
Getting Started with Teleport Application Access

Getting Started

Let's connect to Grafana using Teleport Application Access in three steps:

  • Launch Grafana in a Docker container.
  • Install Teleport and configure it to proxy Grafana.
  • Access Grafana through Teleport.


  • We will use Docker to launch Grafana in a container. Alternatively, if you have another web application you'd like to protect with App Access, you can use that instead.
  • We will assume your Teleport cluster is accessible at and * Configured DNS records are required to automatically fetch a Let's Encrypt certificate.

Step 1/3. Start Grafana

We've picked Grafana for this tutorial since it's very easy to run with zero configuration required. If you have another web application you'd like to expose, skip over to Step 2.

Grafana can be launched in a Docker container with a single command:

docker run -d -p 3000:3000 grafana/grafana

Step 2/3. Install and configure Teleport

Download the latest version of Teleport for your platform from our downloads page.

Teleport requires a valid TLS certificate to operate and can fetch one automatically using the Let's Encrypt ACME protocol.

We will assume that you have configured DNS records for and * to point to the Teleport node.

The examples below may include the use of the sudo keyword, token UUIDs, and users with elevated privileges to make following each step easier.

We recommend you follow the best practices to avoid security incidents:

  1. Avoid using sudo in production environments unless it's necessary.
  2. Create new, non-root users and use test instances for experimenting with Teleport.
  3. You can run many of Teleport's services as a non-root user. For example, the auth, proxy, application access, Kubernetes access, and database access services can run as a non-root user. Only the SSH/node service requires root access. You will need root permissions (or the CAP_NET_BIND_SERVICE capability) to make Teleport listen on a port numbered < 1024 (e.g. 443).
  4. Follow the "Principle of Least Privilege" (PoLP) and "Zero Admin" best practices. Don't give users permissive roles when the more restrictive access,editor roles will do instead.
  5. Save tokens into a file rather than sharing tokens directly as strings.

Let's generate a Teleport config with ACME enabled:

sudo teleport configure --acme [email protected] -o file

Web Proxy Port

Teleport uses the TLS-ALPN-01 ACME challenge to validate certificate requests, which only works on port 443. Make sure your Teleport proxy is accessible on port 443 when using ACME for certificate management.

Now start Teleport and point it to the application endpoint:

sudo teleport start \
  --roles=proxy,auth,app \
  --app-name=grafana \
  --app-uri=http://localhost:3000

Make sure to update --app-name and --app-uri accordingly if you're using your own web application.
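
Teleport reaches Grafana over loopback (--app-uri=http://localhost:3000), but the -p 3000:3000 mapping from Step 1 by default also publishes the port on every host interface, so Grafana stays reachable without going through Teleport. The script below is an added example, not part of the Teleport documentation: it parses docker port output and flags bindings that are not loopback-only. The sample lines are constructed and the container name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the Teleport docs. Assumes `docker port <container>`
# prints lines such as "3000/tcp -> 0.0.0.0:3000".

# Print every published binding whose host address is not loopback.
exposed_bindings() {
  while IFS= read -r line; do
    host=${line#*" -> "}   # "0.0.0.0:3000", "[::]:3000", "127.0.0.1:3000"
    addr=${host%:*}        # drop the trailing :port
    case "$addr" in
      ""|127.*|::1|"[::1]") ;;      # blank line or loopback: not exposed
      *) printf '%s\n' "$line" ;;   # any other address bypasses the proxy
    esac
  done
}

# Exit status 0 when every binding is loopback-only, 1 otherwise.
check_bindings() {
  found=$(exposed_bindings)
  [ -z "$found" ] && return 0
  printf 'reachable without Teleport:\n%s\n' "$found" >&2
  return 1
}

# Constructed samples: what `docker port` reports for the tutorial's
# `-p 3000:3000` and for a loopback-only `-p 127.0.0.1:3000:3000`.
SAMPLE_PUBLISHED='3000/tcp -> 0.0.0.0:3000
3000/tcp -> [::]:3000'
SAMPLE_LOOPBACK='3000/tcp -> 127.0.0.1:3000'

printf '%s\n' "$SAMPLE_PUBLISHED" | check_bindings || echo "-p 3000:3000: exposed"
printf '%s\n' "$SAMPLE_LOOPBACK" | check_bindings && echo "-p 127.0.0.1:3000:3000: ok"

# Against a live container (the name is a placeholder):
#   docker port <grafana-container> | check_bindings
```

Publishing with -p 127.0.0.1:3000:3000 keeps the --app-uri above working while leaving Teleport as the only network path to Grafana.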

Next, let's create a user to access the application we've just connected. Teleport has a built-in role called access that allows users to access cluster resources. Create a local user assigned this role:

tctl users add --roles=access alice

The command will output a signup link. Use it to choose a password and set up a second factor. After that, it will take you to the Teleport web UI.

Step 3/3. Access the application

There are a couple of ways to access the proxied application.

Every application is assigned a public address which you use to navigate to the application directly. In our sample Grafana application we have provided a public address with the --app-public-addr flag, so go to (replace with your app public address) to access the app. If you're not logged into Teleport, you will need to authenticate before the application will show.

Alternatively, log into the Teleport Web Interface at (replace with your proxy public address). All available applications are displayed on the Applications tab. Click on the Grafana application tile to access it.

Next steps

Dive deeper into the topics relevant to your Application Access use-case:
