# Reference for the teleport\_provision\_token Terraform data-source This page describes the supported values of the `teleport_provision_token` data source of the Teleport Terraform provider. ## Schema ### Required - `spec` (Attributes) Spec is a provisioning token V2 spec (see [below for nested schema](#nested-schema-for-spec)) - `version` (String) Version is the resource version. It must be specified. Supported values are:`v2`. ### Optional - `metadata` (Attributes) Metadata is resource metadata (see [below for nested schema](#nested-schema-for-metadata)) - `status` (Attributes) Status is extended status information, depending on token type. It is not user writable. (see [below for nested schema](#nested-schema-for-status)) - `sub_kind` (String) SubKind is an optional resource sub kind, used in some resources ### Nested Schema for `spec` Required: - `roles` (List of String) Roles is a list of roles associated with the token, that will be converted to metadata in the SSH and X509 certificates issued to the user of the token Optional: - `allow` (Attributes List) Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. (see [below for nested schema](#nested-schema-for-specallow)) - `aws_iid_ttl` (String) AWSIIDTTL is the TTL to use for AWS EC2 Instance Identity Documents used to join the cluster with this token. - `azure` (Attributes) Azure allows the configuration of options specific to the "azure" join method. (see [below for nested schema](#nested-schema-for-specazure)) - `azure_devops` (Attributes) AzureDevops allows the configuration of options specific to the "azure\_devops" join method. (see [below for nested schema](#nested-schema-for-specazure_devops)) - `bitbucket` (Attributes) Bitbucket allows the configuration of options specific to the "bitbucket" join method. (see [below for nested schema](#nested-schema-for-specbitbucket)) - `bot_name` (String) BotName is the name of the bot this token grants access to, if any - `bound_keypair` (Attributes) BoundKeypair allows the configuration of options specific to the "bound\_keypair" join method. (see [below for nested schema](#nested-schema-for-specbound_keypair)) - `circleci` (Attributes) CircleCI allows the configuration of options specific to the "circleci" join method. (see [below for nested schema](#nested-schema-for-speccircleci)) - `env0` (Attributes) Env0 allows the configuration of options specific to the "env0" join method. (see [below for nested schema](#nested-schema-for-specenv0)) - `gcp` (Attributes) GCP allows the configuration of options specific to the "gcp" join method. (see [below for nested schema](#nested-schema-for-specgcp)) - `github` (Attributes) GitHub allows the configuration of options specific to the "github" join method. (see [below for nested schema](#nested-schema-for-specgithub)) - `gitlab` (Attributes) GitLab allows the configuration of options specific to the "gitlab" join method. (see [below for nested schema](#nested-schema-for-specgitlab)) - `integration` (String) Integration name which provides credentials for validating join attempts. Currently only in use for validating the AWS Organization ID in the IAM Join method. - `join_method` (String) JoinMethod is the joining method required in order to use this token. Supported joining methods include: azure, circleci, ec2, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm - `kubernetes` (Attributes) Kubernetes allows the configuration of options specific to the "kubernetes" join method. (see [below for nested schema](#nested-schema-for-speckubernetes)) - `oracle` (Attributes) Oracle allows the configuration of options specific to the "oracle" join method. (see [below for nested schema](#nested-schema-for-specoracle)) - `spacelift` (Attributes) Spacelift allows the configuration of options specific to the "spacelift" join method. (see [below for nested schema](#nested-schema-for-specspacelift)) - `suggested_agent_matcher_labels` (Map of List of String) SuggestedAgentMatcherLabels is a set of labels to be used by agents to match on resources. When an agent uses this token, the agent should monitor resources that match those labels. For databases, this means adding the labels to `db_service.resources.labels`. Currently, only node-join scripts create a configuration according to the suggestion. - `suggested_labels` (Map of List of String) SuggestedLabels is a set of labels that resources should set when using this token to enroll themselves in the cluster. Currently, only node-join scripts create a configuration according to the