What You'll Learn

  1. Access Windows desktops through Teleport's browser-based RDP proxy with passwordless authentication.
  2. Consolidate SSH, Kubernetes, database, and web access onto a single 443 port.
  3. Use WebAuthn, Touch ID, and AWS discovery to gate privileged resources.

Steven Martin walks through what landed in Teleport 8: Windows desktop access without RDP, single-port 443 connectivity, WebAuthn with Touch ID, EC2 node auto-join, dynamic app and database registration, and RDS auto-discovery.

Chapters

  1. 0:00 Introduction
  2. 1:00 Introduction
  3. 1:49 Guest's Favorite Teleport Feature
  4. 3:47 What's New in Teleport 8? (Overview)
  5. 6:35 Teleport Demo
  6. 6:40 Demo: Windows Desktop Access
  7. 11:40 About Ports
  8. 11:42 Demo: Single Port Access (443)
  9. 13:55 WebAuthn
  10. 13:56 Demo: WebAuthn (Biometric MFA)
  11. 18:05 AWS
  12. 20:30 Console Access
  13. 23:01 Demo: EC2 Node Auto-Join
  14. 30:18 Teleport for other clouds
  15. 30:42 Discussion: AWS & Other Clouds
  16. 33:00 Teleport open source
  17. 34:30 Teleport use case
  18. 35:18 Demo: Dynamic App Registration
  19. 36:18 Teleport metrics
  20. 37:23 Teleport Agent
  21. 40:35 Database Agent
  22. 41:00 Demo: Auto-Finding RDS Databases
  23. 45:11 Discussion: Monitoring & Release Velocity
  24. 45:52 Community & Conclusion
  25. 47:01 Farewell & Outro
Transcript

1:00 Introduction

1:00 Hello, and welcome to today's episode of Rawkode Live. Today, we are taking a look at some of the new features that have just recently been released with Teleport version 8. I'm your host today, David Flanagan. I don't remember my name correctly this time, and you may know me from across the Internet as Rawkode. As you might be able to tell, I'm in an entirely new space doing a livestream on a 5G router. So let's see how this goes. Today, I am very lucky to be joined by Steven Martin once again from the Teleport

1:28 team. Hey, man. How's it going? Oh, good. Doing really well. Awesome. Well, welcome back. Yeah. It's gonna be fun. It's always nice to take a look at some of the things that are happening with Teleport. It's such a cool product that I literally use every single week. So it's always good to sit down with someone over there and cover some of the new shiny stuff. For anyone who didn't see the last episode, could you maybe give us a small introduction to who you are? Sure. Yeah. I'm Steven Martin, solution

1:49 Guest's Favorite Teleport Feature

1:59 engineering manager here at Teleport. Just coming up on my two years. And for folks that aren't familiar, you know, Teleport is an open source access plane and certificate authority, you know, for your infrastructure. So, essentially, you know, we make it a very secure way, a passwordless approach to accessing your resources, whether that's SSH machines, web apps, Kubernetes, databases, and now with 8.0, Windows desktops. Nice. Awesome. So here's a question that I never gave you upfront, and I'm gonna lump it on you now and just see. Like, you use Teleport a lot. Right? Would that be

2:40 a fair assumption? What's your favorite feature? I think part of it is the tunnel, the fact that I can have a machine available. I run some of my own, you know, personal sites, and I wanna get access to it. But I am concerned about open ports, you know, and people being able to attack those ports, especially ones that I don't wanna expose all the time. So the fact that I can SSH into something or even provide other access, you know, without opening a port because, you know, yes, you could try

3:18 to do some firewalling and locking down, but that gets hard, you know. Whereas in this case, you know, you can really restrict that more. Yeah. Definitely. It's a great feature for sure. I think it reminds us of the ability, the capabilities to pair either through the web GUI or the command line client. I think those are cool. I've been able to debug something in real time with some colleagues, especially in our new remote-first world. I think it's fantastic. So what's new in Teleport 8? Yeah. This is we consider this, you know, one of our largest

3:47 What's New in Teleport 8? (Overview)

3:55 releases, version 8. First, one of the largest ones that people have probably heard about is our Windows desktop access. Now we're not providing, you know, an RDP protocol. That's one of the ways we're taking this is that we think the you know, and I'll be stepping through that shortly, you know, exactly how that works and an example of it. But using our web console, you know, folks will be able to open up desktop interaction to their current, you know, Windows machines. Typically, you know, those are your server types, like Windows 2022

