# teleport Reference

This guide provides a comprehensive list of commands, arguments, and flags for `teleport`.

`teleport` is the CLI tool that supports the Teleport Infrastructure Identity Platform and allows Teleport services to be managed from the command line.

```
$ teleport <command> [<args> ...]
```

## teleport app start

Start the application proxy service.

Usage:

```
$ teleport app start [<flags>]
```

Flags:

| Flag                        | Default | Description                                                                                |
| --------------------------- | ------- | ------------------------------------------------------------------------------------------ |
| `--auth-server`             | none    | Address of the auth server \[127.0.0.1:3025].                                              |
| `--ca-pin`                  | none    | CA pin to validate the auth server (can be repeated for multiple pins).                    |
| `-c`, `--config`            | none    | Path to a configuration file \[/etc/teleport.yaml].                                        |
| `--cloud`                   | none    | Set to one of \[AWS Azure GCP] if the application should proxy a particular cloud API.     |
| `--diag-addr`               | none    | Start diagnostic prometheus and healthz endpoint.                                          |
| `-d`, `--[no-]debug`        | `false` | Enable verbose logging to stderr.                                                          |
| `--labels`                  | none    | Comma-separated list of labels for this node, for example env=dev,app=web.                 |
| `--name`                    | none    | Name of the application to start.                                                          |
| `--[no-]fips`               | `false` | Start Teleport in FedRAMP/FIPS 140 mode.                                                   |
| `--[no-]insecure`           | `false` | Insecure mode disables certificate validation.                                             |
| `--[no-]mcp-demo-server`    | `false` | Enables the Teleport demo MCP server that shows current user and session information.      |
| `--[no-]no-debug-service`   | `false` | Disables the debug service.                                                                |
| `--[no-]skip-version-check` | `false` | Skip version checking between server and client.                                           |
| `--pid-file`                | none    | Full path to the PID file. By default no PID file will be created.                         |
| `--public-addr`             | none    | Public address of the application to proxy.                                                |
| `--token`                   | none    | Invitation token or path to file with token value to register with an auth server \[none]. |
| `--uri`                     | none    | Internal address of the application to proxy.                                              |

## teleport backend clone

Clones data from a source to a destination backend.

Usage:

```
$ teleport backend clone
```

## teleport backend edit

Modifies a single item in the cluster state backend.

Usage:

```
$ teleport backend edit <key>
```

Arguments:

| Argument | Default         | Description                  |
| -------- | --------------- | ---------------------------- |
| key      | none (required) | The backend key to edit.     |

## teleport backend get

Retrieves a single item from the cluster state backend.

Usage:

```
$ teleport backend get [<flags>] <key>
```

Flags:

| Flag             | Default | Description                       |
| ---------------- | ------- | --------------------------------- |
| `-f`, `--format` | `text`  | Format output (text, json, yaml). |

Arguments:

| Argument | Default         | Description                  |
| -------- | --------------- | ---------------------------- |
| key      | none (required) | The backend key to retrieve. |

## teleport backend ls

Lists the keys in the cluster state backend.

Usage:

```
$ teleport backend ls [<flags>] [<prefix>]
```

Flags:

| Flag             | Default | Description                       |
| ---------------- | ------- | --------------------------------- |
| `-f`, `--format` | `text`  | Format output (text, json, yaml). |

Arguments:

| Argument | Default         | Description                                 |
| -------- | --------------- | ------------------------------------------- |
| prefix   | none (optional) | An optional key prefix to limit listing to. |

## teleport backend rm

Removes a single item from the cluster state backend.

Usage:

```
$ teleport backend rm <key>
```

Arguments:

| Argument | Default         | Description                |
| -------- | --------------- | -------------------------- |
| key      | none (required) | The backend key to remove. |

## teleport configure

Generate a simple config file to get started.

Usage:

```
$ teleport configure [<flags>]
```

Flags:

| Flag                     | Default             | Description                                                                                                                                                                                     |
| ------------------------ | ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--acme-email`           | none                | Email to receive updates from Letsencrypt.org.                                                                                                                                                  |
| `--app-name`             | none                | Name of the application to start when using app role.                                                                                                                                           |
| `--app-uri`              | none                | Internal address of the application to proxy.                                                                                                                                                   |
| `--auth-server`          | none                | Address of the auth server.                                                                                                                                                                     |
| `--cert-file`            | none                | Path to a TLS certificate file for the proxy.                                                                                                                                                   |
| `--cluster-name`         | none                | Unique cluster name, e.g. example.com.                                                                                                                                                          |
| `--data-dir`             | `/var/lib/teleport` | Path to a directory where Teleport keeps its data.                                                                                                                                              |
| `--join-method`          | `token`             | Method to use to join the cluster (azure, azure\_devops, bitbucket, circleci, ec2, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0). |
| `--key-file`             | none                | Path to a TLS key file for the proxy.                                                                                                                                                           |
| `--[no-]acme`            | `false`             | Get automatic certificate from Letsencrypt.org using ACME.                                                                                                                                      |
| `--node-labels`          | none                | Comma-separated list of labels to add to newly created nodes, for example env=staging,cloud=aws.                                                                                                |
| `--node-name`            | none                | Name for the Teleport node.                                                                                                                                                                     |
| `--[no-]mcp-demo-server` | `false`             | Enables the Teleport demo MCP server that shows current user and session information.                                                                                                           |
| `-o`, `--output`         | `stdout`            | Write to stdout with `--output=stdout`, to the default config file with `--output=file`, or to a custom path with `--output=file:///path`.                                                      |
| `--proxy`                | none                | Address of the proxy.                                                                                                                                                                           |
| `--public-addr`          | none                | The host:port that the proxy advertises for the HTTP endpoint.                                                                                                                                  |
| `--roles`                | none                | Comma-separated list of roles to create config with.                                                                                                                                            |
| `--test`                 | none                | Path to a configuration file to test.                                                                                                                                                           |
| `--token`                | none                | Invitation token or path to file with token value to register with an auth server.                                                                                                              |
| `--version`              | `v3`                | Teleport configuration version.                                                                                                                                                                 |

## teleport db configure aws create-iam

Generate, create and attach IAM policies.

