Teleport Workload Identity with SPIFFE: Achieving Zero Trust in Modern Infrastructure
May 23
Virtual
Register Today
Support
LOG IN
Teleport logoTry For Free
Contact SalesTry for Free
Support
LOG IN
Fork me on GitHub

Teleport

Usage Reporting and Billing

Version 15.x

Commercial editions of Teleport send anonymized usage data to Teleport so we can calculate billing metrics. This guide describes the anonymized usage data and the billing metrics we calculate.

Anonymized usage data

The commercial editions of Teleport send anonymized information to Teleport's cloud infrastructure at reporting-teleport.teleportinfra.sh:443. This information contains the following:

  • Teleport license identifier.
  • Anonymized cluster name and Teleport Auth Service host ID.
  • For each Teleport user, the anonymized user name and a count of interactions with infrastructure resources enrolled in your Teleport cluster.

Self-hosted Teleport deployments aggregate interaction data before it reaches Teleport Cloud. Teleport Cloud accounts provide this information as an anonymized log, which Teleport aggregates over the billing period.

The count of interactions includes the following:

  • Teleport logins
  • SSH and Kubernetes exec sessions
  • Web sessions with registered HTTP applications
  • Connections with registered TCP applications
  • SSH port forwards
  • Kubernetes API requests
  • SFTP actions

The anonymization is done by passing names and IDs through HMAC-SHA-256. Teleport Cloud clusters use an HMAC key that's randomly generated when the cluster is initialized. Self-hosted Teleport deployments use an anonymization key that's generated and embedded in the license file at download time and never shared with us. This makes it infeasible for anyone without access to the cluster to deanonymize the data we store.

Each cluster in a Trusted Clusters setup is responsible for reporting about the interactions with its own resources; therefore, all clusters will periodically reach out to Teleport Cloud to report usage, and should all be using the same license file for correct aggregate measurement.

The code that aggregates and anonymizes this data can be found in our GitHub repository.

Billing metrics

Teleport uses the anonymized usage data described in the previous section to calculate two types of billing metrics:

  • Monthly Active Users
  • Teleport Protected Resources

Monthly Active Users

Monthly Active Users (MAU) is the aggregate number of unique active users accessing Teleport.

We aggregate MAU over each monthly period starting on the subscription start date and ending on each monthly anniversary thereafter.

"Active" means a user having performed any activity that would appear in a Teleport audit log, for example, connecting to a resource via the Web UI or via tsh login, submitting an Access Request, and so on.

We do not count automated actions, such as the modification of a user's role by an administrator or the automatic creation of a user through an identity provider, as user activity.

Note: when configured to perform single-sign-on against an external identity provider, Teleport creates temporary user records that are valid for the duration of the SSO session. As a result, the Users page in Teleport's web UI will only show users who have recently logged in and is not a true representation of all active users over the last month.

Teleport Protected Resources

The Teleport Protected Resources (TPR) metric is the aggregate number of unique resources connected to Teleport.

We aggregate TPRs on a daily basis and use the average of those daily sums to determine the amount of TPRs for each monthly period, which starts on the subscription start date and ends on each monthly anniversary thereafter.

A "resource" is any unique bot, such as a CI/CD Jenkins or GitHub Actions job, or a distinct computing resource, including a Kubernetes cluster, SSH server, database instance, or serverless endpoint, that registers with the Teleport cluster at least once a month.

Usage measurement for billing

We aggregate all counts of the billing metrics on a monthly basis starting on the subscription start date and ending on each monthly anniversary thereafter.

The amount of usage purchased by a Teleport customer is based on the maximum aggregate amount of a billing metric in a given month during the term of the Subscription, also known as a high water mark calculation.

Reach out to [email protected] if you have questions about the commercial editions of Teleport.