gravitational · nklaassen · Nov 5, 2025 · Oct 31, 2025 · Nov 4, 2025 · rosstimothy
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -2040,6 +2040,10 @@ message ProvisionTokenSpecV2Oracle {
     // full region names ("us-phoenix-1") and abbreviations ("phx") are allowed.
     // If empty, any region is allowed.
     repeated string Regions = 3 [(gogoproto.jsontag) = "regions,omitempty"];
+    // Instances is a list of the OCIDs of specific instances that are allowed
+    // to join. If empty, any instance matching the other fields in the rule is allowed.
+    // Limited to 100 instance OCIDs per rule.
+    repeated string Instances = 4 [(gogoproto.jsontag) = "instances,omitempty"];
   }
   // Allow is a list of Rules, nodes using this token must match one
   // allow rule to use this token.

diff --git a/api/types/provisioning.go b/api/types/provisioning.go
@@ -1050,6 +1050,9 @@ func (a *ProvisionTokenSpecV2Oracle) checkAndSetDefaults() error {
 				i,
 			)
 		}
+		if len(rule.Instances) > 100 {
+			return trace.BadParameter("allow[%d]: maximum 100 instances may be set (found %d)", i, len(rule.Instances))
+		}
 	}
 	return nil
 }

diff --git a/api/types/provisioning_test.go b/api/types/provisioning_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package types
 
 import (
+	"fmt"
 	"testing"
 	"time"
 
@@ -1646,6 +1647,27 @@ func TestProvisionTokenV2_CheckAndSetDefaults(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			desc: "oracle too many instance IDs",
+			token: &ProvisionTokenV2{
+				Metadata: Metadata{
+					Name: "test",
+				},
+				Spec: ProvisionTokenSpecV2{
+					Roles:      []SystemRole{RoleNode},
+					JoinMethod: JoinMethodOracle,
+					Oracle: &ProvisionTokenSpecV2Oracle{
+						Allow: []*ProvisionTokenSpecV2Oracle_Rule{
+							{
+								Tenancy:   "ocid.tenancy.oc1..mytentant",
+								Instances: genOCIDs(101),
+							},
+						},
+					},
+				},
+			},
+			wantErr: true,
+		},
 	}
 
 	for _, tc := range testcases {
@@ -1667,6 +1689,14 @@ func TestProvisionTokenV2_CheckAndSetDefaults(t *testing.T) {
 	}
 }
 
+func genOCIDs(count int) []string {
+	out := make([]string, count)
+	for i := range count {
+		out[i] = fmt.Sprintf("ocid.instance.oc1.region.%d", i)
+	}
+	return out
+}
+
 func TestProvisionTokenV2_GetSafeName(t *testing.T) {
 	t.Run("token join method (short)", func(t *testing.T) {
 		tok, err := NewProvisionToken("1234", []SystemRole{RoleNode}, time.Now())

diff --git a/api/types/types.pb.go b/api/types/types.pb.go
diff --git a/...structure-as-code/operator-resources/resources-teleport-dev-provisiontokens.mdx b/...structure-as-code/operator-resources/resources-teleport-dev-provisiontokens.mdx
@@ -272,6 +272,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 
 |Field|Type|Description|
 |---|---|---|
+|instances|[]string||
 |parent_compartments|[]string||
 |regions|[]string||
 |tenancy|string||

diff --git a/...ence/infrastructure-as-code/terraform-provider/data-sources/provision_token.mdx b/...ence/infrastructure-as-code/terraform-provider/data-sources/provision_token.mdx
@@ -306,6 +306,7 @@ Optional:
 
 Optional:
 
+- `instances` (List of String) Instances is a list of the OCIDs of specific instances that are allowed to join. If empty, any instance matching the other fields in the rule is allowed. Limited to 100 instance OCIDs per rule.
 - `parent_compartments` (List of String) ParentCompartments is a list of the OCIDs of compartments an instance is allowed to join from. Only direct parents are allowed, i.e. no nested compartments. If empty, any compartment is allowed.
 - `regions` (List of String) Regions is a list of regions an instance is allowed to join from. Both full region names ("us-phoenix-1") and abbreviations ("phx") are allowed. If empty, any region is allowed.
 - `tenancy` (String) Tenancy is the OCID of the instance's tenancy. Required.

