Simplifying FedRAMP Compliance with Teleport
Jun 27
Register Today
Teleport logoTry For Free
Fork me on GitHub


teleport CLI Reference

The CLI tool that supports the Teleport Access Platform is called teleport, and allows Teleport services to be managed over the command line:

The primary commands for the teleport CLI are as follows:

teleport app startStarts the Teleport Application Service.
teleport configureGenerates and writes a configuration YAML file for the Teleport service. This file should be customized in production to suit the needs of your environment, and the default output should only be used when testing.
teleport db configure aws create-iamGenerates, creates, and attaches desired IAM policies to a Teleport-managed database.
teleport db configure aws print-iamGenerates and outputs current IAM policies for a Teleport-managed database.
teleport db configure bootstrapUsed to bootstrap a configuration to the Teleport Database Service by reading a provided configuration.
teleport db configure createGenerates a configuration YAML file for the Database Service. This file should be customized in production to suit the needs of your environment, and the default output should only be used when testing.
teleport db startStarts the Teleport Database Service.
teleport helpOutputs guidance for using Teleport commands.
teleport install systemdCreates a systemd unit file, used to configure and install a teleport service daemon.
teleport join opensshRegisters an OpenSSH server with Teleport.
teleport node configureGenerates a configuration YAML file for a Teleport Node accessed via SSH. This file should be customized in production to suit the needs of your environment, and the default output should only be used when testing.
teleport startStarts the teleport process in the foreground using the current shell session, including any services configured by the configuration YAML file.
teleport statusPrints the status of the current active Teleport SSH session.
teleport versionPrints the current release version of the Teleport binary installed on your system.
teleport debug set-log-levelChanges instance log level.
teleport debug get-log-levelFetches instance current log level.
teleport debug debug profileExport the application profiles (pprof format).

For more information on subcommands when working with the teleport cli, use the --help option or teleport <subcommand> --help.

teleport start

The teleport start command includes a large number of optional configuration flags.

While configuration flags for teleport start can be used to set parameters for Teleport's configuration, we recommend using a configuration file in production.


NameDefault Value(s)Allowed Value(s)Description
-d, --debugnonenoneenable verbose logging to stderr
--insecure-no-tlsfalsetrue or falseTells proxy to not generate default self-signed TLS certificates. This is useful when running Teleport on kubernetes (behind reverse proxy) or behind things like AWS ELBs, GCP LBs or Azure Load Balancers where SSL termination is provided externally.
-r, --rolesproxy, node, authstring comma-separated list of proxy, node, auth, db, or appstart listed services/roles. These roles are explained in the Core Concepts document.
--pid-filenonestring filepathcreate a PID file at the path
--advertise-ipnonestring IPadvertise IP to clients, often used behind NAT
-l, --listen-ip0.0.0.0net. IPbinds services to IP
--auth-servernonestring IPproxy attempts to connect to a specified auth server instead of local auth, disables --roles=auth if set
--tokennonestringset invitation token to register with an auth server on start, used once and ignored afterwards. Obtain it by running tctl nodes add on the auth server.We recommend to use tools like pwgen to generate sufficiently random tokens of 32+ byte length.
--ca-pinnonestring sha256:<hash>set CA pin to validate the Auth Server. Generated by tctl status
--nodenamevalue returned by the hostname command on the machinestringassigns an alternative name for the node which can be used by clients to log in.
-c, --config/etc/teleport.yamlstring .yaml filepathstarts services with config specified in the YAML file, overrides CLI flags if set
--apply-on-startupnonestring .yaml filepathOn startup, always apply resources described in the file at the given path. Only supports the following kinds: token, role, user, cluster-auth-preference, cluster-networking-config.
--bootstrapnonestring .yaml filepathbootstrap configured YAML resources
--labelsnonestring comma-separated listassigns a set of labels to a node, for example env=dev,app=web. See the explanation of labeling mechanism in the Labeling Nodes section.
--insecurenonenonedisable certificate validation on Proxy Service, validation still occurs on Auth Service.
--fipsnonenonestart Teleport in FedRAMP/FIPS 140-2 mode.
--skip-version-checkfalsetrue or falseSkips version checks between the Auth Server this Teleport instance
--diag-addrnonenoneEnable diagnostic endpoints
--permit-user-envnonenoneflag reads in environment variables from ~/.tsh/environment when creating a session.
--app-namenonenoneName of the application to start
--app-urinonenoneInternal address of the application to proxy
--app-public-addrnonenonePublic address fo the application to proxy

teleport start --roles

The --roles flag when used with teleport --start instructs Teleport on which specific Teleport services to start. Below is a more cohesive table of roles and their associated services that teleport start supports:

ServiceRole NameDescription
NodenodeAllows SSH connections from authenticated clients.
AuthauthAuthenticates and authorizes hosts and users who want access to Teleport-managed resources or information about a cluster.
ProxyproxyThe gateway that clients use to connect to the Auth Service or resources managed by Teleport.
AppappProvides access to applications.
DatabasedbProvides access to databases.

Teleport Cloud manages Teleport instances with the auth and proxy roles. Use the remaining roles to manage access to specific resources and other Teleport clusters.


# By default without any configuration, teleport starts running as a single-node
# cluster. It's the equivalent of running with --roles=node,proxy,auth
sudo teleport start

# Starts a node named 'db' running in strictly SSH mode role, joining the cluster
# serviced by the auth server running on
sudo teleport start --roles=node --auth-server= --token=xyz --nodename=db

# Same as the above, but the node runs with db=master label and can be connected
# to using that label in addition to its name.
sudo teleport start --roles=node --auth-server= --labels=db=master

# Starts an app server that proxies the application "example-app" running at http://localhost:8080.
sudo teleport start --roles=app --token=xyz \
    --app-name="example-app" \
    --app-uri="http://localhost:8080" \