What happened:
Using a file path in the auth_token section of teleport.yaml doesn't read the token from the file - the string seems to be interpreted literally as being the token itself.
What you expected to happen:
Given that we support using a path in the tokens section under auth_service (https://gravitational.com/teleport/docs/admin-guide/#static-tokens), I would expect that providing a path to auth_token would read the token from the file in the same way.
How to reproduce it (as minimally and precisely as possible):
teleport.yaml (node) - token is not read from the file:
teleport:
auth_token: /var/lib/tokens/node/join-token
teleport.yaml (proxy/auth) - token is read from the file:
auth_service:
enabled: true
tokens:
- "node:/var/lib/tokens/node/join-token"
Environment:
teleport version): Teleport Enterprise v3.1.1git:v3.1.1-0-g8c506f47 go1.11.4
I would treat this as a lower priority thing for now. TBH the tokens config section is screaming for improvement, i.e. we've made a mistake of overloading it, i.e. if I were to touch this code again I would propose to move to an easier and cleaner YAML (while accepting the old format), i.e.
# server side:
auth_service:
tokens:
node: "file:///path/to/file"
auth: "https://host/path/to/file"
proxy: "in-place secret"
# one secret for all:
auth_service:
tokens:
"node,auth,proxy": "file://path/to/file"
# client side:
auth_token: "file:///path/to/file"
# or...
auth_token: "in-place secret"
This is a pretty big blocker if you want to run your auth nodes in kubernetes and use kubernetes secrets to store your token. Make it challenging to rotate the secrets as well.
@aaronmell agreed, we'll get to this eventually!
Most helpful comment
This is a pretty big blocker if you want to run your auth nodes in kubernetes and use kubernetes secrets to store your token. Make it challenging to rotate the secrets as well.