4:35 Datacenter and others, even back to 2012. In addition, we are providing things like WebAuthn, you know, if you wanted to use your watch or in my case, I'm gonna use the Touch ID. Others like, you know, being able to auto-find RDS machines, whereas previously, you had to specifically poke at it, or point at it exactly. Another is the ability to dynamically add apps and databases. I'll be showing a Grafana example today where you'll be able to directly say, okay. I want to deploy this application. Here's its tag, and then an existing agent

5:20 that has registered itself to run those tags will automatically run it. So that's a way of getting away from, you know, worrying about, oh, I deployed. Did I set the right YAML on that machine? But now you can just say deploy. Here's your tag, and it'll, you know, kind of like Kubernetes, automatically, you know, run on a particular agent. Awesome. Well, it sounds like you've got some amazing things to show us in the demo. So we will get to that in just a moment. We have a comment from Av and Ash, which I'm gonna pop back up again

5:50 just saying that session recording has to be everybody's favorite feature. I just Oh, yeah. No. Yeah. I definitely take that for granted. I think it's something where, you know, you wanna review, you know, what happened. And I look at that as, you know, it's great for auditing, but as a you know, often if you're a developer or someone who's looking back on, okay, what did I exactly run? Because, you know, Ctrl-R doesn't find everything, right. You know, I wanna look back at what did I run, what order did I do

6:18 it in, were there any errors, and you can see it from that. Yeah. Definitely. Alright. Well, shall we get your screen shared? Hop off the demo, and I'll do my best to throw loads of questions at you as we go through. Please. Yep. There you go. You are now live. Take it away. Great. Thank you. So there's a bit of a space theme going. I'm on moon.teleportdemo.com, and you'll see some Apollos and Hercules as we go. So first off, let's start with the Windows example. So these are some

6:40 Demo: Windows Desktop Access

6:58 particular two domains I have available. So that's one of the things is that you can hook on to multiple Active Directory domains. It'll automatically bring in, you know, the particular tags, you know, for those machines. I went ahead and connected via desktop access here. You can see these running concurrently. So I'm on, you know, one of the Apollo machines, and I'm also on one of the Hercules. And it's just like regular, you know, RDP if you're used to interacting through that. But the major difference is I came in passwordlessly, so I did not have to, you know,

7:37 provide a password here, type it in, or save it locally on my machine, you know, which is what most of the RDP, you know, clients do is it gives you that option. But, you know, how secure is that? You know, versus in our case and I'll show in a minute, you know, how we're connecting in there. You know, users themselves do not have to supply a password. But you do supply, you know, in the case of the roles. You would say, you know, okay. Here's the labels you're allowed to connect to and then what users,

8:09 it takes in my email. So that's how it comes in with Steven. So you can see I'm connecting with my particular username, Steven, that's allowed to go in there. Awesome. Very cool. Yep. And, right now, we have, you know, we have the initial web and you notice it's labeled preview in that a couple of the major features coming, you know, will be the session recording, will be things like clipboard. You notice it is in the web browser. And, again, that's because we don't think that providing the RDP protocol directly is the most

8:44 secure way. We think that providing it through the web console does provide you that added protection that, you know, the proxy is sitting in front of it. It's verifying your access to the machine. It's then using a virtual smart card approach, and that's the way that it's securely identifying you through to the Active Directory, and it's maintaining that for you so that, again, to the user, it's all seamless. Yeah. It's very cool. I don't think I've ever worked for a company that doesn't have one or more random selection of

9:15 Windows servers just floating about in the infrastructure, and, like, the access management to it was always a bit wild-west-y, to be honest. And so this is actually bringing these things under almost proper fleet management, at least from an access point of view, which I think is really, really cool. Yeah. One thing to point out is in terms of the labeling. So some of these, you know, some of these are just pulled directly, but then you can give additional labeling, in terms of you know, you'll notice here

9:44 I have the one environment production. So this is not the same as some of these other tags as well as the domain. So if we take a look at, in terms of, you know, the configuration here. So this is where I've set up the Windows desktop service from the machine I'm connecting to. I'm saying this is my domain controller, the domain that's actually connected to Apollo, the user. You can also set it up to use another more generic user, like Teleport Service. That's actually in our documentation. But then this is part of how you