Usage:

```
$ teleport db configure aws create-iam [<flags>]
```

Flags:

| Flag              | Default          | Description                                                                                                                                                                                      |
| ----------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `--assumes-roles` | none             | Comma-separated list of additional IAM roles that the IAM identity should be able to assume. Each role can be either an IAM role ARN or the name of a role in the identity's account.            |
| `--name`          | `DatabaseAccess` | Created policy name. Defaults to empty. Will be auto-generated if not provided.                                                                                                                  |
| `--[no-]confirm`  | `false`          | Apply changes without confirmation prompt.                                                                                                                                                       |
| `--role`          | none             | IAM role name to attach the policy to. Mutually exclusive with `--user`.                                                                                                                         |
| `-r`, `--types`   | none             | Comma-separated list of database types to include in the policy. Any of rds,rdsproxy,redshift,redshift-serverless,elasticache,elasticache-serverless,memorydb,keyspace,dynamodb,opensearch,docdb |
| `--user`          | none             | IAM user name to attach the policy to. Mutually exclusive with `--role`.                                                                                                                         |

## teleport db configure aws print-iam

Generate and show IAM policies.

Usage:

```
$ teleport db configure aws print-iam [<flags>]
```

Flags:

| Flag              | Default          | Description                                                                                                                                                                                      |
| ----------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `--assumes-roles` | none             | Comma-separated list of additional IAM roles that the IAM identity should be able to assume. Each role can be either an IAM role ARN or the name of a role in the identity's account.            |
| `--[no-]policy`   | `false`          | Only print IAM policy document.                                                                                                                                                                  |
| `--policy-name`   | `DatabaseAccess` | Name of the Teleport Database agent policy. Default: "DatabaseAccess".                                                                                                                           |
| `--role`          | none             | IAM role name to attach the policy to. Mutually exclusive with `--user`.                                                                                                                         |
| `-r`, `--types`   | none             | Comma-separated list of database types to include in the policy. Any of rds,rdsproxy,redshift,redshift-serverless,elasticache,elasticache-serverless,memorydb,keyspace,dynamodb,opensearch,docdb |
| `--user`          | none             | IAM user name to attach the policy to. Mutually exclusive with `--role`.                                                                                                                         |

## teleport db configure bootstrap

Bootstrap the necessary configuration for the database agent. It reads the provided agent configuration to determine what will be bootstrapped.

Usage:

```
$ teleport db configure bootstrap [<flags>]
```

Flags:

| Flag               | Default              | Description                                                                                                                                                                                                       |
| ------------------ | -------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--assumes-roles`  | none                 | Comma-separated list of additional IAM roles that the IAM identity should be able to assume. Each role can be either an IAM role ARN or the name of a role in the identity's account.                             |
| `--attach-to-role` | none                 | Role name to attach policy to. Mutually exclusive with --attach-to-user. If none of the attach-to flags is provided, the command will try to attach the policy to the current user/role based on the credentials. |
| `--attach-to-user` | none                 | User name to attach policy to. Mutually exclusive with --attach-to-role. If none of the attach-to flags is provided, the command will try to attach the policy to the current user/role based on the credentials. |
| `-c`, `--config`   | `/etc/teleport.yaml` | Path to a configuration file \[/etc/teleport.yaml].                                                                                                                                                               |
| `--[no-]confirm`   | `false`              | Apply changes without confirmation prompt.                                                                                                                                                                        |
| `--[no-]manual`    | `false`              | When executed in "manual" mode, it will print the instructions to complete the configuration instead of applying them directly.                                                                                   |
| `--policy-name`    | `DatabaseAccess`     | Name of the Teleport Database agent policy. Default: "DatabaseAccess".                                                                                                                                            |

## teleport db configure create

Creates a sample Database Service configuration.

Usage:

```
$ teleport db configure create [<flags>]
```

Flags:

| Flag                                      | Default        | Description                                                                                                                                                                                      |
| ----------------------------------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `--ad-domain`                             | none           | (Only for SQL Server) Active Directory domain.                                                                                                                                                   |
| `--ad-keytab-file`                        | none           | (Only for SQL Server) Kerberos keytab file.                                                                                                                                                      |
| `--ad-spn`                                | none           | (Only for SQL Server) Service Principal Name for Active Directory auth.                                                                                                                          |
| `--aws-account-id`                        | none           | (Only for Keyspaces or DynamoDB) AWS Account ID.                                                                                                                                                 |
| `--aws-assume-role-arn`                   | none           | Optional AWS IAM role to assume.                                                                                                                                                                 |
| `--aws-elasticache-group-id`              | none           | (Only for ElastiCache) ElastiCache replication group identifier.                                                                                                                                 |
| `--aws-elasticache-serverless-cache-name` | none           | (Only for ElastiCache Serverless) ElastiCache Serverless cache name.                                                                                                                             |
| `--aws-external-id`                       | none           | (Only for AWS-hosted databases) Optional AWS external ID to use when assuming AWS roles.                                                                                                         |
| `--aws-memorydb-cluster-name`             | none           | (Only for MemoryDB) MemoryDB cluster name.                                                                                                                                                       |
| `--aws-rds-cluster-id`                    | none           | (Only for RDS Aurora) RDS Aurora database cluster identifier.                                                                                                                                    |
| `--aws-rds-instance-id`                   | none           | (Only for RDS) RDS database instance identifier.                                                                                                                                                 |
| `--aws-redshift-cluster-id`               | none           | (Only for Redshift) Redshift database cluster identifier.                                                                                                                                        |
| `--aws-region`                            | none           | (Only for AWS-hosted databases) AWS region in which the RDS, Aurora, Redshift, Redshift Serverless, ElastiCache, OpenSearch or MemoryDB database instance is running.                            |
| `--aws-tags`                              | none           | (Only for AWS discoveries) Comma-separated list of AWS resource tags to match, for example env=dev,dept=it.                                                                                      |
| `--azure-mysql-discovery`                 | none           | List of Azure regions in which the agent will discover MySQL servers.                                                                                                                            |
| `--azure-postgres-discovery`              | none           | List of Azure regions in which the agent will discover PostgreSQL servers.                                                                                                                       |
| `--azure-redis-discovery`                 | none           | List of Azure regions in which the agent will discover Azure Cache For Redis servers.                                                                                                            |
| `--azure-resource-group`                  | `*`            | List of Azure resource groups for Azure discoveries. Default is "\*".                                                                                                                            |
| `--azure-sqlserver-discovery`             | none           | List of Azure regions in which the agent will discover Azure SQL Databases and Managed Instances.                                                                                                |
| `--azure-subscription`                    | `*`            | List of Azure subscription IDs for Azure discoveries. Default is "\*".                                                                                                                           |
| `--azure-tags`                            | none           | (Only for Azure discoveries) Comma-separated list of Azure resource tags to match, for example env=dev,dept=it.                                                                                  |
| `--ca-cert-file`                          | none           | Database CA certificate path.                                                                                                                                                                    |
| `--ca-pin`                                | none           | CA pin to validate the auth server (can be repeated for multiple pins).                                                                                                                          |
| `--dynamic-resources-labels`              | none           | Comma-separated list(s) of labels to match dynamic resources, for example env=dev,dept=it. Required to enable dynamic resources matching.                                                        |
| `--elasticache-discovery`                 | none           | List of AWS regions in which the agent will discover ElastiCache Valkey or Redis clusters.                                                                                                       |
| `--elasticache-serverless-discovery`      | none           | List of AWS regions in which the agent will discover ElastiCache Serverless Valkey or Redis caches.                                                                                              |
| `--gcp-instance-id`                       | none           | (Only for Cloud SQL) GCP Cloud SQL instance identifier.                                                                                                                                          |
| `--gcp-project-id`                        | none           | (Only for Cloud SQL) GCP Cloud SQL project identifier.                                                                                                                                           |
| `--labels`                                | none           | Comma-separated list of labels for the database, for example env=dev,dept=it.                                                                                                                    |
| `--memorydb-discovery`                    | none           | List of AWS regions in which the agent will discover MemoryDB clusters.                                                                                                                          |
| `--name`                                  | none           | Name of the proxied database.                                                                                                                                                                    |
| `--[no-]trust-system-cert-pool`           | `false`        | Allows Teleport to trust certificate authorities available on the host system for self-hosted databases.                                                                                         |
| `-o`, `--output`                          | `stdout`       | Write to stdout with `--output=stdout`, to the default config file with `--output=file`, or to a custom path with `--output=file:///path`.                                                       |
| `--opensearch-discovery`                  | none           | List of AWS regions in which the agent will discover OpenSearch domains.                                                                                                                         |
| `--protocol`                              | none           | Proxied database protocol. Supported protocols: \[postgres mysql mongodb oracle cockroachdb redis snowflake sqlserver cassandra elasticsearch opensearch dynamodb clickhouse clickhouse-http spanner]. |
| `--proxy`                                 | `0.0.0.0:3080` | Teleport proxy address to connect to \[0.0.0.0:3080].                                                                                                                                            |
| `--rds-discovery`                         | none           | List of AWS regions in which the agent will discover RDS/Aurora instances.                                                                                                                       |
| `--rdsproxy-discovery`                    | none           | List of AWS regions in which the agent will discover RDS Proxies.                                                                                                                                |
| `--redshift-discovery`                    | none           | List of AWS regions in which the agent will discover Redshift instances.                                                                                                                         |
| `--redshift-serverless-discovery`         | none           | List of AWS regions in which the agent will discover Redshift Serverless instances.                                                                                                              |
| `--token`                                 | `/tmp/token`   | Invitation token or path to file with token value to register with an auth server \[none].                                                                                                       |
| `--uri`                                   | none           | Address the proxied database is reachable at.                                                                                                                                                    |

## teleport db start

Start the database proxy service.

Usage:

```
$ teleport db start [<flags>]
```

Flags:

| Flag                          | Default          | Description                                                                                                                                                                                      |
| ----------------------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `--ad-domain`                 | none             | (Only for SQL Server) Active Directory domain.                                                                                                                                                   |
| `--ad-keytab-file`            | none             | (Only for SQL Server) Kerberos keytab file.                                                                                                                                                      |
| `--ad-krb5-file`              | `/etc/krb5.conf` | (Only for SQL Server) Kerberos krb5.conf file.                                                                                                                                                   |
| `--ad-spn`                    | none             | (Only for SQL Server) Service Principal Name for Active Directory auth.                                                                                                                          |
| `--auth-server`               | none             | Address of the auth server \[127.0.0.1:3025].                                                                                                                                                    |
| `--aws-account-id`            | none             | (Only for Keyspaces or DynamoDB) AWS Account ID.                                                                                                                                                 |
| `--aws-assume-role-arn`       | none             | Optional AWS IAM role to assume.                                                                                                                                                                 |
| `--aws-external-id`           | none             | Optional AWS external ID used when assuming an AWS role.                                                                                                                                         |
| `--aws-rds-cluster-id`        | none             | (Only for Aurora) Aurora cluster identifier.                                                                                                                                                     |
| `--aws-rds-instance-id`       | none             | (Only for RDS) RDS instance identifier.                                                                                                                                                          |
| `--aws-redshift-cluster-id`   | none             | (Only for Redshift) Redshift database cluster identifier.                                                                                                                                        |
| `--aws-region`                | none             | (Only for RDS, Aurora, Redshift, ElastiCache or MemoryDB) AWS region in which the AWS-hosted database instance is running.                                                                       |
| `--aws-session-tags`          | none             | (Only for DynamoDB) List of STS tags.                                                                                                                                                            |
| `--ca-cert`                   | none             | Database CA certificate path.                                                                                                                                                                    |
| `--ca-pin`                    | none             | CA pin to validate the auth server (can be repeated for multiple pins).                                                                                                                          |
| `-c`, `--config`              | none             | Path to a configuration file \[/etc/teleport.yaml].                                                                                                                                              |
| `--description`               | none             | Description of the proxied database.                                                                                                                                                             |
| `--diag-addr`                 | none             | Start diagnostic prometheus and healthz endpoint.                                                                                                                                                |
| `-d`, `--[no-]debug`          | `false`          | Enable verbose logging to stderr.                                                                                                                                                                |
| `--gcp-alloydb-endpoint-type` | none             | (Only for AlloyDB) Endpoint type. One of: \[public private psc]                                                                                                                                  |
| `--gcp-instance-id`           | none             | (Only for Cloud SQL) Instance identifier.                                                                                                                                                        |
| `--gcp-project-id`            | none             | (Only for Cloud SQL) Project identifier.                                                                                                                                                         |
| `--labels`                    | none             | Comma-separated list of labels for this node, for example env=dev,app=web.                                                                                                                       |
| `--name`                      | none             | Name of the proxied database.                                                                                                                                                                    |
| `--[no-]fips`                 | `false`          | Start Teleport in FedRAMP/FIPS 140 mode.                                                                                                                                                         |
| `--[no-]insecure`             | `false`          | Insecure mode disables certificate validation                                                                                                                                                    |
| `--[no-]no-debug-service`     | `false`          | Disables debug service.                                                                                                                                                                          |
| `--[no-]skip-version-check`   | `false`          | Skip version checking between server and client.                                                                                                                                                 |
| `--pid-file`                  | none             | Full path to the PID file. By default no PID file will be created.                                                                                                                               |
| `--protocol`                  | none             | Proxied database protocol. Supported are: \[postgres mysql mongodb oracle cockroachdb redis snowflake sqlserver cassandra elasticsearch opensearch dynamodb clickhouse clickhouse-http spanner]. |
| `--token`                     | none             | Invitation token or path to file with token value to register with an auth server \[none].                                                                                                       |
| `--uri`                       | none             | Address the proxied database is reachable at.                                                                                                                                                    |

## teleport debug get-log-level

Fetches the current log level.

Usage:

```
$ teleport debug get-log-level
```

## teleport debug metrics

Fetches the cluster's Prometheus metrics.

Usage:

```
$ teleport debug metrics
```

## teleport debug profile

Exports the application profiles (pprof format). Writes the contents of a .tar.gz file to stdout.

Usage:

```
$ teleport debug profile [<flags>] [<PROFILES>]
```

Flags:

| Flag              | Default | Description                                                                                                                                                     |
| ----------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-s`, `--seconds` | `0`     | For CPU and trace profiles, profile for the given duration (if set to 0, it returns a profile snapshot). For other profiles, return a delta profile. Default: 0 |

Arguments:

| Argument | Default         | Description                                                                                                                                                             |
| -------- | --------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| PROFILES | none (optional) | Comma-separated profile names to be exported. Supported profiles: allocs,block,cmdline,profile,trace,goroutine,heap,mutex,threadcreate. Default: goroutine,heap,profile |

## teleport debug readyz

Checks if the instance is ready to serve requests.

Usage:

```
$ teleport debug readyz
```

## teleport debug set-log-level

Changes the log level.

Usage:

```
$ teleport debug set-log-level <LEVEL>
```

Arguments:

| Argument | Default         | Description                                                       |
| -------- | --------------- | ----------------------------------------------------------------- |
| LEVEL    | none (required) | Log level (case-insensitive). Any of: TRACE,DEBUG,INFO,WARN,ERROR |

## teleport discovery bootstrap

Bootstrap the necessary configuration for the discovery agent. It reads the provided agent configuration to determine what will be bootstrapped.

