# Deploy tbot

The first step to set up Machine & Workload Identity is to deploy the `tbot` agent and join it as a Bot to your Teleport cluster. You can run the `tbot` binary on a number of platforms, from AWS and GitHub Actions to a generic Linux server or Kubernetes cluster.

## Choosing a deployment method

Two considerations determine how you deploy the `tbot` agent: the infrastructure it runs on and the method it uses to join your cluster.

### Your infrastructure

The `tbot` agent runs as a container or on a Linux virtual machine. If you run `tbot` on GitHub Actions, you can use one of the ready-made [Teleport GitHub Actions workflows](https://github.com/teleport-actions).

### Join method

The `tbot` agent joins your Teleport cluster by using one of the following authentication methods:

- **Platform-signed document:** The platform that hosts `tbot`, such as a Kubernetes cluster or Amazon EC2 instance, provides a signed identity document that Teleport can verify using the platform's certificate authority. This is the recommended approach because it avoids the use of shared secrets.
- **Static join token:** Your Teleport client tool generates a string and stores it on the Teleport Auth Service. `tbot` provides this string when it first connects to your Teleport cluster, demonstrating to the Auth Service that it belongs in the cluster. From then on, `tbot` authenticates to your Teleport cluster with a renewable certificate.

## Deployment guides

The guides in this section show you how to deploy the Machine & Workload Identity agent, `tbot`, and join it to your cluster.

If a specific guide does not exist for your platform, the [Linux guide](https://goteleport.com/docs/machine-workload-identity/deployment/linux.md) is compatible with most platforms. For custom approaches, you can also read the [Machine & Workload Identity Reference](https://goteleport.com/docs/reference/machine-workload-identity.md) and [Architecture](https://goteleport.com/docs/reference/architecture/machine-id-architecture.md) to plan your deployment.

- [AWS](https://goteleport.com/docs/aws)
- [Azure](https://goteleport.com/docs/azure)
- [Azure DevOps](https://goteleport.com/docs/azure-devops)
- [Bitbucket Pipelines](https://goteleport.com/docs/bitbucket)
- [CircleCI](https://goteleport.com/docs/circleci)
- [GitHub Actions](https://goteleport.com/docs/github-actions)
- [GitLab CI](https://goteleport.com/docs/gitlab)
- [Google Cloud](https://goteleport.com/docs/gcp)
- [Kubernetes](https://goteleport.com/docs/kubernetes)
- [Kubernetes OIDC](https://goteleport.com/docs/kubernetes-oidc)
- [Linux](https://goteleport.com/docs/linux)
- [Linux TPM](https://goteleport.com/docs/linux-tpm)
- [Bound Keypair Joining](https://goteleport.com/docs/../../reference/machine-workload-identity/bound-keypair/getting-started)

### CI/CD

Read the following guides for how to deploy `tbot` on a continuous integration and continuous deployment platform.

- [Azure DevOps](https://goteleport.com/docs/azure-devops)
- [Bitbucket Pipelines](https://goteleport.com/docs/bitbucket)
- [CircleCI](https://goteleport.com/docs/circleci)
- [GitLab CI](https://goteleport.com/docs/gitlab)
- [GitHub Actions](https://goteleport.com/docs/github-actions)
- [Jenkins](https://goteleport.com/docs/jenkins)
- [Spacelift](https://goteleport.com/docs/../../zero-trust-access/infrastructure-as-code/terraform-provider/spacelift)
- [Terraform Cloud](https://goteleport.com/docs/../../zero-trust-access/infrastructure-as-code/terraform-provider/terraform-cloud)
- [Bound Keypair static keys (Generic)](https://goteleport.com/docs/../../reference/machine-workload-identity/bound-keypair/static-keys)


---

UNSUPPORTED PROVIDER?

If your CI/CD provider does not have a dedicated join method listed above, consider using [Bound Keypair static keys](https://goteleport.com/docs/reference/machine-workload-identity/bound-keypair/static-keys.md) as a fallback.

---