10:18 can do more host labeling. So in this case, I'm saying if the name matches this, any of the machines that have this name, label them domain. So this is an additional label I'm putting on. And then in the case of, like, Hercules, I wanted to add in a production one. So I'm looking for that prod name and add it in. So that's where you could give that. I don't want you going to all machines, but I'm gonna say your user can see, you know, particular labeled machines. Alright. Does this have any requirements on, like,

10:45 a minimum Windows version? Does it run on all Windows since 10? Or pre-Windows well, we Windows Server 2012 and up. Now Windows 10, 11 could work. I'd say most of our clients are gonna be running the Windows servers. And you do need to be in a domain so that so the, you know, these are part of an Active Directory domain. Alright. Okay. So I can't expose my personal Windows machine over that quite yet, but maybe in the future. Yeah. No. Exactly. Yeah. Right. I mean, again, it's we're really focused on making sure it's

11:19 the most secure connection, and Active Directory allows us to do that virtual smart card approach. So it's passwordless. You could just put up an RDP. You know, you could just pass through RDP protocol, but then you're just typically gonna be saying, okay. Put in your username and password and go. Yeah. But, again, we wanted to make sure it was the most secure way. Awesome. Very cool. I like that. Yeah. I'd say the other one, one of the other cool features is around ports. So you probably have noticed in your configuration,

11:42 Demo: Single Port Access (443)

11:54 the number sometimes you have a number of ports open, right, to allow access to Teleport. And with our, you know, latest version, you can limit that to a single port, like 443. So if you take a look at and, this is getting a little nerdy. I can take a look at a configuration of Teleport through here, and this is telling me all the ports that are available. So you notice they all have a common 443. So it's saying, this is my public address. This is what I'm going through the browser. This is

12:30 my SSH. This is my Kubernetes, you know, database, all 443. Now I have another server, enterprise, more of a Star Trek theme. You notice there's different ports. So in this case, I'm running it off. You have the option of using either. There are some times where you may wanna run that, but, you know, this really simplifies it going to a single port. Because, you know, as you might run into or we run into with some of our enterprise clients, you know, it can be difficult for them to open up, you know, a

13:03 number of ports like that, whether for users or for the agents, to be able to provide that connectivity. So that's really a big thing to make it, you know, easier for security, as well as just configuring your environment so that I don't have to worry about, you know, different ports in the load balancers or things. I can just use a single one. Yeah. The fewer ports I have to open up to the world or even in a private network, the better. Yeah. I get that. Yep. Yeah. And you can always use

13:32 this URL, /webapi/find, to look at, you know, what is the configuration for the server, what's the server version, and the different ports. So that's usually a good way that when I'm working with a new client or someone just checking out the OSS, like, if they're having trouble with the port, hey. What's your configuration? And they can do this. Nice. Cool. Now one of the other and I mentioned earlier was about our support for WebAuthn, and I hope I'm saying it right. I was it's like

13:56 Demo: WebAuthn (Biometric MFA)

14:06 WebAuthn. I'm sure everyone's maybe in the UK, you say it a little differently, but, the n. But, essentially, that's providing another you know, previously, we'd supported, like, the Google auth type, as well as YubiKey, and this takes it to another level, you know, with our support of things like Touch ID or using your watch and being able to additionally authenticate a user. Now in this case, what I've done is I've said for particular nodes, if they're labeled prod, then you do need to use that. And we can check your you know, I have

14:42 a prod access role. You'll see this is requiring MFA true. Yep. And then on your individual deployment, you can decide, are you gonna support multiple? So a person could have Google auth. They could have YubiKey and WebAuthn. Or you may say, well, we're only gonna do you could say only a particular one. So it's up to you if you want to allow multiple or only allow a single one on your machine. Then in this case, you know, so I'm gonna go ahead and log in there. It's gonna say, need to verify. And I just got this Mac, so I'm

15:22 using this lovely fingerprint thing. Thought that was pretty cool. And now I'm in the machine. Now if I go to another machine, like in this case, a dev one, I don't need to because it doesn't have that requirement on. But I'm saying for particular labeled machines, then you will have to do that. Yeah. Okay. So you can say for these labels or these individual nodes that you require that second factor before we actually give you access to it. Can you use Touch ID to log in to the Teleport server too,

