Just-in-Time Access Software
Independent guidance for JIT access buyers
Subscribe →
Vendor Profile

Teleport

Open-source infrastructure access proxy built around certificate-based authentication. Engineers receive short-lived X.509 certificates and SSH keys — no persistent credentials stored on target machines, no password rotation schedules, no vault to maintain. The certificate is the session.

Category
Workload / NHI JIT
Deployment
Open source (self-hosted) + Enterprise cloud
JIT approach
Certificate-based short-lived credentials
Access scope
Human + NHI
On-prem support
Yes
Pricing
Open source free / $$ Enterprise
License
Apache 2.0 (community) / Commercial (enterprise)

Overview

Teleport's architecture rests on a certificate authority it operates internally. When an engineer authenticates, Teleport's CA issues a short-lived X.509 certificate or SSH certificate valid for a configured duration — typically hours, not days. When the certificate expires, the engineer must re-authenticate. No persistent credentials are stored on target servers. No SSH authorized_keys files to audit. No passwords to rotate. The certificate lifespan is the access window.

This is a different ephemeral model from IAM-layer JIT platforms. Britive and Apono provision and delete cloud IAM entities. Teleport provisions and expires cryptographic certificates that grant direct access to infrastructure. The model eliminates a different attack surface: credential theft from target machines, long-lived SSH keys distributed across server fleets, and authorized_keys files that accumulate entries without lifecycle management.

Architecture and key capabilities

The Teleport cluster is the central component: it runs the certificate authority, proxies connections, and stores the audit log. Engineers install the Teleport client (tsh) and authenticate via SSO, MFA, or hardware keys; the cluster issues a short-lived certificate valid for the configured session duration. Target resources — servers, databases, Kubernetes clusters, web applications — run the Teleport agent, which accepts certificates from the cluster CA and rejects anything else.

Kubernetes access is a strength. Teleport integrates with the Kubernetes API server audit log and issues short-lived kubeconfig credentials that expire independently of any persistent kubeconfig file. For Kubernetes-heavy environments where developer access to cluster APIs is a security concern, this provides strong controls without the operational overhead of managing long-lived service account tokens.

For the NHI use case, Teleport supports machine ID: a mechanism for issuing short-lived certificates to bots, pipelines, and automated processes without storing persistent credentials in CI/CD configuration or secrets managers. A GitHub Actions workflow can receive a fresh Teleport certificate per run, valid for the duration of the job.

Open-source considerations: Teleport Community Edition is production-capable and widely deployed. The enterprise features — Access Requests with approval workflows, enhanced audit log integrations, hardware key support — require a commercial license. Teams starting on open source can run a real JIT deployment; teams requiring the full enterprise feature set should scope the commercial license before assuming open source covers the requirement.

Strengths

Strengths
  • Certificate-based architecture eliminates persistent SSH keys and authorization files on target machines
  • Open-source community edition is production-capable — buyers can evaluate with real workloads before a commercial commitment
  • Strong Kubernetes access controls; kubeconfig credentials expire with the session
  • Machine ID covers NHI/pipeline JIT without secrets manager dependency
  • On-premises and cloud coverage via a single access plane
  • Strong developer community with broad documentation and integrations
Limitations
  • Self-hosted deployment requires running and maintaining the Teleport cluster
  • Teleport Cloud reduces operational overhead but introduces a commercial dependency
  • Access request approval workflows are more limited in community edition
  • Certificate-based model requires Teleport agent deployment on all target machines — a non-trivial rollout for large server fleets
  • Less competitive for cloud IAM role provisioning (AWS/Azure/GCP console access) compared to IAM-native platforms

Target environment

Teleport is the right evaluation for engineering-led organizations with strong Kubernetes usage, SSH-heavy server access, and database access requirements where certificate-based JIT is the preferred security model. The open-source availability makes it compelling for organizations that want to evaluate on real infrastructure before a commercial commitment, and for teams that prefer to run their own access plane.

Organizations that need cloud IAM role provisioning as the primary JIT use case will find Teleport less competitive than Britive or Apono. Teleport's strength is in the infrastructure layer below the cloud control plane: servers, databases, Kubernetes, and internal web applications accessed by both humans and automated workloads.

Verdict

The best certificate-based JIT option in the market, with open-source community edition as a genuine production alternative to commercial platforms. The deployment requirement — running the Teleport cluster and deploying agents to targets — is real operational overhead that scales with the environment size. For Kubernetes-heavy engineering organizations, the Kubernetes access model alone justifies the evaluation. For environments where cloud IAM role provisioning is primary, evaluate IAM-native platforms first.

Related comparisons