What is the difference between {{internal.}} and {{external}} variables in Teleport templates?


There are two types of variables encountered in Teleport documentation:

{{internal.logins}} and {{external.groups}}

Is there a list of variables that are supported, and what is the difference?


There are two {{internal}} variables supported:

{{internal.logins}} and {{internal.kube_groups}}. Those are the variables referencing parameters of the locally created users.

On the other hand, {{external.<variable>}} names are variables referencing traits received from the SAML or OIDC provider and are user-defined.

For example, if the user has logged in using SAML SSO, the identity provider could send the following attribute statements:

    groups: ["admin", "dev"]
    logins: ["alice"]

Later on these variables could be used in RBAC templates:

    logins: ['{{external.logins}}']
    kubernetes_groups: ["{{external.groups}}"]
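
As an added illustration (not part of the original answer and not Teleport's own code), the sketch below models how the template entries above resolve for an SSO user and for a locally created user. It assumes that a list-valued trait yields one entry per value and that an entry whose trait is absent is dropped; `expand`, `resolve` and the sample trait maps are hypothetical names.

```python
import re

# Matches one {{internal.<name>}} or {{external.<name>}} variable in a role value.
VAR = re.compile(r"\{\{\s*(internal|external)\.(\w+)\s*\}\}")


def expand(templates, internal, external):
    """Expand role template entries against a user's trait lists.

    Simplified model (assumption, not Teleport's code): a list-valued trait
    yields one entry per value, and an entry whose trait is absent is dropped.
    """
    sources = {"internal": internal, "external": external}
    result = []
    for entry in templates:
        match = VAR.search(entry)
        if match is None:
            result.append(entry)  # literal value, nothing to expand
            continue
        namespace, name = match.groups()
        for value in sources[namespace].get(name, []):
            expanded = entry[:match.start()] + value + entry[match.end():]
            if expanded not in result:
                result.append(expanded)
    return result


def resolve(role, internal, external):
    """Resolve every templated field of a role for one user's traits."""
    return {field: expand(values, internal, external)
            for field, values in role.items()}


# Constructed sample: the attribute statements from the answer above.
saml_traits = {"groups": ["admin", "dev"], "logins": ["alice"]}
# Constructed sample: a locally created user, who has no SSO traits.
local_traits = {"logins": ["bob"], "kube_groups": ["viewers"]}

# Role fields as written in the answer, plus an internal fallback for logins.
role_allow = {
    "logins": ["{{external.logins}}", "{{internal.logins}}"],
    "kubernetes_groups": ["{{external.groups}}"],
}

if __name__ == "__main__":
    print("SSO user:  ", resolve(role_allow, {}, saml_traits))
    print("local user:", resolve(role_allow, local_traits, {}))
```

Running this kind of resolution over the traits an identity provider actually sends is a quick way to review which logins and groups a role grants before it is deployed.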