15:57 or is that just Yes. For local users, you could. Now if you're using a single sign-on, we would assume that would take over for the authentication part of it. But if you're using local users only, yes, you can certainly use that. That's sweet. Nice. Yep. Yeah. We definitely recommend that if you want to have, even if you're using OSS, let's say you're using GitHub as your SSO, well, maybe you want a backup local admin user in case, you know, as we've seen, sometimes things go down

16:33 in the last week or so, you know, then you could have an MFA on that admin user. We'd certainly recommend that. And that is the default to have an MFA on. Yes. So you're showing Touch ID there, but that's gonna work with anything that supports WebAuthn, really. Right? Yes. Yeah. Exactly. So this web As long as, yeah, the browser supports it, whatever web browser you're using, then you should be good. In terms of how you control it, so in terms of my account setting,

17:03 I can say I have two. So this is my Touch ID, and then I also have a Yubi registered. So the YubiKey, I can use in my desktop interaction, you know, whereas the Touch ID, I can use with my Safari browser. Cool. I like that feature too. It's just one of those quality of life improvements. Right? It just enables that things available at Touch ID or Windows Hello or anything else like that. It just and rather than getting your phone out and looking for Authy or Google Authenticator and all that stuff, you know, with the biometric approaches. Password. What is my password? Copy,

17:38 paste, show, reveal. You know, as you're out on and as you probably run into, if you're out on the train or out somewhere, like, I don't really wanna be showing people my codes or passwords, but I like, you know, having a Touch ID is very convenient. Yeah. Well, I have an Apple Watch, and the first thing I'll be doing now in my Teleport cluster is seeing if I can get that all hooked up so that I can access my Oh. My machines with just touching my watch, which will be nice.

18:02 Yep. Now I am running this in AWS. So definitely one of the things I wanted to touch on is our additional AWS features. And you can see here I've a number of accounts available. So from a single Teleport instance, you can and I'm doing you can do this from where you're deploying it or from an agent that's running in AWS, then you can allow access to multiple roles in different accounts. So you can see here I have one account here, and this is actually our main solution engineer account,

18:05 AWS

18:39 and then I have others. So that gives you that ability, you know, and a lot of us, especially if you're running enterprise, you will have multiple AWS accounts. So then from here, I can launch right into it. So I can see my servers. I can go to RDS. And then it is restricted to, you know, what that role is allowed access. So I've gone in as SAM power user, which power being that user has a fair amount of privileges. Or by default, you'd probably wanna give them read only, and then they can access

19:23 request to get more access. Okay. That was almost too much magic in one go for me there because it feels as if you just logged in beforehand and it's magically worked. But that's actually launched you an AWS console session, logged you in as a user that was listed on Teleport, and then that's what you're I mean, it was just so fast. Let's do a different AWS account. Yeah. I think I probably have to check. Didn't mean to put you on the spot there. No. No problem. Yeah. No. I think I didn't add a role for

19:58 this user, but that's part of how you would just to highlight how you configure it. You know? So you'd add in different roles here. Mhmm. And then you would say what account they're allowed to see. So that's why it's not showing those others because that account wasn't identified. Yeah. But if you wanna add another one, yeah, you could do that that way. Yeah. It's just, you know, we're looking at the list of AWS accounts. You click launch, and right away, I'm staring at the AWS console. It was just, you know, it worked too well at

20:27 that point where I'm skeptical though. I'm like, really? Did that just happen? So Yep. Yeah. No. It's very fast. One of the things we've noticed is that while there are ways and I mentioned about that power user, you know, we have seen where requesting additional access can be complicated in some of the SSOs. So this gives you that ability to do that often more quickly. Now you also have this in local, you know, from the command line. So you can see I'm logged in as that same user, you know, particular access. I can take a look at the apps.

20:30 Console Access

21:05 And I already logged in. Let me show you. Let me log out of that one so I can show you the so if I log in directly to access, it's gonna get a little mad at me because what do you log in as? Okay. So, okay, before you hit return on this Mhmm. Or maybe even in another terminal, can you run aws s3 ls or something? That's just something that would, I guess, fail. Sure. So this should say unauthenticated, I would imagine. Yeah. Okay. Yep. Yeah. No. And this

21:49 is a brand new machine for me. And we've gone in our case, we, you know if I wanted to do that because we use Okta, I would have to log in through Okta, get the, you know, temporary tokens, and then copy and paste those here. So that's a little bit of a longer process for me. But, yeah, I'd say I don't have the access yet. If I see, I am still getting used to this Mac world. So I'm logging in as that same access you saw me clicking.

