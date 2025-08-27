Version: 17.x

On this page

Run Teleport Identity Security on Self-Hosted Clusters Report an issue with this page

This guide shows you how to set up Teleport Access Graph in a self-hosted Teleport cluster.

Unlike Teleport services like the Auth Service, Proxy Service, and agent services, Teleport Access Graph does not run from the teleport binary, but as a separate piece of software available from Teleport as a container image. Teleport Access Graph uses TLS credentials to authenticate to the Teleport Auth Service. It must also connect to PostgreSQL for its backing storage. After obtaining credentials from your Teleport cluster, you create a configuration file for Teleport Access Graph and start a container that loads the configuration file and Teleport credentials.

A running Teleport Enterprise cluster.

An updated Teleport Enterprise license file with Teleport Identity Security enabled.

Docker version v20.10.7 or later.

A PostgreSQL database server v14 or later. Access Graph needs a dedicated database to store its data. The user that Access Graph connects to the database with needs to be the owner of this database, or have similar broad permissions: at least the CREATE TABLE privilege on the public schema, and the CREATE SCHEMA privilege. Amazon RDS for PostgreSQL is supported.

A TLS certificate for the Access Graph service The TLS certificate must be issued for "server authentication" key usage, and must list the IP or DNS name of the Access Graph service in an X.509 v3 subjectAltName extension. Starting from version 1.20.4 of the Access Graph service, the container runs as a non-root user by default. Make sure the certificate files are readable by the user running the container. You can set correct permissions with the following command: sudo chown 65532 /etc/access_graph/tls.key

The node running the Access Graph service must be reachable from Teleport Auth Service and Proxy Service.

warning The deployment with Docker is suitable for testing and development purposes. For production deployments, consider using the Access Graph Helm chart to deploy this service on Kubernetes. Refer to Helm chart for Access Graph for instructions.

You will need a copy of your Teleport cluster's host certificate authority (CA) on the machine that hosts the Access Graph service. The service requires incoming connections to be authenticated via host certificates that the host CA issues to the Auth Service and Proxy Service.

The host CA can be retrieved and saved into a file in one of the following ways:

Via curl

Via tctl sudo mkdir /etc/access_graph curl -s 'https:// teleport.example.com /webapi/auth/export?type=tls-host' | sudo tee /etc/access_graph/teleport_host_ca.pem sudo mkdir /etc/access_graph tsh login --proxy= teleport.example.com tctl get cert_authorities --format=json \ | jq -r '.[] | select(.spec.type == "host") | .spec.active_keys.tls[].cert' \ | base64 -d | sudo tee /etc/access_graph/teleport_host_ca.pem

Then, on the same machine, create a configuration file for the Access Graph service, similar to this:

Finally, start the Access Graph service using Docker as follows:

$ docker run -p 50051:50051 -v <path-to-config>:/app/config.yaml -v /etc/access_graph:/etc/access_graph public.ecr.aws/gravitational/access-graph:1.28.1

In the YAML config for the Auth Service, add a new top-level section for Access Graph configuration.

access_graph: enabled: true endpoint: access-graph.example.com:50051 ca: /etc/access_graph_ca.pem

Then, restart Auth Service instances, followed by Proxy Service instances.

In order to visualize the data from the Access Graph service, use the Graph Explorer in the Web UI. Click Identity Security --> Graph Explorer and then select a resource to view in the Graph Explorer.

To access the interface, your user must have a role that allows list and read verbs on the access_graph resource, e.g.:

kind: role version: v7 metadata: name: my-role spec: allow: rules: - resources: - access_graph verbs: - list - read