suggestion. - `terraform_cloud` (Attributes) TerraformCloud allows the configuration of options specific to the "terraform\_cloud" join method. (see [below for nested schema](#nested-schema-for-specterraform_cloud)) - `tpm` (Attributes) TPM allows the configuration of options specific to the "tpm" join method. (see [below for nested schema](#nested-schema-for-spectpm)) ### Nested Schema for `spec.allow` Optional: - `aws_account` (String) AWSAccount is the AWS account ID. - `aws_arn` (String) AWSARN is used for the IAM join method, the AWS identity of joining nodes must match this ARN. Supports wildcards "\*" and "?". - `aws_organization_id` (String) AWSOrganizationID is used for the IAM join method, the AWS identity of joining nodes must belong to this organization. - `aws_regions` (List of String) AWSRegions is used for the EC2 join method and is a list of AWS regions a node is allowed to join from. - `aws_role` (String) AWSRole is used for the EC2 join method and is the ARN of the AWS role that the Auth Service will assume in order to call the ec2 API. ### Nested Schema for `spec.azure` Optional: - `allow` (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see [below for nested schema](#nested-schema-for-specazureallow)) ### Nested Schema for `spec.azure.allow` Optional: - `resource_groups` (List of String) ResourceGroups is a list of Azure resource groups the node is allowed to join from. - `subscription` (String) Subscription is the Azure subscription. ### Nested Schema for `spec.azure_devops` Optional: - `allow` (Attributes List) Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. At least one allow rule must be specified. (see [below for nested schema](#nested-schema-for-specazure_devopsallow)) - `organization_id` (String) OrganizationID specifies the UUID of the Azure DevOps organization that this join token will grant access to. This is used to identify the correct issuer verification of the ID token. This is a required field. ### Nested Schema for `spec.azure_devops.allow` Optional: - `definition_id` (String) The ID of the AZDO pipeline definition. Example: `1` Mapped from the `def_id` claim. - `pipeline_name` (String) The name of the AZDO pipeline. Example: `my-pipeline`. Mapped out of the `sub` claim. - `project_id` (String) The ID of the AZDO pipeline. Example: `271ef6f7-0000-0000-0000-4b54d9129990` Mapped from the `prj_id` claim. - `project_name` (String) The name of the AZDO project. Example: `my-project`. Mapped out of the `sub` claim. - `repository_ref` (String) The reference of the repository the pipeline is using. Example: `refs/heads/main`. Mapped from the `rpo_ref` claim. - `repository_uri` (String) The URI of the repository the pipeline is using. Example: `https://github.com/gravitational/teleport.git`. Mapped from the `rpo_uri` claim. - `repository_version` (String) The individual commit of the repository the pipeline is using. Example: `e6b9eb29a288b27a3a82cc19c48b9d94b80aff36`. Mapped from the `rpo_ver` claim. - `sub` (String) Sub also known as Subject is a string that roughly uniquely identifies the workload. Example: `p://my-organization/my-project/my-pipeline` Mapped from the `sub` claim. ### Nested Schema for `spec.bitbucket` Optional: - `allow` (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see [below for nested schema](#nested-schema-for-specbitbucketallow)) - `audience` (String) Audience is a Bitbucket-specified audience value for this token. It is unique to each Bitbucket repository, and must be set to the value as written in the Pipelines -> OpenID Connect section of the repository settings. - `identity_provider_url` (String) IdentityProviderURL is a Bitbucket-specified issuer URL for incoming OIDC tokens. It is unique to each Bitbucket repository, and must be set to the value as written in the Pipelines -> OpenID Connect section of the repository settings. ### Nested Schema for `spec.bitbucket.allow` Optional: - `branch_name` (String) BranchName is the name of the branch on which this pipeline executed. - `deployment_environment_uuid` (String) DeploymentEnvironmentUUID is the UUID of the deployment environment targeted by this pipelines run, if any. These values may be found in the "Pipelines -> OpenID Connect -> Deployment environments" section of the repository settings. - `repository_uuid` (String) RepositoryUUID is the UUID of the repository for which this token was issued. Bitbucket UUIDs must begin and end with braces, e.g. `{...