gravitational · boxofrad · Feb 19, 2025 · Feb 7, 2025 · Feb 7, 2025 · Feb 7, 2025
diff --git a/docs/pages/enroll-resources/machine-id/faq.mdx b/docs/pages/enroll-resources/machine-id/faq.mdx
@@ -79,7 +79,7 @@ Machine ID.
 ## Can Machine ID be used to generate long-lived certificates?
 
 Machine ID cannot currently be used to generate certificates valid for longer
-than 24 hours, and requests for longer certificates using the `certificate_ttl`
+than 24 hours, and requests for longer certificates using the `credential_ttl`
 parameter will be reduced to this 24 hour limit.
 
 This limit serves multiple purposes. For one, it encourages security best

diff --git a/docs/pages/includes/machine-id/common-output-config.yaml b/docs/pages/includes/machine-id/common-output-config.yaml
@@ -15,3 +15,13 @@ destination:
 # if no roles are specified, all roles the bot is allowed to impersonate are used.
 roles:
   - editor
+
+# credential_ttl and renewal_interval override the credential TTL and renewal
+# interval for this specific output, so that you can make its certificates valid
+# for shorter than `tbot`'s internal certificates.
+#
+# This is particularly useful when using `tbot` in one-shot as part of a cron job
+# where you need `tbot`'s internal certificate to live long enough to be renewed
+# on the next invocation, but don't want long-lived workload certificates on-disk.
+credential_ttl: 30m
+renewal_interval: 15m
diff --git a/docs/pages/reference/machine-id/configuration.mdx b/docs/pages/reference/machine-id/configuration.mdx
@@ -43,17 +43,23 @@ auth_server: "teleport.example.com:3025"
 # Teleport Cloud, the address of your Teleport Cloud instance.
 proxy_server: "teleport.example.com:443" # or "example.teleport.sh:443" for Teleport Cloud
 
-# certificate_ttl specifies how long certificates generated by `tbot` should
+# credential_ttl specifies how long certificates generated by `tbot` should
 # live for. It should be a positive, numeric value with an `m` (for minutes) or
 # `h` (for hours) suffix. By default, this value is `1h`.
 # This has a maximum value of `24h`.
-certificate_ttl: "1h"
+#
+# It can be overridden for most outputs and services to give them a shorter TTL
+# than `tbot`'s internal certificates.
+credential_ttl: "1h"
 
 # renewal_interval specifies how often `tbot` should aim to renew the
 # outputs it has generated. It should be a positive, numeric value with an
 # `m` (for minutes) or `h` (for hours) suffix. The default value is `20m`.
-# This value must be lower than `certificate_ttl`.
+# This value must be lower than `credential_ttl`.
 # This value is ignored when using `tbot` is running in one-shot mode.
+#
+# It can be overridden for most outputs and services to give them a shorter
+# renewal interval than `tbot`'s internal certificates.
 renewal_interval: "20m"
 
 # oneshot configures `tbot` to exit immediately after generating the outputs.

diff --git a/integrations/lib/embeddedtbot/bot_test.go b/integrations/lib/embeddedtbot/bot_test.go
@@ -122,11 +122,13 @@ func TestBotJoinAuth(t *testing.T) {
 			TokenValue: tokenName,
 			JoinMethod: types.JoinMethodToken,
 		},
-		AuthServer:      authAddr.Addr,
-		CertificateTTL:  defaultCertificateTTL,
-		RenewalInterval: defaultRenewalInterval,
-		Oneshot:         true,
-		Debug:           true,
+		AuthServer: authAddr.Addr,
+		CredentialLifetime: config.CredentialLifetime{
+			TTL:             defaultCertificateTTL,
+			RenewalInterval: defaultRenewalInterval,
+		},
+		Oneshot: true,
+		Debug:   true,
 	}
 	bot, err := New(botConfig)
 	require.NoError(t, err)

