HCP Terraform or Terraform Enterprise.

Getting started

- [Issuing certs for NHI remote server access](https://goteleport.com/docs/machine-workload-identity/getting-started.md)
- [Frequently Asked Questions](https://goteleport.com/docs/machine-workload-identity/faq.md)
- [Troubleshooting](https://goteleport.com/docs/machine-workload-identity/troubleshooting.md)

### Step 3: Secure workload and cloud authentication with SPIFFE-compatible identities

### [AWS OIDC Federation](https://goteleport.com/docs/machine-workload-identity/workload-identity/aws-oidc-federation.md)

Authenticate to AWS with short-lived JWTs.

### [AWS Roles Anywhere](https://goteleport.com/docs/machine-workload-identity/workload-identity/aws-roles-anywhere.md)

Authenticate to AWS with short-lived X.509 certificates.

### [Azure Federated Credentials](https://goteleport.com/docs/machine-workload-identity/workload-identity/azure-federated-credentials.md)

Authenticate to Azure with short-lived JWTs.

### [GCP Workload Identity Federation](https://goteleport.com/docs/machine-workload-identity/workload-identity/gcp-workload-identity-federation-jwt.md)

Authenticate to GCP with short-lived JWTs.

### [tsh](https://goteleport.com/docs/machine-workload-identity/workload-identity/tsh.md)

Manually issue SPIFFE SVIDs with the Teleport CLI tool tsh.

References

- [SPIFFE, Trust Domains, and SVIDs](https://goteleport.com/docs/machine-workload-identity/workload-identity/spiffe.md)
- [About JWT SVIDs](https://goteleport.com/docs/machine-workload-identity/workload-identity/jwt-svids.md)