Usage:

```
$ teleport discovery bootstrap [<flags>]
```

Flags:

| Flag                             | Default                | Description                                                                                                                                                                                                       |
| -------------------------------- | ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--assume-role-arn`              | none                   | Optional AWS IAM role to assume while bootstrapping.                                                                                                                                                              |
| `--assumes-roles`                | none                   | Comma-separated list of additional IAM roles that the IAM identity should be able to assume. Each role can be either an IAM role ARN or the name of a role in the identity's account.                             |
| `--attach-to-role`               | none                   | Role name to attach policy to. Mutually exclusive with --attach-to-user. If none of the attach-to flags is provided, the command will try to attach the policy to the current user/role based on the credentials. |
| `--attach-to-user`               | none                   | User name to attach policy to. Mutually exclusive with --attach-to-role. If none of the attach-to flags is provided, the command will try to attach the policy to the current user/role based on the credentials. |
| `-c`, `--config`                 | `/etc/teleport.yaml`   | Path to a configuration file \[/etc/teleport.yaml].                                                                                                                                                               |
| `--database-service-policy-name` | `DatabaseAccess`       | Name of the policy for bootstrapping database service when database-service-role is provided.                                                                                                                     |
| `--database-service-role`        | none                   | Role name to attach database access policies to. If specified, bootstrap for the database service that accesses the databases discovered by this discovery service.                                               |
| `--external-id`                  | none                   | Optional AWS external ID used when assuming an AWS role.                                                                                                                                                          |
| `--[no-]confirm`                 | `false`                | Apply changes without confirmation prompt.                                                                                                                                                                        |
| `--[no-]manual`                  | `false`                | When executed in "manual" mode, it will print the instructions to complete the configuration instead of applying them directly.                                                                                   |
| `--policy-name`                  | `TeleportEC2Discovery` | Name of the Teleport Discovery service policy. Default: "TeleportEC2Discovery".                                                                                                                                   |
| `--proxy`                        | none                   | Teleport proxy address to connect to                                                                                                                                                                              |

## teleport help

Show help.

Usage:

```
$ teleport help [<command>...]
```

Arguments:

| Argument | Default         | Description           |
| -------- | --------------- | --------------------- |
| command  | none (optional) | Show help on command. |

## teleport install systemd

Creates a systemd unit file configuration.

Usage:

```
$ teleport install systemd [<flags>]
```

Flags:

| Flag              | Default                 | Description                                                                      |
| ----------------- | ----------------------- | -------------------------------------------------------------------------------- |
| `--env-file`      | `/etc/default/teleport` | Full path to the environment file.                                               |
| `--fd-limit`      | `524288`                | Maximum number of open file descriptors.                                         |
| `-o`, `--output`  | `stdout`                | Write to stdout with "--output=stdout" or custom path with --output=file:///path |
| `--pid-file`      | `/run/teleport.pid`     | Full path to the PID file.                                                       |
| `--teleport-path` | none                    | Full path to the Teleport binary.                                                |

## teleport integration configure access-graph aws-iam

Adds required AWS IAM permissions for syncing AWS resources into Access Graph service.

Usage:

```
$ teleport integration configure access-graph aws-iam --role=ROLE [<flags>]
```

Flags:

| Flag                    | Default | Description                                                  |
| ----------------------- | ------- | ------------------------------------------------------------ |
| `--aws-account-id`      | none    | The AWS account ID.                                          |
| `--cloud-trail-bucket`  | none    | ARN of the S3 bucket where CloudTrail writes events to.      |
| `--kms-key`             | none    | List of KMS Keys used to decrypt SQS and S3 bucket data.     |
| `--[no-]confirm`        | `false` | Apply changes without confirmation prompt.                   |
| `--[no-]eks-audit-logs` | `false` | Enable collection of EKS audit logs                          |
| `--role`                | none    | The AWS Role used by the AWS OIDC Integration.               |
| `--sqs-queue-url`       | none    | SQS Queue URL used to receive notifications from CloudTrail. |

## teleport integration configure access-graph azure

Adds required Azure permissions for syncing Azure resources into Access Graph service.

Usage:

```
$ teleport integration configure access-graph azure --managed-identity=MANAGED-IDENTITY --role-name=ROLE-NAME [<flags>]
```

Flags:

| Flag                 | Default | Description                                                             |
| -------------------- | ------- | ----------------------------------------------------------------------- |
| `--managed-identity` | none    | The ID of the managed identity to run the Discovery service.            |
| `--[no-]confirm`     | `false` | Apply changes without confirmation prompt.                              |
| `--role-name`        | none    | The name of the Azure Role to create and assign to the managed identity |
| `--subscription-id`  | none    | The subscription ID in which to discover resources.                     |

## teleport integration configure aws-app-access-iam

Adds required IAM permissions to connect to AWS using App Access.

Usage:

```
$ teleport integration configure aws-app-access-iam --role=ROLE [<flags>]
```

Flags:

| Flag               | Default | Description                                         |
| ------------------ | ------- | --------------------------------------------------- |
| `--aws-account-id` | none    | The AWS account ID.                                 |
| `--[no-]confirm`   | `false` | Apply changes without confirmation prompt.          |
| `--role`           | none    | The AWS Role name used by the AWS OIDC Integration. |

## teleport integration configure awsoidc-idp

Creates an IAM IdP (OIDC) in your AWS account to allow the AWS OIDC Integration to access AWS APIs.

