Server Side

Set up Teleport to allow access to an EC2 server

Set up an Agent

Agents are used as Bastions to access an AWS Account, Database, or other custom App. An agent should be set up inside each AWS Account to allow SSO access.

The easiest way to set up an Agent in an AWS Account is using Terraform.

Create a new Terraform file and enter the below:

module "teleport_app_agent" {
  source = "github.com/chelsea-apps/teleport-app-agent"

  name       = "<project-name>"
  profile    = "AWS-profile>"
  region     = "eu-west-2"
  subnet_ids = ["<subnet-id>"]
  proxy_url  = "dev.chelsea-apps.com:3080"
  token      = var.token
}

variable "token" {
  description = "App token"
  type        = string
}

Variable

Value

project-name

Name of the AWS Account (e.g. "Uplevyl")

profile

The AWS profile to use

subnet-id

One or more subnet IDs to set up an Agent in. An Agent will be created in each subnet.

Generate a Token

Before creating the Agent, SSH into the main Teleport server (using Teleport or via the AWS Console) and create a new token with the required permissions (app and node must be present, db is optional):

$ sudo tctl tokens add --type=node,app

This will output the token to enter when prompted by Terraform

Run Terraform

In the directory with your Terraform file, run:

$ terraform init
$ terraform apply

This will initialise a new Terraform project, and begin applying it. Confirm what resources will be created, and enter 'yes'.

The new Agent node and AWS Console app should both show up in Teleport soon

Elastic IP

The Teleport Agent needs a static IP assigned to the EC2 instance. The Terraform setup creates an Elastic IP but does not assign it to the instance.

You must assign this IP to the EC2 instance; once this is done the AWS app and SSH node should show in Teleport.

Deprecated: Set up a new standalone node

Add a new machine to the Teleport Cluster to allow it to be SSH'd into.

You'll need to SSH into the machine first to run these steps

The setup script needs to be run as root, so switch to the root user:

$ sudo -s

Then download the setup script and run it:

$ bash <(curl -s 'https://raw.githubusercontent.com/chelsea-apps/scripts/main/teleport.sh?token=ACUN56GBH3JAZ5KVF7OHOEDA52ZSQ')

The source code for the script is available here

This will automatically download and install Teleport, write the config to a config file, and set Teleport up to run automatically when the system starts.

The script will ask for the following items:

Input

Description

Example

Node name

Descriptive name for the node

least-backend-staging

Invitation token

Invite token generated on the cluster root node

cd0c3a5dad624ae2e6b898e0511ef844

CA Pin

Certificate authority pin from the cluster root

sha256:********************************

Project name

Name of the Chelsea Apps project/client

least

Environment name

Type of environment

staging

You can generate a token by running this on the teleport host machine:

$ sudo tctl tokens add --type=node

Once this script has been run, the node will automatically discover and connect to the cluster. The node pings the server every few seconds, so the node may take a few seconds to show up.

Changing the node details

To change the name, labels, etc. of the node, SSH into the machine and edit /etc/teleport.yaml.

To apply these changes, restart the node's teleport service using sudo systemctl restart teleport.service

PreviousTeleport NextClient Side

Last updated 3 years ago

Was this helpful?

hashtagSet up an Agent

hashtagGenerate a Token

hashtagRun Terraform

hashtagElastic IP

hashtagDeprecated: Set up a new standalone node

hashtagChanging the node details