}`. This value may be found in the Pipelines -> OpenID Connect section of the repository settings. - `workspace_uuid` (String) WorkspaceUUID is the UUID of the workspace for which this token was issued. Bitbucket UUIDs must begin and end with braces, e.g. `{...}`. This value may be found in the Pipelines -> OpenID Connect section of the repository settings. ### Nested Schema for `spec.bound_keypair` Optional: - `onboarding` (Attributes) Onboarding contains parameters related to initial onboarding and keypair registration. (see [below for nested schema](#nested-schema-for-specbound_keypaironboarding)) - `recovery` (Attributes) Recovery contains parameters related to recovery after identity expiration. (see [below for nested schema](#nested-schema-for-specbound_keypairrecovery)) - `rotate_after` (String) RotateAfter is an optional timestamp that forces clients to perform a keypair rotation on the next join or recovery attempt after the given date. If `LastRotatedAt` is unset or before this timestamp, a rotation will be requested. It is recommended to set this value to the current timestamp if a rotation should be triggered on the next join attempt. ### Nested Schema for `spec.bound_keypair.onboarding` Optional: - `initial_public_key` (String) InitialPublicKey is used to preregister a public key generated by `tbot keypair create`. When set, no initial join secret is generated or made available for use, and clients must have the associated private key available to join. If set, `initial_join_secret` and `must_register_before` are ignored. This value is written in SSH authorized\_keys format. - `must_register_before` (String) MustRegisterBefore is an optional time before which registration via initial join secret must be performed. Attempts to register using an initial join secret after this timestamp will not be allowed. This may be modified after creation if necessary to allow the initial registration to take place. This value is ignored if `initial_public_key` is set. - `registration_secret` (String) RegistrationSecret is a secret joining clients may use to register their public key on first join, which may be used instead of preregistering a public key with `initial_public_key`. If `initial_public_key` is set, this value is ignored. Otherwise, if set, this value will be used to populate `.status.bound_keypair.registration_secret`. If unset and no `initial_public_key` is provided, a random secure value will be generated server-side to populate the status field. ### Nested Schema for `spec.bound_keypair.recovery` Optional: - `limit` (Number) Limit is the maximum number of allowed recovery attempts. This value may be raised or lowered after creation to allow additional recovery attempts should the initial limit be exhausted. If `mode` is set to `standard`, recovery attempts will only be allowed if `.status.bound_keypair.recovery_count` is less than this limit. This limit is not enforced if `mode` is set to `relaxed` or `insecure`. This value must be at least 1 to allow for the initial join during onboarding, which counts as a recovery. - `mode` (String) Mode sets the recovery rule enforcement mode. It may be one of these values: - standard (or unset): all configured rules enforced. The recovery limit and client join state are required and verified. This is the most secure recovery mode. - relaxed: recovery limit is not enforced, but client join state is still required. This effectively allows unlimited recovery attempts, but client join state still helps mitigate stolen credentials. - insecure: neither the recovery limit nor client join state are enforced. This allows any client with the private key to join freely. This is less secure, but can be useful in certain situations, like in otherwise unsupported CI/CD providers. This mode should be used with care, and RBAC rules should be configured to heavily restrict which resources this identity can access. ### Nested Schema for `spec.circleci` Optional: - `allow` (Attributes List) Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. (see [below for nested schema](#nested-schema-for-speccircleciallow)) - `organization_id` (String) ### Nested Schema for `spec.circleci.allow` Optional: - `context_id` (String) - `project_id` (String) ### Nested Schema for `spec.env0` Optional: - `allow` (Attributes List) Allow is a list of Rules, jobs using this token must match at least one allow rule to use this token. (see [below for nested schema](#nested-schema-for-specenv0allow)) ### Nested Schema for `spec.env0.allow` Optional: - `deployer_email` (String) DeployerEmail is the email of the person that triggered the deployment, corresponding