Usage:

```
$ teleport integration configure awsoidc-idp --cluster=CLUSTER --name=NAME --role=ROLE --proxy-public-url=PROXY-PUBLIC-URL [<flags>]
```

Flags:

| Flag                 | Default | Description                                                   |
| -------------------- | ------- | ------------------------------------------------------------- |
| `--cluster`          | none    | Teleport Cluster name.                                        |
| `--name`             | none    | Integration name.                                             |
| `--[no-]confirm`     | `false` | Apply changes without confirmation prompt.                    |
| `--[no-]insecure`    | `false` | Insecure mode disables certificate validation.                |
| `--policy-preset`    | none    | Policy that will be applied to the AWS OIDC integration role. |
| `--proxy-public-url` | none    | Proxy Public URL (e.g. <https://mytenant.teleport.sh>).       |
| `--role`             | none    | The AWS Role used by the AWS OIDC Integration.                |

## teleport integration configure awsra-trust-anchor

Configure AWS IAM Roles Anywhere Integration by creating resources in AWS.

Usage:

```
$ teleport integration configure awsra-trust-anchor --cluster=CLUSTER --name=NAME --trust-anchor=TRUST-ANCHOR --trust-anchor-cert-b64=TRUST-ANCHOR-CERT-B64 --sync-profile=SYNC-PROFILE --sync-role=SYNC-ROLE [<flags>]
```

Flags:

| Flag                      | Default | Description                                                                                     |
| ------------------------- | ------- | ----------------------------------------------------------------------------------------------- |
| `--cluster`               | none    | Teleport Cluster's name.                                                                        |
| `--name`                  | none    | Integration name.                                                                               |
| `--[no-]confirm`          | `false` | Apply changes without confirmation prompt.                                                      |
| `--sync-profile`          | none    | The AWS IAM Roles Anywhere Profile name to create, which will be used to sync profiles as apps. |
| `--sync-role`             | none    | The AWS IAM Role name to create, which will be used to sync profiles as apps.                   |
| `--trust-anchor`          | none    | AWS Roles Anywhere Trust Anchor name.                                                           |
| `--trust-anchor-cert-b64` | none    | AWS Roles Anywhere Trust Anchor's certificate, encoded in base64.                               |

## teleport integration configure azure-oidc

Configures Azure / Entra ID OIDC integration.

Usage:

```
$ teleport integration configure azure-oidc --proxy-public-addr=PROXY-PUBLIC-ADDR --auth-connector-name=AUTH-CONNECTOR-NAME [<flags>]
```

Flags:

| Flag                           | Default | Description                                           |
| ------------------------------ | ------- | ----------------------------------------------------- |
| `--auth-connector-name`        | none    | The name of Entra ID SAML Auth connector in Teleport. |
| `--[no-]access-graph`          | `false` | Enable Access Graph integration.                      |
| `--[no-]skip-oidc-integration` | `false` | Skip OIDC integration.                                |
| `--proxy-public-addr`          | none    | The public address of Teleport Proxy Service          |

## teleport integration configure deployservice-iam

Create the required IAM Roles for the AWS OIDC Deploy Service.

Usage:

```
$ teleport integration configure deployservice-iam --cluster=CLUSTER --name=NAME --aws-region=AWS-REGION --role=ROLE --task-role=TASK-ROLE [<flags>]
```

Flags:

| Flag               | Default | Description                                      |
| ------------------ | ------- | ------------------------------------------------ |
| `--aws-account-id` | none    | The AWS account ID.                              |
| `--aws-region`     | none    | AWS Region.                                      |
| `--cluster`        | none    | Teleport Cluster's name.                         |
| `--name`           | none    | Integration name.                                |
| `--[no-]confirm`   | `false` | Apply changes without confirmation prompt.       |
| `--role`           | none    | The AWS Role used by the AWS OIDC Integration.   |
| `--task-role`      | none    | The AWS Role to be used by the deployed service. |

## teleport integration configure ec2-ssm-iam

Adds required IAM permissions and SSM Document to enable EC2 Auto Discover using SSM.

Usage:

```
$ teleport integration configure ec2-ssm-iam --role=ROLE --aws-region=AWS-REGION --cluster=CLUSTER --name=NAME [<flags>]
```

Flags:

| Flag                  | Default | Description                                                                |
| --------------------- | ------- | -------------------------------------------------------------------------- |
| `--aws-account-id`    | none    | The AWS account ID.                                                        |
| `--aws-region`        | none    | AWS Region.                                                                |
| `--cluster`           | none    | Teleport Cluster's name.                                                   |
| `--name`              | none    | Integration name.                                                          |
| `--[no-]confirm`      | `false` | Apply changes without confirmation prompt.                                 |
| `--proxy-public-url`  | none    | Proxy Public URL (e.g. <https://mytenant.teleport.sh>).                    |
| `--role`              | none    | The AWS Role name used by the AWS OIDC Integration.                        |
| `--ssm-document-name` | none    | The AWS SSM Document name to create that will be used to install teleport. |

## teleport integration configure eks-iam

Adds required IAM permissions for enrollment of EKS clusters to Teleport.

Usage:

```
$ teleport integration configure eks-iam --aws-region=AWS-REGION --role=ROLE [<flags>]
```

Flags:

| Flag               | Default | Description                                    |
| ------------------ | ------- | ---------------------------------------------- |
| `--aws-account-id` | none    | The AWS account ID.                            |
| `--aws-region`     | none    | AWS Region.                                    |
| `--[no-]confirm`   | `false` | Apply changes without confirmation prompt.     |
| `--role`           | none    | The AWS Role used by the AWS OIDC Integration. |

## teleport integration configure externalauditstorage

Bootstraps required infrastructure and adds required IAM permissions for External Audit Storage logs.

