
tctl Reference


This guide provides a comprehensive list of commands, arguments, and flags for tctl.

tctl is a CLI tool that allows a cluster administrator to manage all resources in a cluster, including nodes, users, tokens, certificates, and devices.

tctl can also be used to modify the dynamic configuration of the cluster, such as creating new user roles or connecting to trusted clusters.

For a conceptual overview of tctl, see Getting Started with tctl.

tctl [<flags>] <command> [<args> ...]

Global flags:

| Flag | Default | Description |
| --- | --- | --- |
| --auth-server | no default | Attempts to connect to specific auth/proxy address(es) instead of local auth [127.0.0.1:3025] |
| -c, --config | no default | Path to a configuration file [/etc/teleport.yaml] for an Auth Service instance. Can also be set via the TELEPORT_CONFIG_FILE environment variable. Ignored if the auth_service is disabled. |
| -d, --[no-]debug | false | Enable verbose logging to stderr |
| -i, --identity | no default | Path to an identity file. Must be provided to make remote connections to auth. An identity file can be exported with 'tctl auth sign' |
| --mfa-mode | auto (one of: auto, cross-platform, platform, sso, browser) | Preferred mode for MFA assertions. |
| --[no-]insecure | false | When specifying a proxy address in --auth-server, do not verify its TLS certificate. Danger: any data you send can be intercepted or modified by an attacker. |

Global environment variables:

| Variable | Default | Description |
| --- | --- | --- |
| TELEPORT_AUTH_SERVER | no default | Attempts to connect to specific auth/proxy address(es) instead of local auth [127.0.0.1:3025] |
| TELEPORT_IDENTITY_FILE | no default | Path to an identity file. Must be provided to make remote connections to auth. An identity file can be exported with 'tctl auth sign' |
| TELEPORT_MFA_MODE | auto (one of: auto, cross-platform, platform, sso, browser) | Preferred mode for MFA assertions. |

tctl acl get

Get detailed information for an Access List.

Usage:

tctl acl get [<flags>] <access-list-name>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | yaml (one of: yaml, json, text) | Output format. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| access-list-name | no default (required) | The Access List name. |

tctl acl ls

List cluster Access Lists.

Usage:

tctl acl ls [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | yaml (one of: yaml, json, text) | Output format. |
| --[no-]review-only | false | List only access lists that are due for review within the next 2 weeks or past due |

tctl acl reviews create

Submit a new review for a given access list.

Usage:

tctl acl reviews create [<flags>] <access-list-name>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --notes | no default | Optional review notes. |
| --remove-members | no default | Comma-separated list of members to remove as part of this review. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| access-list-name | no default (required) | The access list name to submit a review for. |

tctl acl reviews ls

List past audit history for a given access list.

Usage:

tctl acl reviews ls [<flags>] <access-list-name>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | text (one of: yaml, json, text) | Output format. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| access-list-name | no default (required) | The access list name to fetch review history for. |

tctl acl summary

Show summary information for access lists, including their members and last review.

Usage:

tctl acl summary [<flags>] [<access-list-name>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | yaml (one of: yaml, json) | Output format. |
| --[no-]review-only | true | Show only access lists that are due for review within the next 2 weeks or past due. Defaults to true. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| access-list-name | no default (optional) | The access list name to show summary for. If not provided, shows summary for all access lists. |

tctl acl users add

Add a user to an Access List.

Usage:

tctl acl users add [<flags>] <access-list-name> <user> [<expires>] [<reason>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --kind | user (one of: user, list) | Access list member kind. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| access-list-name | no default (required) | The Access List name. |
| expires | no default (optional) | When the user's access expires (must be in RFC3339). Defaults to the expiration time of the Access List. |
| reason | no default (optional) | The reason the user has been added to the Access List. Defaults to empty. |
| user | no default (required) | The user to add to the Access List. |

tctl acl users ls

List users that are members of an Access List.

Usage:

tctl acl users ls [<flags>] <access-list-name>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | text (one of: json, text) | Output format. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| access-list-name | no default (required) | The Access List name. |

tctl acl users rm

Remove a user from an Access List.

Usage:

tctl acl users rm <access-list-name> <user>

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| access-list-name | no default (required) | The Access List name. |
| user | no default (required) | The user to remove from the Access List. |

tctl alerts ack

Acknowledge cluster alerts.

Usage:

tctl alerts ack [<flags>] <id>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | text (one of: text, json, yaml) | Output format. |
| --[no-]clear | false | Clear the acknowledgment for the cluster alert. |
| --reason | no default | The reason for acknowledging the cluster alert. |
| --ttl | no default | Time duration to acknowledge the cluster alert for. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| id | no default (required) | The cluster alert ID. |

tctl alerts ack ls

List acknowledged cluster alerts.

Usage:

tctl alerts ack ls

tctl alerts create

Create cluster alerts.

Usage:

tctl alerts create [<flags>] <message>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --labels | no default | List of labels to attach to the alert. For example: key1=value1,key2=value2. |
| --severity | low (one of: low, medium, high) | Severity of the alert. |
| --ttl | no default | Time duration after which the alert expires (default 24h). |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| message | no default (required) | Alert body message. |

tctl alerts delete

Deletes a cluster alert.

Usage:

tctl alerts delete <id>

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| id | no default (required) | The cluster alert ID. |

tctl alerts list

List cluster alerts.

Usage:

tctl alerts list [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | text (one of: text, json, yaml) | Output format. |
| --labels | no default | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2) |
| -v, --[no-]verbose | false | Show detailed alert info, including acknowledged alerts. |

tctl apps ls

List all applications registered with the cluster.

Usage:

tctl apps ls [<flags>] [<labels>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | text | Output format, 'text', 'json', or 'yaml' |
| --query | no default | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"') |
| --search | no default | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase") |
| -v, --[no-]verbose | false | Verbose table output, shows full label output |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| labels | no default (optional) | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2) |

tctl audit query create

Create an audit query.

Usage:

tctl audit query create [<flags>] [<query>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --name | no default | Audit query name |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| query | no default (optional) | SQL query |

tctl audit query exec

Execute audit query.

Usage:

tctl audit query exec [<query>]

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| query | no default (optional) | SQL query |

tctl audit query get

Get audit query.

Usage:

tctl audit query get <name>

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| name | no default (required) | Name of the audit query |

tctl audit query ls

List audit queries.

Usage:

tctl audit query ls

tctl audit query rm

Remove audit query.

Usage:

tctl audit query rm <name>

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| name | no default (required) | Name of the audit query |

tctl audit report get

Get security report.

Usage:

tctl audit report get <name>

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| name | no default (required) | Security report name |

tctl audit report ls

List security reports.

Usage:

tctl audit report ls

tctl audit report run

Run the security report.

Usage:

tctl audit report run <name>

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| name | no default (required) | Security report name |

tctl audit report state

Print the state of the security report.

Usage:

tctl audit report state <name>

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| name | no default (required) | Security report name |

tctl audit schema

Print audit query schema.

Usage:

tctl audit schema

tctl auth crl

Export empty certificate revocation list (CRL) for Teleport certificate authorities.

Usage:

tctl auth crl --type=TYPE [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --out | no default | If set, writes exported revocation lists to files with the given path prefix |
| --type | no default (one of: host, db, db_client, user) | Certificate authority type. |

tctl auth export

Export public cluster CA certificates to stdout.

Usage:

tctl auth export [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --compat | no default | Export certificates compatible with a specific version of Teleport |
| --fingerprint | no default | Filter authority by fingerprint |
| --integration | no default | Name of the integration. Only applies to "github" CAs. |
| --[no-]keys | false | If set, will print private keys |
| --out | no default | If set, writes exported authorities to files with the given path prefix |
| --type | no default (one of: user, host, tls-host, tls-user, tls-user-der, tls-spiffe, windows, db, db-der, db-client, db-client-der, openssh, saml-idp, github, awsra, app-client) | Export certificate type (user, host, tls-host, tls-user, tls-user-der, tls-spiffe, windows, db, db-der, db-client, db-client-der, openssh, saml-idp, github, awsra, app-client) |

tctl auth ls

List connected auth servers.

Usage:

tctl auth ls [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | yaml | Output format: 'yaml', 'json' or 'text' |

tctl auth rotate

Rotate certificate authorities in the cluster. Starts in interactive mode by default; provide --type to manually send rotation requests.

Usage:

tctl auth rotate [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --grace-period | 30h0m0s | Grace period keeps previous certificate authorities' signatures valid; if set to 0, forces users to re-login and nodes to re-register. |
| --[no-]interactive | false | Enable interactive mode |
| --[no-]manual | false | Activate manual rotation, set rotation phases manually |
| --phase | no default | Target rotation phase to set, used in manual rotation, one of: init, standby, update_clients, update_servers, rollback |
| --type | no default (one of: host, windows, user, db, db_client, openssh, jwt, saml_idp, oidc_idp, spiffe, okta, awsra, bound_keypair, app_client) | Certificate authority to rotate. |

tctl auth sign

Create identity file(s) for a given user.

Usage:

tctl auth sign --out=OUT [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --app-name | no default | Application to generate identity file for. Mutually exclusive with "--db-service". |
| --compat | no default | OpenSSH compatibility flag |
| --db-name | no default | Database name placed on the identity file. Only used when "--db-service" is set. |
| --db-service | no default | Database to generate identity file for. Mutually exclusive with "--app-name". |
| --db-user | no default | Database user placed on the identity file. Only used when "--db-service" is set. |
| --format | file | Identity format: file, openssh, tls, kubernetes, db, windows, mongodb, cockroachdb, redis, snowflake, elasticsearch, cassandra, scylla, oracle. file is the default. |
| --host | no default | Teleport host name |
| --kube-cluster-name | no default | Kubernetes cluster to generate identity file for when --format is set to "kubernetes" |
| --leaf-cluster | no default | Leaf cluster to generate identity file for when --format is set to "kubernetes" |
| --[no-]omit-cdp | false | Omit CRL Distribution Points from the cert. Only used when --format is set to "windows" |
| --[no-]overwrite | false | Whether to overwrite existing destination files. When not set, user will be prompted before overwriting any existing file. |
| --[no-]tar | false | Create a tarball of the resulting certificates and stream to stdout. |
| -o, --out | no default | Identity output |
| --proxy | no default | Address of the Teleport proxy. When --format is set to "kubernetes", this address will be set as cluster address in the generated kubeconfig file |
| --ttl | 12h0m0s | TTL (time to live) for the generated certificate. |
| --user | no default | Teleport user name |
| --windows-domain | no default | Active Directory domain for which this cert is valid. Only used when --format is set to "windows" |
| --windows-pki-domain | no default | Active Directory domain where CRLs will be located. Only used when --format is set to "windows" |
| --windows-sid | no default | Optional Security Identifier to embed in the certificate. Only used when --format is set to "windows" |
| --windows-user | no default | Windows user placed on the identity file. Only used when --format is set to "windows" |

tctl autoupdate agents mark-done

Marks one or many groups as done updating.

Usage:

tctl autoupdate agents mark-done [<groups>...]

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| groups | no default (optional) | Groups to mark as done updating. |

tctl autoupdate agents report

Aggregates the agent autoupdate reports and displays agent count per version and per update group.

Usage:

tctl autoupdate agents report

tctl autoupdate agents rollback

Rolls back one or many groups.

Usage:

tctl autoupdate agents rollback [<groups>...]

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| groups | no default (optional) | Groups to roll back. When empty, every group already started is rolled back. |

tctl autoupdate agents start-update

Starts updating one or many groups.

Usage:

tctl autoupdate agents start-update [<flags>] [<groups>...]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --[no-]force | false | Skips progressive deployment mechanisms such as canaries or backpressure. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| groups | no default (optional) | Groups to start updating. |

tctl autoupdate agents status

Prints the agent auto-update status.

Usage:

tctl autoupdate agents status

tctl autoupdate client-tools disable

Disables client tools auto updates. Clients will not be told to update to the target version.

Usage:

tctl autoupdate client-tools disable

tctl autoupdate client-tools enable

Enables client tools auto updates. Clients will be told to update to the target version.

Usage:

tctl autoupdate client-tools enable

tctl autoupdate client-tools status

Prints whether client tools updates are enabled or disabled, and the target version, in the specified format.

Usage:

tctl autoupdate client-tools status [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | yaml | Output format: 'yaml' or 'json' |
| --proxy | no default | Address of the Teleport proxy. When defined, this address will be used to retrieve client tools auto update configuration. |

tctl autoupdate client-tools target

Sets the client tools target version. This command is not supported on Teleport Cloud.

Usage:

tctl autoupdate client-tools target [<flags>] [<version>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --[no-]clear | false | Removes the target version; Teleport will default to its current proxy version. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| version | no default (optional) | Client tools target version. Clients will be told to update to this version. |

tctl bots add

Add a new bot to the cluster.

Usage:

tctl bots add [<flags>] <name>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | text (one of: text, json) | Output format. |
| --initial-public-key | no default | If set, use the given initial public key in SSH authorized_keys format, instead of generating a registration secret. The value must be quoted. Not compatible with --token or --legacy. |
| --logins | no default | List of allowed SSH logins for the bot user |
| --max-session-ttl | no default | Set a max session TTL for the bot's internal identity. 12h default, 168h maximum. |
| --[no-]legacy | false | If set, generate a legacy joining token instead of a bound keypair token. No effect if --token is set. |
| --recovery-limit | no default | Overrides the recovery limit (default: 1) for the bound keypair token. No effect if --token or --legacy is set, or if --recovery-mode is not standard. Must be greater than 1. |
| --recovery-mode | standard (one of: standard, relaxed, insecure) | If set, overrides the recovery mode for the bound keypair token. No effect if --token or --legacy is set. |
| --registration-secret | no default | Sets a registration secret for the bound keypair token. If not set, one will be randomly generated. No effect if --initial-public-key, --token, or --legacy is set. |
| --roles | no default | Roles the bot is able to assume. |
| --token | no default | The token to use, if any. If unset, a new single-use token will be created. |
| --ttl | 1h0m0s | TTL for the bot join token. For standard bound keypair tokens, this sets must_register_before; for legacy tokens, this sets the resource TTL. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| name | no default (required) | A name to uniquely identify this bot in the cluster. |

tctl bots instances add

Join a new instance onto an existing bot.

Usage:

tctl bots instances add [<flags>] <name>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | text (one of: text, json) | Output format. |
| --initial-public-key | no default | If set, use the given initial public key in SSH authorized_keys format, instead of generating a registration secret. The value must be quoted. Not compatible with --token or --legacy. |
| --[no-]legacy | false | If set, generate a legacy joining token instead of a bound keypair token. No effect if --token is set. |
| --recovery-limit | no default | Overrides the recovery limit (default: 1) for the bound keypair token. No effect if --token or --legacy is set, or if --recovery-mode is not standard. Must be greater than 1. |
| --recovery-mode | standard (one of: standard, relaxed, insecure) | If set, overrides the recovery mode for the bound keypair token. No effect if --token or --legacy is set. |
| --registration-secret | no default | Sets a registration secret for the bound keypair token. If not set, one will be randomly generated. No effect if --initial-public-key, --token, or --legacy is set. |
| --token | no default | The token to use, if any. If unset, a new single-use token will be created. |
| --ttl | 1h0m0s | TTL for the bot join token. For standard bound keypair tokens, this sets must_register_before; for legacy tokens, this sets the resource TTL. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| name | no default (required) | The name of the existing bot for which to add a new instance. |

tctl bots instances list

List bot instances.

Usage:

tctl bots instances list [<flags>] [<name>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | text (one of: text, json) | Output format. |
| --query | no default | An expression in the Teleport predicate language used to filter bot instances |
| --search | no default | Fuzzy search query used to filter bot instances |
| --sort-index | bot_name | Request sort index, 'bot_name', 'active_at_latest', 'version_latest' or 'host_name_latest' |
| --sort-order | ascending | Request sort order, 'ascending' or 'descending' |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| name | no default (optional) | The name of the bot from which to list instances. If unset, lists instances from all bots. |

tctl bots instances show

Shows information about a specific bot instance.

Usage:

tctl bots instances show <id>

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| id | no default (required) | The full ID of the bot instance, in the form of [bot name]/[uuid] |

tctl bots ls

List all certificate renewal bots registered with the cluster.

Usage:

tctl bots ls

tctl bots rm

Permanently remove a certificate renewal bot from the cluster.

Usage:

tctl bots rm <name>

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| name | no default (required) | Name of an existing bot to remove. |

tctl bots update

Update an existing bot.

Usage:

tctl bots update [<flags>] <name>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --add-logins | no default | Adds a comma-separated list of logins to an existing bot. |
| --add-roles | no default | Adds a comma-separated list of roles to an existing bot. |
| --set-logins | no default | Sets the bot's logins to the given comma-separated list, replacing any existing logins. |
| --set-max-session-ttl | no default | Sets the max session TTL. 168h maximum. |
| --set-roles | no default | Sets the bot's roles to the given comma-separated list, replacing any existing roles. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| name | no default (required) | Name of an existing bot to update. |

tctl bound-keypair request-rotation

Request a keypair rotation on the next join attempt.

Usage:

tctl bound-keypair request-rotation <name>

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| name | no default (required) | The name of the token |

tctl create

Create or update a Teleport resource from a YAML file.

Usage:

tctl create [<flags>] [<filename>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --[no-]force | false | Overwrite the resource if it already exists |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| filename | no default (optional) | Resource definition file, empty for stdin |

tctl db ls

List all databases registered with the cluster.

Usage:

tctl db ls [<flags>] [<labels>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | text | Output format, 'text', 'json', or 'yaml' |
| --query | no default | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"') |
| --search | no default | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase") |
| -v, --[no-]verbose | false | Verbose table output, shows full label output |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| labels | no default (optional) | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2) |

tctl desktop bootstrap

Generate a PowerShell script to bootstrap Active Directory.

Usage:

tctl desktop bootstrap

tctl desktop ls

List all desktops registered with the cluster.

Usage:

tctl desktop ls [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | text | Output format, 'text', 'json' or 'yaml' |
| -v, --[no-]verbose | false | Verbose table output, shows full label output |

tctl devices add

Register managed devices.

Usage:

tctl devices add [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --asset-tag | no default | Inventory identifier for the device (e.g., Mac serial number) |
| --enroll-ttl | no default | Time duration for the enrollment token |
| --format | text (one of: text, json, yaml) | Output format. |
| --[no-]current-device | false | Registers the current device. Overrides --os and --asset-tag. |
| --[no-]enroll | false | If set, creates a device enrollment token |
| --os | no default (one of: linux, macos, windows) | Operating system |

tctl devices enroll

Creates a new device enrollment token.

Usage:

tctl devices enroll [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --asset-tag | no default | Inventory identifier for the device |
| --device-id | no default | Device identifier |
| --[no-]current-device | false | Enrolls the current device. Overrides --device-id and --asset-tag. |
| --ttl | no default | Time duration for the enrollment token |

tctl devices lock

Locks a device.

Usage:

tctl devices lock [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --asset-tag | no default | Inventory identifier for the device |
| --device-id | no default | Device identifier |
| --expires | no default | Time point (RFC3339) when the lock expires |
| --message | no default | Message to display to locked-out users |
| --[no-]current-device | false | Locks the current device. Overrides --device-id and --asset-tag. |
| --ttl | no default | Time duration after which the lock expires |

tctl devices ls

Lists managed devices.

Usage:

tctl devices ls [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | text (one of: text, json, yaml) | Output format. |

tctl devices rm

Removes a managed device.

Usage:

tctl devices rm [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --asset-tag | no default | Inventory identifier for the device |
| --device-id | no default | Device identifier |
| --[no-]current-device | false | Removes the current device. Overrides --device-id and --asset-tag. |

tctl discovery nodes

Report discovered server instances and their enrollment status using Teleport audit log and cluster state.

Usage:

tctl discovery nodes [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --cloud | (empty) | Comma-separated list of cloud providers to include (allowed: aws, azure). Empty (default) returns all. |
| --format | text (one of: text, json) | Output format. |
| --last | 1h | Time window to look back for failures in Teleport audit log (e.g. 1h, 24h, 30m). |
| --[no-]failures-only | false | Only show instances with enrollment failures. |

tctl edit

Edit a Teleport resource.

Usage:

tctl edit [<resource type/resource name>]

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| resource type/resource name | no default (optional) | Resource to update, e.g., "user/myuser" |

tctl get

Print a YAML declaration of various Teleport resources.

Usage:

tctl get [<flags>] <resources>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | yaml | Output format: 'yaml', 'json' or 'text' |
| --[no-]with-secrets | false | Include secrets in resources like certificate authorities or OIDC connectors |
| -v, --[no-]verbose | false | Verbose table output, shows full label output |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| resources | no default (required) | Resource spec: 'type/[name][,...]' or 'all' |

tctl help

Show help.

Usage:

tctl help [<command>...]

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| command | no default (optional) | Show help on command. |

tctl idp saml test-attribute-mapping

Test expression evaluation of attribute mapping.

Usage:

tctl idp saml test-attribute-mapping --users=USERS --sp=SP [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | no default | Output format, 'yaml' or 'json' |
| --sp | no default | Name of a file containing service provider spec |
| -u, --users | no default | Username or name of a file containing user spec |

tctl inventory list

List Teleport instance inventory.

Usage:

tctl inventory list [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --exact-version | no default | Filter output by teleport version |
| --format | text | Output format, 'text' or 'json' |
| --newer-than | no default | Filter for newer teleport versions |
| --older-than | no default | Filter for older teleport versions |
| --services | no default | Filter output by service (node,kube,proxy,etc) |
| --update-group | no default | Filter output by update group |
| --upgrader | no default | Filter output by upgrader (kube,unit,none) |

tctl inventory ping

Ping locally connected instance.

Usage:

tctl inventory ping <server-id>

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| server-id | no default (required) | ID of target server |

tctl inventory status

Show inventory status summary.

Usage:

tctl inventory status [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | text | Output format, 'text' or 'json' |
| --[no-]connected | false | Show locally connected instances summary |

tctl kube ls

List all Kubernetes clusters registered with the cluster.

Usage:

tctl kube ls [<flags>] [<labels>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | text | Output format, 'text', 'json', or 'yaml' |
| --query | no default | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"') |
| --search | no default | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase") |
| -v, --[no-]verbose | false | Verbose table output, shows full label output |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| labels | no default (optional) | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2) |

tctl list-kinds

Lists all resource kinds supported by this tctl version.

Usage:

tctl list-kinds [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --[no-]wide | false | Do not truncate the Description column, even if it exceeds terminal width |

tctl lock

Create a new lock.

Usage:

tctl lock [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --access-request | no default | UUID of an Access Request to disable. |
| --bot-instance-id | no default | UUID of a bot instance to disable |
| --device | no default | UUID of a trusted device to disable. |
| --expires | no default | Time point (RFC3339) when the lock expires. |
| --join-token | no default | Bot join token name to disable |
| --linux-desktop | no default | Name of a Linux desktop to disable. |
| --login | no default | Name of a local UNIX user to disable. |
| --message | no default | Message to display to locked-out users. |
| --mfa-device | no default | UUID of a user MFA device to disable. |
| --role | no default | Name of a Teleport role to disable. |
| --server-id | no default | UUID of a Teleport server to disable. |
| --ttl | no default | Time duration after which the lock expires. |
| --user | no default | Name of a Teleport user to disable. |
| --windows-desktop | no default | Name of a Windows desktop to disable. |

tctl login_rule test

Test the parsing and evaluation of login rules.

Usage:

tctl login_rule test [<flags>] [<traits-file>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | yaml | Output format: 'yaml' or 'json' |
| --[no-]load-from-cluster | false | Load existing login rules from the connected Teleport cluster |
| --resource-file | no default | Login rule resource file name (YAML or JSON) |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| traits-file | no default (optional) | Input user traits file name (YAML or JSON), empty for stdin |

tctl nodes add

Generate a node invitation token.

Usage:

tctl nodes add [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --roles | node | Comma-separated list of roles for the new node to assume [node] |
| --token | no default | Override the default randomly generated token with a specified value |
| --ttl | 30m0s | Time to live for a generated token |

tctl nodes ls

List all active SSH nodes within the cluster.

Usage:

tctl nodes ls [<flags>] [<labels>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | text | Output format, 'text' or 'yaml' |
| --query | no default | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"') |
| --search | no default | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase") |
| -v, --[no-]verbose | false | Verbose table output, shows full label output |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| labels | no default (optional) | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2) |

tctl notifications create

Create a cluster notification.

Usage:

tctl notifications create --title=TITLE --content=CONTENT [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --content | no default | Set the notification's content. |
| --labels | no default | List of labels to attach to the notification. For example: key1=value1,key2=value2. |
| --[no-]require-all-roles | false | Set whether this notification should target users who have all of the provided roles. |
| --[no-]warning | false | Set whether this notification is a warning notification. |
| --roles | no default | Target a specific set of roles. By default, this will target all users with any of the provided roles; use --require-all-roles to exclusively target users with all of them. |
| -t, --title | no default | Set the notification's title. |
| --ttl | 30d | Time duration after which the notification expires (default 30 days). |
| --user | no default | Target a specific user. |

tctl notifications ls

List notifications which were manually created using tctl notifications create. By default, this will list notifications capable of targeting multiple users, such as role-based ones. To list notifications directed only at a specific user, use the --user flag. To include notifications generated by Teleport, use --all.

Usage:

tctl notifications ls [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | text (one of: yaml, json, text) | Output format. |
| --labels | no default | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2) |
| --[no-]all | false | Set whether all notifications should be included, including those generated by Teleport, as opposed to solely those created using tctl notifications create. |
| --user | no default | Set which user to list user-specific notifications for, or leave empty to list your own. |

tctl notifications rm

Remove a cluster notification.

Usage:

tctl notifications rm [<flags>] <id>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --user | no default | The user the notification to remove belongs to, if any. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| id | no default (required) | The ID of the notification to remove. |

tctl plugins cleanup

Cleans up the given plugin type.

Usage:

tctl plugins cleanup [<flags>] <type>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --[no-]dry-run | true | Dry run the cleanup command. Dry run defaults to on. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| type | no default (required) | The type of plugin to clean up. Only Okta is supported at present. |

tctl plugins delete

Remove a plugin instance.

Usage:

tctl plugins delete [<name>]

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| name | no default (optional) | The name of the SCIM plugin resource to delete. |

tctl plugins edit awsic

Edit an AWS IAM Identity Center integration's settings.

Usage:

tctl plugins edit awsic [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --plugin-name | aws-identity-center | Name of the AWS Identity Center integration instance to update. Defaults to aws-identity-center. |
| --roles-sync-mode | no default (one of: ALL, NONE) | Control account-assignment role creation. ALL creates roles for all possible account assignments. NONE creates no roles, and also implies a totally-exclusive group import filter. |

tctl plugins install awsic

Install an AWS IAM Identity Center integration.

Usage:

tctl plugins install awsic --access-list-default-owner=ACCESS-LIST-DEFAULT-OWNER --scim-url=SCIM-URL --scim-token=SCIM-TOKEN --instance-region=INSTANCE-REGION --instance-arn=INSTANCE-ARN [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --access-list-default-owner | no default | Teleport user to set as default owner for the imported Access Lists. Multiple flags allowed. |
| --account-id | no default | Add an AWS account to the account import list by ID. All AWS accounts are imported if the account import list is left empty. |
| --account-name | no default | Add an AWS account to the account import list by name. Can be a glob, or enclosed in ^$ to specify a regular expression. All AWS accounts are imported if the account import list is left empty. |
| --assume-role-arn | no default | ARN of a role that the system credential should assume. |
| --exclude-account-id | no default | Exclude an AWS account from the import list by ID. |
| --exclude-account-name | no default | Exclude an AWS account from the import list by name. Can be a glob or a regular expression (enclosed in ^$). |
| --exclude-group-name | no default | Exclude an AWS group from the import list by name. Can be a glob or a regular expression (enclosed in ^$). |
| --group-name | no default | Add an AWS group to the group import list by name. Can be a glob, or enclosed in ^$ to specify a regular expression. If no filters are supplied, all AWS groups are imported. |
| --instance-arn | no default | AWS Identity Center instance ARN. |
| --instance-region | no default | AWS Identity Center instance region. |
| --[no-]force-scim-url | false | Use the provided SCIM provisioning endpoint even if it fails SCIM endpoint validation. |
| --[no-]use-system-credentials | true | Use system credentials instead of OIDC. |
| --oidc-integration | no default | Name of the Teleport OIDC integration to use when authenticating with AWS. Must be supplied when --no-use-system-credentials is set. |
| --roles-sync-mode | ALL (one of: ALL, NONE) | Control account-assignment role creation. ALL creates Teleport Roles for all possible account assignments. NONE creates no Teleport Roles, and also implies a totally-exclusive group import filter. |
| --scim-token | no default | AWS Identity Center SCIM provisioning token. |
| --scim-url | no default | AWS Identity Center SCIM provisioning endpoint. |
| --user-label | no default | Add a user label filter, in the form of a comma-separated list of "name=value" pairs. If no label filters are supplied, all Teleport users are provisioned to Identity Center. |
| --user-origin | no default (any of (repeatable): defaults, config-file, dynamic, cloud, kubernetes, okta, scim, discovery-kubernetes, entra-id, aws-identity-center, integration_awsrolesanywhere) | Shorthand for "--user-label teleport.dev/origin=ORIGIN". |

tctl plugins install entraid

Install a Microsoft Entra ID integration.

Usage:

tctl plugins install entraid --default-owner=DEFAULT-OWNER [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --access-list-owners-source | plugin | Source of the Access List owners. |
| --auth-connector-name | entra-id-default | Name of the SAML connector resource to create. |
| --default-owner | no default | List of Teleport users that are default owners for the imported Access Lists. Multiple flags allowed. |
| --exclude-group-id | no default | Exclude the group matching the specified group ID. |
| --exclude-group-name | no default | Exclude groups matching the specified group name regex. |
| -f, --[no-]force | false | Proceed with installation even if the plugin already exists. |
| --group-id | no default | Include the group matching the specified group ID. |
| --group-name | no default | Include groups matching the specified group name regex. |
| -m, --[no-]manual-setup | false | Manually set up the Entra ID integration. |
| --name | entra-id | Name of the plugin resource to create. |
| --[no-]access-graph | true | Enable the Access Graph cache build. |
| --[no-]use-system-credentials | false | Use system credentials instead of OIDC. |

tctl plugins install github

Install an Access Graph Github integration.

Usage:

tctl plugins install github [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --start-date | <today> | Start date for the audit log ingest, in YYYY-MM-DD format. |

tctl plugins install netiq

Install an Access Graph NetIQ integration.

Usage:

tctl plugins install netiq [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --[no-]insecure-skip-verify | false | Skip verification of the NetIQ server's TLS certificate. Danger: with verification disabled, a network attacker can impersonate the NetIQ server and read or alter the directory data exchanged with it. |

tctl plugins install okta

Install an Okta integration.

Usage:

tctl plugins install okta --org=ORG --saml-connector=SAML-CONNECTOR [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -a, --app-filter | no default | Add an app filter. Supports globbing by default. Enclose in ^pattern$ for full regex support. |
| --api-token | no default | Okta API token for the plugin to use. |
| --app-id | no default | Okta ID of the app used for SSO via SAML. |
| -g, --group-filter | no default | Add a group filter. Supports globbing by default. Enclose in ^pattern$ for full regex support. |
| --name | okta | Name of the plugin resource to create. |
| --[no-]accesslist-sync | true | Enable group to Access List synchronization. |
| --[no-]appgroup-sync | true | Enable Okta applications and groups sync. |
| --[no-]assign-default-roles | true | If user synchronization is enabled, assign the built-in okta-requester role to synchronized users. |
| --[no-]scim | false | Enable the SCIM Okta integration. |
| --[no-]system-logs-export | false | Enable the Teleport Identity Security SIEM integration for Okta. |
| --[no-]users-sync | true | Enable user synchronization. |
| -o, --owner | no default | Add default owners for synced Access Lists. |
| --org | no default | URL of the Okta organization. |
| --saml-connector | no default | SAML connector used for Okta SSO login. |

tctl plugins install scim

Install a Teleport SCIM plugin.

Usage:

tctl plugins install scim --connector=CONNECTOR [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --auth | oauth (one of: bearer, oauth) | Plugin authentication type. |
| --connector | no default | Name of the Teleport connector to use. |
| --connector-type | no default (one of: oidc, saml) | Type of the Teleport connector to use. |

tctl plugins rotate awsic

Rotate the AWS Identity Center SCIM bearer token.

Usage:

tctl plugins rotate awsic [<flags>] TOKEN

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --[no-]validate-token | true | Validate that the supplied token is valid for the configured downstream SCIM service. |
| --plugin-name | aws-identity-center | Name of the AWSIC plugin instance to update. Defaults to aws-identity-center. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| token | no default (required) | The new SCIM bearer token. |

tctl proxy ls

Lists proxies connected to the cluster.

Usage:

tctl proxy ls [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | yaml | Output format: 'yaml', 'json' or 'text'. |

tctl recordings download

Download session recordings.

Usage:

tctl recordings download [<flags>] <session-id>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -o, --output-dir | <current working directory> | Directory to download session recordings to. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| session-id | no default (required) | ID of the session to download recordings for. |

tctl recordings encryption complete-rotation

Completes an in-progress encryption key rotation.

Usage:

tctl recordings encryption complete-rotation

tctl recordings encryption rollback-rotation

Rolls back an in-progress encryption key rotation.

Usage:

tctl recordings encryption rollback-rotation

tctl recordings encryption rotate

Rotate encryption keys used for encrypting session recordings.

Usage:

tctl recordings encryption rotate

tctl recordings encryption status

Show current rotation status.

Usage:

tctl recordings encryption status [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | text | Output format (text, json, yaml). Defaults to 'text'. |

tctl recordings ls

List recorded sessions.

Usage:

tctl recordings ls [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | text | Output format (text, json, yaml). Defaults to 'text'. |
| --from-utc | no default | Start of the time range in which recordings are listed. Format 2006-01-02. Defaults to 24 hours ago. |
| --last | no default | Duration into the past from which session recordings should be listed. Format 5h30m40s. |
| --limit | 50 | Maximum number of recordings to show. Default 50. |
| --to-utc | no default | End of the time range in which recordings are listed. Format 2006-01-02. Defaults to the current time. |

tctl recordings search

Search session recordings using semantic and keyword queries.

Usage:

tctl recordings search [<flags>] [<query>...]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --access-request | no default | Filter by access request ID. Can be specified multiple times. |
| --database-name | no default | Filter database sessions by database name. |
| --format | text | Output format (text, json, yaml). Defaults to 'text'. |
| --from | no default | Start of the time range. Format 2006-01-02. Defaults to 24 hours ago. |
| --kind | no default | Filter by session kind (ssh, db, k8s, desktop). Can be specified multiple times. |
| --label | no default | Filter by resource labels (key=value pairs), e.g. env/prod=true,db/type=postgres. |
| --limit | 50 | Maximum number of results to return. |
| --pod-name | no default | Filter Kubernetes sessions by pod name. |
| --pod-namespace | no default | Filter Kubernetes sessions by pod namespace. |
| --resource-kind | no default | Filter by Teleport resource type (node, kube_cluster, db). |
| --resource-name | no default | Filter by resource name. |
| --role | no default | Filter by role held during the session. Can be specified multiple times. |
| --search-mode | hybrid (one of: hybrid, keyword, embeddings) | Search strategy to use when search queries are provided. |
| --server-addr | no default | Filter SSH sessions by server address. |
| --server-hostname | no default | Filter SSH sessions by server hostname. |
| --severity | no default | Minimum severity level to include (low, medium, high, critical). |
| --to | no default | End of the time range. Format 2006-01-02. Defaults to the current time. |
| --username | no default | Filter by the Teleport username that initiated the session. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| query | no default (optional) | Natural language description of the sessions to find (e.g. "SSH sessions exfiltrating data to external endpoints"). |

tctl requests approve

Approve pending Access Request.

Usage:

tctl requests approve [<flags>] <request-id>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --annotations | no default | Resolution annotations <key>=<val>[,...]. |
| --assume-start-time | no default | Time from which the requester may assume the approved roles (RFC3339, e.g. 2023-12-12T23:20:50.52Z). |
| --delegator | no default | Optional delegating identity. |
| --reason | no default | Optional reason message. |
| --roles | no default | Override the requested roles <role>[,...]. The approval grants this list instead of what was requested. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| request-id | no default (required) | ID of target request(s). |

tctl requests create

Create pending Access Request.

Usage:

tctl requests create [<flags>] <username>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --[no-]dry-run | false | Don't actually generate the Access Request. |
| --reason | no default | Optional reason message. |
| --resource | no default | Resource ID to be requested. |
| --roles | no default | Roles to be requested. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| username | no default (required) | Name of the target user. |

tctl requests deny

Deny pending Access Request.

Usage:

tctl requests deny [<flags>] <request-id>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --annotations | no default | Resolution annotations <key>=<val>[,...]. |
| --delegator | no default | Optional delegating identity. |
| --reason | no default | Optional reason message. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| request-id | no default (required) | ID of target request(s). |

tctl requests get

Show Access Request by ID.

Usage:

tctl requests get <request-id>

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| request-id | no default (required) | ID of the target request. |

tctl requests ls

Show active Access Requests.

Usage:

tctl requests ls [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --sort-index | created | Request sort index: 'created' or 'state'. |
| --sort-order | descending | Request sort order: 'ascending' or 'descending'. |

tctl requests review

Review an Access Request.

Usage:

tctl requests review --author=AUTHOR [<flags>] <request-id>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --author | no default | Username of the reviewer. |
| --[no-]approve | false | Review proposes approval. |
| --[no-]deny | false | Review proposes denial. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| request-id | no default (required) | ID of the target request. |

tctl requests rm

Delete an Access Request.

Usage:

tctl requests rm [<flags>] <request-id>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --[no-]force | false | Force the deletion of an active Access Request. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| request-id | no default (required) | ID of target request(s). |

tctl rm

Delete a resource.

Usage:

tctl rm [<resource type/resource name>]

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| resource type/resource name | no default (optional) | Resource to delete, written as <resource type>/<resource name>. <resource type> is the type of the resource (for example: connector, user, cluster, token); <resource name> is the name of the resource to delete. |

Examples:

$ tctl rm role/devs
$ tctl rm cluster/main

tctl saml export

Export a SAML signing key in .crt format.

Usage:

tctl saml export <connector_name>

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| connector_name | no default (required) | Name of the SAML connector to export the key from. |

tctl scoped assignments list

List scoped role assignments

Usage:

tctl scoped assignments list [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | text (one of: text, json, yaml) | Output format (text, json, yaml). |
| --role | no default | Filter by assigned role. |
| --user | no default | Filter by user. |

tctl scoped status

Show the status of scoped resources.

Usage:

tctl scoped status

tctl scoped tokens add

Create a scoped invitation token.

Usage:

tctl scoped tokens add --type=TYPE [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --assign-scope | no default | Scope that should be applied to resources provisioned by this token. |
| --format | no default (one of: text, json, yaml) | Output format (text, json, yaml). |
| --labels | no default | Set token labels, e.g. env=prod,region=us-west. |
| --mode | no default | Usage mode of the token: unlimited (the default) or single_use. |
| --name | no default | Override the default, randomly generated token name with a specified name. |
| --scope | no default | Scope assigned to the token itself. |
| --ssh-labels | no default | Set immutable SSH labels the token should assign to provisioned resources, e.g. env=prod,region=us-west. |
| --ttl | 30m0s | Set the expiration time for the token; the default is 30 minutes. |
| --type | no default | Type(s) of token to add, e.g. --type=node. |

tctl scoped tokens ls

List invitation tokens.

Usage:

tctl scoped tokens ls [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | no default (one of: text, json, yaml) | Output format (text, json, yaml). |
| --[no-]with-secrets | false | Do not redact join token secrets in the output. Anyone who reads the unredacted output can use the token to join the cluster. |

tctl scoped tokens rm

Delete/revoke a scoped invitation token.

Usage:

tctl scoped tokens rm [<token>]

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| token | no default (optional) | Token to delete. |

tctl sso configure github

Configure GitHub auth connector.

Usage:

tctl sso configure github --teams-to-roles=org,team,role1,role2,... --id=ID --secret=SECRET [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --api-endpoint-url | https://api.github.com | API endpoint URL for the GitHub instance. |
| --display | no default | Sets the connector display name. |
| --endpoint-url | https://github.com | Endpoint URL for the GitHub instance. |
| --id | no default | GitHub app client ID. |
| -n, --name | github | Connector name. |
| --[no-]ignore-missing-roles | false | Ignore missing roles referenced in --teams-to-roles. |
| --redirect-url | no default | Authorization callback URL. |
| -r, --teams-to-roles | no default | Sets the teams-to-roles mapping using the format 'organization,name,role1,role2,...'. Repeatable. |
| --secret | no default | GitHub app client secret. |

tctl sso configure oidc

Configure OIDC auth connector, optionally using a preset. Available presets: [google gitlab okta].

Usage:

tctl sso configure oidc --claims-to-roles=name,value,role1,role2,... --secret=SECRET [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --acr | no default | Authentication Context Class Reference values. |
| --display | no default | Sets the connector display name. |
| --google-acc | no default | Google only. String containing Google service account credentials. |
| --google-acc-uri | no default | Google only. URI pointing at service account credentials. Example: file:///var/lib/teleport/gworkspace-creds.json. |
| --google-admin | no default | Google only. Email of a Google admin to impersonate. |
| --google-id | no default | Shorthand for setting the --id flag to <GOOGLE_WORKSPACE_CLIENT_ID>.apps.googleusercontent.com. |
| --id | no default | OIDC app client ID. |
| --issuer-url | no default | Issuer URL. |
| -n, --name | no default | Connector name. Required, unless implied from the preset. |
| --[no-]google-legacy | false | Google only. Select groups with direct membership filtered by domain (legacy behavior). Disabled by default. More info: https://goteleport.com/docs/enterprise/sso/google-workspace/#how-teleport-uses-google-workspace-apis |
| --[no-]ignore-missing-roles | false | Ignore missing roles referenced in --claims-to-roles. |
| -p, --preset | no default (one of: google, gitlab, okta) | Preset. |
| --prompt | no default | Optional OIDC prompt. Example values: none, select_account, login, consent. |
| --provider | no default | Sets the external identity provider type to enable IdP-specific workarounds. Examples: ping, adfs, netiq, okta. |
| -r, --claims-to-roles | no default | Sets the claims-to-roles mapping using the format 'claim_name,claim_value,role1,role2,...'. Repeatable. |
| --redirect-url | no default | Authorization callback URL(s). Each repetition of the flag declares one redirect URL. |
| --scope | no default | Additional scopes requested from the provider. Each repetition of the flag declares one scope. Examples: email, groups, openid. |
| --secret | no default | OIDC app client secret. |

tctl sso configure saml

Configure SAML auth connector, optionally using a preset. Available presets: [okta onelogin ad adfs].

Usage:

tctl sso configure saml --attributes-to-roles=ATTRIBUTES-TO-ROLES [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --acs | no default | AssertionConsumerService: the URL of the assertion consumer service on the service provider (Teleport's side). |
| --assertion-cert-file | no default | File with the certificate used for securing SAML assertions. Must be used together with --assertion-key-file. |
| --assertion-key-file | no default | File with the key used for securing SAML assertions. Must be used together with --assertion-cert-file. |
| --audience | no default | Audience uniquely identifies our service provider. |
| --cert | no default | File with the IdP certificate in PEM format. The IdP signs <Response> responses using this certificate. |
| --display | no default | Sets the connector display name. |
| -e, --entity-descriptor | no default | Set the Entity Descriptor. Valid values: file, URL, XML content. Supplies the configuration parameters as a single XML document instead of individual elements. |
| --issuer | no default | Issuer is the identity provider issuer. |
| -n, --name | no default | Connector name. Required, unless implied from the preset. |
| --[no-]allow-idp-initiated | false | Allow the IdP to initiate the SSO flow. IdP-initiated responses are not bound to a request Teleport issued, so leave this disabled unless the IdP requires it. |
| --[no-]ignore-missing-roles | false | Ignore missing roles referenced in --attributes-to-roles. |
| -p, --preset | no default (one of: okta, onelogin, ad, adfs) | Preset. |
| --provider | no default | Sets the external identity provider type. Examples: ping, adfs. |
| -r, --attributes-to-roles | no default | Sets the attributes-to-roles mapping using the format 'attr_name,attr_value,role1,role2,...'. Repeatable. |
| --service-provider-issuer | no default | ServiceProviderIssuer is the issuer of the service provider (Teleport). |
| --signing-cert-file | no default | File with the request signing certificate. Must be used together with --signing-key-file. |
| --signing-key-file | no default | File with the request signing key. Must be used together with --signing-cert-file. |
| --sso | no default | SSO is the URL of the identity provider's SSO service. |

tctl sso test

Perform end-to-end test of SSO flow using provided auth connector definition.

Usage:

tctl sso test [<flags>] [<filename>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --browser | no default | Set to 'none' to suppress opening a browser on login. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| filename | no default (optional) | Connector resource definition filename. Empty for stdin. |

tctl stable-unix-users ls

List the stable UNIX users currently persisted in the cluster.

Usage:

tctl stable-unix-users ls [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | text (one of: text, json, yaml) | Output format. |

tctl status

Report cluster status.

Usage:

tctl status

tctl terraform env

Obtain certificates and load them into environment variables. This creates a temporary MachineID bot.

Usage:

tctl terraform env [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --bot-ttl | 1h | Time-to-live of the Bot resource. The bot is removed after this period. Defaults to 1h. |
| --resource-prefix | tctl-terraform-env- | Resource prefix to use when creating the Terraform role and bots. Defaults to tctl-terraform-env-. |
| --role | no default | Role used by Terraform. The role must already exist in Teleport. When not specified, the default role "terraform-provider" is used. |

tctl tokens add

Create an invitation token.

Usage:

tctl tokens add --type=TYPE [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --app-name | example-app | Name of the application to add. |
| --app-uri | http://localhost:8080 | URI of the application to add. |
| --db-name | no default | Name of the database to add. |
| --db-protocol | no default | Database protocol to use. Supported: postgres, mysql, mongodb, oracle, cockroachdb, redis, snowflake, sqlserver, cassandra, elasticsearch, opensearch, dynamodb, clickhouse, clickhouse-http, spanner. |
| --db-uri | no default | Address the database is reachable at. |
| --format | no default (one of: text, json, yaml) | Output format. |
| --labels | no default | Set token labels, e.g. env=prod,region=us-west. |
| --ttl | 30m0s | Set the expiration time for the token; the default is 30 minutes. |
| --type | no default | Type(s) of token to add, e.g. --type=node,app,db,proxy. |
| --value | no default | Override the default randomly generated token with a specified value. The token is a bearer secret that lets any holder join a resource of the given type(s), so a guessable value weakens the cluster; prefer the generated one. |

tctl tokens configure-kube

Creates a token allowing workloads from the Kubernetes cluster to join the Teleport cluster.

Usage:

tctl tokens configure-kube --service-account=SERVICE-ACCOUNT [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --bot | no default | Name of the bot that this token grants access to. When set, creates a bot token. Overrides --type. |
| --cluster-name | no default | Name of the Kubernetes cluster. When not set, defaults to the context name. |
| --context | no default | Kubernetes context to use. When not set, defaults to the active context. |
| -f, --[no-]force | false | Force the token creation, even if the token already exists. |
| -j, --join-with | auto | Kubernetes joining type; possible values are 'oidc', 'jwks', and 'auto'. See https://goteleport.com/docs/reference/join-methods/#kubernetes-kubernetes for more details. |
| -n, --namespace | teleport | Namespace of the Kubernetes Service Account using the token. For the 'teleport-kube-agent' and 'tbot' Helm charts, this is the release namespace. |
| -o, --out | ./values.yaml | Path of the output file. |
| -s, --service-account | no default | Name of the Kubernetes Service Account using the token. For the 'teleport-kube-agent' and 'tbot' Helm charts, this is the release name. |
| --token-name | no default | Optional name of the created join token. When not set, defaults to '<CLUSTER_NAME>(-<BOT_NAME>)'. |
| --type | kube,app,discovery | Type(s) of token to add, e.g. --type=kube,app,db,discovery,proxy. |
| --update-group | no default | Optional update group used for version detection and agent updater configuration. |

tctl tokens ls

List node and user invitation tokens.

Usage:

tctl tokens ls [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --format | no default (one of: text, json, yaml) | Output format. |
| --labels | no default | Comma-separated list of labels to filter by (e.g. key1=value1,key2=value2). |
| --[no-]with-secrets | false | Do not redact join token secrets in the output. Anyone who reads the unredacted output can use the token to join the cluster. |

tctl tokens rm

Delete/revoke an invitation token.

Usage:

tctl tokens rm [<token>]

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| token | no default (optional) | Token to delete. |
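The three commands above are where join-token hygiene is enforced: a short --ttl on tctl tokens add, a periodic tctl tokens ls to see what is outstanding, and tctl tokens rm to revoke what should not be. The script below is an added example written for this reference, not tctl code or Teleport project code. It audits the output of tctl tokens ls --format json for shared-secret tokens that live longer than an hour, static tokens with no expiry at all, and tokens that grant the Auth, Proxy or Trusted_cluster roles. It assumes that the JSON output is a list of provision_token resources carrying metadata.expires, spec.roles and spec.join_method, and that names of shared-secret ("token" join method) tokens are redacted to "****" unless --with-secrets was given; the SAMPLE input is constructed, not real cluster data.

```python
"""Audit Teleport join tokens from the output of `tctl tokens ls --format json`.

Added example for this reference, not part of tctl. Assumptions (not
confirmed by the page): the output is a JSON list of provision_token
resources with metadata.expires (RFC3339; absent for static tokens),
spec.roles and spec.join_method; names of shared-secret tokens
(join_method "token") are shown as "****" unless --with-secrets is passed.

Usage: tctl tokens ls --format json | python3 audit_tokens.py
"""
import json
import sys
from datetime import datetime, timedelta, timezone

# System roles that let the joining process act as part of the control plane.
PRIVILEGED_ROLES = {"Auth", "Proxy", "Trusted_cluster"}
# Shared-secret tokens should be short-lived; tctl tokens add defaults to 30m.
MAX_SHARED_SECRET_TTL = timedelta(hours=1)
# Fixed "now" so the constructed sample evaluates the same way on every run.
NOW = datetime(2025, 1, 1, 0, 0, tzinfo=timezone.utc)

# Constructed sample input (not real cluster data).
SAMPLE = """[
 {"kind": "token", "version": "v2",
  "metadata": {"name": "****", "expires": "2025-01-01T00:20:00Z", "labels": {"env": "prod"}},
  "spec": {"roles": ["Node"], "join_method": "token"}},
 {"kind": "token", "version": "v2",
  "metadata": {"name": "****", "expires": "2025-01-08T00:00:00Z"},
  "spec": {"roles": ["Proxy", "Auth"], "join_method": "token"}},
 {"kind": "token", "version": "v2",
  "metadata": {"name": "****"},
  "spec": {"roles": ["Node"], "join_method": "token"}},
 {"kind": "token", "version": "v2",
  "metadata": {"name": "eks-prod-agents", "expires": "2025-06-01T00:00:00Z"},
  "spec": {"roles": ["Kube", "App"], "join_method": "kubernetes"}}
]"""


def parse_rfc3339(value):
    """Parse an RFC3339 timestamp such as 2025-01-08T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit(tokens_json, now=NOW, max_ttl=MAX_SHARED_SECRET_TTL):
    """Return one finding per token that violates a rule; clean tokens produce none."""
    findings = []
    for tok in json.loads(tokens_json):
        meta = tok.get("metadata", {})
        spec = tok.get("spec", {})
        roles = sorted(spec.get("roles", []))
        method = spec.get("join_method", "token")
        reasons = []

        # Only shared-secret tokens are bearer credentials; delegated join
        # methods (iam, kubernetes, ...) are validated against the provider.
        if method == "token":
            expires = meta.get("expires")
            if expires is None:
                reasons.append("static shared secret with no expiry")
            else:
                ttl = parse_rfc3339(expires) - now
                if ttl > max_ttl:
                    reasons.append(f"shared secret valid for {ttl} (limit {max_ttl})")

        privileged = sorted(set(roles) & PRIVILEGED_ROLES)
        if privileged:
            reasons.append(f"grants privileged roles {privileged}")

        if reasons:
            findings.append({"name": meta.get("name", "?"), "join_method": method,
                             "roles": roles, "reasons": reasons})
    return findings


def main():
    if sys.stdin.isatty():
        data, now = SAMPLE, NOW           # no pipe: demonstrate on the sample
    else:
        data, now = sys.stdin.read(), datetime.now(timezone.utc)
    for f in audit(data, now=now):
        print(f"{f['name']} ({f['join_method']}, roles={f['roles']})")
        for r in f["reasons"]:
            print(f"  - {r}")
        if f["name"] == "****":
            # The secret is redacted here; list with --with-secrets to get the value to revoke.
            print("  revoke: tctl tokens ls --with-secrets, then tctl tokens rm <token>")
        else:
            print(f"  revoke: tctl tokens rm {f['name']}")


if __name__ == "__main__":
    main()
```

On the sample, the 20-minute Node token and the kubernetes-method token pass, while the week-long Proxy/Auth token and the static token are reported. The TTL rule deliberately skips delegated join methods: their token name is not a secret, and a long-lived IAM or Kubernetes join token is not a bearer credential in the way a shared secret is.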

tctl top

Report diagnostic information.

Usage:

tctl top [<diag-addr>] [<refresh>]

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| diag-addr | no default (optional) | Diagnostic HTTP URL. |
| refresh | 5s (optional) | Refresh period. |

tctl update

Update resource fields.

Usage:

tctl update [<flags>] [<resource type/resource name>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --set-labels | no default | Set labels. |
| --set-ttl | no default | Set TTL. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| resource type/resource name | no default (optional) | Resource to update, written as <resource type>/<resource name>. <resource type> is the type of the resource (for example: rc); <resource name> is the name of the resource to update. |

Example:

$ tctl update rc/remote

tctl users add

Generate a user invitation token [Teleport local users only].

Usage:

tctl users add --roles=ROLES [<flags>] <account>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --aws-role-arns | no default | List of allowed AWS role ARNs for the new user. |
| --azure-identities | no default | List of allowed Azure identities for the new user. |
| --db-names | no default | List of allowed database names for the new user. |
| --db-roles | no default | List of database roles for automatic database user provisioning. |
| --db-users | no default | List of allowed database users for the new user. |
| --default-relay-addr | no default | Relay address that clients should use by default. |
| --gcp-service-accounts | no default | List of allowed GCP service accounts for the new user. |
| --host-user-gid | no default | GID for auto-provisioned host users to use. |
| --host-user-uid | no default | UID for auto-provisioned host users to use. |
| --kubernetes-groups | no default | List of allowed Kubernetes groups for the new user. |
| --kubernetes-users | no default | List of allowed Kubernetes users for the new user. |
| --logins | no default | List of allowed SSH logins for the new user. |
| --mcp-tools | no default | List of allowed MCP tools for the new user. |
| --roles | no default | List of roles for the new user to assume. |
| --ttl | 1h0m0s | Set the expiration time for the invitation token; the default is 1h0m0s and the maximum is 48h0m0s. |
| --windows-logins | no default | List of allowed Windows logins for the new user. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| account | no default (required) | Teleport user account name. |

tctl users ls

Lists all user accounts.

Usage:

tctl users ls

tctl users reset

Reset user password and generate a new token [Teleport local users only].

Usage:

tctl users reset [<flags>] <account>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --ttl | 8h0m0s | Set the expiration time for the reset token; the default is 8h0m0s and the maximum is 24h0m0s. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| account | no default (required) | Teleport user account name. |

tctl users rm

Deletes user accounts.

Usage:

tctl users rm <logins>

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| logins | no default (required) | Comma-separated list of user logins to delete. |

tctl users update

Update user account.

Usage:

tctl users update [<flags>] <account>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --set-aws-role-arns | no default | List of allowed AWS role ARNs for the user; replaces the current AWS role ARNs. |
| --set-azure-identities | no default | List of allowed Azure identities for the user; replaces the current Azure identities. |
| --set-db-names | no default | List of allowed database names for the user; replaces the current database names. |
| --set-db-roles | no default | List of allowed database roles for automatic database user provisioning; replaces the current database roles. |
| --set-db-users | no default | List of allowed database users for the user; replaces the current database users. |
| --set-default-relay-addr | no default | Relay address that clients should use by default. The value can be reset by providing an empty string. |
| --set-gcp-service-accounts | no default | List of allowed GCP service accounts for the user; replaces the current service accounts. |
| --set-host-user-gid | no default | GID for auto-provisioned host users to use. The value can be reset by providing an empty string. |
| --set-host-user-uid | no default | UID for auto-provisioned host users to use. The value can be reset by providing an empty string. |
| --set-kubernetes-groups | no default | List of allowed Kubernetes groups for the user; replaces the current Kubernetes groups. |
| --set-kubernetes-users | no default | List of allowed Kubernetes users for the user; replaces the current Kubernetes users. |
| --set-logins | no default | List of allowed SSH logins for the user; replaces the current logins. |
| --set-mcp-tools | no default | List of allowed MCP tools for the user; replaces the current allowed MCP tools. |
| --set-roles | no default | List of roles for the user to assume; replaces the current roles rather than adding to them. |
| --set-windows-logins | no default | List of allowed Windows logins for the user; replaces the current Windows logins. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| account | no default (required) | Teleport user account name. |

tctl version

Print the version of your tctl binary.

Usage:

tctl version

tctl workload-identity ls

List workload identity configurations.

Usage:

tctl workload-identity ls

tctl workload-identity revocations add

Create a new revocation.

Usage:

tctl workload-identity revocations add --serial=SERIAL --type=TYPE --reason=REASON [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --expires-at | no default | Time at which the revocation should expire; this should normally match the expiry time of the credential, since a revocation that expires before the certificate does drops out of the CRL while the certificate is still valid. Specify it in RFC3339, e.g. '2024-02-05T15:04:00Z'. If unspecified, one week from now is used. |
| --reason | no default | Reason for revocation. |
| --serial | no default | Serial number of the certificate to revoke. |
| --type | no default (one of: x509) | Type of credential to revoke (x509). |

tctl workload-identity revocations crl

Fetch the signed CRL for existing revocations.

Usage:

tctl workload-identity revocations crl [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --[no-]follow | false | Follow the stream of CRL updates. |
| --out | no default | Path of the file to write the CRL to. If unspecified, STDOUT is used. |

tctl workload-identity revocations ls

List revocations.

Usage:

tctl workload-identity revocations ls

tctl workload-identity revocations rm

Delete a revocation.

Usage:

tctl workload-identity revocations rm --serial=SERIAL --type=TYPE

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --serial | no default | Serial number of the certificate to remove the revocation for. |
| --type | no default (one of: x509) | Type of credential to remove the revocation for (x509). |

tctl workload-identity rm

Delete a workload identity configuration.

Usage:

tctl workload-identity rm <name>

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| name | no default (required) | Name of the workload identity configuration to delete. |

tctl workload-identity x509-issuer-overrides create

Create an issuer override from the given certificate chains.

Usage:

tctl workload-identity x509-issuer-overrides create [<flags>] <fullchain.pem>...

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --[no-]force | false | Overwrite the existing override if it exists. |
| --name | default | The name of the override resource to write. |
| --[no-]dry-run | false | Print the workload_identity_x509_issuer_override that would have been created, without actually creating it. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| fullchain.pem | no default (required) | PEM files, each containing an issuer certificate and its optional chain. |

tctl workload-identity x509-issuer-overrides sign-csrs

Sign CSRs with the SPIFFE X.509 CA keys.

Usage:

tctl workload-identity x509-issuer-overrides sign-csrs [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --creation-mode | same | How the attributes of the issuer are encoded in the CSR: "same" or "empty". |
| -f, --[no-]force | false | Attempt to sign as many CSRs as possible even in the presence of errors. |