diff --git a/integrations/lib/embeddedtbot/config.go b/integrations/lib/embeddedtbot/config.go
@@ -45,8 +45,8 @@ func (c *BotConfig) BindFlags(fs *flag.FlagSet) {
 	fs.StringVar(&c.AuthServer, "auth-server", "127.0.0.1:3025", "Address of the Teleport Auth Server or Proxy Server")
 	fs.StringVar(&c.Onboarding.TokenValue, "token", "teleport-operator", "A bot join token or path to file with token value.")
 	fs.StringVar((*string)(&c.Onboarding.JoinMethod), "join-method", string(types.JoinMethodKubernetes), "Method to use to join the Teleport cluster.")
-	fs.DurationVar(&c.CertificateTTL, "certificate-ttl", defaultCertificateTTL, "TTL of short-lived machine certificates.")
-	fs.DurationVar(&c.RenewalInterval, "renewal-interval", defaultRenewalInterval, "Interval at which short-lived certificates are renewed; must be less than the certificate TTL.")
+	fs.DurationVar(&c.CredentialLifetime.TTL, "certificate-ttl", defaultCertificateTTL, "TTL of short-lived machine certificates.")
+	fs.DurationVar(&c.CredentialLifetime.RenewalInterval, "renewal-interval", defaultRenewalInterval, "Interval at which short-lived certificates are renewed; must be less than the certificate TTL.")
 	caPinsFlag := StringListVar{
 		list: &c.Onboarding.CAPins,
 	}

diff --git a/integrations/terraform/provider/credentials.go b/integrations/terraform/provider/credentials.go
@@ -521,8 +521,10 @@ See https://goteleport.com/docs/reference/join-methods for more details.`)
 				AudienceTag: audienceTag,
 			},
 		},
-		CertificateTTL:  time.Hour,
-		RenewalInterval: 20 * time.Minute,
+		CredentialLifetime: tbotconfig.CredentialLifetime{
+			TTL:             time.Hour,
+			RenewalInterval: 20 * time.Minute,
+		},
 	}
 	bot, err := embeddedtbot.New(botConfig)
 	if err != nil {

diff --git a/lib/tbot/cli/start_identity_test.go b/lib/tbot/cli/start_identity_test.go
@@ -55,8 +55,8 @@ func TestIdentityCommand(t *testing.T) {
 				require.Equal(t, "foo", token)
 
 				require.ElementsMatch(t, cfg.Onboarding.CAPins, []string{"bar"})
-				require.Equal(t, time.Minute*10, cfg.CertificateTTL)
-				require.Equal(t, time.Minute*5, cfg.RenewalInterval)
+				require.Equal(t, time.Minute*10, cfg.CredentialLifetime.TTL)
+				require.Equal(t, time.Minute*5, cfg.CredentialLifetime.RenewalInterval)
 				require.Equal(t, types.JoinMethodGitHub, cfg.Onboarding.JoinMethod)
 				require.True(t, cfg.Oneshot)
 				require.Equal(t, "0.0.0.0:8080", cfg.DiagAddr)

diff --git a/lib/tbot/cli/start_legacy.go b/lib/tbot/cli/start_legacy.go
@@ -188,29 +188,29 @@ func (c *LegacyCommand) ApplyConfig(cfg *config.BotConfig, l *slog.Logger) error
 	}
 
 	if c.CertificateTTL != 0 {
-		if cfg.CertificateTTL != 0 {
+		if cfg.CredentialLifetime.TTL != 0 {
 			log.WarnContext(
 				context.TODO(),
 				"CLI parameters are overriding configuration",
 				"flag", "certificate-ttl",
-				"config_value", cfg.CertificateTTL,
+				"config_value", cfg.CredentialLifetime.TTL,
 				"cli_value", c.CertificateTTL,
 			)
 		}
-		cfg.CertificateTTL = c.CertificateTTL
+		cfg.CredentialLifetime.TTL = c.CertificateTTL
 	}
 
 	if c.RenewalInterval != 0 {
-		if cfg.RenewalInterval != 0 {
+		if cfg.CredentialLifetime.RenewalInterval != 0 {
 			log.WarnContext(
 				context.TODO(),
 				"CLI parameters are overriding configuration",
 				"flag", "renewal-interval",
-				"config_value", cfg.RenewalInterval,
+				"config_value", cfg.CredentialLifetime.RenewalInterval,
 				"cli_value", c.RenewalInterval,
 			)
 		}
-		cfg.RenewalInterval = c.RenewalInterval
+		cfg.CredentialLifetime.RenewalInterval = c.RenewalInterval
 	}
 
