Teleport
API Getting Started Guide
- Version 15.x
- Version 14.x
- Version 13.x
- Version 12.x
- Older Versions
- Available for:
- OpenSource
- Team
- Cloud
- Enterprise
In this getting started guide we will use the Teleport API Go client to connect to a Teleport Auth Service.
Here are the steps we'll walkthrough:
- Create an API user using a simple role-based authentication method.
- Generate credentials for that user.
- Create and connect a Go client to interact with Teleport's API.
Prerequisites
- Install Go 1.21+ and Go development environment.
-
A running Teleport cluster. For details on how to set this up, see the Getting Started guide.
-
The
tctladmin tool andtshclient tool version >= 14.2.1.See Installation for details.
To check version information, run the tctl version and tsh version commands.
For example:
tctl versionTeleport v14.2.1 git:api/14.0.0-gd1e081e go1.21
tsh versionTeleport v14.2.1 go1.21
Proxy version: 14.2.1Proxy: teleport.example.com
-
A Teleport Team account. If you don't have an account, sign up to begin your free trial.
-
The Enterprise
tctladmin tool andtshclient tool, version >= 14.1.3.You can download these tools from the Cloud Downloads page.
To check version information, run the tctl version and tsh version commands.
For example:
tctl versionTeleport Enterprise v14.1.3 git:api/14.0.0-gd1e081e go1.21
tsh versionTeleport v14.1.3 go1.21
Proxy version: 14.1.3Proxy: teleport.example.com
-
A running Teleport Enterprise cluster. For details on how to set this up, see the Enterprise Getting Started guide.
-
The Enterprise
tctladmin tool andtshclient tool version >= 14.2.1.You can download these tools by visiting your Teleport account workspace.
To check version information, run the tctl version and tsh version commands.
For example:
tctl versionTeleport Enterprise v14.2.1 git:api/14.0.0-gd1e081e go1.21
tsh versionTeleport v14.2.1 go1.21
Proxy version: 14.2.1Proxy: teleport.example.com
-
A Teleport Enterprise Cloud account. If you don't have an account, sign up to begin a free trial of Teleport Team and upgrade to Teleport Enterprise Cloud.
-
The Enterprise
tctladmin tool andtshclient tool version >= 14.1.3.You can download these tools from the Cloud Downloads page.
To check version information, run the tctl version and tsh version commands.
For example:
tctl versionTeleport Enterprise v14.1.3 git:api/14.0.0-gd1e081e go1.21
tsh versionTeleport v14.1.3 go1.21
Proxy version: 14.1.3Proxy: teleport.example.com
- To check that you can connect to your Teleport cluster, sign in with
tsh login, then verify that you can runtctlcommands using your current credentials.tctlis supported on macOS and Linux machines. For example:If you can connect to the cluster and run thetsh login --proxy=teleport.example.com --user=[email protected]tctl statusCluster teleport.example.com
Version 14.2.1
CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
tctl statuscommand, you can use your current credentials to run subsequenttctlcommands from your workstation. If you host your own Teleport cluster, you can also runtctlcommands on the computer that hosts the Teleport Auth Service for full permissions.
Step 1/3. Create a user
When running Teleport in production, you should adhere to the following best practices to avoid security incidents:
- Avoid using
sudoin production environments unless it's necessary. - Create new, non-root, users and use test instances for experimenting with Teleport.
- Run Teleport's services as a non-root user unless required. Only the SSH
Service requires root access. Note that you will need root permissions (or
the
CAP_NET_BIND_SERVICEcapability) to make Teleport listen on a port numbered <1024(e.g.443). - Follow the principle of least privilege. Don't give users
permissive roles when more a restrictive role will do.
For example, don't assign users the built-in
access,editorroles, which give them permissions to access and edit all cluster resources. Instead, define roles with the minimum required permissions for each user and configure access requests to provide temporary elevated permissions. - When you enroll Teleport resources—for example, new databases or applications—you
should save the invitation token to a file.
If you enter the token directly on the command line, a malicious user could view
it by running the
historycommand on a compromised system.
You should note that these practices aren't necessarily reflected in the examples used in documentation. Examples in the documentation are primarily intended for demonstration and for development environments.
Read API authorization to learn more about defining custom roles for your API client.
Create a user api-admin with the built-in role editor:
Run this directly on your Auth Server unless you are using Teleport Cloud
Add a user and login via the Proxy Service
sudo tctl users add api-admin --roles=editor
Step 2/3. Generate client credentials
Log in as the newly created user with tsh.
generate tsh profile
tsh login --user=api-admin --proxy=tele.example.com
The Profile Credentials loader will automatically retrieve Credentials from the current profile in the next step.
Step 3/3. Create a Go project
Set up a new Go module and import the client package:
mkdir client-demo && cd client-demogo mod init client-demogo get github.com/gravitational/teleport/api/client
To ensure compatibility, you should use a version of Teleport's API library that matches the major version of Teleport running in your cluster.
To find the pseudoversion appropriate for a go.mod file for a specific git tag,
run the following command from the teleport repository:
go list -f '{{.Version}}' -m "github.com/gravitational/teleport/api@$(git rev-parse v12.1.0)"v0.0.0-20230307032901-49a6de744a3a
Create a file called main.go, modifying the Addrs strings as needed:
package main
import (
"context"
"log"
"github.com/gravitational/teleport/api/client"
)
func main() {
ctx := context.Background()
clt, err := client.New(ctx, client.Config{
Addrs: []string{
// Teleport Cloud customers should use <tenantname>.teleport.sh
"tele.example.com:443",
"tele.example.com:3025",
"tele.example.com:3024",
"tele.example.com:3080",
},
Credentials: []client.Credentials{
client.LoadProfile("", ""),
},
})
if err != nil {
log.Fatalf("failed to create client: %v", err)
}
defer clt.Close()
resp, err := clt.Ping(ctx)
if err != nil {
log.Fatalf("failed to ping server: %v", err)
}
log.Printf("Example success!")
log.Printf("Example server response: %s", resp)
log.Printf("Server version: %s", resp.ServerVersion)
}
Now you can run the program and connect the client to the Teleport Auth Server to fetch the server version.
go run main.go
Next steps
- Learn about pkg.go.dev
- Learn how to use the client
- Learn how to work with credentials
- Read about Teleport API architecture for an in-depth overview of the API and API clients.
- Read API authorization to learn more about defining custom roles for your API client.
- Review the
clientpkg.go reference documentation for more information about working with the Teleport API programmatically. - Familiarize yourself with the admin manual to make the best use of the API.