22:37 Yeah. So now I'm logged in. Yeah. You can do that one. No. That's the button. So I use that command, tsh eight AWS. Now the other thing which I wanted to show, particularly with this console access, is the concept of using the auto join. So one of our features here, if you go into our documentation about, you know, joining nodes. So often you've seen this where and let me you know, if I wanna add a new machine, I might do tokens add type equals node. So then I get this particular

23:01 Demo: EC2 Node Auto-Join

23:23 token. I can copy and paste it and use it on the machine. Well, rather than worrying about token distribution, do I use SSM? Do I use, you know, Vault or something? You know, we saw the best way to do that was to, you know, have the concept of, you know, auto joining. Now this will allow you to install Teleport, and I've gone ahead and done that in an AMI machine where it's already built in. It uses the EC2 token. The machine itself that's running has permission to

23:57 look up that machine and verify it. You can see here this is the policy it's setting, and then this is an example of the token that I've already configured, you know, what roles are allowed, SSH, apps, things of that nature. You also set in here, okay. Well, how long until this when the server starts is it still allowed to join? Because it's not unlimited. You can't just install Teleport, use the token, and then go. This is meant to be used for when any server first starts up. And then you also are setting well, okay. Well, what accounts

24:30 are allowed to join and from what regions? So you can restrict where those machines are coming from. So it's not just open. Yeah. So you have a fair amount of control here. Okay. Yep. So in this case, I have a set of AMI machines. The one I wanna use is example node three. It's an Amazon Linux 2, with a built-in Teleport installer already there. Go ahead and do t2.micro, whatever is your favorite. As part of this, I wanted to be able to pull out some of the tags,

25:09 when it runs. So it pulls in tags, and it's both gonna use that in terms of how it connects to Teleport as well as just informational things. So that's a useful feature if you can say, oh, pull in whatever tags are being set on your EC2. And I don't need SSH, so I'm taking it out. Now the way I'm telling it to connect and not necessarily the way you have to, but I'm saying this is your auth service. So I don't need a token, but I'm saying this is what I want you

25:43 to connect to. I'm gonna name you dev three. You're in environment dev and then group dev. When I was setting this up, I was like, environment, groups, those are sometimes different. Let's do that. So we're pretty good to go. Alright. Let me you can click the button now, I'm gonna try and rephrase what I think you're doing just to make sure I understand what was actually happening here. So you've got an AMI image, an Amazon Machine Image that you're spinning up, and you've added some tags to it through the UI. Now you've assigned an IAM

26:23 role to this machine so that it can query its own tags. Also, this AMI is shipping with Teleport, which because it's in this account with the right role is going to auto join your Teleport cluster and be automatically approved and be available in the UI. Is that close? Pretty close. The one thing is this doesn't need a role itself to join. It's the server itself that has the role that can verify that machine. So you don't need to come with a role as the node. Rather, it's the server itself

27:02 has the role, so it's able to describe instances. Otherwise, it couldn't confirm what is that machine, where is it coming from. Okay. So yeah. So there's nothing special about the machines themselves, other than that you've configured it with a tag to tell it where the cluster server is. That's it. Yeah. I didn't have to do that. It was just my preference. Yeah. Okay. It looks like I didn't run that. What I thought it was O, EC2. Oh, yeah. Good catch. I'd have stared at that for another

27:43 forty-five minutes before I noticed. Well, I just wanted to so I'm using our AWS access here to verify has it started up yet. I can see it has started. Everything we saw before, it's in us-east-1d, and it is running. So then if we go back, here it is. And as part of this configuration, I'm using our PAM. I installed Teleport. I use our PAM integration so they can auto-create the user. So Steven isn't on this machine, but it'll automatically create it when it comes in.