diff --git a/...ference/infrastructure-as-code/terraform-provider/resources/provision_token.mdx b/...ference/infrastructure-as-code/terraform-provider/resources/provision_token.mdx
@@ -342,6 +342,7 @@ Optional:
 
 Optional:
 
+- `instances` (List of String) Instances is a list of the OCIDs of specific instances that are allowed to join. If empty, any instance matching the other fields in the rule is allowed. Limited to 100 instance OCIDs per rule.
 - `parent_compartments` (List of String) ParentCompartments is a list of the OCIDs of compartments an instance is allowed to join from. Only direct parents are allowed, i.e. no nested compartments. If empty, any compartment is allowed.
 - `regions` (List of String) Regions is a list of regions an instance is allowed to join from. Both full region names ("us-phoenix-1") and abbreviations ("phx") are allowed. If empty, any region is allowed.
 - `tenancy` (String) Tenancy is the OCID of the instance's tenancy. Required.

diff --git a/...luster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml b/...luster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml
@@ -467,6 +467,11 @@ spec:
                       must match one allow rule to use this token.
                     items:
                       properties:
+                        instances:
+                          items:
+                            type: string
+                          nullable: true
+                          type: array
                         parent_compartments:
                           items:
                             type: string

diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_provisiontokens.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_provisiontokens.yaml
@@ -467,6 +467,11 @@ spec:
                       must match one allow rule to use this token.
                     items:
                       properties:
+                        instances:
+                          items:
+                            type: string
+                          nullable: true
+                          type: array
                         parent_compartments:
                           items:
                             type: string

diff --git a/integrations/terraform/tfschema/types_terraform.go b/integrations/terraform/tfschema/types_terraform.go
diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
@@ -2460,6 +2460,11 @@ func validateOracleJoinToken(token types.ProvisionToken) error {
 				return trace.BadParameter("invalid region: %v", region)
 			}
 		}
+		for _, instanceID := range allow.Instances {
+			if _, err := oracle.ParseRegionFromOCID(instanceID); err != nil {
+				return trace.BadParameter("invalid instance OCID: %s", instanceID)
+			}
+		}
 	}
 	return nil
 }

diff --git a/lib/auth/join_oracle_test.go b/lib/auth/join_oracle_test.go
@@ -26,6 +26,7 @@ import (
 	"github.com/gravitational/trace"
 	"github.com/jonboulle/clockwork"
 	"github.com/oracle/oci-go-sdk/v65/common"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"github.com/gravitational/teleport/api/client/proto"
@@ -143,6 +144,101 @@ func mapFromHeader(header http.Header) map[string]string {
 	return out
 }
 
