Date: 2025-08-27
Version: 17.x

Application Access Reference Documentation

This guide describes interfaces and options for interacting with the Teleport Application Service, including the static configuration file for the teleport binary, the dynamic app resource, and tsh apps commands.

Warning: Backing up production instances, environments, and/or settings before making permanent modifications is encouraged as a best practice. Doing so allows you to roll back to an existing state if needed.

The following snippet shows the full YAML configuration of an Application Service appearing in the teleport.yaml configuration file:

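app_service:
  # Turns the app role on.
  enabled: true
  # Enables Teleport's built-in debug application.
  debug_app: true
  # Matchers for dynamic app resources created with tctl.
  resources:
  - labels:
      "*": "*"
  apps:
  - name: "grafana"
    description: "This is an internal Grafana instance"
    uri: "http://localhost:3000"
    public_addr: "grafana.teleport.example.com"
    rewrite:
      redirect:
      - "grafana.internal.dev"
      # Headers injected into requests forwarded to the application.
      headers:
      - "X-Custom-Header: example"
      - "X-External-Trait: {{external.env}}"
    # Disables validation of the application's TLS certificate.
    insecure_skip_verify: true
    labels:
      env: "prod"
    # Dynamic labels: the output of each command becomes the label value.
    commands:
    - name: "hostname"
      command: ["hostname"]
      period: 1m0s
    aws:
      external_id: "example-external-id"
  - name: "azure-cli"
    cloud: "Azure"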

For full details on configuring Teleport roles, including how Teleport populates the external traits, see the Access Controls Reference.

Full YAML spec of application resources managed by tctl resource commands:

kind: app
version: v3
metadata:
  name: example
  description: "Example application"
  labels:
    env: local
spec:
  uri: http://localhost:4321
  public_addr: test.example.com
  insecure_skip_verify: true
  rewrite:
    redirect:
    - "grafana.internal.dev"
    headers:
    - name: "X-Custom-Header"
      value: "example"
    - name: "X-External-Trait"
      value: "{{external.env}}"
  dynamic_labels:
  - name: "hostname"
    command: ["hostname"]
    period: 1m0s

You can create a new app resource by running the following commands, which assume that you have created a YAML file called app.yaml with your configuration:

Self-Hosted:

tsh login --proxy=teleport.example.com --user=myuser
tctl create -f app.yaml

Teleport Enterprise Cloud:

tsh login --proxy=mytenant.teleport.sh --user=myuser
tctl create -f app.yaml
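The following is an added example, not part of the Teleport documentation: a small Python audit that reads app resources as JSON and lists settings that deserve a review, namely insecure_skip_verify, a cleartext http:// URI to a non-loopback host, and templated headers that forward user traits to the application. The sample input is constructed from the example resource above plus a hypothetical wiki app, and the JSON field layout is assumed to mirror the YAML spec shown on this page.

```python
import json
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: the `example` app from this page plus a hypothetical
# `wiki` app. Assumption: JSON fields mirror the YAML spec shown above.
SAMPLE = json.dumps([
    {"kind": "app", "version": "v3",
     "metadata": {"name": "example", "labels": {"env": "local"}},
     "spec": {"uri": "http://localhost:4321",
              "public_addr": "test.example.com",
              "insecure_skip_verify": True,
              "rewrite": {"headers": [
                  {"name": "X-Custom-Header", "value": "example"},
                  {"name": "X-External-Trait", "value": "{{external.env}}"}]}}},
    {"kind": "app", "version": "v3",
     "metadata": {"name": "wiki", "labels": {"env": "prod"}},
     "spec": {"uri": "http://10.0.0.12:8080", "public_addr": "wiki.example.com"}},
])


def audit_apps(raw):
    """Return sorted (app_name, finding) pairs for settings worth a review."""
    findings = []
    for res in json.loads(raw):
        if res.get("kind") != "app":
            continue
        name = res.get("metadata", {}).get("name", "<unnamed>")
        spec = res.get("spec") or {}
        url = urlsplit(spec.get("uri", ""))
        if spec.get("insecure_skip_verify"):
            # The application's TLS certificate will not be validated.
            findings.append((name, "insecure_skip_verify"))
        if url.scheme == "http" and url.hostname not in LOOPBACK:
            # Cleartext hop between the Application Service and the app.
            findings.append((name, "cleartext-uri"))
        for hdr in (spec.get("rewrite") or {}).get("headers") or []:
            # Templated values forward user traits to the application.
            if "{{" in hdr.get("value", ""):
                findings.append((name, "templated-header: " + hdr.get("name", "")))
    return sorted(findings)


if __name__ == "__main__":
    for app, finding in audit_apps(SAMPLE):
        print(f"{app}: {finding}")
```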

This section shows CLI commands relevant for application access.

Lists available applications.

tsh apps ls

Retrieves a short-lived X.509 certificate for CLI application access.

tsh apps login grafana

| Flag | Description |
| --- | --- |
| --aws-role | For AWS CLI access, the role ARN or role name of an AWS IAM role. |
| --azure-identity | For Azure CLI access, the name or URI of an Azure managed identity to use for accessing the Azure CLI. |

Removes the CLI application access certificate.

tsh apps logout grafana

tsh apps logout

Prints application connection information.

tsh apps config

tsh apps config grafana

tsh apps config --format=curl

curl $(tsh apps config --format=uri) \
  --cacert $(tsh apps config --format=ca) \
  --cert $(tsh apps config --format=cert) \
  --key $(tsh apps config --format=key)

| Flag | Description |
| --- | --- |
| --format | Optional print format, one of: uri to print the app address, ca to print the CA cert path, cert to print the cert path, key to print the key path, curl to print an example curl command. |

Run an Azure CLI command via the Teleport Application Service:

tsh az <command>

<command>: A valid command within the az CLI, including arguments and flags. See the Azure documentation for the full list of az CLI commands.