28:30 I also allow this, you know, the user to get sudo rights, you know, just like EC2, but it doesn't have to come in as EC2. And then this is what I was mentioning about, you know, getting tags. So Yep. This is pulling in the metadata intent, which you don't need a role for that, but you do need it for this if you wanna pull out a group and environment, and then I have the PAM on. And here's that token part. So there's no, you know, long token needed anymore. You just say I'm joining by EC2

28:58 token. It's gonna see I'm coming from US West 1 in the account, and then it's going to allow it to join. Okay. I got two questions then. So let's assume I wanna be able to replicate this in my own AWS infrastructure. Anyone watching does. Like, what's special about this AMI or what do they need to do themselves to be able to get this kind of workflow without using, you know, your demo AMI? Yep. I'd say they would have the AMI. Or I'm sorry. They would start with

29:28 a machine. They would want to install Teleport and at least have the token configuration set up. So you're saying I'm using a token and the auth service. I had this Teleport YAML generated, but you wouldn't have to. You could just set up the Teleport YAML, and have that ready to go, have the Teleport service installed and enabled, and then it'll start and then use this configuration. The biggest thing is making sure that your Teleport auth service is on an EC2 that has this permission that is allowed to describe those instances. Otherwise, it can't confirm

30:09 that, you know, as you set here, what account is it, what region is it, and then verifying that it's allowed to join. Okay. So because that allow list there takes multiple accounts, like, I can actually have a single Teleport that looks after or has access to my instances across multiple AWS accounts? Yep. Very cool. I like that. I guess my next question is how do I get this on every other cloud now? Is that Teleport 9? Do I have to wait a little longer? Well, kind of like the console part where, you know, a large amount of our

30:42 Discussion: AWS & Other Clouds

30:48 clients are AWS. So we have initially released console and CLI for AWS. You know, we'll see one of our ads, and I don't have that database running on this one, but we did just add one of our first Azure features of database. So we're supporting their Postgres and MySQL, which you know, so we are expanding into, you know, GCP and Azure. I'd say right now, the Console and CLI are AWS only, but we could see about adding them in there. A lot of it is Yeah. Yeah, how well do they integrate from an API standpoint.

31:22 Some of them make it more awkward than others, but, you know, we're continuing to look at it. AWS needs us the most. I mean, I don't know how many times I've had to bang my head against access delegation for AWS. You know, Azure and GCP are lucky. Like, generally, those companies are using G Suite or maybe even Outlook or O365, and it's all integrated really nicely. But AWS is just this big sore jaggy thumb of authentication. How do I get people access to this within my organization? At least I've always found it notoriously

31:50 difficult. So I like this feature. I think it's a whole lot. Yep. Yeah. And we try to make these docs I mean, part of why I'm showing them is to make them as explicit as possible. Also, on the AWS console one, which I wrote part of that, so yell at me. Not but this steps you through at a really low level with, like, giving you a read-only access example and a power user example. One of the trickier parts I found is that it says power user. I had to expand that, because it doesn't give you IAM

32:24 rights. You can I can do an EC2, but then I couldn't in this case, I couldn't actually assign an IAM role to my EC2, which seems kind of strange. But you have to have a specific IAM permission to do that or even if I wanted to change IAM roles. So what they might call power user, and this is a default role in AWS, may not always mean what you think. So I'd say that's the only extra thing is making sure you're clear what these roles are doing Yep. And that they don't always cover every

32:56 part of AWS that you expect. Awesome. And we have a question from the audience, which I knew was gonna come up eventually, and I'm sure you've heard this a billion times. But Kevin is asking, any chance we can have SAML or OIDC in the open source version so that we don't have to use GitHub? Well, yeah. I mean, that's one of our particular enterprise features, probably one of the largest that people decide to go enterprise for. I'd say most of our clients who are using SAML or OIDC, you know, are already in a company.

33:00 Teleport open source

33:35 We don't see quite as many of our open source. Maybe there are more than I expect. Like, if they're using Keycloak, you could use that. But, you know, right now, we see that as a way of us providing value in enterprise, whether you're using our hosted service or the on-prem. Now, you know, in some cases, like with our RBAC, you know, we released that to open source. Previously, that was an enterprise feature. So, you know, we are always evaluating that. There's no plans that I know of to release that that way.

