# tctl Reference

This guide provides a comprehensive list of commands, arguments, and flags for tctl.

`tctl` is a CLI tool that allows a cluster administrator to manage all resources in a cluster, including nodes, users, tokens, certificates, and devices.

`tctl` can also be used to modify the dynamic configuration of the cluster, such as creating new user roles or connecting to trusted clusters.

For a conceptual overview of `tctl`, see [Getting Started with `tctl`](https://goteleport.com/docs/zero-trust-access/infrastructure-as-code/using-tctl.md).

```
$ tctl [<flags>] <command> [<args> ...]
```

Global flags:

| Flag                 | Default | Description                                                                                                                                                                                     |
| -------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--auth-server`      | none    | Attempts to connect to specific auth/proxy address(es) instead of local auth \[127.0.0.1:3025]                                                                                                  |
| `-c`, `--config`     | none    | Path to a configuration file \[/etc/teleport.yaml] for an Auth Service instance. Can also be set via the TELEPORT\_CONFIG\_FILE environment variable. Ignored if the auth\_service is disabled. |
| `-d`, `--[no-]debug` | `false` | Enable verbose logging to stderr                                                                                                                                                                |
| `-i`, `--identity`   | none    | Path to an identity file. Must be provided to make remote connections to auth. An identity file can be exported with 'tctl auth sign'                                                           |
| `--[no-]insecure`    | `false` | When specifying a proxy address in --auth-server, do not verify its TLS certificate. Danger: any data you send can be intercepted or modified by an attacker.                                   |

Global environment variables:

| Variable                 | Default | Description                                                                                                                           |
| ------------------------ | ------- | ------------------------------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER`   | none    | Attempts to connect to specific auth/proxy address(es) instead of local auth \[127.0.0.1:3025]                                        |
| `TELEPORT_IDENTITY_FILE` | none    | Path to an identity file. Must be provided to make remote connections to auth. An identity file can be exported with 'tctl auth sign' |

## tctl acl get

Get detailed information for an Access List.

Usage:

```
$ tctl acl get [<flags>] <access-list-name>
```

Flags:

| Flag       | Default | Description                              |
| ---------- | ------- | ---------------------------------------- |
| `--format` | `yaml`  | Output format, 'yaml', 'json', or 'text' |

Arguments:

| Argument         | Default         | Description           |
| ---------------- | --------------- | --------------------- |
| access-list-name | none (required) | The Access List name. |

## tctl acl ls

List cluster Access Lists.

Usage:

```
$ tctl acl ls [<flags>]
```

Flags:

| Flag                 | Default | Description                                                                        |
| -------------------- | ------- | ---------------------------------------------------------------------------------- |
| `--format`           | `yaml`  | Output format, 'yaml', 'json', or 'text'                                           |
| `--[no-]review-only` | `false` | List only access lists that are due for review within the next 2 weeks or past due |

## tctl acl reviews create

Submit a new review for a given access list.

Usage:

```
$ tctl acl reviews create [<flags>] <access-list-name>
```

Flags:

| Flag               | Default | Description                                                       |
| ------------------ | ------- | ----------------------------------------------------------------- |
| `--notes`          | none    | Optional review notes.                                            |
| `--remove-members` | none    | Comma-separated list of members to remove as part of this review. |

Arguments:

| Argument         | Default         | Description                                |
| ---------------- | --------------- | ------------------------------------------ |
| access-list-name | none (required) | The access list name to submit review for. |

## tctl acl reviews ls

List past audit history for a given access list.

Usage:

```
$ tctl acl reviews ls [<flags>] <access-list-name>
```

Flags:

| Flag       | Default | Description                             |
| ---------- | ------- | --------------------------------------- |
| `--format` | `text`  | Output format, 'yaml', 'json', or 'text' |

Arguments:

| Argument         | Default         | Description                                       |
| ---------------- | --------------- | ------------------------------------------------- |
| access-list-name | none (required) | The access list name to fetch review history for. |

## tctl acl users add

Add a user to an Access List.

Usage:

```
$ tctl acl users add [<flags>] <access-list-name> <user> [<expires>] [<reason>]
```

Flags:

| Flag     | Default | Description                               |
| -------- | ------- | ----------------------------------------- |
| `--kind` | `user`  | Access list member kind, 'user' or 'list' |

Arguments:

| Argument         | Default         | Description                                                                                              |
| ---------------- | --------------- | -------------------------------------------------------------------------------------------------------- |
| access-list-name | none (required) | The Access List name.                                                                                    |
| user             | none (required) | The user to add to the Access List.                                                                      |
| expires          | none (optional) | When the user's access expires (must be in RFC3339). Defaults to the expiration time of the Access List. |
| reason           | none (optional) | The reason the user has been added to the Access List. Defaults to empty.                                |

## tctl acl users ls

List users that are members of an Access List.

Usage:

```
$ tctl acl users ls [<flags>] <access-list-name>
```

Flags:

| Flag       | Default | Description                     |
| ---------- | ------- | ------------------------------- |
| `--format` | `text`  | Output format, 'json' or 'text' |

Arguments:

| Argument         | Default         | Description           |
| ---------------- | --------------- | --------------------- |
| access-list-name | none (required) | The Access List name. |

## tctl acl users rm

Remove a user from an Access List.

Usage:

```
$ tctl acl users rm <access-list-name> <user>
```

Arguments:

| Argument         | Default         | Description                              |
| ---------------- | --------------- | ---------------------------------------- |
| access-list-name | none (required) | The Access List name.                    |
| user             | none (required) | The user to remove from the Access List. |

## tctl alerts ack

Acknowledge cluster alerts.

Usage:

```
$ tctl alerts ack [<flags>] <id>
```

Flags:

| Flag           | Default | Description                                         |
| -------------- | ------- | --------------------------------------------------- |
| `--format`     | `text`  | Output format, 'text', 'json', or 'yaml'            |
| `--[no-]clear` | `false` | Clear the acknowledgment for the cluster alert.     |
| `--reason`     | none    | The reason for acknowledging the cluster alert.     |
| `--ttl`        | none    | Time duration to acknowledge the cluster alert for. |

Arguments:

| Argument | Default         | Description           |
| -------- | --------------- | --------------------- |
| id       | none (required) | The cluster alert ID. |

## tctl alerts ack ls

List acknowledged cluster alerts.

Usage:

```
$ tctl alerts ack ls
```

## tctl alerts create

Create cluster alerts.

Usage:

```
$ tctl alerts create [<flags>] <message>
```

Flags:

| Flag         | Default | Description                                                                  |
| ------------ | ------- | ---------------------------------------------------------------------------- |
| `--labels`   | none    | List of labels to attach to the alert. For example: key1=value1,key2=value2. |
| `--severity` | `low`   | Severity of the alert (low, medium, or high).                                |
| `--ttl`      | none    | Time duration after which the alert expires (default 24h).                   |

Arguments:

| Argument | Default         | Description         |
| -------- | --------------- | ------------------- |
| message  | none (required) | Alert body message. |

## tctl alerts delete

Deletes a cluster alert.

Usage:

```
$ tctl alerts delete <id>
```

Arguments:

| Argument | Default         | Description           |
| -------- | --------------- | --------------------- |
| id       | none (required) | The cluster alert ID. |

## tctl alerts list

List cluster alerts.

Usage:

```
$ tctl alerts list [<flags>]
```

Flags:

| Flag                   | Default | Description                                                                       |
| ---------------------- | ------- | --------------------------------------------------------------------------------- |
| `--format`             | `text`  | Output format, 'text', 'json', or 'yaml'                                          |
| `--labels`             | none    | Comma-separated list of labels to filter by (e.g. key1=value1,key2=value2)         |
| `-v`, `--[no-]verbose` | `false` | Show detailed alert info, including acknowledged alerts.                          |

## tctl apps ls

List all applications registered with the cluster.

Usage:

```
$ tctl apps ls [<flags>] [<labels>]
```

Flags:

| Flag                   | Default | Description                                                                                                                                                      |
| ---------------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--format`             | `text`  | Output format, 'text', 'json', or 'yaml'                                                                                                                         |
| `--query`              | none    | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels\["key1"] == "value1" && labels\["key2"] != "value2"') |
| `--search`             | none    | Comma-separated list of search keywords or phrases enclosed in quotation marks (e.g. --search=foo,bar,"some phrase")                                             |
| `-v`, `--[no-]verbose` | `false` | Verbose table output, shows full label output                                                                                                                    |

Arguments:

| Argument | Default         | Description                                                                       |
| -------- | --------------- | --------------------------------------------------------------------------------- |
| labels   | none (optional) | Comma-separated list of labels to filter by (e.g. key1=value1,key2=value2)        |

## tctl audit query create

Create an audit query.

Usage:

```
$ tctl audit query create [<flags>] [<query>]
```

Flags:

| Flag     | Default | Description      |
| -------- | ------- | ---------------- |
| `--name` | none    | Audit query name |

Arguments:

| Argument | Default         | Description |
| -------- | --------------- | ----------- |
| query    | none (optional) | SQL Query   |

## tctl audit query exec

Execute audit query.

Usage:

```
$ tctl audit query exec [<query>]
```

Arguments:

| Argument | Default         | Description |
| -------- | --------------- | ----------- |
| query    | none (optional) | SQL Query   |

## tctl audit query get

Get audit query.

Usage:

```
$ tctl audit query get <name>
```

Arguments:

| Argument | Default         | Description             |
| -------- | --------------- | ----------------------- |
| name     | none (required) | Name of the audit query |

## tctl audit query ls

List audit queries.

Usage:

```
$ tctl audit query ls
```

## tctl audit query rm

Remove audit query.

Usage:

```
$ tctl audit query rm <name>
```

Arguments:

| Argument | Default         | Description             |
| -------- | --------------- | ----------------------- |
| name     | none (required) | Name of the audit query |

## tctl audit report get

Get security report.

Usage:

```
$ tctl audit report get <name>
```

Arguments:

| Argument | Default         | Description   |
| -------- | --------------- | ------------- |
| name     | none (required) | Security report name |

## tctl audit report ls

List security reports.

Usage:

```
$ tctl audit report ls
```

## tctl audit report run

Run the security report.

Usage:

```
$ tctl audit report run <name>
```

Arguments:

| Argument | Default         | Description          |
| -------- | --------------- | -------------------- |
| name     | none (required) | Security report name |

## tctl audit report state

Print the state of the security report.

Usage:

```
$ tctl audit report state <name>
```

Arguments:

| Argument | Default         | Description          |
| -------- | --------------- | -------------------- |
| name     | none (required) | Security report name |

## tctl audit schema

Print audit query schema.

Usage:

```
$ tctl audit schema
```

## tctl auth crl

Export empty certificate revocation list (CRL) for Teleport certificate authorities.

Usage:

```
$ tctl auth crl --type=TYPE [<flags>]
```

Flags:

| Flag     | Default | Description                                                                  |
| -------- | ------- | ---------------------------------------------------------------------------- |
| `--out`  | none    | If set, writes exported revocation lists to files with the given path prefix |
| `--type` | none    | Certificate authority type, one of: host, db, db\_client, user               |

## tctl auth export

Export public cluster CA certificates to stdout.

Usage:

```
$ tctl auth export [<flags>]
```

Flags:

| Flag            | Default | Description                                                                                                                                                         |
| --------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--compat`      | none    | Export certificates compatible with a specific version of Teleport                                                                                                  |
| `--fingerprint` | none    | Filter authorities by fingerprint                                                                                                                                   |
| `--integration` | none    | Name of the integration. Only applies to "github" CAs.                                                                                                              |
| `--[no-]keys`   | `false` | If set, also print private keys                                                                                                                                     |
| `--out`         | none    | If set, writes exported authorities to files with the given path prefix                                                                                             |
| `--type`        | none    | Type of certificate to export (user, host, tls-host, tls-user, tls-user-der, tls-spiffe, windows, db, db-der, db-client, db-client-der, openssh, saml-idp, github, awsra) |

## tctl auth ls

List connected auth servers.

Usage:

```
$ tctl auth ls [<flags>]
```

Flags:

| Flag       | Default | Description                             |
| ---------- | ------- | --------------------------------------- |
| `--format` | `yaml`  | Output format: 'yaml', 'json' or 'text' |

## tctl auth rotate

Rotate certificate authorities in the cluster. Starts in interactive mode by default; provide --type to manually send rotation requests.

Usage:

```
$ tctl auth rotate [<flags>]
```

Flags:

| Flag                 | Default   | Description                                                                                                                                           |
| -------------------- | --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--grace-period`     | `30h0m0s` | Grace period during which the previous certificate authorities' signatures remain valid. If set to 0, users are forced to re-login and nodes to re-register.       |
| `--[no-]interactive` | `false`   | Enable interactive mode                                                                                                                               |
| `--[no-]manual`      | `false`   | Activate manual rotation, set rotation phases manually                                                                                                |
| `--phase`            | none      | Target rotation phase to set, used in manual rotation, one of: init, standby, update\_clients, update\_servers, rollback                              |
| `--type`             | none      | Certificate authority to rotate, one of: host, windows, user, db, db\_client, openssh, jwt, saml\_idp, oidc\_idp, spiffe, okta, awsra, bound\_keypair |

## tctl auth sign

Create identity file(s) for a given user.

Usage:

```
$ tctl auth sign --out=OUT [<flags>]
```

Flags:

| Flag                   | Default   | Description                                                                                                                                                          |
| ---------------------- | --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--app-name`           | none      | Application to generate identity file for. Mutually exclusive with "--db-service".                                                                                   |
| `--compat`             | none      | OpenSSH compatibility flag                                                                                                                                           |
| `--db-name`            | none      | Database name placed on the identity file. Only used when "--db-service" is set.                                                                                     |
| `--db-service`         | none      | Database to generate identity file for. Mutually exclusive with "--app-name".                                                                                        |
| `--db-user`            | none      | Database user placed on the identity file. Only used when "--db-service" is set.                                                                                     |
| `--format`             | `file`    | Identity format: file, openssh, tls, kubernetes, db, windows, mongodb, cockroachdb, redis, snowflake, elasticsearch, cassandra, scylla, oracle. file is the default. |
| `--host`               | none      | Teleport host name                                                                                                                                                   |
| `--kube-cluster-name`  | none      | Kubernetes cluster to generate identity file for when --format is set to "kubernetes"                                                                                |
| `--leaf-cluster`       | none      | Leaf cluster to generate identity file for when --format is set to "kubernetes"                                                                                      |
| `--[no-]omit-cdp`      | `false`   | Omit CRL Distribution Points from the cert. Only used when --format is set to "windows"                                                                              |
| `--[no-]overwrite`     | `false`   | Whether to overwrite existing destination files. When not set, user will be prompted before overwriting any existing file.                                           |
| `--[no-]tar`           | `false`   | Create a tarball of the resulting certificates and stream to stdout.                                                                                                 |
| `-o`, `--out`          | none      | Identity output                                                                                                                                                      |
| `--proxy`              | none      | Address of the Teleport proxy. When --format is set to "kubernetes", this address will be set as cluster address in the generated kubeconfig file                    |
| `--ttl`                | `12h0m0s` | TTL (time to live) for the generated certificate.                                                                                                                    |
| `--user`               | none      | Teleport user name                                                                                                                                                   |
| `--windows-domain`     | none      | Active Directory domain for which this cert is valid. Only used when --format is set to "windows"                                                                    |
| `--windows-pki-domain` | none      | Active Directory domain where CRLs will be located. Only used when --format is set to "windows"                                                                      |
| `--windows-sid`        | none      | Optional Security Identifier to embed in the certificate. Only used when --format is set to "windows"                                                                |
| `--windows-user`       | none      | Windows user placed on the identity file. Only used when --format is set to "windows"                                                                                |

## tctl autoupdate agents mark-done

Marks one or many groups as done updating.

Usage:

```
$ tctl autoupdate agents mark-done [<groups>...]
```

Arguments:

| Argument | Default         | Description                      |
| -------- | --------------- | -------------------------------- |
| groups   | none (optional) | Groups to mark as done updating. |

## tctl autoupdate agents report

Aggregates the agent autoupdate reports and displays agent count per version and per update group.

Usage:

```
$ tctl autoupdate agents report
```

## tctl autoupdate agents rollback

Rolls back one or many groups.

Usage:

```
$ tctl autoupdate agents rollback [<groups>...]
```

Arguments:

| Argument | Default         | Description                                                                 |
| -------- | --------------- | --------------------------------------------------------------------------- |
| groups   | none (optional) | Groups to roll back. When empty, every group already started is rolled back. |

## tctl autoupdate agents start-update

Starts updating one or many groups.

Usage:

```
$ tctl autoupdate agents start-update [<flags>] [<groups>...]
```

Flags:

| Flag           | Default | Description                                                              |
| -------------- | ------- | ------------------------------------------------------------------------ |
| `--[no-]force` | `false` | Skips progressive deployment mechanism such as canaries or backpressure. |

Arguments:

| Argument | Default         | Description               |
| -------- | --------------- | ------------------------- |
| groups   | none (optional) | Groups to start updating. |

## tctl autoupdate agents status

Prints the agent auto update status.

Usage:

```
$ tctl autoupdate agents status
```

## tctl autoupdate client-tools disable

Disables client tools auto updates. Clients will not be told to update to the target version.

Usage:

```
$ tctl autoupdate client-tools disable
```

## tctl autoupdate client-tools enable

Enables client tools auto updates. Clients will be told to update to the target version.

Usage:

```
$ tctl autoupdate client-tools enable
```

## tctl autoupdate client-tools status

Prints whether client tools auto updates are enabled or disabled, and the target version, in the specified format.

Usage:

```
$ tctl autoupdate client-tools status [<flags>]
```

Flags:

| Flag       | Default | Description                                                                                                               |
| ---------- | ------- | ------------------------------------------------------------------------------------------------------------------------- |
| `--format` | `yaml`  | Output format: 'yaml' or 'json'                                                                                           |
| `--proxy`  | none    | Address of the Teleport proxy. When defined this address will be used to retrieve client tools auto update configuration. |

## tctl autoupdate client-tools target

Sets the client tools target version. This command is not supported on Teleport Cloud.

Usage:

```
$ tctl autoupdate client-tools target [<flags>] [<version>]
```

Flags:

| Flag           | Default | Description                                                                     |
| -------------- | ------- | ------------------------------------------------------------------------------- |
| `--[no-]clear` | `false` | Removes the target version; Teleport will default to its current proxy version. |

Arguments:

| Argument | Default         | Description                                                                  |
| -------- | --------------- | ---------------------------------------------------------------------------- |
| version  | none (optional) | Client tools target version. Clients will be told to update to this version. |

## tctl bots add

Add a new bot to the cluster.

Usage:

```
$ tctl bots add [<flags>] <name>
```

Flags:

| Flag                    | Default    | Description                                                                                                                                                                              |
| ----------------------- | ---------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--format`              | `text`     | Output format, one of: text, json                                                                                                                                                        |
| `--initial-public-key`  | none       | If set, use the given initial public key in SSH authorized\_keys format, instead of generating a registration secret. The value must be quoted. Not compatible with --token or --legacy. |
| `--logins`              | none       | List of allowed SSH logins for the bot user                                                                                                                                              |
| `--max-session-ttl`     | none       | Set a max session TTL for the bot's internal identity. 12h default, 168h maximum.                                                                                                        |
| `--[no-]legacy`         | `false`    | If set, generate a legacy joining token instead of a bound keypair token. No effect if --token is set.                                                                                   |
| `--recovery-limit`      | none       | Overrides the recovery limit (default: 1) for the bound keypair token. No effect if --token or --legacy is set, or if --recovery-mode is not standard. Must be greater than 1.           |
| `--recovery-mode`       | `standard` | If set, overrides the recovery mode for the bound keypair token. No effect if --token or --legacy is set.                                                                                |
| `--registration-secret` | none       | Sets a registration secret for the bound keypair token. If not set, one will be randomly generated. No effect if --initial-public-key, --token, or --legacy is set.                      |
| `--roles`               | none       | Roles the bot is able to assume.                                                                                                                                                         |
| `--token`               | none       | The token to use, if any. If unset, a new single-use token will be created.                                                                                                              |
| `--ttl`                 | `1h0m0s`   | TTL for the bot join token. For standard bound keypair tokens, this sets must\_register\_before; for legacy tokens, this sets the resource TTL.                                          |

Arguments:

| Argument | Default         | Description                                          |
| -------- | --------------- | ---------------------------------------------------- |
| name     | none (required) | A name to uniquely identify this bot in the cluster. |

## tctl bots instances add

Join a new instance onto an existing bot.

Usage:

```
$ tctl bots instances add [<flags>] <name>
```

Flags:

| Flag                    | Default    | Description                                                                                                                                                                              |
| ----------------------- | ---------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--format`              | `text`     | Output format, one of: text, json                                                                                                                                                        |
| `--initial-public-key`  | none       | If set, use the given initial public key in SSH authorized\_keys format, instead of generating a registration secret. The value must be quoted. Not compatible with --token or --legacy. |
| `--[no-]legacy`         | `false`    | If set, generate a legacy joining token instead of a bound keypair token. No effect if --token is set.                                                                                   |
| `--recovery-limit`      | none       | Overrides the recovery limit (default: 1) for the bound keypair token. No effect if --token or --legacy is set, or if --recovery-mode is not standard. Must be greater than 1.           |
| `--recovery-mode`       | `standard` | If set, overrides the recovery mode for the bound keypair token. No effect if --token or --legacy is set.                                                                                |
| `--registration-secret` | none       | Sets a registration secret for the bound keypair token. If not set, one will be randomly generated. No effect if --initial-public-key, --token, or --legacy is set.                      |
| `--token`               | none       | The token to use, if any. If unset, a new single-use token will be created.                                                                                                              |
| `--ttl`                 | `1h0m0s`   | TTL for the bot join token. For standard bound keypair tokens, this sets must\_register\_before; for legacy tokens, this sets the resource TTL.                                          |

Arguments:

| Argument | Default         | Description                                                   |
| -------- | --------------- | ------------------------------------------------------------- |
| name     | none (required) | The name of the existing bot for which to add a new instance. |

## tctl bots instances list

List bot instances.

Usage:

```
$ tctl bots instances list [<flags>] [<name>]
```

Flags:

| Flag           | Default     | Description                                                                                      |
| -------------- | ----------- | ------------------------------------------------------------------------------------------------ |
| `--format`     | `text`      | Output format, 'text' or 'json'                                                                  |
| `--query`      | none        | An expression in the Teleport predicate language used to filter bot instances                    |
| `--search`     | none        | Fuzzy search query used to filter bot instances                                                  |
| `--sort-index` | `bot_name`  | Request sort index, 'bot\_name', 'active\_at\_latest', 'version\_latest' or 'host\_name\_latest' |
| `--sort-order` | `ascending` | Request sort order, 'ascending' or 'descending'                                                  |

Arguments:

| Argument | Default         | Description                                                                                |
| -------- | --------------- | ------------------------------------------------------------------------------------------ |
| name     | none (optional) | The name of the bot from which to list instances. If unset, lists instances from all bots. |

## tctl bots instances show

Shows information about a specific bot instance.

Usage:

```
$ tctl bots instances show <id>
```

Arguments:

| Argument | Default         | Description                                                         |
| -------- | --------------- | ------------------------------------------------------------------- |
| id       | none (required) | The full ID of the bot instance, in the form of \[bot name]/\[uuid] |

## tctl bots ls

List all certificate renewal bots registered with the cluster.

Usage:

```
$ tctl bots ls
```

## tctl bots rm

Permanently remove a certificate renewal bot from the cluster.

Usage:

```
$ tctl bots rm <name>
```

Arguments:

| Argument | Default         | Description                        |
| -------- | --------------- | ---------------------------------- |
| name     | none (required) | Name of an existing bot to remove. |

## tctl bots update

Update an existing bot.

Usage:

```
$ tctl bots update [<flags>] <name>
```

Flags:

| Flag                    | Default | Description                                                                             |
| ----------------------- | ------- | --------------------------------------------------------------------------------------- |
| `--add-logins`          | none    | Adds a comma-separated list of logins to an existing bot.                               |
| `--add-roles`           | none    | Adds a comma-separated list of roles to an existing bot.                                |
| `--set-logins`          | none    | Sets the bot's logins to the given comma-separated list, replacing any existing logins. |
| `--set-max-session-ttl` | none    | Sets the max session TTL. 168h maximum.                                                 |
| `--set-roles`           | none    | Sets the bot's roles to the given comma-separated list, replacing any existing roles.   |

Arguments:

| Argument | Default         | Description                        |
| -------- | --------------- | ---------------------------------- |
| name     | none (required) | Name of an existing bot to update. |

## tctl bound-keypair request-rotation

Request a keypair rotation on the next join attempt.

Usage:

```
$ tctl bound-keypair request-rotation <name>
```

Arguments:

| Argument | Default         | Description           |
| -------- | --------------- | --------------------- |
| name     | none (required) | The name of the token |

## tctl create

Create or update a Teleport resource from a YAML file.

Usage:

```
$ tctl create [<flags>] [<filename>]
```

Flags:

| Flag                 | Default | Description                              |
| -------------------- | ------- | ---------------------------------------- |
| `-f`, `--[no-]force` | `false` | Overwrite the resource if it already exists |

Arguments:

| Argument | Default         | Description                               |
| -------- | --------------- | ----------------------------------------- |
| filename | none (optional) | resource definition file, empty for stdin |

## tctl db ls

List all databases registered with the cluster.

Usage:

```
$ tctl db ls [<flags>] [<labels>]
```

Flags:

| Flag                   | Default | Description                                                                                                                                                      |
| ---------------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--format`             | `text`  | Output format, 'text', 'json', or 'yaml'                                                                                                                         |
| `--query`              | none    | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels\["key1"] == "value1" && labels\["key2"] != "value2"') |
| `--search`             | none    | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase")                                                  |
| `-v`, `--[no-]verbose` | `false` | Verbose table output, shows full label output                                                                                                                    |

Arguments:

| Argument | Default         | Description                                                                       |
| -------- | --------------- | --------------------------------------------------------------------------------- |
| labels   | none (optional) | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2) |

## tctl desktop bootstrap

Generate a PowerShell script to bootstrap Active Directory.

Usage:

```
$ tctl desktop bootstrap
```

## tctl desktop ls

List all desktops registered with the cluster.

Usage:

```
$ tctl desktop ls [<flags>]
```

Flags:

| Flag                   | Default | Description                                   |
| ---------------------- | ------- | --------------------------------------------- |
| `--format`             | `text`  | Output format, 'text', 'json' or 'yaml'       |
| `-v`, `--[no-]verbose` | `false` | Verbose table output, shows full label output |

## tctl devices add

Register managed devices.

Usage:

```
$ tctl devices add [<flags>]
```

Flags:

| Flag                    | Default | Description                                                   |
| ----------------------- | ------- | ------------------------------------------------------------- |
| `--asset-tag`           | none    | Inventory identifier for the device (e.g., Mac serial number) |
| `--enroll-ttl`          | none    | Time duration for the enrollment token                        |
| `--format`              | `text`  | Output format, 'text', 'json', or 'yaml'                      |
| `--[no-]current-device` | `false` | Registers the current device. Overrides --os and --asset-tag. |
| `--[no-]enroll`         | `false` | If set, creates a device enrollment token                     |
| `--os`                  | none    | Operating system                                              |

## tctl devices enroll

Creates a new device enrollment token.

Usage:

```
$ tctl devices enroll [<flags>]
```

Flags:

| Flag                    | Default | Description                                                        |
| ----------------------- | ------- | ------------------------------------------------------------------ |
| `--asset-tag`           | none    | Inventory identifier for the device                                |
| `--device-id`           | none    | Device identifier                                                  |
| `--[no-]current-device` | `false` | Enrolls the current device. Overrides --device-id and --asset-tag. |
| `--ttl`                 | none    | Time duration for the enrollment token                             |

## tctl devices lock

Locks a device.

Usage:

```
$ tctl devices lock [<flags>]
```

Flags:

| Flag                    | Default | Description                                                      |
| ----------------------- | ------- | ---------------------------------------------------------------- |
| `--asset-tag`           | none    | Inventory identifier for the device                              |
| `--device-id`           | none    | Device identifier                                                |
| `--expires`             | none    | Time point (RFC3339) when the lock expires                       |
| `--message`             | none    | Message to display to locked-out users                           |
| `--[no-]current-device` | `false` | Locks the current device. Overrides --device-id and --asset-tag. |
| `--ttl`                 | none    | Time duration after which the lock expires                       |

## tctl devices ls

Lists managed devices.

Usage:

```
$ tctl devices ls [<flags>]
```

Flags:

| Flag       | Default | Description                              |
| ---------- | ------- | ---------------------------------------- |
| `--format` | `text`  | Output format, 'text', 'json', or 'yaml' |

## tctl devices rm

Removes a managed device.

Usage:

```
$ tctl devices rm [<flags>]
```

Flags:

| Flag                    | Default | Description                                                        |
| ----------------------- | ------- | ------------------------------------------------------------------ |
| `--asset-tag`           | none    | Inventory identifier for the device                                |
| `--device-id`           | none    | Device identifier                                                  |
| `--[no-]current-device` | `false` | Removes the current device. Overrides --device-id and --asset-tag. |

## tctl edit

Edit a Teleport resource.

Usage:

```
$ tctl edit [<resource type/resource name>]
```

Arguments:

| Argument                    | Default         | Description                             |
| --------------------------- | --------------- | --------------------------------------- |
| resource type/resource name | none (optional) | Resource to update, e.g., "user/myuser" |

## tctl get

Print a YAML declaration of various Teleport resources.

Usage:

```
$ tctl get [<flags>] <resources>
```

Flags:

| Flag                   | Default | Description                                                                  |
| ---------------------- | ------- | ---------------------------------------------------------------------------- |
| `--format`             | `yaml`  | Output format: 'yaml', 'json' or 'text'                                      |
| `--[no-]with-secrets`  | `false` | Include secrets in resources like certificate authorities or OIDC connectors |
| `-v`, `--[no-]verbose` | `false` | Verbose table output, shows full label output                                |

Arguments:

| Argument  | Default         | Description                                   |
| --------- | --------------- | --------------------------------------------- |
| resources | none (required) | Resource spec: 'type/\[name]\[,...]' or 'all' |

## tctl help

Show help.

Usage:

```
$ tctl help [<command>...]
```

Arguments:

| Argument | Default         | Description           |
| -------- | --------------- | --------------------- |
| command  | none (optional) | Show help on command. |

## tctl idp saml test-attribute-mapping

Test expression evaluation of attribute mapping.

Usage:

```
$ tctl idp saml test-attribute-mapping --users=USERS --sp=SP [<flags>]
```

Flags:

| Flag            | Default | Description                                     |
| --------------- | ------- | ----------------------------------------------- |
| `--format`      | none    | output format, 'yaml' or 'json'                 |
| `--sp`          | none    | name of a file containing service provider spec |
| `-u`, `--users` | none    | username or name of a file containing user spec |

## tctl inventory list

List Teleport instance inventory.

Usage:

```
$ tctl inventory list [<flags>]
```

Flags:

| Flag              | Default | Description                                    |
| ----------------- | ------- | ---------------------------------------------- |
| `--exact-version` | none    | Filter output by teleport version              |
| `--format`        | `text`  | Output format, 'text' or 'json'                |
| `--newer-than`    | none    | Filter for newer teleport versions             |
| `--older-than`    | none    | Filter for older teleport versions             |
| `--services`      | none    | Filter output by service (node,kube,proxy,etc) |
| `--update-group`  | none    | Filter output by update group                  |
| `--upgrader`      | none    | Filter output by upgrader (kube,unit,none)     |

## tctl inventory ping

Ping locally connected instance.

Usage:

```
$ tctl inventory ping <server-id>
```

Arguments:

| Argument  | Default         | Description         |
| --------- | --------------- | ------------------- |
| server-id | none (required) | ID of target server |

## tctl inventory status

Show inventory status summary.

Usage:

```
$ tctl inventory status [<flags>]
```

Flags:

| Flag               | Default | Description                              |
| ------------------ | ------- | ---------------------------------------- |
| `--format`         | `text`  | Output format, 'text' or 'json'          |
| `--[no-]connected` | `false` | Show locally connected instances summary |

## tctl kube ls

List all Kubernetes clusters registered with the cluster.

Usage:

```
$ tctl kube ls [<flags>] [<labels>]
```

Flags:

| Flag                   | Default | Description                                                                                                                                                      |
| ---------------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--format`             | `text`  | Output format, 'text', 'json', or 'yaml'                                                                                                                         |
| `--query`              | none    | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels\["key1"] == "value1" && labels\["key2"] != "value2"') |
| `--search`             | none    | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase")                                                  |
| `-v`, `--[no-]verbose` | `false` | Verbose table output, shows full label output                                                                                                                    |

Arguments:

| Argument | Default         | Description                                                                       |
| -------- | --------------- | --------------------------------------------------------------------------------- |
| labels   | none (optional) | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2) |

## tctl list-kinds

Lists all resource kinds supported by this tctl version.

Usage:

```
$ tctl list-kinds [<flags>]
```

Flags:

| Flag          | Default | Description                                                               |
| ------------- | ------- | ------------------------------------------------------------------------- |
| `--[no-]wide` | `false` | Do not truncate the Description column, even if it exceeds terminal width |

## tctl lock

Create a new lock.

Usage:

```
$ tctl lock [<flags>]
```

Flags:

| Flag                | Default | Description                                 |
| ------------------- | ------- | ------------------------------------------- |
| `--access-request`  | none    | UUID of an Access Request to disable.       |
| `--bot-instance-id` | none    | UUID of a bot instance to disable           |
| `--device`          | none    | UUID of a trusted device to disable.        |
| `--expires`         | none    | Time point (RFC3339) when the lock expires. |
| `--join-token`      | none    | Bot join token name to disable              |
| `--login`           | none    | Name of a local UNIX user to disable.       |
| `--message`         | none    | Message to display to locked-out users.     |
| `--mfa-device`      | none    | UUID of a user MFA device to disable.       |
| `--role`            | none    | Name of a Teleport role to disable.         |
| `--server-id`       | none    | UUID of a Teleport server to disable.       |
| `--ttl`             | none    | Time duration after which the lock expires. |
| `--user`            | none    | Name of a Teleport user to disable.         |
| `--windows-desktop` | none    | Name of a Windows desktop to disable.       |

## tctl login\_rule test

Test the parsing and evaluation of login rules.

Usage:

```
$ tctl login_rule test [<flags>] [<traits-file>]
```

Flags:

| Flag                       | Default | Description                                                   |
| -------------------------- | ------- | ------------------------------------------------------------- |
| `--format`                 | `yaml`  | Output format: 'yaml' or 'json'                               |
| `--[no-]load-from-cluster` | `false` | load existing login rules from the connected Teleport cluster |
| `--resource-file`          | none    | login rule resource file name (YAML or JSON)                  |

Arguments:

| Argument    | Default         | Description                                                 |
| ----------- | --------------- | ----------------------------------------------------------- |
| traits-file | none (optional) | input user traits file name (YAML or JSON), empty for stdin |

## tctl nodes add

Generate a node invitation token.

Usage:

```
$ tctl nodes add [<flags>]
```

Flags:

| Flag      | Default | Description                                                        |
| --------- | ------- | ------------------------------------------------------------------ |
| `--roles` | `node`  | Comma-separated list of roles for the new node to assume \[node]   |
| `--token` | none    | Override the default random generated token with a specified value |
| `--ttl`   | `30m0s` | Time to live for a generated token                                 |

## tctl nodes ls

List all active SSH nodes within the cluster.

Usage:

```
$ tctl nodes ls [<flags>] [<labels>]
```

Flags:

| Flag                   | Default | Description                                                                                                                                                      |
| ---------------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--format`             | `text`  | Output format, 'text' or 'yaml'                                                                                                                                  |
| `--query`              | none    | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels\["key1"] == "value1" && labels\["key2"] != "value2"') |
| `--search`             | none    | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase")                                                  |
| `-v`, `--[no-]verbose` | `false` | Verbose table output, shows full label output                                                                                                                    |

Arguments:

| Argument | Default         | Description                                                                       |
| -------- | --------------- | --------------------------------------------------------------------------------- |
| labels   | none (optional) | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2) |

## tctl notifications create

Create a cluster notification.

Usage:

```
$ tctl notifications create --title=TITLE --content=CONTENT [<flags>]
```

Flags:

| Flag                       | Default | Description                                                                                                                                                                  |
| -------------------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--content`                | none    | Set the notification's content.                                                                                                                                              |
| `--labels`                 | none    | List of labels to attach to the notification. For example: key1=value1,key2=value2.                                                                                          |
| `--[no-]require-all-roles` | `false` | Set whether this notification should target users who have all of the provided roles.                                                                                        |
| `--[no-]warning`           | `false` | Set whether this notification is a warning notification.                                                                                                                     |
| `--roles`                  | none    | Target a specific set of roles. By default, this will target all users with any of the provided roles; use --require-all-roles to exclusively target users with all of them. |
| `-t`, `--title`            | none    | Set the notification's title.                                                                                                                                                |
| `--ttl`                    | `30d`   | Time duration after which the notification expires (default 30 days).                                                                                                        |
| `--user`                   | none    | Target a specific user.                                                                                                                                                      |

## tctl notifications ls

List notifications which were manually created using `tctl notifications create`. By default, this will list notifications capable of targeting multiple users, such as role-based ones. To list notifications directed only at a specific user, use the --user flag. To include notifications generated by Teleport, use --all.

Usage:

```
$ tctl notifications ls [<flags>]
```

Flags:

| Flag         | Default | Description                                                                                                                                                    |
| ------------ | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--format`   | `text`  | Output format, 'yaml', 'json', or 'text'                                                                                                                       |
| `--labels`   | none    | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2)                                                                              |
| `--[no-]all` | `false` | Set whether all notifications should be included, including those generated by Teleport, as opposed to solely those created using `tctl notifications create`. |
| `--user`     | none    | Set which user to list user-specific notifications for, or leave empty to list your own.                                                                       |

## tctl notifications rm

Remove a cluster notification.

Usage:

```
$ tctl notifications rm [<flags>] <id>
```

Flags:

| Flag     | Default | Description                                             |
| -------- | ------- | ------------------------------------------------------- |
| `--user` | none    | The user the notification to remove belongs to, if any. |

Arguments:

| Argument | Default         | Description                           |
| -------- | --------------- | ------------------------------------- |
| id       | none (required) | The ID of the notification to remove. |

## tctl plugins cleanup

Cleans up the given plugin type.

Usage:

```
$ tctl plugins cleanup [<flags>] <type>
```

Flags:

| Flag             | Default | Description                                          |
| ---------------- | ------- | ---------------------------------------------------- |
| `--[no-]dry-run` | `true`  | Dry run the cleanup command. Dry run defaults to on. |

Arguments:

| Argument | Default         | Description                                                    |
| -------- | --------------- | -------------------------------------------------------------- |
| type     | none (required) | The type of plugin to clean up. Only supports Okta at present. |

## tctl plugins delete

Remove a plugin instance.

Usage:

```
$ tctl plugins delete [<name>]
```

Arguments:

| Argument | Default         | Description                                    |
| -------- | --------------- | ---------------------------------------------- |
| name     | none (optional) | The name of the SCIM plugin resource to delete |

## tctl plugins edit awsic

Edit an AWS IAM Identity Center integration's settings.

Usage:

```
$ tctl plugins edit awsic [<flags>]
```

Flags:

| Flag                | Default               | Description                                                                                                                                                                        |
| ------------------- | --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--plugin-name`     | `aws-identity-center` | Name of the AWS Identity Center integration instance to update. Defaults to aws-identity-center.                                                                                   |
| `--roles-sync-mode` | none                  | Control account-assignment role creation. ALL creates roles for all possible account assignments. NONE creates no roles, and also implies a totally-exclusive group import filter. |

## tctl plugins install awsic

Install an AWS IAM Identity Center integration.

Usage:

```
$ tctl plugins install awsic --access-list-default-owner=ACCESS-LIST-DEFAULT-OWNER --scim-url=SCIM-URL --scim-token=SCIM-TOKEN --instance-region=INSTANCE-REGION --instance-arn=INSTANCE-ARN [<flags>]
```

Flags:

| Flag                            | Default | Description                                                                                                                                                                                          |
| ------------------------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--access-list-default-owner`   | none    | Teleport user to set as default owner for the imported Access Lists. Multiple flags allowed.                                                                                                         |
| `--account-id`                  | none    | Add AWS Account to account import list by ID. All AWS accounts will be imported if no items are added to account import list.                                                                        |
| `--account-name`                | none    | Add AWS Account to account import list by name. Can be a glob, or enclosed in ^$ to specify a regular expression. All AWS accounts will be imported if no items are added to account import list.    |
| `--assume-role-arn`             | none    | ARN of a role that the system credential should assume.                                                                                                                                              |
| `--exclude-account-id`          | none    | Exclude AWS account from import list by ID.                                                                                                                                                          |
| `--exclude-account-name`        | none    | Exclude AWS account from import list by name. Can be a glob or a regular expression (enclosed in ^$).                                                                                                |
| `--exclude-group-name`          | none    | Exclude AWS group from import list by name. Can be a glob or a regular expression (enclosed in ^$).                                                                                                  |
| `--group-name`                  | none    | Add AWS group to group import list by name. Can be a glob, or enclosed in ^$ to specify a regular expression. If no filters are supplied then all AWS groups will be imported.                       |
| `--instance-arn`                | none    | AWS Identity center instance ARN                                                                                                                                                                     |
| `--instance-region`             | none    | AWS Identity Center instance region                                                                                                                                                                  |
| `--[no-]force-scim-url`         | `false` | Use the provided SCIM provisioning endpoint even if it fails SCIM endpoint validation                                                                                                                |
| `--[no-]use-system-credentials` | `true`  | Uses system credentials instead of OIDC.                                                                                                                                                             |
| `--oidc-integration`            | none    | Name of the Teleport OIDC integration to use when authenticating with AWS. Must be supplied when --no-use-system-credentials is set.                                                                 |
| `--roles-sync-mode`             | `ALL`   | Control account-assignment role creation. ALL creates Teleport Roles for all possible account assignments. NONE creates no Teleport Roles, and also implies a totally-exclusive group import filter. |
| `--scim-token`                  | none    | AWS Identity Center SCIM provisioning token.                                                                                                                                                         |
| `--scim-url`                    | none    | AWS Identity Center SCIM provisioning endpoint                                                                                                                                                       |
| `--user-label`                  | none    | Add user label filter, in the form of a comma-separated list of "name=value" pairs. If no label filters are supplied, all Teleport users will be provisioned to Identity Center                      |
| `--user-origin`                 | none    | Shorthand for "--user-label teleport.dev/origin=ORIGIN"                                                                                                                                              |

## tctl plugins install entraid

Install a Microsoft Entra ID integration.

Usage:

```
$ tctl plugins install entraid --default-owner=DEFAULT-OWNER [<flags>]
```

Flags:

| Flag                            | Default            | Description                                                                                           |
| ------------------------------- | ------------------ | ----------------------------------------------------------------------------------------------------- |
| `--access-list-owners-source`   | `plugin`           | Source of the Access List owners.                                                                     |
| `--auth-connector-name`         | `entra-id-default` | Name of the SAML connector resource to create                                                         |
| `--default-owner`               | none               | List of Teleport users that are default owners for the imported Access Lists. Multiple flags allowed. |
| `--exclude-group-id`            | none               | Exclude group matching the specified group ID.                                                        |
| `--exclude-group-name`          | none               | Exclude groups matching the specified group name regex.                                               |
| `-f`, `--[no-]force`            | `false`            | Proceed with installation even if plugin already exists.                                              |
| `--group-id`                    | none               | Include group matching the specified group ID.                                                        |
| `--group-name`                  | none               | Include groups matching the specified group name regex.                                               |
| `-m`, `--[no-]manual-setup`     | `false`            | Manually set up the Entra ID integration.                                                             |
| `--name`                        | `entra-id`         | Name of the plugin resource to create                                                                 |
| `--[no-]access-graph`           | `true`             | Enables Access Graph cache build.                                                                     |
| `--[no-]use-system-credentials` | `false`            | Uses system credentials instead of OIDC.                                                              |

## tctl plugins install github

Install an Access Graph Github integration.

Usage:

```
$ tctl plugins install github [<flags>]
```

Flags:

| Flag           | Default   | Description                                                   |
| -------------- | --------- | ------------------------------------------------------------- |
| `--start-date` | `<today>` | Start date for the audit log ingest in the YYYY-MM-DD format. |

## tctl plugins install netiq

Install an Access Graph NetIQ integration.

Usage:

```
$ tctl plugins install netiq [<flags>]
```

Flags:

| Flag                          | Default | Description                                              |
| ----------------------------- | ------- | -------------------------------------------------------- |
| `--[no-]insecure-skip-verify` | `false` | Skip verification of the NetIQ server's TLS certificate. As with the global `--insecure` flag, this leaves the connection open to interception. |

## tctl plugins install okta

Install an Okta integration.

Usage:

```
$ tctl plugins install okta --org=ORG --saml-connector=SAML-CONNECTOR [<flags>]
```

Flags:

| Flag                          | Default | Description                                                                                      |
| ----------------------------- | ------- | ------------------------------------------------------------------------------------------------ |
| `-a`, `--app-filter`          | none    | Add an app filter. Supports globbing by default. Enclose in `^pattern$` for full regex support.  |
| `--api-token`                 | none    | Okta API token for the plugin to use                                                             |
| `--app-id`                    | none    | Okta ID of the APP used for SSO via SAML                                                         |
| `-g`, `--group-filter`        | none    | Add a group filter. Supports globbing by default. Enclose in `^pattern$` for full regex support. |
| `--name`                      | `okta`  | Name of the plugin resource to create                                                            |
| `--[no-]accesslist-sync`      | `true`  | Enable group to Access List synchronization                                                      |
| `--[no-]appgroup-sync`        | `true`  | Enable Okta Applications and Groups sync                                                         |
| `--[no-]assign-default-roles` | `true`  | If user synchronization is enabled, assign the builtin okta-requester role to synchronized users |
| `--[no-]scim`                 | `false` | Enable SCIM Okta integration                                                                     |
| `--[no-]system-logs-export`   | `false` | Enables the Teleport Identity Security SIEM integration for Okta.                                |
| `--[no-]users-sync`           | `true`  | Enable user synchronization                                                                      |
| `-o`, `--owner`               | none    | Add default owners for synced Access Lists                                                       |
| `--org`                       | none    | URL of Okta organization                                                                         |
| `--saml-connector`            | none    | SAML connector used for Okta SSO login.                                                          |

## tctl plugins install scim

Install a Teleport SCIM plugin.

Usage:

```
$ tctl plugins install scim --connector=CONNECTOR [<flags>]
```

Flags:

| Flag               | Default | Description                            |
| ------------------ | ------- | -------------------------------------- |
| `--auth`           | `oauth` | Plugin Authentication type.            |
| `--connector`      | none    | Name of the Teleport connector to use. |
| `--connector-type` | none    | Type of the Teleport connector to use. |

## tctl plugins rotate awsic

Rotate the AWS Identity Center SCIM bearer token.

Usage:

```
$ tctl plugins rotate awsic [<flags>] TOKEN
```

Flags:

| Flag                    | Default               | Description                                                                          |
| ----------------------- | --------------------- | ------------------------------------------------------------------------------------ |
| `--[no-]validate-token` | `true`                | Validate that the supplied token is valid for the configured downstream SCIM service |
| `--plugin-name`         | `aws-identity-center` | Name of the AWSIC plugin instance to update. Defaults to aws-identity-center.        |

Arguments:

| Argument | Default         | Description                |
| -------- | --------------- | -------------------------- |
| token    | none (required) | The new SCIM bearer token. |

## tctl proxy ls

Lists proxies connected to the cluster.

Usage:

```
$ tctl proxy ls [<flags>]
```

Flags:

| Flag       | Default | Description                             |
| ---------- | ------- | --------------------------------------- |
| `--format` | `yaml`  | Output format: 'yaml', 'json' or 'text' |

## tctl recordings download

Download session recordings.

Usage:

```
$ tctl recordings download [<flags>] <session-id>
```

Flags:

| Flag                 | Default                       | Description                                  |
| -------------------- | ----------------------------- | -------------------------------------------- |
| `-o`, `--output-dir` | `<current working directory>` | Directory to download session recordings to. |

Arguments:

| Argument   | Default         | Description                                   |
| ---------- | --------------- | --------------------------------------------- |
| session-id | none (required) | ID of the session to download recordings for. |

## tctl recordings encryption complete-rotation

Completes an in-progress encryption key rotation.

Usage:

```
$ tctl recordings encryption complete-rotation
```

## tctl recordings encryption rollback-rotation

Rolls back an in-progress encryption key rotation.

Usage:

```
$ tctl recordings encryption rollback-rotation
```

## tctl recordings encryption rotate

Rotate encryption keys used for encrypting session recordings.

Usage:

```
$ tctl recordings encryption rotate
```

## tctl recordings encryption status

Show current rotation status.

Usage:

```
$ tctl recordings encryption status [<flags>]
```

Flags:

| Flag       | Default | Description                                            |
| ---------- | ------- | ------------------------------------------------------ |
| `--format` | `text`  | Format output (text, json, yaml). Defaults to 'text'.  |

## tctl recordings ls

List recorded sessions.

Usage:

```
$ tctl recordings ls [<flags>]
```

Flags:

| Flag         | Default | Description                                                                                      |
| ------------ | ------- | ------------------------------------------------------------------------------------------------ |
| `--format`   | `text`  | Format output (text, json, yaml). Defaults to 'text'.                                            |
| `--from-utc` | none    | Start of time range in which recordings are listed. Format 2006-01-02. Defaults to 24 hours ago. |
| `--last`     | none    | Duration into the past from which session recordings should be listed. Format 5h30m40s           |
| `--limit`    | `50`    | Maximum number of recordings to show. Default 50.                                                |
| `--to-utc`   | none    | End of time range in which recordings are listed. Format 2006-01-02. Defaults to current time.   |

## tctl requests approve

Approve pending Access Request.

Usage:

```
$ tctl requests approve [<flags>] <request-id>
```

Flags:

| Flag                  | Default | Description                                                                        |
| --------------------- | ------- | ---------------------------------------------------------------------------------- |
| `--annotations`       | none    | Resolution attributes \<key>=\<val>\[,...]                                         |
| `--assume-start-time` | none    | Sets time roles can be assumed by requestor (RFC3339 e.g. 2023-12-12T23:20:50.52Z) |
| `--delegator`         | none    | Optional delegating identity                                                       |
| `--reason`            | none    | Optional reason message                                                            |
| `--roles`             | none    | Override requested roles \<role>\[,...]                                            |

Arguments:

| Argument   | Default         | Description             |
| ---------- | --------------- | ----------------------- |
| request-id | none (required) | ID of target request(s) |

## tctl requests create

Create pending Access Request.

Usage:

```
$ tctl requests create [<flags>] <username>
```

Flags:

| Flag             | Default | Description                                |
| ---------------- | ------- | ------------------------------------------ |
| `--[no-]dry-run` | `false` | Don't actually generate the Access Request |
| `--reason`       | none    | Optional reason message                    |
| `--resource`     | none    | Resource ID to be requested                |
| `--roles`        | none    | Roles to be requested                      |

Arguments:

| Argument | Default         | Description         |
| -------- | --------------- | ------------------- |
| username | none (required) | Name of target user |

## tctl requests deny

Deny pending Access Request.

Usage:

```
$ tctl requests deny [<flags>] <request-id>
```

Flags:

| Flag            | Default | Description                                 |
| --------------- | ------- | ------------------------------------------- |
| `--annotations` | none    | Resolution annotations \<key>=\<val>\[,...] |
| `--delegator`   | none    | Optional delegating identity                |
| `--reason`      | none    | Optional reason message                     |

Arguments:

| Argument   | Default         | Description             |
| ---------- | --------------- | ----------------------- |
| request-id | none (required) | ID of target request(s) |

## tctl requests get

Show Access Request by ID.

Usage:

```
$ tctl requests get <request-id>
```

Arguments:

| Argument   | Default         | Description             |
| ---------- | --------------- | ----------------------- |
| request-id | none (required) | ID of target request(s) |

## tctl requests ls

Show active Access Requests.

Usage:

```
$ tctl requests ls [<flags>]
```

Flags:

| Flag           | Default      | Description                                     |
| -------------- | ------------ | ----------------------------------------------- |
| `--sort-index` | `created`    | Request sort index, 'created' or 'state'        |
| `--sort-order` | `descending` | Request sort order, 'ascending' or 'descending' |

## tctl requests review

Review an Access Request.

Usage:

```
$ tctl requests review --author=AUTHOR [<flags>] <request-id>
```

Flags:

| Flag             | Default | Description              |
| ---------------- | ------- | ------------------------ |
| `--author`       | none    | Username of reviewer     |
| `--[no-]approve` | `false` | Review proposes approval |
| `--[no-]deny`    | `false` | Review proposes denial   |

Arguments:

| Argument   | Default         | Description          |
| ---------- | --------------- | -------------------- |
| request-id | none (required) | ID of target request |

## tctl requests rm

Delete an Access Request.

Usage:

```
$ tctl requests rm [<flags>] <request-id>
```

Flags:

| Flag                 | Default | Description                                    |
| -------------------- | ------- | ---------------------------------------------- |
| `-f`, `--[no-]force` | `false` | Force the deletion of an active Access Request |

Arguments:

| Argument   | Default         | Description             |
| ---------- | --------------- | ----------------------- |
| request-id | none (required) | ID of target request(s) |
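The approve, deny, review and rm commands above are the pieces of one workflow. The script below is an added example, not part of the tctl reference and not Teleport's own tooling: it resolves a request with a ticket reference recorded in `--annotations` and, on approval, can narrow the grant with `--roles`. It assumes `tctl` is on PATH with an identity permitted to resolve requests; request IDs, reviewer names, ticket numbers, reasons and role names are placeholders supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example, not part of the tctl reference: resolve a pending Access
# Request from a script while leaving an audit trail in its annotations.
# Assumes `tctl` is on PATH and runs with an identity allowed to resolve
# requests; IDs, reviewers, tickets, reasons and roles are placeholders.
set -eu

# Join <key>=<val> pairs into the comma-separated list that --annotations
# takes.  A pair with an embedded ',' or without '=' would be misparsed by
# that format, so it is rejected instead of being passed through.
annotations_arg() {
  local out="" kv
  for kv in "$@"; do
    case "$kv" in
      *,*)   echo "annotations_arg: comma in '$kv'" >&2; return 1 ;;
      ?*=?*) ;;
      *)     echo "annotations_arg: expected key=value, got '$kv'" >&2; return 1 ;;
    esac
    out="${out:+$out,}$kv"
  done
  printf '%s' "$out"
}

# approve_request <request-id> <reviewer> <ticket> <reason> [role ...]
# Roles, when given, are passed as --roles, which replaces the set the
# requester asked for: the approver grants a subset without a denial and a
# fresh request.
approve_request() {
  local id="$1" reviewer="$2" ticket="$3" reason="$4"
  shift 4
  local ann
  ann="$(annotations_arg "ticket=$ticket" "reviewer=$reviewer")"
  # Echo the request being resolved so what was asked for sits next to the
  # decision in the script's log.
  tctl requests get "$id"
  if [ "$#" -gt 0 ]; then
    local roles
    roles="$(IFS=,; printf '%s' "$*")"
    tctl requests approve --reason="$reason" --annotations="$ann" --roles="$roles" "$id"
  else
    tctl requests approve --reason="$reason" --annotations="$ann" "$id"
  fi
}

# deny_request <request-id> <reviewer> <ticket> <reason>
deny_request() {
  local id="$1" reviewer="$2" ticket="$3" reason="$4" ann
  ann="$(annotations_arg "ticket=$ticket" "reviewer=$reviewer")"
  tctl requests deny --reason="$reason" --annotations="$ann" "$id"
}

# Example invocation with placeholder values:
#   approve_request <request-id> alice CHG-1042 "on-call escalation" access
```

Because `--roles` overrides rather than adds to the requested roles, passing a subset is the way to grant less than was requested. The annotations travel with the resolved request, so the ticket and reviewer are visible later in `tctl requests get` output and in the audit log.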

## tctl rm

Delete a resource.

Usage:

```
$ tctl rm [<resource type/resource name>]
```

Arguments:

| Argument                    | Default         | Description                                                                                                                                                                          |
| --------------------------- | --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| resource type/resource name | none (optional) | Resource to delete, written as `<resource type>/<resource name>`: the type of the resource (for example: connector, user, cluster, token) followed by the name of the resource to delete. |

Examples:

```
$ tctl rm role/devs
$ tctl rm cluster/main
```

## tctl saml export

Export a SAML signing key in .crt format.

Usage:

```
$ tctl saml export <connector_name>
```

Arguments:

| Argument        | Default         | Description                                       |
| --------------- | --------------- | ------------------------------------------------- |
| connector\_name | none (required) | name of the SAML connector to export the key from |

## tctl scoped status

Show the status of scoped resources.

Usage:

```
$ tctl scoped status
```

## tctl scoped tokens add

Create a scoped invitation token.

Usage:

```
$ tctl scoped tokens add --type=TYPE [<flags>]
```

Flags:

| Flag             | Default | Description                                                                                             |
| ---------------- | ------- | ------------------------------------------------------------------------------------------------------- |
| `--assign-scope` | none    | Scope that should be applied to resources provisioned by this token                                     |
| `--format`       | none    | Output format, 'text', 'json', or 'yaml'                                                                |
| `--labels`       | none    | Set token labels, e.g. env=prod,region=us-west                                                          |
| `--mode`         | none    | Usage mode of a token: 'unlimited' (the default) or 'single\_use'                                        |
| `--name`         | none    | Override the default, randomly generated token name with a specified name                               |
| `--scope`        | none    | Scope assigned to the token itself                                                                      |
| `--ssh-labels`   | none    | Set immutable ssh labels the token should assign to provisioned resources, e.g. env=prod,region=us-west |
| `--ttl`          | `30m0s` | Set expiration time for token, default is 30 minutes                                                    |
| `--type`         | none    | Type(s) of token to add, e.g. --type=node                                                               |

## tctl scoped tokens ls

List invitation tokens.

Usage:

```
$ tctl scoped tokens ls [<flags>]
```

Flags:

| Flag                  | Default | Description                             |
| --------------------- | ------- | --------------------------------------- |
| `--format`            | none    | Output format, 'text', 'json' or 'yaml' |
| `--[no-]with-secrets` | `false` | Do not redact join tokens               |

## tctl scoped tokens rm

Delete/revoke a scoped invitation token.

Usage:

```
$ tctl scoped tokens rm [<token>]
```

Arguments:

| Argument | Default         | Description     |
| -------- | --------------- | --------------- |
| token    | none (optional) | Token to delete |

## tctl sso configure github

Configure GitHub auth connector.

Usage:

```
$ tctl sso configure github --teams-to-roles=org,team,role1,role2,... --id=ID --secret=SECRET [<flags>]
```

Flags:

| Flag                          | Default                  | Description                                                                               |
| ----------------------------- | ------------------------ | ----------------------------------------------------------------------------------------- |
| `--api-endpoint-url`          | `https://api.github.com` | API endpoint URL for GitHub instance.                                                     |
| `--display`                   | none                     | Sets the connector display name.                                                          |
| `--endpoint-url`              | `https://github.com`     | Endpoint URL for GitHub instance.                                                         |
| `--id`                        | none                     | GitHub app client ID.                                                                     |
| `-n`, `--name`                | `github`                 | Connector name.                                                                           |
| `--[no-]ignore-missing-roles` | `false`                  | Ignore missing roles referenced in --teams-to-roles.                                      |
| `--redirect-url`              | none                     | Authorization callback URL.                                                               |
| `-r`, `--teams-to-roles`      | none                     | Sets teams-to-roles mapping using format 'organization,name,role1,role2,...'. Repeatable. |
| `--secret`                    | none                     | GitHub app client secret.                                                                 |

## tctl sso configure oidc

Configure OIDC auth connector, optionally using a preset. Available presets: \[google gitlab okta].

Usage:

```
$ tctl sso configure oidc --claims-to-roles=name,value,role1,role2,... --secret=SECRET [<flags>]
```

Flags:

| Flag                          | Default | Description                                                                                                                                                                                                                            |
| ----------------------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--acr`                       | none    | Authentication Context Class Reference values.                                                                                                                                                                                         |
| `--display`                   | none    | Sets the connector display name.                                                                                                                                                                                                       |
| `--google-acc`                | none    | Google only. String containing Google service account credentials.                                                                                                                                                                     |
| `--google-acc-uri`            | none    | Google only. URI pointing at service account credentials. Example: file:///var/lib/teleport/gworkspace-creds.json.                                                                                                                     |
| `--google-admin`              | none    | Google only. Email of a Google admin to impersonate.                                                                                                                                                                                   |
| `--google-id`                 | none    | Shorthand for setting the --id flag to \<GOOGLE\_WORKSPACE\_CLIENT\_ID>.apps.googleusercontent.com                                                                                                                                     |
| `--id`                        | none    | OIDC app client ID.                                                                                                                                                                                                                    |
| `--issuer-url`                | none    | Issuer URL.                                                                                                                                                                                                                            |
| `-n`, `--name`                | none    | Connector name. Required, unless implied from preset.                                                                                                                                                                                  |
| `--[no-]google-legacy`        | `false` | Google only. Flag to select groups with direct membership filtered by domain (legacy behavior). Disabled by default. More info: <https://goteleport.com/docs/enterprise/sso/google-workspace/#how-teleport-uses-google-workspace-apis> |
| `--[no-]ignore-missing-roles` | `false` | Ignore missing roles referenced in --claims-to-roles.                                                                                                                                                                                  |
| `-p`, `--preset`              | none    | Preset. One of: \[google gitlab okta]                                                                                                                                                                                                  |
| `--prompt`                    | none    | Optional OIDC prompt. Example values: none, select\_account, login, consent.                                                                                                                                                           |
| `--provider`                  | none    | Sets the external identity provider type to enable IdP specific workarounds. Examples: ping, adfs, netiq, okta.                                                                                                                        |
| `-r`, `--claims-to-roles`     | none    | Sets claim-to-roles mapping using format 'claim\_name,claim\_value,role1,role2,...'. Repeatable.                                                                                                                                       |
| `--redirect-url`              | none    | Authorization callback URL(s). Each repetition of the flag declares one redirectURL.                                                                                                                                                   |
| `--scope`                     | none    | Scope specifies additional scopes set by provider. Each repetition of the flag declares one scope. Examples: email, groups, openid.                                                                                                    |
| `--secret`                    | none    | OIDC app client secret.                                                                                                                                                                                                                |

## tctl sso configure saml

Configure SAML auth connector, optionally using a preset. Available presets: \[okta onelogin ad adfs].

Usage:

```
$ tctl sso configure saml --attributes-to-roles=ATTRIBUTES-TO-ROLES [<flags>]
```

Flags:

| Flag                          | Default | Description                                                                                                                                      |
| ----------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
| `--acs`                       | none    | AssertionConsumerService is a URL for assertion consumer service on the service provider (Teleport's side).                                      |
| `--assertion-cert-file`       | none    | A file with cert used for securing SAML assertions. Must be used together with --assertion-key-file.                                             |
| `--assertion-key-file`        | none    | A file with key used for securing SAML assertions. Must be used together with --assertion-cert-file.                                             |
| `--audience`                  | none    | Audience uniquely identifies our service provider.                                                                                               |
| `--cert`                      | none    | Cert file with the IdP certificate PEM. IdP signs \<Response> responses using this certificate.                                                  |
| `--display`                   | none    | Sets the connector display name.                                                                                                                 |
| `-e`, `--entity-descriptor`   | none    | Set the Entity Descriptor. Valid values: file, URL, XML content. Supplies configuration parameters as single XML instead of individual elements. |
| `--issuer`                    | none    | Issuer is the identity provider issuer.                                                                                                          |
| `-n`, `--name`                | none    | Connector name. Required, unless implied from preset.                                                                                            |
| `--[no-]allow-idp-initiated`  | `false` | Allow the IdP to initiate the SSO flow.                                                                                                          |
| `--[no-]ignore-missing-roles` | `false` | Ignore missing roles referenced in --attributes-to-roles.                                                                                        |
| `-p`, `--preset`              | none    | Preset. One of: \[okta onelogin ad adfs]                                                                                                         |
| `--provider`                  | none    | Sets the external identity provider type. Examples: ping, adfs.                                                                                  |
| `-r`, `--attributes-to-roles` | none    | Sets attribute-to-role mapping using format 'attr\_name,attr\_value,role1,role2,...'. Repeatable.                                                |
| `--service-provider-issuer`   | none    | ServiceProviderIssuer is the issuer of the service provider (Teleport).                                                                          |
| `--signing-cert-file`         | none    | A file with request certificate. Must be used together with --signing-key-file.                                                                  |
| `--signing-key-file`          | none    | A file with request signing key. Must be used together with --signing-cert-file.                                                                 |
| `--sso`                       | none    | SSO is the URL of the identity provider's SSO service.                                                                                           |

## tctl sso test

Perform end-to-end test of SSO flow using provided auth connector definition.

Usage:

```
$ tctl sso test [<flags>] [<filename>]
```

Flags:

| Flag        | Default | Description                                         |
| ----------- | ------- | --------------------------------------------------- |
| `--browser` | none    | Set to 'none' to suppress browser opening on login. |

Arguments:

| Argument | Default         | Description                                              |
| -------- | --------------- | -------------------------------------------------------- |
| filename | none (optional) | Connector resource definition filename. Empty for stdin. |
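The `sso configure` subcommands print a connector resource rather than creating it, and `sso test` reads one from a file or from stdin, which makes a check-before-commit pipeline possible. The script below is an added example, not part of the tctl reference and not Teleport's own tooling, for a GitHub connector; the same sequence applies to the OIDC and SAML variants with their own flags. It assumes `tctl` is on PATH with an admin identity and uses `tctl create` (the resource creation command, not shown in this section) to persist the file. The connector name, client ID and secret, organization, team and role names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the tctl reference: render a GitHub auth
# connector, exercise the login flow against it, and only then persist it.
# Assumes `tctl` is on PATH with an admin identity and that `tctl create`
# accepts the rendered resource file.  Connector name, client ID/secret,
# org, team and role names are placeholders supplied by the caller.
set -eu

# render_github_connector <name> <client-id> <client-secret> <mapping>...
# Each <mapping> is 'org,team,role1,role2,...' and becomes one repeated
# --teams-to-roles flag.  --ignore-missing-roles is deliberately not passed,
# so tctl refuses a mapping that names a role the cluster does not have.
render_github_connector() {
  local name="$1" id="$2" secret="$3"
  shift 3
  [ "$#" -gt 0 ] || { echo "need at least one org,team,role mapping" >&2; return 1; }
  local m
  # Rotate the positional list: consume each mapping and re-append it in
  # flag form, so "$@" ends up holding only the --teams-to-roles flags.
  for m in "$@"; do
    shift
    set -- "$@" "--teams-to-roles=$m"
  done
  tctl sso configure github --name="$name" --id="$id" --secret="$secret" "$@"
}

# install_connector <name> <client-id> <client-secret> <mapping>...
# The rendered resource contains the client secret, so it lives in a 0600
# temporary file that is removed when the shell exits.  `tctl sso test`
# runs against that file before `tctl create` makes the connector live;
# --browser=none keeps the test from opening a browser on a headless host,
# but a person still has to complete the login it starts.
install_connector() {
  local tmp
  tmp="$(mktemp)"
  trap "rm -f '$tmp'" EXIT
  chmod 600 "$tmp"
  render_github_connector "$@" > "$tmp"
  tctl sso test --browser=none "$tmp"
  tctl create "$tmp"
}

# Example invocation with placeholder values:
#   install_connector github-ci <client-id> <client-secret> acme,platform,access,editor
```

The client secret is passed on the command line, so it is visible in the process list of the host running the script for the duration of the `sso configure` call; run this where that is acceptable. Leaving `--ignore-missing-roles` off is intentional: a mapping to a role that does not exist should stop the run rather than be accepted silently.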

## tctl stable-unix-users ls

List the stable UNIX users currently persisted in the cluster.

Usage:

```
$ tctl stable-unix-users ls [<flags>]
```

Flags:

| Flag       | Default | Description                      |
| ---------- | ------- | -------------------------------- |
| `--format` | `text`  | Output format: 'text' or 'json'  |

## tctl status

Report cluster status.

Usage:

```
$ tctl status
```

## tctl terraform env

Obtain certificates and load them into environment variables. This creates a temporary MachineID bot.

Usage:

```
$ tctl terraform env [<flags>]
```

Flags:

| Flag                | Default               | Description                                                                                                                     |
| ------------------- | --------------------- | ------------------------------------------------------------------------------------------------------------------------------- |
| `--bot-ttl`         | `1h`                  | Time-to-live of the Bot resource. The bot will be removed after this period. Defaults to \[1h]                                  |
| `--resource-prefix` | `tctl-terraform-env-` | Resource prefix to use when creating the Terraform role and bots. Defaults to \[tctl-terraform-env-]                            |
| `--role`            | none                  | Role used by Terraform. The role must already exist in Teleport. When not specified, uses the default role "terraform-provider" |

## tctl tokens add

Create an invitation token.

Usage:

```
$ tctl tokens add --type=TYPE [<flags>]
```

Flags:

| Flag            | Default                 | Description                                                                                                                                                                                    |
| --------------- | ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--app-name`    | `example-app`           | Name of the application to add                                                                                                                                                                 |
| `--app-uri`     | `http://localhost:8080` | URI of the application to add                                                                                                                                                                  |
| `--db-name`     | none                    | Name of the database to add                                                                                                                                                                    |
| `--db-protocol` | none                    | Database protocol to use. Supported are: \[postgres mysql mongodb oracle cockroachdb redis snowflake sqlserver cassandra elasticsearch opensearch dynamodb clickhouse clickhouse-http spanner] |
| `--db-uri`      | none                    | Address the database is reachable at                                                                                                                                                           |
| `--format`      | none                    | Output format, 'text', 'json', or 'yaml'                                                                                                                                                       |
| `--labels`      | none                    | Set token labels, e.g. env=prod,region=us-west                                                                                                                                                 |
| `--ttl`         | `30m0s`                 | Set expiration time for token, default is 30 minutes                                                                                                                                           |
| `--type`        | none                    | Type(s) of token to add, e.g. --type=node,app,db,proxy,etc                                                                                                                                     |
| `--value`       | none                    | Override the default random generated token with a specified value                                                                                                                             |

## tctl tokens configure-kube

Creates a token allowing workloads from the Kubernetes cluster to join the Teleport cluster.

Usage:

```
$ tctl tokens configure-kube --service-account=SERVICE-ACCOUNT [<flags>]
```

Flags:

| Flag                      | Default              | Description                                                                                                                                                                |
| ------------------------- | -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--bot`                   | none                 | Name of the bot that this token will grant access to. When set, creates a bot token. Overrides --type                                                                      |
| `--cluster-name`          | none                 | Name of the Kubernetes cluster. When not set, defaults to the context name.                                                                                                |
| `--context`               | none                 | Kubernetes context to use. When not set, defaults to the active context.                                                                                                   |
| `-f`, `--[no-]force`      | `false`              | Force the token creation, even if the token already exists                                                                                                                 |
| `-j`, `--join-with`       | `auto`               | Kubernetes joining type, possible values are 'oidc', 'jwks', and 'auto'. See <https://goteleport.com/docs/reference/join-methods/#kubernetes-kubernetes> for more details. |
| `-n`, `--namespace`       | `teleport`           | Namespace of the Kubernetes Service Account using the token. For 'teleport-kube-agent' and 'tbot' Helm charts, this is the release namespace.                              |
| `-o`, `--out`             | `./values.yaml`      | Path of the output file.                                                                                                                                                   |
| `-s`, `--service-account` | none                 | Name of the Kubernetes Service Account using the token. For 'teleport-kube-agent' and 'tbot' Helm charts, this is the release name.                                        |
| `--token-name`            | none                 | Optional name of the created join token. When not set, defaults to '\<CLUSTER\_NAME>(-\<BOT\_NAME>)'                                                                       |
| `--type`                  | `kube,app,discovery` | Type(s) of token to add, e.g. --type=kube,app,db,discovery,proxy,etc                                                                                                       |
| `--update-group`          | none                 | Optional update group used for version detection and agent updater configuration                                                                                           |

## tctl tokens ls

List node and user invitation tokens.

Usage:

```
$ tctl tokens ls [<flags>]
```

Flags:

| Flag                  | Default | Description                                                                       |
| --------------------- | ------- | --------------------------------------------------------------------------------- |
| `--format`            | none    | Output format, 'text', 'json' or 'yaml'                                           |
| `--labels`            | none    | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2) |
| `--[no-]with-secrets` | `false` | Do not redact join tokens                                                         |

## tctl tokens rm

Delete/revoke an invitation token.

Usage:

```
$ tctl tokens rm [<token>]
```

Arguments:

| Argument | Default         | Description     |
| -------- | --------------- | --------------- |
| token    | none (optional) | Token to delete |

## tctl top

Report diagnostic information.

Usage:

```
$ tctl top [<diag-addr>] [<refresh>]
```

Arguments:

| Argument  | Default         | Description         |
| --------- | --------------- | ------------------- |
| diag-addr | none (optional) | Diagnostic HTTP URL |
| refresh   | `5s` (optional) | Refresh period      |

## tctl update

Update resource fields.

Usage:

```
$ tctl update [<flags>] [<resource type/resource name>]
```

Flags:

| Flag           | Default | Description |
| -------------- | ------- | ----------- |
| `--set-labels` | none    | Set labels  |
| `--set-ttl`    | none    | Set TTL     |

Arguments:

| Argument                    | Default         | Description                                                                                                        |
| --------------------------- | --------------- | ------------------------------------------------------------------------------------------------------------------ |
| resource type/resource name | none (optional) | Resource to update. `<resource type>` is the type of the resource (for example: rc); `<resource name>` is its name. |

Example:

```
$ tctl update rc/remote
```

## tctl users add

Generate a user invitation token \[Teleport local users only].

Usage:

```
$ tctl users add --roles=ROLES [<flags>] <account>
```

Flags:

| Flag                     | Default  | Description                                                          |
| ------------------------ | -------- | -------------------------------------------------------------------- |
| `--aws-role-arns`        | none     | List of allowed AWS role ARNs for the new user                       |
| `--azure-identities`     | none     | List of allowed Azure identities for the new user                    |
| `--db-names`             | none     | List of allowed database names for the new user                      |
| `--db-roles`             | none     | List of database roles for automatic database user provisioning      |
| `--db-users`             | none     | List of allowed database users for the new user                      |
| `--default-relay-addr`   | none     | Relay address that clients should use by default                     |
| `--gcp-service-accounts` | none     | List of allowed GCP service accounts for the new user                |
| `--host-user-gid`        | none     | GID for auto provisioned host users to use                           |
| `--host-user-uid`        | none     | UID for auto provisioned host users to use                           |
| `--kubernetes-groups`    | none     | List of allowed Kubernetes groups for the new user                   |
| `--kubernetes-users`     | none     | List of allowed Kubernetes users for the new user                    |
| `--logins`               | none     | List of allowed SSH logins for the new user                          |
| `--mcp-tools`            | none     | List of allowed MCP tools for the new user                           |
| `--roles`                | none     | List of roles for the new user to assume                             |
| `--ttl`                  | `1h0m0s` | Set expiration time for token, default is 1h0m0s, maximum is 48h0m0s |
| `--windows-logins`       | none     | List of allowed Windows logins for the new user                      |

Arguments:

| Argument | Default         | Description                |
| -------- | --------------- | -------------------------- |
| account  | none (required) | Teleport user account name |

## tctl users ls

Lists all user accounts.

Usage:

```
$ tctl users ls
```

## tctl users reset

Reset user password and generate a new token \[Teleport local users only].

Usage:

```
$ tctl users reset [<flags>] <account>
```

Flags:

| Flag    | Default  | Description                                                          |
| ------- | -------- | -------------------------------------------------------------------- |
| `--ttl` | `8h0m0s` | Set expiration time for token, default is 8h0m0s, maximum is 24h0m0s |

Arguments:

| Argument | Default         | Description                |
| -------- | --------------- | -------------------------- |
| account  | none (required) | Teleport user account name |

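The `--ttl` and `--labels` flags above are easy to get wrong from automation: a Go-style duration such as `1h0m0s` is accepted silently, and `users add` and `users reset` impose different maxima (48h and 24h). The following added example, which is not part of the tctl reference or of Teleport's own code, parses those durations, enforces the documented maxima, validates the `key=value` label form, and builds argv lists for `tctl tokens add` and `tctl users add` so they can be passed to `subprocess` without shell quoting. The 24h cap on `tokens add` and the label character set are assumptions (local policy), not limits tctl itself enforces.

```python
"""Build tctl invocations with TTL and label checks (added example, not
from the tctl reference). tctl is never executed here; run_tctl is only
provided for completeness."""
import re
import subprocess

# Documented maxima: 48h for `users add`, 24h for `users reset` (from the
# reference). The `tokens add` cap is an assumed local policy, not a tctl limit.
MAX_TTL_SECONDS = {
    "users add": 48 * 3600,
    "users reset": 24 * 3600,
    "tokens add": 24 * 3600,  # assumption: local policy
}

# Go duration strings as tctl prints them, e.g. "30m0s", "1h0m0s", "5s".
_DURATION_RE = re.compile(r"^(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")
# Assumed safe label charset; the reference only shows env=prod,region=us-west.
_LABEL_RE = re.compile(r"^[A-Za-z0-9_.-]+=[A-Za-z0-9_.:/-]*$")


def parse_go_duration(text: str) -> int:
    """Return seconds for a Go-style duration such as '1h30m0s'."""
    m = _DURATION_RE.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"invalid duration: {text!r}")
    hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def check_ttl(command: str, ttl: str) -> int:
    """Parse ttl and refuse anything above the cap for the given command."""
    secs = parse_go_duration(ttl)
    if secs > MAX_TTL_SECONDS[command]:
        raise ValueError(f"{ttl!r} exceeds the maximum for `tctl {command}`")
    return secs


def format_labels(labels: dict) -> str:
    """Render {'env': 'prod'} in the comma-separated 'env=prod' form."""
    pairs = [f"{k}={v}" for k, v in sorted(labels.items())]
    for pair in pairs:
        if not _LABEL_RE.match(pair):
            raise ValueError(f"label not safe for the comma-separated form: {pair!r}")
    return ",".join(pairs)


def tokens_add_argv(types, ttl="30m0s", labels=None):
    """argv for `tctl tokens add --type=... --ttl=... [--labels=...]`."""
    if not types or any("," in t or not t for t in types):
        raise ValueError("token types must be non-empty names without commas")
    check_ttl("tokens add", ttl)
    argv = ["tctl", "tokens", "add", f"--type={','.join(types)}", f"--ttl={ttl}"]
    if labels:
        argv.append(f"--labels={format_labels(labels)}")
    return argv


def users_add_argv(account, roles, ttl="1h0m0s", logins=()):
    """argv for `tctl users add --roles=... --ttl=... [--logins=...] <account>`."""
    if not roles or not account:
        raise ValueError("account and at least one role are required")
    check_ttl("users add", ttl)
    argv = ["tctl", "users", "add", f"--roles={','.join(roles)}", f"--ttl={ttl}"]
    if logins:
        argv.append(f"--logins={','.join(logins)}")
    return argv + [account]


def run_tctl(argv):
    """Execute a prepared argv list; returns the completed process."""
    return subprocess.run(argv, check=True, capture_output=True, text=True)
```
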
## tctl users rm

Deletes user accounts.

Usage:

```
$ tctl users rm <logins>
```

Arguments:

| Argument | Default         | Description                                   |
| -------- | --------------- | --------------------------------------------- |
| logins   | none (required) | Comma-separated list of user logins to delete |

## tctl users update

Update user account.

Usage:

```
$ tctl users update [<flags>] <account>
```

Flags:

| Flag                         | Default | Description                                                                                              |
| ---------------------------- | ------- | -------------------------------------------------------------------------------------------------------- |
| `--set-aws-role-arns`        | none    | List of allowed AWS role ARNs for the user, replaces current AWS role ARNs                               |
| `--set-azure-identities`     | none    | List of allowed Azure identities for the user, replaces current Azure identities                         |
| `--set-db-names`             | none    | List of allowed database names for the user, replaces current database names                             |
| `--set-db-roles`             | none    | List of allowed database roles for automatic database user provisioning, replaces current database roles |
| `--set-db-users`             | none    | List of allowed database users for the user, replaces current database users                             |
| `--set-default-relay-addr`   | none    | Relay address that clients should use by default. Value can be reset by providing an empty string        |
| `--set-gcp-service-accounts` | none    | List of allowed GCP service accounts for the user, replaces current service accounts                     |
| `--set-host-user-gid`        | none    | GID for auto provisioned host users to use. Value can be reset by providing an empty string              |
| `--set-host-user-uid`        | none    | UID for auto provisioned host users to use. Value can be reset by providing an empty string              |
| `--set-kubernetes-groups`    | none    | List of allowed Kubernetes groups for the user, replaces current Kubernetes groups                       |
| `--set-kubernetes-users`     | none    | List of allowed Kubernetes users for the user, replaces current Kubernetes users                         |
| `--set-logins`               | none    | List of allowed SSH logins for the user, replaces current logins                                         |
| `--set-mcp-tools`            | none    | List of allowed MCP tools for the user, replaces current allowed MCP tools.                              |
| `--set-roles`                | none    | List of roles for the user to assume, replaces current roles                                             |
| `--set-windows-logins`       | none    | List of allowed Windows logins for the user, replaces current Windows logins                             |

Arguments:

| Argument | Default         | Description                |
| -------- | --------------- | -------------------------- |
| account  | none (required) | Teleport user account name |

## tctl version

Print the version of your tctl binary.

Usage:

```
$ tctl version
```

## tctl workload-identity ls

List workload identity configurations.

Usage:

```
$ tctl workload-identity ls
```

## tctl workload-identity revocations add

Create a new revocation.

Usage:

```
$ tctl workload-identity revocations add --serial=SERIAL --type=TYPE --reason=REASON [<flags>]
```

Flags:

| Flag           | Default | Description                                                                                                                                                                                                                |
| -------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--expires-at` | none    | Time at which the revocation should expire; usually this should match the expiry time of the credential. Specify it in RFC3339 form, e.g. '2024-02-05T15:04:00Z'. If unspecified, one week from now is used.            |
| `--reason`     | none    | Reason for revocation.                                                                                                                                                                                                     |
| `--serial`     | none    | Serial number of the certificate to revoke.                                                                                                                                                                                |
| `--type`       | none    | Type of credential to revoke (x509)                                                                                                                                                                                        |

## tctl workload-identity revocations crl

Fetch the signed CRL for existing revocations.

Usage:

```
$ tctl workload-identity revocations crl [<flags>]
```

Flags:

| Flag            | Default | Description                                                              |
| --------------- | ------- | ------------------------------------------------------------------------ |
| `--[no-]follow` | `false` | Follow the stream of CRL updates.                                        |
| `--out`         | none    | Path to write the CRL as a file to. If unspecified, STDOUT will be used. |

## tctl workload-identity revocations ls

List revocations.

Usage:

```
$ tctl workload-identity revocations ls
```

## tctl workload-identity revocations rm

Delete a revocation.

Usage:

```
$ tctl workload-identity revocations rm --serial=SERIAL --type=TYPE
```

Flags:

| Flag       | Default | Description                                                    |
| ---------- | ------- | -------------------------------------------------------------- |
| `--serial` | none    | Serial number of the certificate to remove the revocation for. |
| `--type`   | none    | Type of credential to remove the revocation for (x509).        |

## tctl workload-identity rm

Delete a workload identity configuration.

Usage:

```
$ tctl workload-identity rm <name>
```

Arguments:

| Argument | Default         | Description                                            |
| -------- | --------------- | ------------------------------------------------------ |
| name     | none (required) | Name of the workload identity configuration to delete. |

## tctl workload-identity x509-issuer-overrides create

Create an issuer override from the given certificate chains.

Usage:

```
$ tctl workload-identity x509-issuer-overrides create [<flags>] <fullchain.pem>...
```

Flags:

| Flag                 | Default   | Description                                                                                                      |
| -------------------- | --------- | ---------------------------------------------------------------------------------------------------------------- |
| `-f`, `--[no-]force` | `false`   | Overwrite the existing override if it exists.                                                                    |
| `--name`             | `default` | The name of the override resource to write.                                                                      |
| `--[no-]dry-run`     | `false`   | Print the workload\_identity\_x509\_issuer\_override that would have been created, without actually creating it. |

Arguments:

| Argument      | Default         | Description                                                 |
| ------------- | --------------- | ----------------------------------------------------------- |
| fullchain.pem | none (required) | PEM files containing an issuer and its optional chain each. |

## tctl workload-identity x509-issuer-overrides sign-csrs

Sign CSRs with the SPIFFE X.509 CA keys.

Usage:

```
$ tctl workload-identity x509-issuer-overrides sign-csrs [<flags>]
```

Flags:

| Flag                 | Default | Description                                                               |
| -------------------- | ------- | ------------------------------------------------------------------------- |
| `--creation-mode`    | `same`  | How the attributes of the issuer are encoded in the CSR: "same", "empty". |
| `-f`, `--[no-]force` | `false` | Attempt to sign as many CSRs as possible even in the presence of errors.  |
