gravitational · timothyb89 · Jun 26, 2025 · Jun 24, 2025 · Jun 24, 2025 · Jun 24, 2025
diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/ssh_access.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/ssh_access.pb.go
diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/ssh_identity.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/ssh_identity.pb.go
diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go
diff --git a/api/proto/teleport/decision/v1alpha1/ssh_access.proto b/api/proto/teleport/decision/v1alpha1/ssh_access.proto
@@ -159,6 +159,14 @@ message LockTarget {
 
   // ServerID is the host id of the Teleport instance.
   string server_id = 8;
+
+  // BotInstanceID is the bot instance ID if this is a bot identity.
+  string bot_instance_id = 9;
+
+  // JoinToken is the name of the join token used when this identity originally
+  // joined. This only applies to bot identities, and cannot be used to target
+  // bots that joined via the `token` join method.
+  string join_token = 10;
 }
 
 // HostUserMode determines how host users should be created.

diff --git a/api/proto/teleport/decision/v1alpha1/ssh_identity.proto b/api/proto/teleport/decision/v1alpha1/ssh_identity.proto
@@ -155,6 +155,10 @@ message SSHIdentity {
   // GitHubUsername indicates the GitHub username identified by the GitHub
   // connector.
   string github_username = 33;
+
+  // JoinToken is the name of the join token used for bot joining. It is unset
+  // for other identity types, or for bots using the `token` join method.
+  string join_token = 34;
 }
 
 // CertExtensionMode specifies the type of extension to use in the cert. This type

diff --git a/api/proto/teleport/decision/v1alpha1/tls_identity.proto b/api/proto/teleport/decision/v1alpha1/tls_identity.proto
@@ -149,6 +149,11 @@ message TLSIdentity {
 
   // UserType indicates if the User was created by an SSO Provider or locally.
   string user_type = 35;
+
+  // JoinToken is the name of the join token used when a bot joins; it does not
+  // apply to other identity types, or to bots using the traditional `token`
+  // join method.
+  string join_token = 36;
 }
 
 // RouteToApp holds routing information for applications.

diff --git a/api/proto/teleport/legacy/types/events/events.proto b/api/proto/teleport/legacy/types/events/events.proto
@@ -4959,6 +4959,9 @@ message Identity {
   // BotInstanceID indicates the name of the Machine ID bot instance this
   // identity was issued to, if any.
   string BotInstanceID = 29 [(gogoproto.jsontag) = "bot_instance_id,omitempty"];
+  // JoinToken is the name of the join token used when a Machine ID bot joined,
+  // if any. It is not set for bots using the `token` join method.
+  string JoinToken = 30 [(gogoproto.jsontag) = "join_token,omitempty"];
 }
 
 // RouteToApp contains parameters for application access certificate requests.

diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -6039,6 +6039,15 @@ message LockTarget {
 
   // ServerID is the host id of the Teleport instance.
   string ServerID = 9 [(gogoproto.jsontag) = "server_id,omitempty"];
+
+  // BotInstanceID is the bot instance ID if this is a bot identity and is
+  // ignored otherwise.
+  string BotInstanceID = 10 [(gogoproto.jsontag) = "bot_instance_id,omitempty"];
+
+  // JoinToken is the name of the join token used when this identity originally
+  // joined. This is only valid for bot identities, and cannot be used to target
+  // `token`-joined bots.
+  string JoinToken = 11 [(gogoproto.jsontag) = "join_token,omitempty"];
 }
 
 // AddressCondition represents a set of addresses. Presently the addresses are specified