34:07 But we are looking at, you know, still increasing the GitHub feature, making that, you know, even better. So, you know, we we we do we definitely don't do want OSS to be, fully usable in in a deployment. You know, we're not trying to say you get 90% in the last 10% you have to pay for. But, you know, for now, we we do think it's better to keep that as enterprise. Yeah. I'm always very thankful that the GitHub one is available for me because I I I use it in all of my Teleport instances. What I would say to you, Kevin, is

34:30 Teleport use case

34:38 I know Kevin is in the Discord server. So jump into the Teleport channel and tell us what your use case is, and I'll share that with Steven and the Teleport team. And maybe something will happen in the longer run. But I do like the GitHub SSO. It works well. Yep. Yep. Oh, no. We definitely appreciate feedback on that and other features. It helps us to understand what the community is doing and make sure it's definitely functional for them. Yeah. Okay. Alright. That's a lot of features in a release. I've gotta say that

35:10 you could just have done the Windows desktop access, and that would have already been a huge release, but to add on all this other stuff as well. Well, I'll just say, when I was a consultant, often we were deploying to Linux servers, but our development and some of even our staging, until we got to final release, was Windows. Or we might rely on Active Directory for maintaining our single sign-on. Like, well, we have to get to that machine.

35:18 Demo: Dynamic App Registration

35:42 And it was, you know, often a single admin user, or it could be difficult to issue passwords that weren't like your typical one. So we definitely see that that expands our functionality. And, you know, a lot of what we think of as our customer usage is that a lot of people are using both. And nowadays it gets kinda tricky: you know, we don't have Windows phones much, but many people are using Surfaces. Many people are using Windows servers for various reasons. Alright. Awesome. Suresh, I do see your comment.

36:18 Teleport metrics

36:22 I'm not sure I fully understand. So if you wanna type in a bit more detail, please feel free. I will read out the question for you, Steven. Okay. I think we might need some more on that. But Suresh is asking, do we have any monitoring tool which can pull container and server metrics onto dashboards for Teleport? So I'm not sure if Suresh is asking if Teleport exposes, like, a Prometheus endpoint or anything like that, or if it's gonna prevent access to other Prometheus endpoints, but I'll let you try it now, so

36:50 go for it. I'd say, I mean, Teleport provides its own Prometheus metrics. It's not offering a general set of metrics. So we would expect you to use another tool, like Prometheus. You can definitely get access to those through Teleport. But I would say it itself is not meant as a monitoring tool for your particular set of services or servers. Yeah. That makes sense. Yeah. Alright. Harish, if you wanna add any more details, if we didn't answer that question for you, just jump back

37:23 Teleport Agent

37:28 into the comments and we'll do our best. Is there anything else, Steven, you wanna show us? Yeah. A couple of quick things. One, and I think this is a little bit related to what that gentleman was asking, in terms of, you know, well, let's say you did wanna deploy a particular analytics or monitoring system. So this is a case of, you know, I have a Grafana configuration, and I want to deploy it on a machine that will take my Grafana. So in this case, we can take

38:01 a quick look. I have a Teleport agent running here, and I've said, okay, this is an app service. I'm not specifically defining my app services, but I'm saying I will take any applications that have this particular set of tags. So it's in the development environment, and it's the Grafana app. So then when I'm ready, I can just say `tctl create`. And then that's deployed, directly available, and I can launch straight into it. So in just a few seconds, I was able to deploy a particular web application right on an agent that's running.

38:51 So that's a big jump from, as I talked a little bit earlier, having to have that YAML all defined, all perfect, all set, and, you know, oh, where do I wanna run it? I have to have that in the right place. In this case, I can say, well, I'm gonna deploy an agent. I may not even want it running all the time. You know, I may wanna deploy this and then take it back down. So I can actually just remove that. Now it's gone.

39:27 So is that the magic effect again, Steven? You're confusing me. So we don't have to run any more agents? Is that what you're saying? Does everything else apply? You still need the agent. So I am definitely running an agent here. Okay. This dev one, this machine, I deployed it specifically because I wanted it to be an agent. Oh, okay. Yeah. So in this case, I'm saying I'm allowing resources, web applications, that fit this labeling. Oh, okay. Okay. Yeah. Got it. Yeah. If

40:04 I try to, yeah, exactly. No, that's an important point. If I try to deploy this with environment prod, I would have to have an agent that accepts those labels. And then it wouldn't find a home if that's not set. So it's meant to be, yes, I'm saying I want this particular deployment. And, okay, it allows you to do that. Similar to Kubernetes, like, you have the taints or tolerations, right, of saying what's allowed to run here.