to `deployerEmail` in an Env0 OIDC token. - `deployment_type` (String) DeploymentType is the env0 deployment type, such as "deploy", "destroy", etc. Corresponds to `deploymentType` in an Env0 OIDC token. - `env0_tag` (String) Env0Tag is a custom tag value corresponding to `env0Tag` when `ENV0_OIDC_TAG` is set. - `environment_id` (String) EnvironmentID is the unique identifier of the Env0 environment, corresponding to `environmentId` in an Env0 OIDC token. - `environment_name` (String) EnvironmentName is the name of the Env0 environment, corresponding to `environmentName` in an Env0 OIDC token. - `organization_id` (String) OrganizationID is the unique organization identifier, corresponding to `organizationId` in an Env0 OIDC token. - `project_id` (String) ProjectID is a unique project identifier, corresponding to `projectId` in an Env0 OIDC token. - `project_name` (String) ProjectName is the name of the project under which the job was run corresponding to `projectName` in an Env0 OIDC token. - `template_id` (String) TemplateID is the unique identifier of the Env0 template, corresponding to `templateId` in an Env0 OIDC token. - `template_name` (String) TemplateName is the name of the Env0 template, corresponding to `templateName` in an Env0 OIDC token. - `workspace_name` (String) WorkspaceName is the name of the Env0 workspace, corresponding to `workspaceName` in an Env0 OIDC token. ### Nested Schema for `spec.gcp` Optional: - `allow` (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see [below for nested schema](#nested-schema-for-specgcpallow)) ### Nested Schema for `spec.gcp.allow` Optional: - `locations` (List of String) Locations is a list of regions (e.g. "us-west1") and/or zones (e.g. "us-west1-b"). - `project_ids` (List of String) ProjectIDs is a list of project IDs (e.g. ``). - `service_accounts` (List of String) ServiceAccounts is a list of service account emails (e.g. `-compute@developer.gserviceaccount.com`). ### Nested Schema for `spec.github` Optional: - `allow` (Attributes List) Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. (see [below for nested schema](#nested-schema-for-specgithuballow)) - `enterprise_server_host` (String) EnterpriseServerHost allows joining from runners associated with a GitHub Enterprise Server instance. When unconfigured, tokens will be validated against github.com, but when configured to the host of a GHES instance, then the tokens will be validated against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate must be trusted by the Auth Service. - `enterprise_slug` (String) EnterpriseSlug allows the slug of a GitHub Enterprise organisation to be included in the expected issuer of the OIDC tokens. This is for compatibility with the `include_enterprise_slug` option in GHE. This field should be set to the slug of your enterprise if this is enabled. If this is not enabled, then this field must be left empty. This field cannot be specified if `enterprise_server_host` is specified. See for more information about customized issuer values. - `static_jwks` (String) StaticJWKS disables fetching of the GHES signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitHub Actions in GHES instances that are not reachable by the Teleport Auth Service. ### Nested Schema for `spec.github.allow` Optional: - `actor` (String) The personal account that initiated the workflow run. This field supports "glob-style" matching: - Use '\*' to match zero or more characters. - Use '?' to match any single character. - `environment` (String) The name of the environment used by the job. This field supports "glob-style" matching: - Use '\*' to match zero or more characters. - Use '?' to match any single character. - `ref` (String) The git ref that triggered the workflow run. This field supports "glob-style" matching: - Use '\*' to match zero or more characters. - Use '?' to match any single character. - `ref_type` (String) The type of ref, for example: "branch". - `repository` (String) The repository from where the workflow is running. This includes the name of the owner e.g `gravitational/teleport` This field supports "glob-style" matching: - Use '\*' to match zero or more characters. - Use '?' to match any single character. - `repository_owner` (String) The name of the organization in which the repository is stored. This field supports "glob-style" matching: - Use '\*' to match zero or more characters. - Use '?' to match any single character. - `sub` (String) Sub also known as Subject is a string that roughly uniquely identifies the workload. The