Version: 15.x

Login Rules Reference

This page provides details on the expression language that powers Login Rules. To learn how to add the first login rule to your cluster, checkout out the Login Rules Guide.

kind: login_rule version: v1 metadata: # name is a unique name for the Login Rule in the cluster. name: example # expires is optional and usually should not be set for deployed login # rules, but it can be useful to set an expiry a short time in the future # while testing new Login Rules to prevent potentially locking yourself out of # your teleport cluster. # expires: "2023-01-31T00:00:00-00:00" spec: # priority can be used to order the evaluation of multiple Login Rules within # a cluster. # # Login Rules with lower numbered priorities will be applied first, followed # by rules with priorities in increasing order. In case of a tie, Login Rules # with the same priority will be ordered by a lexicographical sort of their # names. # # The default value is 0, the supported range is -2147483648 to 2147483647 # (inclusive). priority: 0 # If set, traits_map will determine the traits of all users who log in to the # cluster. # # This is a YAML map where the key must be a static string which will be the # final trait key, and the value is a list of predicate expressions which each # must evaluate to a set of strings. The final trait will be set to the union # of the resulting string sets of all predicate expressions for that trait # key. # # traits_map must contain the complete set of desired traits. Any external # traits not found here will not be included in the user's certificates. # # Exactly one of traits_map or traits_expression must be set. traits_map: groups: - external.groups logins: - strings.lower(external.username) # traits_expression is a string holding a single predicate expression which # must evaluate to a dict. This will set all user's traits during login. # # Exactly one of traits_map or traits_expression must be set. traits_expression: | external.put("logins", strings.lower(external.logins))

Every login rule spec must contain either the traits_map field or a traits_expression field.

They both serve the same purpose of transforming user traits. The logic difference lies only in the syntax you prefer for your use case, since you can write every traits_map as an equivalent traits_expression .

traits_map will remove any traits not specifically included, while the traits_expression syntax allows you add or modify only specific traits while keeping the rest unchanged. The traits_map behavior can be useful if you want to keep only a handful of necessary traits while filtering out all others. If lower priority Login Rules set traits, those traits must be also included with higher priority traits_map to remain populated. For example, the following configuration keeps the groups trait unmodified.

traits_map: groups: - external["groups"]

Here is an example Login Rule that uses a traits_map to implement the following rules:

Every user with the groups: devs trait should receive an extra trait access: [staging] .

trait should receive an extra trait . Every user with the groups: admins trait should receive an extra trait access: [staging, prod] .

trait should receive an extra trait . Every user should receive a logins trait with the value of their incoming username trait converted to lowercase.

trait with the value of their incoming trait converted to lowercase. All traits other than groups , logins , and access should be filtered out.

kind: login_rule version: v1 metadata: name: my_expression_rule spec: priority: 0 traits_map: groups: - external["groups"] logins: - 'strings.lower(external.username)' access: - 'ifelse(external.groups.contains("devs"), set("staging"), set())' - 'ifelse(external.groups.contains("admins"), set("staging", "prod"), set())'

Here is an example login rule using the traits_expression field implementing the same rules as the above example:

kind: login_rule version: v1 metadata: name: my_expression_rule spec: priority: 0 traits_expression: | dict( pair("groups", external.groups), pair("logins", strings.lower(external.username)), pair("access", choose( option(external.groups.contains("devs"), set("staging")), option(external.groups.contains("admins"), set("staging", "prod")), option(true, set()), ), ), )

Every traits expression must return a value of type dict which will be used as the complete set of output traits. It is possible to construct a dict from scratch as shown above, or you can make modifications to the incoming traits stored in the external dict like the following:

kind: login_rule version: v1 metadata: name: uppercase_logins spec: priority: 0 traits_expression: | external.put("logins", strings.lower(external.logins))

dict is a dictionary type mapping from string keys to set values. When Login Rule expressions access input traits with the external.<trait> or external[<trait>] syntax, external is a value of type dict . Values of type dict can also be constructed and accessed within expressions. Expressions used for the traits_expression field must return a value of type dict .

func dict (pairs ...pair) dict

The dict constructor returns a new dict populated with initial key-value pairs from the pairs argument. Each pair must hold a string and a set .

