Fork me on GitHub


Dynamic App Registration

  • Available for:
  • OpenSource
  • Team
  • Cloud
  • Enterprise

Dynamic app registration allows Teleport administrators to register new apps (or update/unregister existing ones) without having to update the static configuration and restarting Teleport Application Service instances.

To enable dynamic registration, include a resources section in your Application Service configuration with a list of resource label selectors you'd like this service to monitor for registering:

  enabled: "yes"
  - labels:
      "*": "*"

You can use a wildcard selector to register all dynamic app resources in the cluster on the Application Service or provide a specific set of labels for a subset:

- labels:
    "env": "prod"
- labels:
    "env": "test"

Next define an application resource:

kind: app
version: v3
  name: example
  description: "Example app"
    env: test
  uri: http://localhost:4321

See the full app resource spec reference.

The user creating the dynamic registration needs to have a role with access to the application labels and the app resource. In this example role the user can only create and maintain application services labeled env: test.

kind: role
  name: dynamicappregexample
      env: test
    - resources:
      - app
      - list
      - create
      - read
      - update
      - delete
version: v5

To create an application resource, run:

Log in to your cluster with tsh so you can use tctl from your local machine.

You can also run tctl on your Auth Service host without running "tsh login"


tsh login --user=myuser
tctl create app.yaml
Cloud is not available for Teleport v.
Please use the latest version of Teleport Enterprise documentation.

After the resource has been created, it will appear among the list of available apps (in tsh apps ls or UI) as long as at least one Application Service instance picks it up according to its label selectors.

To update an existing application resource, run:

tctl create -f app.yaml

If the updated resource's labels no longer match a particular app agent, it will unregister and stop proxying it.

To delete an application resource, run:

tctl rm app/example