
Cloud Access Management: Common Fate and Teleport

Rowan Udell
November 8, 2024

For organizations managing access to cloud resources, infrastructure, and databases, choosing the right access management solution is crucial. While both Common Fate and Teleport offer robust capabilities, they approach the challenge from different perspectives. Common Fate specializes in cloud-native, time-bound access management, while Teleport focuses on protocol-level access control and enterprise-specific features.

Cloud Access Management Challenges

Modern cloud environments present new access management challenges, and organizations must balance:

  • Rapid access provisioning for developer productivity
  • Security and compliance requirements
  • Complex multi-cloud environments
  • Integration with existing identity systems
  • Audit and governance needs

Cloud Integration

A key difference between Common Fate and Teleport is that Common Fate integrates directly with AWS IAM Identity Center, whereas Teleport requires you to migrate away from Identity Center and use custom IAM roles. IAM Identity Center is recommended by AWS as the best practice approach to managing human access to multi-account environments. Common Fate also uses the AWS Organizations API to automatically inventory the available AWS accounts in your AWS organization.

When using Teleport, you will need to implement and manage your own provisioning system for IAM roles used by Teleport across your AWS organization. If you are using a mix of IAM Identity Center for persistent access and Teleport for privileged access, you now have two systems to manage.

For Cloud Access

Common Fate supports AWS resource-based access. It currently supports requesting access to specific S3 buckets, with more AWS resources planned. When the resource-based access capability is used, Common Fate automatically provisions a dynamic IAM policy in IAM Identity Center that grants the user read or write access to that particular S3 bucket only.
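To make the shape of such a bucket-scoped grant concrete, here is an added example (not Common Fate's own code, and the action sets for "read" and "write" are my assumption, not what the product provisions): a small generator for a single-bucket policy document, plus the review check an approver would want, that the policy names exactly one bucket and no wildcard actions or resources.

```python
"""Build and check a bucket-scoped S3 policy of the kind a just-in-time
access broker would provision for one approved request.

Added illustration for this post; not Common Fate's code. The action
lists are an assumption about what "read" and "write" should mean."""
import json

READ_ACTIONS = ["s3:ListBucket", "s3:GetObject"]
WRITE_ACTIONS = READ_ACTIONS + ["s3:PutObject", "s3:DeleteObject"]


def bucket_policy(bucket: str, mode: str) -> dict:
    """Return a policy document granting `mode` ("read" or "write") on
    exactly one bucket; an unknown mode raises instead of over-granting."""
    if mode == "read":
        actions = READ_ACTIONS
    elif mode == "write":
        actions = WRITE_ACTIONS
    else:
        raise ValueError(f"unknown access mode: {mode!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": actions,
            # Bucket ARN is needed for ListBucket, the object ARN prefix
            # for the object-level actions; nothing outside this bucket.
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def scoped_to_bucket(policy: dict, bucket: str) -> bool:
    """Reviewer check: every Allow statement must reference only this
    bucket's ARNs and must not use wildcard actions or resources."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        res = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any("*" in a for a in acts) or not set(res) <= allowed:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample bucket name for the demo.
    policy = bucket_policy("example-logs", "read")
    print(json.dumps(policy, indent=2))
    print("scoped:", scoped_to_bucket(policy, "example-logs"))
```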

Similarly for Google Cloud, Common Fate’s approach to provisioning is much simpler than Teleport’s. Teleport only allows users to request CLI access, whereas Common Fate creates native IAM bindings on GCP projects, allowing both console and CLI access. Common Fate syncs an inventory of all available GCP projects, so newly synced projects can be made available for access immediately if your policies permit it.

For Network Access

Common Fate includes a protocol-aware proxy, similar to products like Teleport. The proxy supports AWS RDS and AWS EKS, and allows SQL statements and kubectl exec sessions to be logged for auditing purposes. All proxy-based access requests are fully integrated with just-in-time access requests.

Common Fate does not support SSH proxying, whereas Teleport does. Common Fate’s approach is to use cloud-native alternatives such as EC2 Instance Connect or AWS SSM Session Manager, rather than exposing SSH access to the internet.

For Database Access

Both services log SQL-level commands for database sessions. Under the hood, Common Fate uses AWS SSM Session Manager for tunneling, whereas Teleport uses a certificate-based protocol. Common Fate’s RDS integration currently supports Postgres and MySQL, whereas Teleport supports other databases as well, such as Microsoft SQL and Oracle.

For Data Warehouse Access

Common Fate allows just-in-time access to be requested to BigQuery datasets and tables, whereas Teleport does not have this capability.

For Identity Provider Group Access

Common Fate allows users to request temporary access to groups in your identity provider, such as Entra, Okta, or IAM Identity Center groups. This can be used to protect access to SaaS applications and internal tools. Teleport does not have this capability.

Pricing & Deployment Options

Deployment

Both Common Fate and Teleport offer flexible deployment options, but their approaches differ in complexity and infrastructure requirements. This difference in implementation complexity can significantly impact both time-to-value and ongoing maintenance requirements for teams adopting either solution.

Common Fate’s SaaS option and Bring Your Own Cloud (BYOC) option have deep integration with existing cloud services, which means minimal infrastructure overhead for teams getting started. In contrast, Teleport's deployment options include both self-hosted enterprise and cloud-hosted SaaS platforms, but require more dedicated infrastructure and a more complex initial setup process.

Core Differentiators

Common Fate

  • Cloud-native focus with integration into major cloud providers
  • Emphasis on temporary, just-in-time access to reduce standing access security risks
  • Direct integration with existing cloud identity systems
  • Streamlined developer experience and quick time-to-value

Teleport

  • Extensive protocol-level access control
  • Strong support for traditional infrastructure and edge devices
  • Certificate-based authentication system
  • Extensive customization options for enterprise environments

Making a Choice

Common Fate stands out for cloud-first organizations, particularly those using AWS or GCP, offering seamless integration with existing cloud identity providers and native access. Its focus on just-in-time access and integration with cloud services makes it the clear choice for teams wanting to reduce standing privileges while maintaining developer productivity, especially for teams already using or planning to use AWS IAM Identity Center.

While Teleport provides protocol-level access control suitable for traditional or on-premises infrastructure and offers a wide range of supported protocols and services, it comes with both increased complexity and an enterprise price tag.

Links

https://docs.commonfate.io/introduction

https://goteleport.com/how-it-works/

Rowan Udell
IAM Expert