format of this varies depending on the type of github action run. This field supports "glob-style" matching: - Use '\*' to match zero or more characters. - Use '?' to match any single character. - `workflow` (String) The name of the workflow. This field supports "glob-style" matching: - Use '\*' to match zero or more characters. - Use '?' to match any single character. ### Nested Schema for `spec.gitlab` Optional: - `allow` (Attributes List) Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. (see [below for nested schema](#nested-schema-for-specgitlaballow)) - `domain` (String) Domain is the domain of your GitLab instance. This will default to `gitlab.com` - but can be set to the domain of your self-hosted GitLab e.g `gitlab.example.com`. - `static_jwks` (String) StaticJWKS disables fetching of the GitLab signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitLab CI instances that are not reachable by the Teleport Auth Service. ### Nested Schema for `spec.gitlab.allow` Optional: - `ci_config_ref_uri` (String) CIConfigRefURI is the ref path to the top-level pipeline definition, for example, gitlab.example.com/my-group/my-project//.gitlab-ci.yml\@refs/heads/main. - `ci_config_sha` (String) CIConfigSHA is the git commit SHA for the ci\_config\_ref\_uri. - `deployment_tier` (String) DeploymentTier is the deployment tier of the environment the job specifies - `environment` (String) Environment limits access by the environment the job deploys to (if one is associated) - `environment_protected` (Boolean) EnvironmentProtected is true if the Git ref is protected, false otherwise. - `namespace_path` (String) NamespacePath is used to limit access to jobs in a group or user's projects. Example: `mygroup` This field supports "glob-style" matching: - Use '\*' to match zero or more characters. - Use '?' to match any single character. - `pipeline_source` (String) PipelineSource limits access by the job pipeline source type. Example: `web` - `project_path` (String) ProjectPath is used to limit access to jobs belonging to an individual project. Example: `mygroup/myproject` This field supports "glob-style" matching: - Use '\*' to match zero or more characters. - Use '?' to match any single character. - `project_visibility` (String) ProjectVisibility is the visibility of the project where the pipeline is running. Can be internal, private, or public. - `ref` (String) Ref allows access to be limited to jobs triggered by a specific git ref. Ensure this is used in combination with ref\_type. This field supports "glob-style" matching: - Use '\*' to match zero or more characters. - Use '?' to match any single character. - `ref_protected` (Boolean) RefProtected is true if the Git ref is protected, false otherwise. - `ref_type` (String) RefType allows access to be limited to jobs triggered by a specific git ref type. Example: `branch` or `tag` - `sub` (String) Sub roughly uniquely identifies the workload. Example: `project_path:mygroup/my-project:ref_type:branch:ref:main` project\_path:GROUP/PROJECT:ref\_type:TYPE:ref:BRANCH\_NAME This field supports "glob-style" matching: - Use '\*' to match zero or more characters. - Use '?' to match any single character. - `user_email` (String) UserEmail is the email of the user executing the job - `user_id` (String) UserID is the ID of the user executing the job - `user_login` (String) UserLogin is the username of the user executing the job ### Nested Schema for `spec.kubernetes` Optional: - `allow` (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see [below for nested schema](#nested-schema-for-speckubernetesallow)) - `oidc` (Attributes) OIDCConfig configures the `oidc` type. (see [below for nested schema](#nested-schema-for-speckubernetesoidc)) - `static_jwks` (Attributes) StaticJWKS is the configuration specific to the `static_jwks` type. (see [below for nested schema](#nested-schema-for-speckubernetesstatic_jwks)) - `type` (String) Type controls which behavior should be used for validating the Kubernetes Service Account token. Support values: - `in_cluster` - `static_jwks` - `oidc` If unset, this defaults to `in_cluster`. ### Nested Schema for `spec.kubernetes.allow` Optional: - `service_account` (String) ServiceAccount is the namespaced name of the Kubernetes service account. Its format is "namespace:service-account". ### Nested Schema for `spec.kubernetes.oidc` Optional: - `insecure_allow_http_issuer` (Boolean) InsecureAllowHTTPIssuer is a flag that, if set, disables the requirement that the issuer must use HTTPS. - `issuer` (String) Issuer