# Bound Keypair Joining Reference

Bound Keypair is a join method designed to provide the best features of [delegated join methods](https://goteleport.com/docs/reference/deployment/join-methods.md#secret-vs-delegated) - like the AWS, GCP, or Azure join methods - but in on-prem or otherwise unsupported environments where no external verification is available.

Specifically, this join method:

- Does not require dedicated TPM hardware or external identity attestation
- Does not require long-lived shared secrets
- Allows for limited automatic recovery if certificates expire
- Allows recovery restrictions to be relaxed or lifted to accommodate different use cases and deployment scenarios
- Ensures failed bots can be recovered without client-side intervention in most cases

---

PREVIEW NOTE

Bound Keypair Joining is available in v18.1.0 and is intended to replace `token` joining as the default recommended join method for bots in Teleport v19.0.0.

Bound Keypair Joining is primarily intended to be used for joining Machine & Workload ID bots, but supports standard Teleport agents as of v18.8.0.

---

## Use cases

Bound Keypair Joining can be used in any environment and is designed to function as a drop-in replacement for the traditional [`token`](https://goteleport.com/docs/reference/architecture/machine-id-architecture.md#ephemeral-token) join method in all situations where it is used today. This includes bare-metal and on-prem hardware where TPMs are not available, or cloud providers not currently supported by a [delegated join method](https://goteleport.com/docs/reference/deployment/join-methods.md#delegated-join-methods).

Like `token` joining, Bound Keypair Joining also works well for local experimentation and testing, with minimal configuration needed to onboard a bot initially. When you are ready to deploy to production, it is trivial to adjust the onboarding and recovery settings to select your desired balance between resiliency and security.

Additionally, with [static keys](https://goteleport.com/docs/reference/machine-workload-identity/bound-keypair/static-keys.md) and in situations that can accommodate the security complications, Bound Keypair Joining can be used to join bots in otherwise unsupported CI/CD providers by persisting the bot's keypair in a platform keystore.

## Limitations

While Bound Keypair Joining enables or simplifies a number of use cases, it does have limitations that may make it unfit in some instances.

In particular, the [secure recovery modes](https://goteleport.com/docs/reference/machine-workload-identity/bound-keypair/concepts.md#recovery) introduce some deployment restrictions:

- Each bot deployment must be issued a unique token. For deployment at scale, use of Teleport's [Terraform provider](https://goteleport.com/docs/reference/infrastructure-as-code/terraform-provider.md) is recommended to create tokens in bulk for each deployment.
- Each bot deployment must be able to store client-side state (used for [join state verification](https://goteleport.com/docs/reference/machine-workload-identity/bound-keypair/concepts.md#join-state-verification)).

The client-side state requirement can be worked around using the [`insecure` recovery mode](https://goteleport.com/docs/reference/machine-workload-identity/bound-keypair/admin-guide.md#disabling-join-state-verification), but doing so meaningfully reduces the join method's security protections and should be used with care.

## Next steps

You can read step-by-step guides on using Bound Keypair Joining with Machine & Workload Identity:

- [Using Bound Keypair Joining](https://goteleport.com/docs/reference/machine-workload-identity/bound-keypair/getting-started.md): How to install and configure Machine & Workload Identity with Bound Keypair Joining
- [Using Bound Keypair static keys](https://goteleport.com/docs/reference/machine-workload-identity/bound-keypair/static-keys.md): How to use Bound Keypair static keys with stateless hosts, like otherwise unsupported CI/CD providers
- [Bound Keypair Joining Concepts](https://goteleport.com/docs/reference/machine-workload-identity/bound-keypair/concepts.md): Learn more about the components and architecture of Bound Keypair Joining
- [Bound Keypair Joining Admin Guide](https://goteleport.com/docs/reference/machine-workload-identity/bound-keypair/admin-guide.md): Learn how to deploy and maintain bots in production with Bound Keypair Joining
- [Bound Keypair Provision Token Reference](https://goteleport.com/docs/reference/deployment/join-methods.md#bound-keypair-bound_keypair): Learn about the options that can be configured for a `bound_keypair` token