+func TestOracleTokenValidation(t *testing.T) {
+	t.Parallel()
+	server, err := authtest.NewTestServer(authtest.ServerConfig{
+		Auth: authtest.AuthServerConfig{
+			Dir: t.TempDir(),
+		},
+	})
+	require.NoError(t, err)
+	a, err := server.NewClient(authtest.TestAdmin())
+	require.NoError(t, err)
+
+	for _, tc := range []struct {
+		desc      string
+		rule      types.ProvisionTokenSpecV2Oracle_Rule
+		assertion assert.ErrorAssertionFunc
+	}{
+		{
+			desc: "valid",
+			rule: types.ProvisionTokenSpecV2Oracle_Rule{
+				Tenancy:            "ocid1.tenancy.oc1..mytenant",
+				ParentCompartments: []string{"ocid1.compartment.oc1..mycompartment"},
+				Regions:            []string{"us-phoenix-1"},
+				Instances:          []string{"ocid1.instance.oc1.phx.myinstance"},
+			},
+			assertion: assert.NoError,
+		},
+		{
+			desc: "invalid tenant",
+			rule: types.ProvisionTokenSpecV2Oracle_Rule{
+				Tenancy:            "ocid1.badtenancy.oc1..mytenant",
+				ParentCompartments: []string{"ocid1.compartment.oc1..mycompartment"},
+				Regions:            []string{"us-phoenix-1"},
+				Instances:          []string{"ocid1.instance.oc1.phx.myinstance"},
+			},
+			assertion: func(t assert.TestingT, err error, msgAndArgs ...any) bool {
+				return assert.ErrorAs(t, err, new(*trace.BadParameterError), msgAndArgs...) &&
+					assert.ErrorContains(t, err, "invalid tenant", msgAndArgs...)
+			},
+		},
+		{
+			desc: "invalid compartment",
+			rule: types.ProvisionTokenSpecV2Oracle_Rule{
+				Tenancy:            "ocid1.tenancy.oc1..mytenant",
+				ParentCompartments: []string{"ocid1.badcompartment.oc1..mycompartment"},
+				Regions:            []string{"us-phoenix-1"},
+				Instances:          []string{"ocid1.instance.oc1.phx.myinstance"},
+			},
+			assertion: func(t assert.TestingT, err error, msgAndArgs ...any) bool {
+				return assert.ErrorAs(t, err, new(*trace.BadParameterError), msgAndArgs...) &&
+					assert.ErrorContains(t, err, "invalid compartment", msgAndArgs...)
+			},
+		},
+		{
+			desc: "invalid region",
+			rule: types.ProvisionTokenSpecV2Oracle_Rule{
+				Tenancy:            "ocid1.tenancy.oc1..mytenant",
+				ParentCompartments: []string{"ocid1.compartment.oc1..mycompartment"},
+				Regions:            []string{"badregion"},
+				Instances:          []string{"ocid1.instance.oc1.phx.myinstance"},
+			},
+			assertion: func(t assert.TestingT, err error, msgAndArgs ...any) bool {
+				return assert.ErrorAs(t, err, new(*trace.BadParameterError), msgAndArgs...) &&
+					assert.ErrorContains(t, err, "invalid region", msgAndArgs...)
+			},
+		},
+		{
+			desc: "invalid instance",
+			rule: types.ProvisionTokenSpecV2Oracle_Rule{
+				Tenancy:            "ocid1.tenancy.oc1..mytenant",
+				ParentCompartments: []string{"ocid1.compartment.oc1..mycompartment"},
+				Regions:            []string{"us-phoenix-1"},
+				Instances:          []string{"ocid1.badinstance.oc1.phx.myinstance"},
+			},
+			assertion: func(t assert.TestingT, err error, msgAndArgs ...any) bool {
+				return assert.ErrorAs(t, err, new(*trace.BadParameterError), msgAndArgs...) &&
+					assert.ErrorContains(t, err, "invalid instance", msgAndArgs...)
+			},
+		},
+	} {
+		t.Run(tc.desc, func(t *testing.T) {
+			tokenSpec := types.ProvisionTokenSpecV2{
+				Roles:      []types.SystemRole{types.RoleNode},
+				JoinMethod: types.JoinMethodOracle,
+				Oracle: &types.ProvisionTokenSpecV2Oracle{
+					Allow: []*types.ProvisionTokenSpecV2Oracle_Rule{&tc.rule},
+				},
+			}
+			token, err := types.NewProvisionTokenFromSpec("my-token", time.Now().Add(time.Minute), tokenSpec)
+			require.NoError(t, err)
+			err = a.UpsertToken(t.Context(), token)
+			tc.assertion(t, err)
+		})
+	}
+}
+
 func TestRegisterUsingOracleMethod(t *testing.T) {
 	t.Parallel()
 	ctx := t.Context()
-Original file line number
+Diff line change
@@ Expand Up @@
     				i,
     			)
     		}
+    		if len(rule.Instances) > 100 {
+    			return trace.BadParameter("allow[%d]: maximum 100 instances may be set (found %d)", i, len(rule.Instances))
+    		}
     	}
     	return nil
     }
@@ Expand Down @@