Can I delete a join token after a resource has been added to a Teleport environment? #41993
Users of Teleport can have join tokens created in a variety of ways (CI/CD, ad hoc, etc.) and it may not always be clear if/when the token can be removed. Does removing a token also remove the resource or cause a negative impact?
Replies: 1 comment
Once a resource joins a cluster, the resource is no longer using a join token and instead uses signed X.509 certificates. At this point the token is no longer in use by the joined resource and can safely be removed/rotated. Additionally, an event is noted in the Audit Log that includes a suffix of the token used to join the resource. This allows users to query by suffix to see if a token was used [0].

[0]
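The suffix lookup described in the answer above, as an added example that is not part of the original reply or Teleport's own code: it scans exported audit events and reports which candidate tokens match a logged suffix before they are deleted. The event types, the `token_name`, `time`, `node_name` and `bot_name` fields, the leading-asterisk masking and all sample values are assumptions constructed for illustration.

```python
import json

# Constructed candidate tokens (placeholders, not real secrets).
USED = "a1b2c3d4e5f6a7b8c9d0e1f29f3a7c21"
BOT = "00112233445566778899aabb52d0be11"
UNUSED = "ffeeddccbbaa99887766554433221100"

# Constructed audit events, one JSON object per line. The field names and
# the leading-asterisk masking of the token are assumptions.
SAMPLE_EVENTS = """\
{"event": "instance.join", "time": "2024-05-20T10:01:00Z", "node_name": "db-1", "token_name": "************************9f3a7c21"}
{"event": "session.start", "time": "2024-05-20T10:05:00Z", "user": "alice"}
{"event": "instance.join", "time": "2024-05-21T08:30:00Z", "node_name": "db-2", "token_name": "************************9f3a7c21"}
{"event": "bot.join", "time": "2024-05-22T12:00:00Z", "bot_name": "ci", "token_name": "************************52d0be11"}
not-json debris line
"""

JOIN_EVENTS = {"instance.join", "bot.join"}  # assumed join event types


def token_usage(event_lines, tokens):
    """Map each candidate token to the join events whose logged suffix it ends with."""
    usage = {t: [] for t in tokens}
    for line in event_lines.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON events
        if not isinstance(ev, dict) or ev.get("event") not in JOIN_EVENTS:
            continue
        suffix = str(ev.get("token_name", "")).lstrip("*")
        if not suffix:
            continue  # fully masked or missing: cannot be attributed
        who = ev.get("node_name") or ev.get("bot_name")
        for t in tokens:
            if t.endswith(suffix):
                usage[t].append((ev.get("time"), who))
    return usage


def report(usage):
    """Per token: number of matching joins and the most recent join time."""
    return {t: {"joins": len(u),
                "last_join": max((x[0] for x in u if x[0]), default=None)}
            for t, u in usage.items()}


if __name__ == "__main__":
    print(json.dumps(report(token_usage(SAMPLE_EVENTS, [USED, BOT, UNUSED])), indent=2))
```

A suffix match is evidence rather than proof, since two tokens can share a short suffix; a token with zero matches may simply never have been used within the exported time range.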