# Deploying tbot on Bitbucket Pipelines In this guide, you will configure Machine & Workload Identity's agent, `tbot`, to run within a Bitbucket Pipelines workflow. The bot will be configured to use the `bitbucket` delegated joining method to eliminate the need for long-lived secrets. ## How it works The `bitbucket` join method is a secure way for Machine & Workload Identity bots to authenticate with the Teleport Auth Service without using any shared secrets. Instead, it makes use of an OpenID Connect token that Bitbucket Pipelines injects into the job environment. This token is sent to the Teleport Auth Service, and assuming it has been configured to trust Bitbucket's identity provider and all identity assertions match, the authentication attempt will succeed. ## Prerequisites - A running Teleport cluster. If you want to get started with Teleport, [sign up](https://goteleport.com/signup) for a free trial or [set up a demo environment](https://goteleport.com/docs/get-started/deploy-community.md). - The `tctl` and `tsh` clients. Installing `tctl` and `tsh` clients 1. Determine the version of your Teleport cluster. The `tctl` and `tsh` clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at `/v1/webapi/find` and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service: ``` $ TELEPORT_DOMAIN=teleport.example.com:443 $ TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')" ``` 2. Follow the instructions for your platform to install `tctl` and `tsh` clients: **Mac** Download the signed macOS .pkg installer for Teleport, which includes the `tctl` and `tsh` clients: ``` $ curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg ``` In Finder double-click the `pkg` file to begin installation. --- DANGER Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security. --- **Windows - Powershell** ``` $ curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip Unzip the archive and move the `tctl` and `tsh` clients to your %PATH% NOTE: Do not place the `tctl` and `tsh` clients in the System32 directory, as this can cause issues when using WinSCP. Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\) instead. ``` **Linux** All of the Teleport binaries in Linux installations include the `tctl` and `tsh` clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our [installation page](https://goteleport.com/docs/installation.md). ``` $ curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz $ tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz $ cd teleport $ sudo ./install Teleport binaries have been copied to /usr/local/bin ``` * To check that you can connect to your Teleport cluster, sign in with `tsh login`, then verify that you can run `tctl` commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and email\@example.com to your Teleport username: ``` $ tsh login --proxy=teleport.example.com --user=email@example.com $ tctl status Cluster teleport.example.com Version 18.7.3 CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678 ``` If you can connect to the cluster and run the `tctl status` command, you can use your current credentials to run subsequent `tctl` commands from your workstation. If you host your own Teleport cluster, you can also run `tctl` commands on the computer that hosts the Teleport Auth Service for full permissions. * A Bitbucket repository you can push to. ## Step 1/4. Determine Bitbucket configuration Bitbucket joining requires a number of configuration parameters that can be found in your repository settings. From the Bitbucket repository, navigate to "Repository settings", then in the sidebar under "Pipelines" select "OpenID Connect". From this page, note the following values: - Identity provider URL (identity-provider-url) - Audience (audience) - Workspace UUID, including the braces (workspace-uuid) - Repository UUID, including the braces (repository-uuid) ## Step 2/4. Create a Bot Next, you need to create a Bot. A Bot is a Teleport identity for a machine or group of machines. Like users, bots have a set of roles and traits which define what they can access. Create `bot.yaml`: ``` kind: bot version: v1 metadata: # name is a unique identifier for the Bot in the cluster. name: example spec: # roles is a list of roles to grant to the Bot. Don't worry if you don't know # what roles you need to specify here, the Access Guides will walk you through # creating and assigning roles to the already created Bot. roles: [] ``` Make sure you replace `example` with a unique, descriptive name for your Bot. Use `tctl` to apply this file: ``` $ tctl create bot.yaml ``` ## Step 3/4. Create the join token