Argument Type Description pairs ...pair Zero or more key-value pairs to initialize the dict .

Type Description dict A new dict .

Expression Result dict() {} dict(pair("a", set("x", "y"))) {"a": ("x", "y")}

Syntax Example Description dict.key external.username The "dot" accessor returns the set for the given key, or the empty set if there is not value for that key. dict["key"] external["user-name"] The square brace accessor has the same behavior as the "dot" accessor, but supports keys with special characters (including - , . , , etc) which must be quoted for parsing.

func (dict) add_values(key string , values ... string ) dict

dict.add_values returns a copy of the dict with the given values added to the set at dict[key] . If there is no set already present at dict[key] a new one will be created.

Argument Type Description key string Key where the new values should be added. values ...string One or more string values to add at dict[key] .

Type Description dict A copy of the given dict with values added at key key .

Expression Result dict().add_values("logins", "ubuntu", "ec2-user") {"logins": ("ubuntu", "ec2-user")} dict(pair("a", set("x"))).add_values("a", "y", "z") {"a": ("x", "y", "z")}

func (dict) remove(keys ... string ) dict

dict.remove returns a copy of the dict with the given keys removed. Any given keys not present in the dict have no effect.

Argument Type Description keys ...string One or more keys to remove from the dict .

Type Description dict A copy of the given dict with given keys removed.

Expression Result dict(pair("a", set("x"))).remove("a", "b") {} dict(pair("a", set("x")), pair("b", set("c"))).remove("b") {"a": ("x")}

func (dict) put(key string , value set) dict

dict.put returns a copy of the dict with dict[key] set to value . If there is already a value present for the given key it is overwritten.

Argument Type Description key string key at which to set the new value value set set of strings to set at the given key

Type Description dict a copy of the given dict with dict[key] set to value .

Expression Result dict(pair("a", set("x"))).put("a", set("y")) {"a": ("y")} dict().put("b", set("z")) {"b": ("z")}

set holds a set of unique strings.

func set (values ... string ) set

The set constructor returns a new set initialized with the given values .

Argument Type Description values ...string Zero or more strings to initialize the set.

Type Description set A new set initialized with the given values.

Expression Result set() () set("a", "b", "a") ("a", "b")

func (set) contains(value) bool

set.contains returns true if the set contains an exact match for value , else it returns false .

Argument Type Description value string A string to check for in the set.

Type Description bool true if the set contains an exact match for value , else false .

Expression Result set("a", "b").contains("a") true set("a", "b").contains("x") false

func (set) add(values ... string ) set

set.add returns a new set that is a copy of the given set with the new values added.

Argument Type Description values ...string Values to add to the set.

Type Description set A new set that is a copy of the given set with values added.

Expression Result set("a", "b").add("b", "c") ("a", "b", "c")

func (set) remove(values ... string ) set

set.remove returns a new set that is a copy of the given set with all values removed.

Argument Type Description values ...string Values to remove from the set.

Type Description set A new set that is a copy of the given set with values removed.

Expression Result set("a", "b").remove("b", "c") ("a")

pair can hold two values of any type. Currently its only use is in the dict constructor where it must hold key-value pairs of type string and set .

func pair (first, second any) pair

The pair constructor returns a new pair holding first and second .

Argument Type Description first any A value of any type. second any A value of any type.

Type Description pair A new pair holding first and second .

Expression Result pair("logins", set("root", "user")) {"logins", ("root", "user")}

option is meant to be used exclusively as an argument to choose . It holds a Boolean condition that may cause the option to be selected and a value which should be returned by the choose expression if that option is in fact selected.

func option (cond bool , value any) option

Returns a new option holding cond and value .

Argument Type Description cond bool A Boolean condition which may cause this option to be selected. value any A value which should be returned by choose if this option is selected.

Type Description option An option type which should be passed as an argument to choose .

See the examples for choose .

func strings . upper (input set) set

strings.upper returns a copy of the given set of strings converted to uppercase.

Argument Type Description input set set of input strings to convert to uppercase

Type Description set a copy of input where each string has been converted to uppercase

Expression Result strings.upper(set("Alice")) ("ALICE") strings.upper(set("AbCdE", "fGhIj)) ("ABCDE", "FGHIJ")

func strings . lower (input set) set

strings.lower returns a copy of the given set of strings converted to lowercase.