is the URI of the OIDC issuer. It must have an accessible and OIDC-compliant `/.well-known/oidc-configuration` endpoint. This should be a valid URL and must exactly match the `issuer` field in a service account JWT. For example: ... ### Nested Schema for `spec.kubernetes.static_jwks` Optional: - `jwks` (String) JWKS should be the JSON Web Key Set formatted public keys of that the Kubernetes Cluster uses to sign service account tokens. This can be fetched from /openid/v1/jwks on the Kubernetes API Server. ### Nested Schema for `spec.oracle` Optional: - `allow` (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see [below for nested schema](#nested-schema-for-specoracleallow)) ### Nested Schema for `spec.oracle.allow` Optional: - `instances` (List of String) Instances is a list of the OCIDs of specific instances that are allowed to join. If empty, any instance matching the other fields in the rule is allowed. Limited to 100 instance OCIDs per rule. - `parent_compartments` (List of String) ParentCompartments is a list of the OCIDs of compartments an instance is allowed to join from. Only direct parents are allowed, i.e. no nested compartments. If empty, any compartment is allowed. - `regions` (List of String) Regions is a list of regions an instance is allowed to join from. Both full region names ("us-phoenix-1") and abbreviations ("phx") are allowed. If empty, any region is allowed. - `tenancy` (String) Tenancy is the OCID of the instance's tenancy. Required. ### Nested Schema for `spec.spacelift` Optional: - `allow` (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see [below for nested schema](#nested-schema-for-specspaceliftallow)) - `enable_glob_matching` (Boolean) EnableGlobMatching enables glob-style matching for the space\_id and caller\_id fields in the rules. - `hostname` (String) Hostname is the hostname of the Spacelift tenant that tokens will originate from. E.g `example.app.spacelift.io` ### Nested Schema for `spec.spacelift.allow` Optional: - `caller_id` (String) CallerID is the ID of the caller, ie. the stack or module that generated the run. This field supports "glob-style" matching when enable\_glob\_matching is true: - Use '\*' to match zero or more characters. - Use '?' to match any single character. - `caller_type` (String) CallerType is the type of the caller, ie. the entity that owns the run - either `stack` or `module`. - `scope` (String) Scope is the scope of the token - either `read` or `write`. See - `space_id` (String) SpaceID is the ID of the space in which the run that owns the token was executed. This field supports "glob-style" matching when enable\_glob\_matching is true: - Use '\*' to match zero or more characters. - Use '?' to match any single character. ### Nested Schema for `spec.terraform_cloud` Optional: - `allow` (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see [below for nested schema](#nested-schema-for-specterraform_cloudallow)) - `audience` (String) Audience is the JWT audience as configured in the TFC\_WORKLOAD\_IDENTITY\_AUDIENCE(\_$TAG) variable in Terraform Cloud. If unset, defaults to the Teleport cluster name. For example, if `TFC_WORKLOAD_IDENTITY_AUDIENCE_TELEPORT=foo` is set in Terraform Cloud, this value should be `foo`. If the variable is set to match the cluster name, it does not need to be set here. - `hostname` (String) Hostname is the hostname of the Terraform Enterprise instance expected to issue JWTs allowed by this token. This may be unset for regular Terraform Cloud use, in which case it will be assumed to be `app.terraform.io`. Otherwise, it must both match the `iss` (issuer) field included in JWTs, and provide standard JWKS endpoints. ### Nested Schema for `spec.terraform_cloud.allow` Optional: - `organization_id` (String) OrganizationID is the ID of the HCP Terraform organization. At least one organization value is required, either ID or name. - `organization_name` (String) OrganizationName is the human-readable name of the HCP Terraform organization. At least one organization value is required, either ID or name. - `project_id` (String) ProjectID is the ID of the HCP Terraform project. At least one project or workspace value is required, either ID or name. - `project_name` (String) ProjectName is the human-readable name for the HCP Terraform project. At least one project or workspace value is required, either ID or name. - `run_phase` (String) RunPhase is the phase of the run the token was issued for, e.g. `plan` or `apply` - `workspace_id` (String) WorkspaceID is the ID of the HCP