 	// DataDir overrides any previously-configured storage config

diff --git a/lib/tbot/cli/start_legacy_test.go b/lib/tbot/cli/start_legacy_test.go
@@ -53,8 +53,8 @@ func TestLegacyCommand(t *testing.T) {
 				require.Equal(t, "foo", token)
 
 				require.ElementsMatch(t, cfg.Onboarding.CAPins, []string{"bar"})
-				require.Equal(t, time.Minute*10, cfg.CertificateTTL)
-				require.Equal(t, time.Minute*5, cfg.RenewalInterval)
+				require.Equal(t, time.Minute*10, cfg.CredentialLifetime.TTL)
+				require.Equal(t, time.Minute*5, cfg.CredentialLifetime.RenewalInterval)
 				require.Equal(t, types.JoinMethodGitHub, cfg.Onboarding.JoinMethod)
 				require.True(t, cfg.Oneshot)
 				require.Equal(t, "0.0.0.0:8080", cfg.DiagAddr)

diff --git a/lib/tbot/cli/start_shared.go b/lib/tbot/cli/start_shared.go
@@ -153,29 +153,29 @@ func (s *sharedStartArgs) ApplyConfig(cfg *config.BotConfig, l *slog.Logger) err
 	}
 
 	if s.CertificateTTL != 0 {
-		if cfg.CertificateTTL != 0 {
+		if cfg.CredentialLifetime.TTL != 0 {
 			l.WarnContext(
 				context.TODO(),
 				"CLI parameters are overriding configuration",
 				"flag", "certificate-ttl",
-				"config_value", cfg.CertificateTTL,
+				"config_value", cfg.CredentialLifetime.TTL,
 				"cli_value", s.CertificateTTL,
 			)
 		}
-		cfg.CertificateTTL = s.CertificateTTL
+		cfg.CredentialLifetime.TTL = s.CertificateTTL
 	}
 
 	if s.RenewalInterval != 0 {
-		if cfg.RenewalInterval != 0 {
+		if cfg.CredentialLifetime.RenewalInterval != 0 {
 			l.WarnContext(
 				context.TODO(),
 				"CLI parameters are overriding configuration",
 				"flag", "renewal-interval",
-				"config_value", cfg.RenewalInterval,
+				"config_value", cfg.CredentialLifetime.RenewalInterval,
 				"cli_value", s.RenewalInterval,
 			)
 		}
-		cfg.RenewalInterval = s.RenewalInterval
+		cfg.CredentialLifetime.RenewalInterval = s.RenewalInterval
 	}
 
 	if s.DiagAddr != "" {

diff --git a/lib/tbot/cli/start_shared_test.go b/lib/tbot/cli/start_shared_test.go
@@ -66,8 +66,8 @@ func TestSharedStartArgs(t *testing.T) {
 	require.Equal(t, "foo", token)
 
 	require.ElementsMatch(t, cfg.Onboarding.CAPins, []string{"bar"})
-	require.Equal(t, time.Minute*10, cfg.CertificateTTL)
-	require.Equal(t, time.Minute*5, cfg.RenewalInterval)
+	require.Equal(t, time.Minute*10, cfg.CredentialLifetime.TTL)
+	require.Equal(t, time.Minute*5, cfg.CredentialLifetime.RenewalInterval)
 	require.Equal(t, types.JoinMethodGitHub, cfg.Onboarding.JoinMethod)
 	require.True(t, cfg.Oneshot)
 	require.Equal(t, "0.0.0.0:8080", cfg.DiagAddr)