Argument Type Description input set set of input strings to convert to lowercase

Type Description set a copy of input where each string has been converted to lowercase

Expression Result strings.lower(set("Alice")) ("alice") strings.lower(set("AbCdE", "fGhIj)) ("abcde", "fghij")

func strings . replaceall (input set, match string , replacement string ) set

strings.replaceall implements substring replacement on sets of strings. The return value is a copy of input where each substring match of match found in each element of input will be replaced with replacement . The matching is literal and does not support regular expressions.

Argument Type Description input set set of input strings where replacements are needed match string literal substring to be replaced replacement string literal string to replace all instances of match

Type Description set a copy of input where each instance of match found in each element of input has been replaced with replacement .

Expression Result strings.replaceall(set("user-name"), "-", "_") ("user_name") strings.replaceall(set("user-alice", "user-bob"), "user-", "") ("alice", "bob")

note The strings.split helper was introduced in Teleport v13.3.0. All Auth Service instances must be running this version or greater before it can be used.

func strings . split (input set, separator string ) set

strings.split splits each element of input at each match of separator and returns a set containing the union of all split strings. This may be useful when an IdP does not have the ability to pass multi-valued claims, a Login Rule with this helper function can split a single claim value into a Teleport trait with multiple values.

Argument Type Description input set set of input strings which should be split sep string literal string separator

Type Description set the union of all split strings

Expression Result strings.split(set("alice,bob,charlie"), ",") ("alice", "bob", "charlie") strings.split(set("devs security"), " ") ("devs", "security")

note The email.local helper was introduced in Teleport v13.3.0. All Auth Service instances must be running this version or greater before it can be used.

func email . local (input set) set

email.local maps each email in the input set to its local part.

Argument Type Description input set set of input emails

Type Description set a copy of input where each email has been converted to its local part.

note The regexp.replace helper was introduced in Teleport v13.3.0. All Auth Service instances must be running this version or greater before it can be used.

func regexp . replace (input set, expression string , replacement string ) set

regexp.replace finds all matches of expression in each element of input and replaces them with replacement . Values which do not match the expression will be filtered out. The replacement supports expansion of capture groups from expression . $N is used to refer to the Nth captured group, starting at $1 .

Argument Type Description input set set of input strings

Type Description set a copy of input where each string has had all matches of expression replaced with replacement .

Expression Result regexp.replace(set("team-devs"), "^team-(.*)$", "$1") ("devs") regexp.replace(set("team-dev-security"), "^team-(.*)-(.*)$", "$1.$2") ("dev.security")

func ifelse (cond bool , valueIfTrue any, valueIfFalse any) any

ifelse implements the classic if-else branch in a pure functional style. If the first argument evaluates to true the second argument is returned, else the third argument is returned.

Argument Type Description cond bool A Boolean condition that determines which of the following two arguments is returned. valueIfTrue any The value to return if cond is true, of any type. valueIfFalse any The value to return if cond is false, of any type.

Type Description any The second or third argument will be returned.

Expression Result ifelse(set("a", "b").contains("a"), set("x", "y"), set("z")) ("x", "y") ifelse(set("a", "b").contains("c"), set("x", "y"), set("z")) ("z")

func choose (options ...option) any

choose implements a functional style of switch statement, returning the first option argument with a condition evaluating to true .

If no option can be selected at runtime, this will return an error and the login will not succeed. It is recommended to add a final option with the condition hardcoded to true to implement a default option and avoid this scenario. For example choose(..., option(true, set())) would return the empty set if no other option can be selected.

Argument Type Description options ...option One or more option s.

Type Description any The value of the first option argument with a condition evaluating to true , which may be of any type.

Expression Result choose(option(false, set("x")), option(true, set("y")), option(true, set("z"))) ("y") choose(option(set("a", "b").contains("a"), set("x")), option(true, set("y"))) ("x")

func union (sets ...set) set

union returns a new set containing the union of all elements in the given sets.

Argument Type Description sets ...set Zero or more sets to union.

Type Description set A new set containing the union of all given set s.