Terraform workspace. At least one project or workspace value is required, either ID or name. - `workspace_name` (String) WorkspaceName is the human-readable name of the HCP Terraform workspace. At least one project or workspace value is required, either ID or name. ### Nested Schema for `spec.tpm` Optional: - `allow` (Attributes List) Allow is a list of Rules, the presented delegated identity must match one allow rule to permit joining. (see [below for nested schema](#nested-schema-for-spectpmallow)) - `ekcert_allowed_cas` (List of String) EKCertAllowedCAs is a list of CA certificates that will be used to validate TPM EKCerts. When specified, joining TPMs must present an EKCert signed by one of the specified CAs. TPMs that do not present an EKCert will be not permitted to join. When unspecified, TPMs will be allowed to join with either an EKCert or an EKPubHash. ### Nested Schema for `spec.tpm.allow` Optional: - `description` (String) Description is a human-readable description of the rule. It has no bearing on whether or not a TPM is allowed to join, but can be used to associate a rule with a specific host (e.g the asset tag of the server in which the TPM resides). Example: "build-server-100" - `ek_certificate_serial` (String) EKCertificateSerial is the serial number of the EKCert in hexadecimal with colon separated nibbles. This value will not be checked when a TPM does not have an EKCert configured. Example: 73:df:dc:bd:af:ef:8a:d8:15:2e:96:71:7a:3e:7f:a4 - `ek_public_hash` (String) EKPublicHash is the SHA256 hash of the EKPub marshaled in PKIX format and encoded in hexadecimal. This value will also be checked when a TPM has submitted an EKCert, and the public key in the EKCert will be used for this check. Example: d4b45864d9d6fabfc568d74f26c35ababde2105337d7af9a6605e1c56c891aa6 ### Nested Schema for `metadata` Optional: - `description` (String) Description is object description - `expires` (String) Expires is a global expiry time header can be set on any resource in the system. - `labels` (Map of String) Labels is a set of labels - `name` (String, Sensitive) Name is an object name ### Nested Schema for `status` Optional: - `bound_keypair` (Attributes) BoundKeypair contains status information related to bound\_keypair type tokens. (see [below for nested schema](#nested-schema-for-statusbound_keypair)) ### Nested Schema for `status.bound_keypair` Optional: - `bound_bot_instance_id` (String) BoundBotInstanceID is the ID of the currently associated bot instance. A new bot instance is issued on each join; the new bot instance will have a `previous_bot_instance` set to this value, if any. - `bound_host_id` (String) BoundHostID is the agent UUID bound to this keypair. This field is left empty if bound to a bot, or if no agent has joined yet. It is mutually exclusive with BoundBotInstanceID but otherwise behaves identically. - `bound_public_key` (String) BoundPublicKey contains the currently bound public key. If `.spec.bound_keypair.onboarding.initial_public_key` is set, that value will be copied here on creation, otherwise it will be populated as part of public key registration process. This value will be updated over time if keypair rotation takes place, and will always reflect the currently trusted public key. This value is written in SSH authorized\_keys format. - `last_recovered_at` (String) LastRecoveredAt contains a timestamp of the last successful recovery attempt. Note that normal renewals with valid client certificates do not count as a recovery attempt, however the initial join during onboarding does. This corresponds with the last time `bound_bot_instance_id` was updated. - `last_rotated_at` (String) LastRotatedAt contains a timestamp of the last time the keypair was rotated, if any. This is not set at initial join. - `recovery_count` (Number) RecoveryCount is a count of the total number of recoveries performed using this token. It is incremented for every successful join or rejoin. Recovery is only allowed if this value is less than `.spec.bound_keypair.recovery.limit`, or if the recovery mode is `relaxed` or `insecure`. - `registration_secret` (String) RegistrationSecret contains a secret value that may be used for public key registration during the initial join process if no public key is preregistered. If `.spec.bound_keypair.onboarding.initial_public_key` is set, this field will remain empty. Otherwise, if `.spec.bound_keypair.onboarding.registration_secret` is set, that value will be copied here. If that field is unset, a value will be randomly generated.