Improve Observability for Join Token Deletion Events in Audit Logs #49198
Labels: audit-log (Issues related to Teleport's Audit Log), c-vkc (Internal Customer Reference), feature-request (Used for new features in Teleport; improvements to current features should be #enhancements)
What would you like Teleport to do?
Teleport does not log an event when a join token is manually deleted. This lack of visibility makes it challenging for administrators to investigate issues such as tokens being unexpectedly removed before expiry. A long-lived join token (180 days) was removed, causing difficulty in joining new nodes.
Impact: Customers with complex setups, such as multiple on-prem networks where Teleport is the sole access method, face severe accessibility issues if tokens are deleted without visibility into the cause.
What problem does this solve?
If a workaround exists, please include it.
Until this feature is implemented, customers are advised to use short-lived tokens or implement automation to regenerate tokens periodically. However, these solutions may not fit all use cases, such as the one described above.
Proposed Solution:
Add a join_token.delete Audit Event:
Log details such as:
Actor: User, role, or system process responsible for deletion.
Timestamp: Exact time of the deletion.
Token Details: Token name and associated metadata (e.g., node type, validity period).
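As an added illustration of the proposed event (this is example code written for this issue, not Teleport's own code or schema), the Go program below models a hypothetical `join_token.delete` JSON event carrying the fields listed above (actor, roles, timestamp, token name, join roles, original expiry) and runs a small check over constructed newline-delimited audit log lines to flag the case the issue describes: a token deleted while it still had a large part of its validity left. The JSON field names, the event string and the sample log lines are assumptions for this example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// JoinTokenDeleteEvent is a hypothetical JSON shape for the proposed
// join_token.delete audit event, carrying the fields the issue asks for
// (actor, timestamp, token details). It is an illustration for this issue,
// not Teleport's actual event schema; field names are assumed.
type JoinTokenDeleteEvent struct {
	Event     string    `json:"event"`      // event type, "join_token.delete"
	Time      time.Time `json:"time"`       // when the deletion happened
	User      string    `json:"user"`       // actor: user or system process
	Roles     []string  `json:"roles"`      // actor's roles at deletion time
	TokenName string    `json:"token_name"` // join token name (redact or hash in practice)
	JoinRoles []string  `json:"join_roles"` // what the token could join as, e.g. Node
	Expires   time.Time `json:"expires"`    // the token's original expiry
}

// NewJoinTokenDeleteEvent builds the event an auth server could emit when a
// token is removed. now is passed in so callers (and tests) control the clock.
func NewJoinTokenDeleteEvent(now time.Time, user string, roles []string,
	tokenName string, joinRoles []string, expires time.Time) JoinTokenDeleteEvent {
	return JoinTokenDeleteEvent{
		Event: "join_token.delete", Time: now.UTC(), User: user, Roles: roles,
		TokenName: tokenName, JoinRoles: joinRoles, Expires: expires.UTC(),
	}
}

// RemainingTTL is how much validity the token still had when it was deleted.
func (e JoinTokenDeleteEvent) RemainingTTL() time.Duration {
	return e.Expires.Sub(e.Time)
}

// FlagEarlyDeletions scans newline-delimited JSON audit events and returns the
// token names of join_token.delete events where more than minRemaining of
// validity was thrown away: the "long-lived token removed before expiry" case
// from the issue. Other event types are skipped; malformed lines are errors.
func FlagEarlyDeletions(ndjson string, minRemaining time.Duration) ([]string, error) {
	var flagged []string
	sc := bufio.NewScanner(strings.NewReader(ndjson))
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev JoinTokenDeleteEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", lineNo, err)
		}
		if ev.Event != "join_token.delete" {
			continue
		}
		if ev.RemainingTTL() > minRemaining {
			flagged = append(flagged, ev.TokenName)
		}
	}
	return flagged, sc.Err()
}

// SampleAuditLog is constructed sample data for this example: one deletion of
// a 180-day token with most of its life left, one routine deletion of a token
// minutes from expiry, and an unrelated event that the scanner must skip.
var SampleAuditLog = strings.Join([]string{
	`{"event":"join_token.delete","time":"2024-11-20T09:14:05Z","user":"alice","roles":["editor"],"token_name":"onprem-dc1-nodes","join_roles":["Node"],"expires":"2025-05-09T00:00:00Z"}`,
	`{"event":"join_token.delete","time":"2024-11-20T09:15:30Z","user":"rotation-bot","roles":["token-rotator"],"token_name":"ci-runner-short","join_roles":["Node"],"expires":"2024-11-20T09:25:00Z"}`,
	`{"event":"user.login","time":"2024-11-20T09:16:00Z","user":"bob","success":true}`,
}, "\n")

func main() {
	ev := NewJoinTokenDeleteEvent(time.Date(2024, 11, 20, 9, 14, 5, 0, time.UTC),
		"alice", []string{"editor"}, "onprem-dc1-nodes", []string{"Node"},
		time.Date(2025, 5, 9, 0, 0, 0, 0, time.UTC))
	out, _ := json.Marshal(ev)
	fmt.Println(string(out))

	flagged, err := FlagEarlyDeletions(SampleAuditLog, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("early deletions:", flagged)
}
```

With the 24-hour threshold used in `main`, only `onprem-dc1-nodes` is reported: its deletion discarded roughly 170 days of validity, while the rotation bot's deletion of a token ten minutes from expiry is routine. Recording the actor and original expiry on the event is what makes this distinction possible after the fact; without the event there is nothing to scan.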