40:35 Database Agent

40:35 Yeah. You've given us the ability now to kind of schedule these app services and point them to the correct agents to expose them. Previously, it was a very manual process. I was having to make sure I set up the agents in that regard, and, yeah, this is much nicer. Again, one of those quality of life things that just makes it all a bit easier to get started. So, yep. I mean, it took me a minute to work out what was actually happening here, but I like it though. I got

40:57 it. Yeah. Cool. The one I want, and kinda a little bit similar in terms of auto-finding, is the databases. So you notice I have a mix here of names. I have some that look a little more manual, you probably noticed, where I have a name, I have a tier, and then here, I have ones that are more expanded. They have an account ID, engine version, and then others here. So in terms of this database agent, I can take a look here. I've configured this database service. So I've

41:00 Demo: Auto-Finding RDS Databases

41:37 said, you will find any database service, like RDS, that has a type of RDS and this tag, environment dev. And if we take a look back on our RDS. Maybe? Yeah. US East One. Don't go down on me again. So I have this. Is that the one I want? That's fine. So I've tagged this as environment dev. So it will only bring back those specific databases with that tag, and then you can allow users to have that. Now, again, just like allowing machines to come in, my running agent needs permission to find these databases.

42:35 And once it has that permission, it's also able to control its access. That's one of our important security considerations: it can auto-find them and add them, but you also want to limit what it can do. So in this case, I'm saying, okay, you can get your role. You can change your role. You can modify it. But I'm gonna put a boundary on you. I'm gonna say, you're only able to do this. You can connect, but you can't do more than that. And that's an important thing we strongly recommend people using this feature do: set

43:19 those permission boundaries so that a machine itself can change its permissions to say, well, I'm gonna add, you know, a database connection here, but we're not gonna let you then add in some other service or things. The machine can only set these particular changes for itself. So it's dynamic, but it's not able to do more than what you're limiting it to with the permission boundary. Nice. Yeah. Very cool. Yep. And then this also leads into that port thing, where I can provide that access

43:57 for a user. So I can log in, and then if I wanna connect, I can set up a proxy to it that allows me to keep that single port. Nope. I think I meant to do one. Yep. There you go. But in this case, I'm going through the local proxy, and then I'm connecting through that single Teleport 443. So this way, I don't have to expose, like, the 3036 or another port for the user to go through. But I

45:01 can use this proxy approach. And that again allows us to use that single port approach, which simplifies things. Yeah. 100%. Couldn't agree with that more. Alright. That is quite a lot. Yeah. It's a big release. I mean, I just don't understand how Teleport maintains this velocity. I feel like it was just a little while ago we were talking about all the new features with Teleport seven and the new database access stuff, and then Teleport eight sneaks up on me, and there's all this other new stuff now. And I

45:11 Discussion: Monitoring & Release Velocity

45:38 love the balance of, like, here's some new shiny features, but also we're always making improvements to that quality of life. Like, I think half the stuff we've seen today is just making things simpler and easier for Teleport users, which is fantastic. Yeah. And people are welcome to join our Slack. You know, there's also GitHub Discussions that we have in our repository. So both are great places to have that dialogue, so we really encourage people to try things out. You know, most of the features, besides that SAML one we talked about, you

45:52 Community & Conclusion

46:11 know, those are all openly available in OSS. We're already seeing some dialogue in terms of desktop access and things. So we definitely encourage people to try those out and let us know any questions. Yeah. I think I say this to everyone, but there's no excuse for not having Teleport in your setup these days. You get so much value from having it there, and convention and security are hard. Like, why would you make it harder and not have something like Teleport there to take away some of that

46:38 burden? Yeah. Thank you for taking time out of your day, for joining us, preparing those demos, and walking us through it. Really, really cool additions to Teleport. And then, hopefully, we can have you back again for Teleport nine, which, based on your velocity, will be in about three weeks. Maybe Ben and I will join. We'll join together. Awesome. Alright, David. Thank you so much for having us. Just, you know, please visit goteleport.com. We hope you try it out. Let us know any feedback, good and bad. And as always, I really enjoy dialoguing

47:01 Farewell & Outro

47:13 with you here directly, David, or anywhere else. It's fantastic to work with you. Alright. Awesome. Well, it was a pleasure, and well done on all those demos. They all worked. There were no failures other than potentially AWS going down, but I think we managed to stay away from that. Have a great day, Steven. It was a pleasure, and I'll catch you again soon. Yep. Bye. Yep. Happy holidays. Bye.
