Date: 2026-01-01

Version: 18.x

Kind: app_server

Version: v3

The app_server resource represents an application that has been registered with Teleport.

The Teleport Application Service creates an app_server in two situations:

- It reads information about the target application in its configuration file when it first starts.
- It fetches a dynamically registered app resource from the Teleport backend that matches its dynamic resource watchers.

There can be multiple instances of an app_server for a single application, each corresponding to a different Teleport Application Service instance that proxies the application. Read more about High Availability for the Teleport Application Service. Read the reference guide for the app resource.

Example:

```yaml
kind: "string"
sub_kind: "string"
version: "string"
metadata:
spec:
scope: "string"
```

| Field Name | Description | Type |
|---|---|---|
| kind | The app server resource kind. Always "app_server". | string |
| metadata | The app server metadata. | Metadata |
| scope | The advertised scope of the server, which cannot change once assigned. | string |
| spec | The app server spec. | App Server Spec V3 |
| sub_kind | An optional resource subkind. | string |
| version | The resource version. | string |

Contains additional options for AWS applications.

Example:

```yaml
external_id: "string"
roles_anywhere_profile:
```

| Field Name | Description | Type |
|---|---|---|
| external_id | The AWS External ID used when assuming roles in this app. | string |
| roles_anywhere_profile | Contains the IAM Roles Anywhere fields associated with this Application. These fields are set when performing the synchronization of AWS IAM Roles Anywhere Profiles into Teleport Apps. | App AWS Roles Anywhere Profile |

Contains the fields that represent an AWS IAM Roles Anywhere Profile.

Example:

```yaml
profile_arn: "string"
accept_role_session_name: true
```

| Field Name | Description | Type |
|---|---|---|
| accept_role_session_name | Whether this Roles Anywhere Profile accepts a custom role session name. When not supported, the AWS Session Name will be the X.509 certificate's serial number. When supported, the AWS Session Name will be the identity's username. This value comes from: https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_ProfileDetail.html / acceptRoleSessionName | Boolean |
| profile_arn | The AWS IAM Roles Anywhere Profile ARN that originated this Teleport App. | string |

Encapsulates information about an AWS Identity Center account application.

Example:

```yaml
account_id: "string"
permission_sets:
  -
  -
  -
```

| Field Name | Description | Type |
|---|---|---|
| account_id | Account ID is the AWS-assigned ID of the account | string |
| permission_sets | Lists the available permission sets on the given account | []Identity Center Permission Set |

The app access server spec.

Example:

```yaml
version: "string"
hostname: "string"
host_id: "string"
rotation:
app:
proxy_ids:
  - "string"
  - "string"
  - "string"
relay_group: "string"
relay_ids:
  - "string"
  - "string"
  - "string"
component_features:
```

| Field Name | Description | Type |
|---|---|---|
| app | The app proxied by this app server. | App V3 |
| component_features | Component_features contains features supported by this app server. | Component Features |
| host_id | The app server host uuid. | string |
| hostname | The app server hostname. | string |
| proxy_ids | A list of proxy IDs this server is expected to be connected to. | []string |
| relay_group | The name of the Relay group that the server is connected to | string |
| relay_ids | The list of Relay host IDs that the server is connected to | []string |
| rotation | Contains the app server CA rotation information. | Rotation |
| version | The Teleport version that the server is running. | string |

The AppV3 resource spec.

Example:

```yaml
uri: "string"
public_addr: "string"
dynamic_labels:
  "string":
  "string":
  "string":
insecure_skip_verify: true
rewrite:
aws:
cloud: "string"
UserGroups:
  - "string"
  - "string"
  - "string"
integration: "string"
required_app_names:
  - "string"
  - "string"
  - "string"
cors:
identity_center:
tcp_ports:
  -
  -
  -
use_any_proxy_public_addr: true
mcp:
```

| Field Name | Description | Type |
|---|---|---|
| UserGroups | A list of user group IDs that this app is associated with. | []string |
| aws | Contains additional options for AWS applications. | App AWS |
| cloud | Identifies the cloud instance the app represents. | string |
| cors | Policy defines the Cross-Origin Resource Sharing settings for the app. | CORS Policy |
| dynamic_labels | The app's command labels. | map[string]Command Label V2 |
| identity_center | Encapsulates information specific to AWS IAM Identity Center. Only valid for Identity Center account apps. | App Identity Center |
| insecure_skip_verify | Disables app's TLS certificate verification. | Boolean |
| integration | The integration name that must be used to access this Application. Only applicable to AWS App Access. If present, the Application must use the Integration's credentials instead of ambient credentials to access Cloud APIs. | string |
| mcp | Contains MCP server related configurations. | MCP |
| public_addr | The public address the application is accessible at. | string |
| required_app_names | A list of app names that are required for this app to function. Any app listed here will be part of the authentication redirect flow and authenticate alongside this app. | []string |
| rewrite | A list of rewriting rules to apply to requests and responses. | Rewrite |
| tcp_ports | A list of ports and port ranges that an app agent can forward connections to. Only applicable to TCP App Access. If this field is not empty, URI is expected to contain no port number and start with the tcp protocol. | []Port Range |
| uri | The web app endpoint. | string |
| use_any_proxy_public_addr | Will rebuild this app's fqdn based on the proxy public addr that the request originated from. This should be true if your proxy has multiple proxy public addrs and you want the app to be accessible from any of them. If public_addr is explicitly set in the app spec, setting this value to true will overwrite that public address in the web UI. | Boolean |

Represents an app resource.

Example:

```yaml
kind: "string"
sub_kind: "string"
version: "string"
metadata:
spec:
```

| Field Name | Description | Type |
|---|---|---|
| kind | The app resource kind. Always "app". | string |
| metadata | The app resource metadata. | Metadata |
| spec | The app resource spec. | App Spec V3 |
| sub_kind | An optional resource subkind. | string |
| version | The resource version. It must be specified. Supported values are: v3. | string |

Defines the CORS policy for AppSpecV3

Example:

```yaml
allowed_origins:
  - "string"
  - "string"
  - "string"
allowed_methods:
  - "string"
  - "string"
  - "string"
allowed_headers:
  - "string"
  - "string"
  - "string"
allow_credentials: true
max_age: 1
exposed_headers:
  - "string"
  - "string"
  - "string"
```

| Field Name | Description | Type |
|---|---|---|
| allow_credentials | Allow_credentials indicates whether credentials are allowed. | Boolean |
| allowed_headers | Allowed_headers specifies which headers can be used when accessing the app. | []string |
| allowed_methods | Allowed_methods specifies which methods are allowed when accessing the app. | []string |
| allowed_origins | Allowed_origins specifies which origins are allowed to access the app. | []string |
| exposed_headers | Exposed_headers indicates which headers are made available to scripts via the browser. | []string |
| max_age | Max_age indicates how long (in seconds) the results of a preflight request can be cached. | number |
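A review check over the security-relevant App Spec V3 and CORS policy fields described above, as an added example that is not part of the Teleport documentation or code base. The Go types are hypothetical mirrors of a subset of the documented fields, the sample spec is constructed, and flagging a wildcard origin together with allow_credentials is this example's own policy choice rather than a documented Teleport rule.

```go
package main

import (
	"fmt"
	"net/url"
)

// Hypothetical types mirroring a subset of the documented fields, not Teleport's own.
type PortRange struct{ Port, EndPort int }

type CORSPolicy struct {
	AllowedOrigins   []string
	AllowCredentials bool
}

type AppSpec struct {
	URI                string
	InsecureSkipVerify bool
	TCPPorts           []PortRange
	CORS               *CORSPolicy
}

// Audit returns one finding per setting a reviewer should look at.
func Audit(s AppSpec) []string {
	var out []string
	if s.InsecureSkipVerify {
		out = append(out, "insecure_skip_verify: TLS certificate verification is disabled")
	}
	if len(s.TCPPorts) > 0 { // documented rule: tcp scheme and no port in uri
		if u, err := url.Parse(s.URI); err != nil || u.Scheme != "tcp" {
			out = append(out, "uri: must start with the tcp protocol when tcp_ports is set")
		} else if u.Port() != "" {
			out = append(out, "uri: must not contain a port number when tcp_ports is set")
		}
	}
	if c := s.CORS; c != nil && c.AllowCredentials {
		for _, o := range c.AllowedOrigins {
			if o == "*" { // this example's policy choice, not a Teleport rule
				out = append(out, "cors: allow_credentials combined with a wildcard origin")
			}
		}
	}
	return out
}

func main() {
	spec := AppSpec{URI: "tcp://db.internal:5432", InsecureSkipVerify: true, TCPPorts: []PortRange{{Port: 5432}}}
	fmt.Println(Audit(spec)) // constructed sample: two findings
}
```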

A label that has a value as a result of the output generated by running a command, e.g. hostname

Example:

```yaml
period:
command:
  - "string"
  - "string"
  - "string"
result: "string"
```

| Field Name | Description | Type |
|---|---|---|
| command | A command to run | []string |
| period | A time between command runs | Duration |
| result | Captures standard output | string |

An identifier for a specific feature supported by a Teleport component.

Represents a set of features supported by a given Teleport component.

Example:

```yaml
features:
  -
  -
  -
```

| Field Name | Description | Type |
|---|---|---|
| features | Features is a list of supported feature identifiers. | []Component Feature ID |

A wrapper around duration to set up custom marshal/unmarshal

Represents a single HTTP header passed over to the proxied application.

Example:

```yaml
name: "string"
value: "string"
```

| Field Name | Description | Type |
|---|---|---|
| name | The http header name. | string |
| value | The http header value. | string |

Defines a permission set that is available on an IdentityCenter account app

Example:

```yaml
arn: "string"
name: "string"
assignment_name: "string"
```

| Field Name | Description | Type |
|---|---|---|
| arn | The fully-formed ARN of the Permission Set. | string |
| assignment_name | The ID of the Teleport Account Assignment resource that represents this permission being assigned on the enclosing Account. | string |
| name | The human-readable name of the Permission Set. | string |

Contains MCP server-related configurations.

Example:

```yaml
command: "string"
args:
  - "string"
  - "string"
  - "string"
run_as_host_user: "string"
```

| Field Name | Description | Type |
|---|---|---|
| args | To execute with the command. | []string |
| command | To launch stdio-based MCP servers. | string |
| run_as_host_user | The host user account under which the command will be executed. Required for stdio-based MCP servers. | string |

Resource metadata

Example:

```yaml
name: "string"
description: "string"
labels:
  "string": "string"
  "string": "string"
  "string": "string"
expires:
revision: "string"
```

| Field Name | Description | Type |
|---|---|---|
| description | Object description | string |
| expires | A global expiry time header can be set on any resource in the system. | |
| labels | A set of labels | map[string]string |
| name | An object name | string |
| revision | An opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. | string |

Describes a port range for TCP apps. The range starts with Port and ends with EndPort. PortRange can be used to describe a single port in which case the Port field is the port and the EndPort field is 0.

Example:

```yaml
port: 1
end_port: 1
```

| Field Name | Description | Type |
|---|---|---|
| end_port | Describes the end of the range, inclusive. If set, it must be between 2 and 65535 and be greater than Port when describing a port range. When omitted or set to zero, it signifies that the port range defines a single port. | number |
| port | Describes the start of the range. It must be between 1 and 65535. | number |
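The port range constraints above, written out as a validator and a membership check. This is an added example, not Teleport's own code: the PortRange type and the function names are hypothetical, and the sample ranges are constructed.

```go
package main

import "fmt"

// PortRange mirrors port and end_port; hypothetical type, not Teleport's own.
type PortRange struct{ Port, EndPort int }

// Validate applies the constraints stated in the field table.
func (r PortRange) Validate() error {
	if r.Port < 1 || r.Port > 65535 {
		return fmt.Errorf("port %d: must be between 1 and 65535", r.Port)
	}
	if r.EndPort == 0 {
		return nil // omitted or zero: the range is a single port
	}
	if r.EndPort < 2 || r.EndPort > 65535 {
		return fmt.Errorf("end_port %d: must be between 2 and 65535", r.EndPort)
	}
	if r.EndPort <= r.Port {
		return fmt.Errorf("end_port %d: must be greater than port %d", r.EndPort, r.Port)
	}
	return nil
}

// Contains reports whether target lies in the range (end inclusive).
func (r PortRange) Contains(target int) bool {
	return target == r.Port || (r.Port < target && target <= r.EndPort)
}

// Allowed validates every range first, so a malformed entry fails the list.
func Allowed(ranges []PortRange, target int) (bool, error) {
	for _, r := range ranges {
		if err := r.Validate(); err != nil {
			return false, err
		}
	}
	for _, r := range ranges {
		if r.Contains(target) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	tcpPorts := []PortRange{{Port: 5432}, {Port: 8000, EndPort: 8010}} // constructed sample
	fmt.Println(Allowed(tcpPorts, 8010))
}
```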

A list of rewriting rules to apply to requests and responses.

Example:

```yaml
redirect:
  - "string"
  - "string"
  - "string"
headers:
  -
  -
  -
jwt_claims: "string"
```

| Field Name | Description | Type |
|---|---|---|
| headers | A list of headers to inject when passing the request over to the application. | []Header |
| jwt_claims | Configures whether roles/traits are included in the JWT token. | string |
| redirect | Defines a list of hosts which will be rewritten to the public address of the application if they occur in the "Location" header. | []string |

A status of the rotation of the certificate authority

Example:

```yaml
state: "string"
phase: "string"
mode: "string"
current_id: "string"
started:
grace_period:
last_rotated:
schedule:
```

| Field Name | Description | Type |
|---|---|---|
| current_id | The ID of the rotation operation to differentiate between rotation attempts. | string |
| grace_period | A period during which old and new CA are valid for checking purposes, but only new CA is issuing certificates. | Duration |
| last_rotated | Specifies the last time of the completed rotation. | |
| mode | Sets manual or automatic rotation mode. | string |
| phase | The current rotation phase. | string |
| schedule | A rotation schedule - used in automatic mode to switch between phases. | Rotation Schedule |
| started | Set to the time when the rotation was started, if the state of the rotation is "in_progress". | |
| state | Could be one of "init" or "in_progress". | string |

A rotation schedule setting time switches for different phases.

Example:

```yaml
update_clients:
update_servers:
standby:
```

| Field Name | Description | Type |
|---|---|---|
| standby | Specifies time to switch to the "Standby" phase. | |
| update_clients | Specifies time to switch to the "Update clients" phase. | |
| update_servers | Specifies time to switch to the "Update servers" phase. | |