Version: 18.x

Interactive and non-interactive users (bots) assume one or more roles.

Roles govern access to databases, SSH servers, Kubernetes clusters, web services and applications, and Windows desktops.

```yaml
kind: role
version: v8
metadata:
  name: example
  description: This is an example role.
spec:
  options:
    max_session_ttl: 8h
    forward_agent: true
    ssh_port_forwarding:
      remote:
        enabled: true
      local:
        enabled: true
    ssh_file_copy: false
    client_idle_timeout: never
    disconnect_expired_cert: false
    max_sessions: 10
    enhanced_recording:
      - command
      - disk
      - network
    permit_x11_forwarding: true
    device_trust_mode: optional|required|required-for-humans|off
    require_session_mfa: true
    mfa_verification_interval: 1h
    lock: strict
    request_access: reason
    request_prompt: Please provide your ticket ID
    max_connections: 2
    max_kubernetes_connections: 1
    record_session:
      desktop: true
      default: best_effort|strict
      ssh: best_effort|strict
    desktop_clipboard: true
    desktop_directory_sharing: true
    pin_source_ip: true
    cert_extensions:
      - type: ssh
        mode: extension
        name: [email protected]
        value: '{{ external.github_login }}'
    create_host_user_mode: keep
    create_host_user_default_shell: bash
    create_db_user_mode: keep
  allow:
    logins: [root, '{{internal.logins}}']
    windows_desktop_logins: [Administrator, '{{internal.logins}}']
    node_labels:
      'env': 'test'
      '*': '*'
      'region': ['us-west-1', 'eu-central-1']
      'reg': '^us-west-1|eu-central-1$'
    host_groups: [ubuntu, nginx, other]
    host_sudoers: ["ALL = (root) NOPASSWD: /usr/bin/systemctl restart nginx.service"]
    kubernetes_groups: ['system:masters', '{{external.trait_name}}']
    kubernetes_users: ['IAM#{{external.foo}};']
    kubernetes_labels:
      'env': 'prod'
      'region': 'us-west-*'
      'cluster_name': '^us.*\.example\.com$'
    kubernetes_resources:
      - kind: '*'
        api_group: '*'
        namespace: '*'
        name: '^nginx-[a-z0-9-]+$'
        verbs: ['*']
    db_users: ['{{email.local(external.email)}}']
    db_names: ['{{external.db_names}}']
    db_labels:
      'env': '{{regexp.replace(external.env, "^(staging)$", "$1")}}'
    db_roles: ['{{external.db_roles}}']
    db_permissions:
      - match:
          object_kind: table
        permissions:
          - SELECT
          - INSERT
          - UPDATE
          - DELETE
          - TRUNCATE
          - REFERENCES
          - TRIGGER
    app_labels:
      'env': 'prod'
      'region': 'us-west-*'
      'cluster_name': '^us.*\.example\.com$'
    group_labels:
      'env': 'prod'
    cluster_labels:
      'env': 'prod'
    workload_identity_labels:
      'env': 'prod'
      'team': '{{external.team}}'
    node_labels_expression: |
      labels["env"] == "staging" || contains(user.spec.traits["teams"], labels["team"])
    app_labels_expression: 'labels["env"] == "staging"'
    cluster_labels_expression: 'labels["env"] == "staging"'
    kubernetes_labels_expression: 'labels["env"] == "staging"'
    db_labels_expression: 'labels["env"] == "staging"'
    db_service_labels_expression: 'labels["env"] == "staging"'
    windows_desktop_labels_expression: 'labels["env"] == "staging"'
    group_labels_expression: 'labels["env"] == "staging"'
    workload_identity_labels_expression: 'labels["env"] == "staging"'
    aws_role_arns:
      - 'arn:aws:iam::1234567890:role/ec2-read-only'
      - 'arn:aws:iam::1234567890:role/ec2-full-access'
      - 'arn:aws:iam::0987654321:role/example-role'
    account_assignments:
      - account: "<account_id>"
        name: AdministratorAccess
        permission_set: arn:aws:sso:::permissionSet/ssoins-1234/ps-5678
    impersonate:
      users: ['*']
      roles: ['jenkins']
      where: >
        contains(user.spec.traits["group"], impersonate_role.metadata.labels["group"]) &&
        contains(user.spec.traits["group"], impersonate_user.metadata.labels["group"])
    review_requests:
      roles: ['dbadmin']
      preview_as_roles: ['dbadmin']
    request:
      roles: ['common', 'dev-*']
      search_as_roles: ['access']
      kubernetes_resources:
        - kind: "namespace"
      reason:
        mode: "optional"
        prompt: I am a reason prompt specific to a requested role or resource
      thresholds:
        - approve: 2
          deny: 1
      max_duration: 7d
      claims_to_roles:
        - claim: 'projects'
          value: '^product-(.*)$'
          roles: ['$1-admin']
      annotations:
        foo: ['bar']
        groups: ['{{external.groups}}']
    require_session_join:
      - name: Auditor oversight
        filter: 'contains(user.spec.roles, "auditor")'
        kinds: ['k8s', 'ssh']
        modes: ['moderator']
        count: 1
        on_leave: 'terminate'
    join_sessions:
      - name: Auditor oversight
        roles: ['prod-access']
        kinds: ['k8s', 'ssh']
        modes: ['moderator', 'observer', 'peer']
    spiffe:
      - path: "/svc/foo"
        ip_sans: ["10.0.0.100/32"]
        dns_sans: ["foo.svc.example.com"]
    github_permissions:
      - orgs:
          - my-org
    mcp:
      tools:
        - search-files
        - slack_*
        - ^(get|list|read).*$
        - "{{internal.mcp_tools}}"
        - "{{external.mcp_tools}}"
    rules:
      - resources: [role]
        verbs: [list, create, read, update, delete]
      - resources: [auth_connector]
        verbs: [list, create, read, update, delete]
      - resources: [session]
        verbs: [list, read]
      - resources: [trusted_cluster]
        verbs: [list, create, read, update, delete]
      - resources: [event]
        verbs: [list, read]
      - resources: [user]
        verbs: [list, create, read, update, delete]
      - resources: [token]
        verbs: [list, create, read, update, delete]
  deny: {}
```

There are currently six supported role versions: v3, v4, v5, v6, v7, and v8.

Different role versions may have varying RBAC applied to resources.

Versions 5, 6, 7 and 8 of the Teleport role resource have different behaviors when accessing Kubernetes resources.

Roles that do not grant Kubernetes access behave identically across these four versions.

Roles v5 and v6 can only restrict actions on pods (for example, executing in them). Role v7 supports restricting some common resource kinds (see the kubernetes_resource documentation for the complete list). Role v8 supports restricting all resource kinds, including CRDs, and also changes the format of the kind field: v8 uses plural kind names (for example, pods rather than pod) and requires api_group when kind is '*'.

When no kubernetes_resources entry is set:

- Roles v5, v7 and v8 grant all access by default.
- Role v6 blocks pod execution by default; this behavior was reverted in role v7 to improve the user experience.

The table below compares how each role version treats the same allow rules. Every rule grants kubernetes_groups: ["system:masters"]; rules 2 through 8 also set kubernetes_labels to env: ["dev"] and differ only in their kubernetes_resources.

Rule 1 (no labels, no resources):

```yaml
kubernetes_groups:
  - "system:masters"
kubernetes_labels: {}
kubernetes_resources: []
```

Rule 2 (dev labels, no resources):

```yaml
kubernetes_groups:
  - "system:masters"
kubernetes_labels:
  env: ["dev"]
kubernetes_resources: []
```

Rule 3 (pods in namespace foo, singular kind):

```yaml
kubernetes_groups:
  - "system:masters"
kubernetes_labels:
  env: ["dev"]
kubernetes_resources:
  - name: "*"
    kind: pod
    namespace: "foo"
```

Rule 4 (pods and secrets in namespace foo, singular kinds):

```yaml
kubernetes_groups:
  - "system:masters"
kubernetes_labels:
  env: ["dev"]
kubernetes_resources:
  - name: "*"
    kind: pod
    namespace: "foo"
  - name: "*"
    kind: secret
    namespace: "foo"
```

Rule 5 (the namespace foo itself):

```yaml
kubernetes_groups:
  - "system:masters"
kubernetes_labels:
  env: ["dev"]
kubernetes_resources:
  - kind: "namespace"
    name: "foo"
```

Rule 6 (any kind in namespace foo):

```yaml
kubernetes_groups:
  - "system:masters"
kubernetes_labels:
  env: ["dev"]
kubernetes_resources:
  - kind: "*"
    namespace: "foo"
    name: "*"
```

Rule 7 (any kind in any namespace):

```yaml
kubernetes_groups:
  - "system:masters"
kubernetes_labels:
  env: ["dev"]
kubernetes_resources:
  - kind: "*"
    namespace: "*"
    name: "*"
```

Rule 8 (pods and deployments in namespace foo, plural kinds with api_group):

```yaml
kubernetes_groups:
  - "system:masters"
kubernetes_labels:
  env: ["dev"]
kubernetes_resources:
  - name: "*"
    kind: pods
    namespace: "foo"
  - name: "*"
    kind: deployments
    api_group: apps
    namespace: "foo"
```

| Allow rule | Role v5 | Role v6 | Role v7 | Role v8 |
|---|---|---|---|---|
| Rule 1 | ❌ no access | ❌ no access | ❌ no access | ❌ no access |
| Rule 2 | ✅ full access to dev clusters | ❌ cannot exec in pods<br>✅ can access other resources like secrets | ✅ full access to dev clusters | ✅ full access to dev clusters |
| Rule 3 | ✅ can exec in pods in foo<br>✅ can access secrets in all namespaces<br>❌ cannot exec in other namespaces | ✅ can exec in pods in foo<br>✅ can access secrets in all namespaces<br>❌ cannot exec in other namespaces | ✅ can exec in pods in foo<br>❌ cannot access secrets in all namespaces<br>❌ cannot exec in other namespaces | ⚠️ invalid, v8 uses plural |
| Rule 4 | ⚠️ not supported | ⚠️ not supported | ✅ can exec in pods in foo<br>✅ can access secrets in foo<br>❌ cannot exec in other namespaces<br>❌ cannot access secrets in other namespaces<br>❌ cannot access configmaps in foo | ⚠️ invalid, v8 uses plural |
| Rule 5 | ⚠️ not supported | ⚠️ not supported | ✅ full access in namespace foo including all its resources<br>❌ cannot access other namespaces<br>❌ cannot access cluster-wide resources | ⚠️ invalid, v8 uses plural |
| Rule 6 | ⚠️ not supported | ⚠️ not supported | ✅ full access in namespace foo including all its resources<br>❌ cannot access other namespaces<br>✅ full access to cluster-wide resources | ⚠️ invalid, v8 requires api_group for '*' kind |
| Rule 7 | ⚠️ not supported | ⚠️ not supported | ✅ full access to dev clusters | ⚠️ invalid, v8 requires api_group for '*' kind |
| Rule 8 | ⚠️ not supported | ⚠️ not supported | ⚠️ not supported | ✅ can exec in pods in foo<br>✅ can access deployments in foo<br>❌ cannot exec in other namespaces<br>❌ cannot access deployments in other namespaces<br>❌ cannot access configmaps in foo |
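As an added example (not Teleport's own validation code), the following Python checker encodes the per-version kubernetes_resources rules described above and in the table: v5 and v6 restrict pods only, v7 uses singular kind names, and v8 uses plural kind names and requires api_group when kind is '*'. The role documents are constructed inline as already-parsed YAML dicts, and the SINGULAR_KINDS set is an assumption used only to tell singular from plural names.

```python
"""Added example (not Teleport's own validation code): lint the
allow.kubernetes_resources block of a role against the version rules this
page describes. Roles are constructed inline as already-parsed YAML dicts."""

# Singular kind names the page shows in v5/v6/v7 rules. Assumption: this
# set is only a proxy for "singular vs plural" and is not exhaustive.
SINGULAR_KINDS = {"pod", "secret", "namespace", "configmap", "deployment"}


def lint_kubernetes_resources(role):
    """Return a list of problems (an empty list means the rule is valid)."""
    version = role.get("version", "")
    resources = role.get("spec", {}).get("allow", {}).get("kubernetes_resources", [])
    problems = []
    for i, res in enumerate(resources):
        kind = res.get("kind", "")
        where = f"kubernetes_resources[{i}]"
        if version in ("v5", "v6"):
            # v5 and v6 can only restrict actions on pods.
            if kind != "pod":
                problems.append(f"{where}: {version} only supports kind 'pod', got '{kind}'")
        elif version == "v7":
            # v7 supports common kinds in singular form, plus '*'.
            if kind != "*" and kind not in SINGULAR_KINDS:
                problems.append(f"{where}: v7 uses singular kind names, got '{kind}'")
        elif version == "v8":
            # v8 uses plural kind names and requires api_group for '*'.
            if kind in SINGULAR_KINDS:
                problems.append(f"{where}: v8 uses plural kind names, got '{kind}'")
            if kind == "*" and "api_group" not in res:
                problems.append(f"{where}: v8 requires api_group for '*' kind")
        else:
            problems.append(f"{where}: version '{version}' is not handled by this checker")
    return problems


def make_role(version, resources):
    """Build a minimal constructed role carrying the given kubernetes_resources."""
    return {
        "kind": "role",
        "version": version,
        "metadata": {"name": "example"},
        "spec": {"allow": {"kubernetes_groups": ["system:masters"],
                           "kubernetes_labels": {"env": ["dev"]},
                           "kubernetes_resources": resources}},
    }
```

Calling lint_kubernetes_resources(make_role("v8", [...])) with the page's pods-plus-deployments rule returns an empty list, while the same rule under v7 or a bare kind "*" under v8 returns the corresponding problem strings.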