for Bitbucket Pipelines In order to allow your Pipelines workflow to authenticate with your Teleport cluster, you'll first need to create a join token. These tokens set out criteria by which the Auth Service decides whether or not to allow a bot or node to join. Create a file named `bot-token.yaml`, ensuring that you replace the `identity_provider_url`, `audience`, `workspace_uuid`, and `repository_uuid` with the values from Step 1. ``` kind: token version: v2 metadata: name: example-bot spec: roles: [Bot] join_method: bitbucket bot_name: example bitbucket: identity_provider_url: identity-provider-url audience: audience # allow specifies the rules by which the Auth Service determines if `tbot` # should be allowed to join. allow: - workspace_uuid: 'workspace-uuid' repository_uuid: 'repository-uuid' ``` Let's go over the token resource's fields in more detail: - `metadata.name` defines the name of the token. Note that this value will need to be used in other parts of the configuration later. - `spec.bot_name` is the name of the Machine ID bot that this token will grant access to. Note that this value will need to be used in other parts of the configuration later. - `spec.roles` defines which roles that this token will grant access to. The value of `[Bot]` states that this token grants access to a Machine & Workload Identity bot. - `spec.join_method` defines the join method the token is applicable for. Since this guide only focuses on Bitbucket Pipelines, you will set this to `bitbucket`. - `spec.bitbucket.identity_provider_url` is the identity provider URL shown in the Bitbucket repository settings, under Pipelines and OpenID Connect. - `spec.bitbucket.audience` is the audience value shown in the Bitbucket repository settings, under Pipelines and OpenID connect. - `spec.bitbucket.allow` is used to set rules for what Bitbucket Pipelines runs will be able to authenticate by using the token. Refer to the [token reference](https://goteleport.com/docs/reference/deployment/join-methods.md#bitbucket-pipelines-bitbucket) for a full list of valid fields. Apply this to your Teleport cluster using `tctl`: ``` $ tctl create -f bot-token.yaml ``` ## Step 4/4. Configure a Bitbucket Pipelines workflow With the bot and join token created, you can now configure a workflow that can authenticate to Teleport. This example workflow defines a "custom" pipeline that can be triggered manually from "Pipelines" or "Branches" views: ``` image: atlassian/default-image:3 pipelines: custom: run-tbot: - step: oidc: true script: # Install Teleport - curl "https://example.teleport.sh:443/scripts/install.sh" | bash # Run `tbot` in identity mode for SSH access - tbot start identity --destination=./tbot-user --join-method=bitbucket --proxy-server=example.teleport.sh:443 --token=example-bot --oneshot # Make use of the generated SSH credentials - ssh -F ./tbot-user/ssh_config user@node.example.teleport.sh echo "hello world" ``` Replace example.teleport.sh with the address of your Teleport Proxy Service. This example will start `tbot` in identity mode to generate SSH credentials. Refer to the [`tbot` documentation](https://goteleport.com/docs/reference/cli/tbot.md) for details on using other modes such as database, application, and Kubernetes access. If you're adapting an existing workflow, note these steps: 1. Set `oidc: true` on the step properties so that step will be issued a token 2. Installs Teleport from your cluster's install script 3. Run `tbot` with `--join-method=bitbucket`, `--token=example-bot` (or whichever name was configured in Step 3), and `--oneshot` --- SHARING CREDENTIALS BETWEEN STEPS Note that in Bitbucket Pipelines, outputs cannot be securely shared between steps as anything stored using `artifacts` will remain downloadable once the CI run has completed. Due to this limitation, all operations making use of Teleport credentials should be performed as part of the same step. If necessary, you can duplicate the script shown here to download and run `tbot` multiple times in a given run if credentials are needed in multiple steps. --- ## Further steps - Follow the [access guides](https://goteleport.com/docs/machine-workload-identity/access-guides.md) to finish configuring `tbot` for your environment. - Read the [configuration reference](https://goteleport.com/docs/reference/machine-workload-identity/configuration.md) to explore all the available configuration options. - For more information about Bitbucket Pipelines itself, read [their documentation](https://support.atlassian.com/bitbucket-cloud/docs/get-started-with-bitbucket-pipelines/).