Usage:

```
$ teleport integration configure externalauditstorage --aws-region=AWS-REGION --cluster-name=CLUSTER-NAME --integration=INTEGRATION --role=ROLE --policy=POLICY --session-recordings=SESSION-RECORDINGS --audit-events=AUDIT-EVENTS --athena-results=ATHENA-RESULTS --athena-workgroup=ATHENA-WORKGROUP --glue-database=GLUE-DATABASE --glue-table=GLUE-TABLE [<flags>]
```

Flags:

| Flag                   | Default | Description                                        |
| ---------------------- | ------- | -------------------------------------------------- |
| `--athena-results`     | none    | The S3 URI where Athena results are stored.        |
| `--athena-workgroup`   | none    | The name of the Athena workgroup used.             |
| `--audit-events`       | none    | The S3 URI where audit events are stored.          |
| `--aws-account-id`     | none    | The AWS account ID.                                |
| `--aws-partition`      | `aws`   | AWS partition (default: aws).                      |
| `--aws-region`         | none    | AWS region.                                        |
| `--cluster-name`       | none    | Teleport Cluster name.                             |
| `--glue-database`      | none    | The name of the Glue database used.                |
| `--glue-table`         | none    | The name of the Glue table used.                   |
| `--integration`        | none    | AWS OIDC Integration name.                         |
| `--[no-]bootstrap`     | `false` | Bootstrap required infrastructure.                 |
| `--policy`             | none    | The name for the Policy to attach to the IAM role. |
| `--role`               | none    | The IAM Role used by the AWS OIDC Integration.     |
| `--session-recordings` | none    | The S3 URI where session recordings are stored.    |

## teleport integration configure listdatabases-iam

Adds required IAM permissions to List RDS Databases (Instances and Clusters).

Usage:

```
$ teleport integration configure listdatabases-iam --aws-region=AWS-REGION --role=ROLE [<flags>]
```

Flags:

| Flag               | Default | Description                                    |
| ------------------ | ------- | ---------------------------------------------- |
| `--aws-account-id` | none    | The AWS account ID.                            |
| `--aws-region`     | none    | AWS Region.                                    |
| `--[no-]confirm`   | `false` | Apply changes without confirmation prompt.     |
| `--role`           | none    | The AWS Role used by the AWS OIDC Integration. |

## teleport integration configure samlidp gcp-workforce

Configures GCP Workforce Identity Federation pool and SAML provider.

Usage:

```
$ teleport integration configure samlidp gcp-workforce --org-id=ORG-ID --pool-name=POOL-NAME --pool-provider-name=POOL-PROVIDER-NAME --idp-metadata-url=IDP-METADATA-URL
```

Flags:

| Flag                   | Default | Description                                        |
| ---------------------- | ------- | -------------------------------------------------- |
| `--idp-metadata-url`   | none    | Teleport SAML IdP metadata endpoint.               |
| `--org-id`             | none    | GCP organization ID.                               |
| `--pool-name`          | none    | Name for the new workforce identity pool.          |
| `--pool-provider-name` | none    | Name for the new workforce identity pool provider. |

## teleport integration configure session-summaries bedrock

Adds required IAM permissions for Session Summaries feature using Amazon Bedrock.

Usage:

```
$ teleport integration configure session-summaries bedrock --role=ROLE [<flags>]
```

Flags:

| Flag               | Default | Description                                                                                                                           |
| ------------------ | ------- | ------------------------------------------------------------------------------------------------------------------------------------- |
| `--aws-account-id` | none    | The AWS account ID.                                                                                                                   |
| `--[no-]confirm`   | `false` | Apply changes without confirmation prompt.                                                                                            |
| `--resource`       | `*`     | The Amazon Bedrock resource to grant access to. Can be a full ARN or a model ID (e.g., 'anthropic.claude-v2' or '\*' for all models). |
| `--role`           | none    | The AWS Role name used by the AWS OIDC Integration.                                                                                   |

## teleport join openssh

Join an SSH server to a Teleport cluster.

Usage:

```
$ teleport join openssh [<flags>]
```

Flags:

| Flag                        | Default                | Description                                                                            |
| --------------------------- | ---------------------- | -------------------------------------------------------------------------------------- |
| `--additional-principals`   | none                   | Additional principal to include, can be specified multiple times.                      |
| `--address`                 | none                   | Hostname or IP address of this OpenSSH node.                                           |
| `--data-dir`                | `/var/lib/teleport`    | Path to directory to store teleport data \[/var/lib/teleport].                         |
| `-d`, `--[no-]debug`        | `false`                | Enable verbose logging to stderr.                                                      |
| `--join-method`             | none                   | Method to use to join the cluster (token, iam, ec2).                                   |
| `--labels`                  | none                   | Comma-separated list of labels for this OpenSSH node, for example env=dev,app=web.     |
| `--[no-]insecure`           | `false`                | Insecure mode disables certificate validation.                                         |
| `--[no-]restart-sshd`       | `true`                 | Restart OpenSSH.                                                                       |
| `--[no-]skip-version-check` | `false`                | Skip version checking between server and client.                                       |
| `--openssh-config`          | `/etc/ssh/sshd_config` | Path to the OpenSSH config file \[/etc/ssh/sshd\_config].                              |
| `--proxy-server`            | none                   | Address of the proxy server.                                                           |
| `--sshd-check-command`      | `sshd -t -f`           | Command to use when checking OpenSSH config for validity. (sshd -t -f \<sshd\_config>) |
| `--sshd-restart-command`    | none                   | Command to use when restarting openssh.                                                |
| `--token`                   | none                   | Invitation token or path to file with token value to register with an auth server.     |

## teleport node configure

Generate a configuration file for an SSH node.

Usage:

```
$ teleport node configure [<flags>]
```

Flags:

| Flag                | Default             | Description                                                                                                                                                                                     |
| ------------------- | ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--auth-server`     | none                | Address of the auth server.                                                                                                                                                                     |
| `--azure-client-id` | none                | Sets the client ID of the managed identity to join with. Only applies to the 'azure' join method.                                                                                               |
| `--ca-pin`          | none                | Comma-separated list of SPKI hashes for the CA used to verify the auth server.                                                                                                                  |
| `--cluster-name`    | none                | Unique cluster name, e.g. example.com.                                                                                                                                                          |
| `--data-dir`        | `/var/lib/teleport` | Path to a directory where Teleport keeps its data.                                                                                                                                              |
| `--join-method`     | `token`             | Method to use to join the cluster (azure, azure\_devops, bitbucket, circleci, ec2, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--labels`          | none                | Comma-separated list of labels to add to newly created nodes, for example env=staging,cloud=aws.                                                                                                |
| `--node-name`       | none                | Name for the Teleport node.                                                                                                                                                                     |
| `--[no-]silent`     | `false`             | Suppress user hint message.                                                                                                                                                                     |
| `-o`, `--output`    | `stdout`            | Write to stdout with "--output=stdout", default config file with "--output=file" or custom path with --output=file:///path                                                                      |
| `--proxy`           | none                | Address of the proxy server.                                                                                                                                                                    |
| `--public-addr`     | none                | The hostport that the node advertises for the SSH endpoint.                                                                                                                                     |
| `--token`           | none                | Invitation token or path to file with token value to register with an auth server.                                                                                                              |
| `--version`         | `v3`                | Teleport configuration version.                                                                                                                                                                 |

## teleport start

Starts the Teleport service.

Usage:

```
$ teleport start [<flags>]
```

Flags:

| Flag                        | Default | Description                                                                                                                                                                                                                                                     |
| --------------------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--advertise-ip`            | none    | IP to advertise to clients if running behind NAT                                                                                                                                                                                                                |
| `--apply-on-startup`        | none    | Path to a non-empty YAML file containing resources to apply on startup. Works on initialized clusters, unlike --bootstrap. Only supports the following kinds: \[user token cluster\_networking\_config cluster\_auth\_preference bot role, workload\_identity]. |
| `--auth-server`             | none    | Address of the auth server \[127.0.0.1:3025]                                                                                                                                                                                                                    |
| `--bootstrap`               | none    | Path to a non-empty YAML file containing bootstrap resources (ignored if already initialized)                                                                                                                                                                   |
| `--ca-pin`                  | none    | CA pin to validate the Auth Server (can be repeated for multiple pins)                                                                                                                                                                                          |
| `-c`, `--config`            | none    | Path to a configuration file \[/etc/teleport.yaml]                                                                                                                                                                                                              |
| `--diag-addr`               | none    | Start diagnostic prometheus and healthz endpoint.                                                                                                                                                                                                               |
| `-d`, `--[no-]debug`        | `false` | Enable verbose logging to stderr                                                                                                                                                                                                                                |
| `--labels`                  | none    | Comma-separated list of labels for this node, for example env=dev,app=web                                                                                                                                                                                       |
| `-l`, `--listen-ip`         | none    | IP address to bind to \[0.0.0.0]                                                                                                                                                                                                                                |
| `--nodename`                | none    | Name of this node, defaults to hostname                                                                                                                                                                                                                         |
| `--[no-]fips`               | `false` | Start Teleport in FedRAMP/FIPS 140 mode.                                                                                                                                                                                                                        |
| `--[no-]insecure`           | `false` | Insecure mode disables certificate validation                                                                                                                                                                                                                   |
| `--[no-]insecure-no-tls`    | `false` | Disable TLS for the web socket                                                                                                                                                                                                                                  |
| `--[no-]no-debug-service`   | `false` | Disables debug service.                                                                                                                                                                                                                                         |
| `--[no-]permit-user-env`    | `false` | Enables reading of \~/.tsh/environment when creating a session                                                                                                                                                                                                  |
| `--[no-]skip-version-check` | `false` | Skip version checking between server and client.                                                                                                                                                                                                                |
| `--pid-file`                | none    | Full path to the PID file. By default no PID file will be created                                                                                                                                                                                               |
| `-r`, `--roles`             | none    | Comma-separated list of roles to start with \[proxy,node,auth,app,db]                                                                                                                                                                                           |
| `--token`                   | none    | Invitation token or path to file with token value. Used to register with an auth server \[none]                                                                                                                                                                 |
| `--token-secret`            | none    | Invitation token secret or path to file with secret value. Used to register with an auth server \[none]                                                                                                                                                         |

## teleport status

Print the status of the current SSH session.

Usage:

```
$ teleport status
```

## teleport tpm identify

Output identifying information related to the TPM detected on the system.

Usage:

```
$ teleport tpm identify
```

## teleport version

Print the version of your teleport binary.

Usage:

```
$ teleport version [<flags>]
```

Flags:

| Flag         | Default | Description                            |
| ------------ | ------- | -------------------------------------- |
| `--[no-]raw` | `false` | Print the raw teleport version string. |
