teleport Reference

This guide provides a comprehensive list of commands, arguments, and flags for teleport.

teleport is the CLI tool that supports the Teleport Infrastructure Identity Platform, and allows Teleport services to be managed over the command line.

teleport <command> [<args> ...]

teleport app start

Start application proxy service.

Usage:

teleport app start [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --auth-server | no default | Address of the auth server [127.0.0.1:3025]. |
| --ca-pin | no default | CA pin to validate the auth server (can be repeated for multiple pins). |
| -c, --config | no default | Path to a configuration file [/etc/teleport.yaml]. |
| --cloud | no default | Set to one of [AWS Azure GCP] if the application should proxy a particular cloud API. |
| --diag-addr | no default | Start diagnostic prometheus and healthz endpoint. |
| -d, --[no-]debug | false | Enable verbose logging to stderr. |
| --labels | no default | Comma-separated list of labels for this node, for example env=dev,app=web. |
| --name | no default | Name of the application to start. |
| --[no-]fips | false | Start Teleport in FedRAMP/FIPS 140 mode. |
| --[no-]insecure | false | Insecure mode disables certificate validation. |
| --[no-]mcp-demo-server | false | Enables the Teleport demo MCP server that shows current user and session information. |
| --[no-]no-debug-service | false | Disables debug service. |
| --[no-]skip-version-check | false | Skip version checking between server and client. |
| --pid-file | no default | Full path to the PID file. By default no PID file will be created. |
| --public-addr | no default | Public address of the application to proxy. |
| --token | no default | Invitation token or path to file with token value to register with an auth server [none]. |
| --uri | no default | Internal address of the application to proxy. |

teleport backend clone

Clones data from a source to a destination backend.

Usage:

teleport backend clone

teleport backend edit

Modify a single item from the cluster state backend.

Usage:

teleport backend edit <key>

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| key | no default (required) | The backend key to retrieve. |

teleport backend get

Retrieves a single item from the cluster state backend.

Usage:

teleport backend get [<flags>] <key>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml). |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| key | no default (required) | The backend key to retrieve. |

teleport backend ls

Lists the keys in the cluster state backend.

Usage:

teleport backend ls [<flags>] [<prefix>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml). |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| prefix | no default (optional) | An optional key prefix to limit listing to. |

teleport backend rm

Removes a single item from the cluster state backend.

Usage:

teleport backend rm <key>

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| key | no default (required) | The backend key to remove. |

teleport configure

Generate a simple config file to get started.

Usage:

teleport configure [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --acme-email | no default | Email to receive updates from Letsencrypt.org. |
| --app-name | no default | Name of the application to start when using app role. |
| --app-uri | no default | Internal address of the application to proxy. |
| --auth-server | no default | Address of the auth server. |
| --cert-file | no default | Path to a TLS certificate file for the proxy. |
| --cluster-name | no default | Unique cluster name, e.g. example.com. |
| --data-dir | /var/lib/teleport | Path to a directory where Teleport keeps its data. |
| --join-method | token (one of: azure, azure_devops, bitbucket, circleci, ec2, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) | Method to use to join the cluster. |
| --key-file | no default | Path to a TLS key file for the proxy. |
| --[no-]acme | false | Get automatic certificate from Letsencrypt.org using ACME. |
| --node-labels | no default | Comma-separated list of labels to add to newly created nodes, for example env=staging,cloud=aws. |
| --node-name | no default | Name for the Teleport node. |
| --[no-]mcp-demo-server | false | Enables the Teleport demo MCP server that shows current user and session information. |
| -o, --output | stdout | Write to stdout with "--output=stdout", default config file with "--output=file" or custom path with --output=file:///path |
| --proxy | no default | Address of the proxy. |
| --public-addr | no default | The hostport that the proxy advertises for the HTTP endpoint. |
| --roles | no default | Comma-separated list of roles to create config with. |
| --test | no default | Path to a configuration file to test. |
| --token | no default | Invitation token or path to file with token value to register with an auth server. |
| --version | v3 | Teleport configuration version. |

teleport db configure aws create-iam

Generate, create and attach IAM policies.

Usage:

teleport db configure aws create-iam [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --assumes-roles | no default | Comma-separated list of additional IAM roles that the IAM identity should be able to assume. Each role can be either an IAM role ARN or the name of a role in the identity's account. |
| --name | DatabaseAccess | Created policy name. Defaults to empty. Will be auto-generated if not provided. |
| --[no-]confirm | false | Apply changes without confirmation prompt. |
| --role | no default | IAM role name to attach policy to. Mutually exclusive with --user |
| -r, --types | no default | Comma-separated list of database types to include in the policy. Any of rds,rdsproxy,redshift,redshift-serverless,elasticache,elasticache-serverless,memorydb,keyspace,dynamodb,opensearch,docdb |
| --user | no default | IAM user name to attach policy to. Mutually exclusive with --role |

teleport db configure aws print-iam

Generate and show IAM policies.

Usage:

teleport db configure aws print-iam [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --assumes-roles | no default | Comma-separated list of additional IAM roles that the IAM identity should be able to assume. Each role can be either an IAM role ARN or the name of a role in the identity's account. |
| --[no-]policy | false | Only print IAM policy document. |
| --policy-name | DatabaseAccess | Name of the Teleport Database agent policy. Default: "DatabaseAccess". |
| --role | no default | IAM role name to attach policy to. Mutually exclusive with --user |
| -r, --types | no default | Comma-separated list of database types to include in the policy. Any of rds,rdsproxy,redshift,redshift-serverless,elasticache,elasticache-serverless,memorydb,keyspace,dynamodb,opensearch,docdb |
| --user | no default | IAM user name to attach policy to. Mutually exclusive with --role |

teleport db configure bootstrap

Bootstrap the necessary configuration for the database agent. It reads the provided agent configuration to determine what will be bootstrapped.

Usage:

teleport db configure bootstrap [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --assumes-roles | no default | Comma-separated list of additional IAM roles that the IAM identity should be able to assume. Each role can be either an IAM role ARN or the name of a role in the identity's account. |
| --attach-to-role | no default | Role name to attach policy to. Mutually exclusive with --attach-to-user. If none of the attach-to flags is provided, the command will try to attach the policy to the current user/role based on the credentials. |
| --attach-to-user | no default | User name to attach policy to. Mutually exclusive with --attach-to-role. If none of the attach-to flags is provided, the command will try to attach the policy to the current user/role based on the credentials. |
| -c, --config | /etc/teleport.yaml | Path to a configuration file [/etc/teleport.yaml]. |
| --[no-]confirm | false | Apply changes without confirmation prompt. |
| --[no-]manual | false | When executed in "manual" mode, it will print the instructions to complete the configuration instead of applying them directly. |
| --policy-name | DatabaseAccess | Name of the Teleport Database agent policy. Default: "DatabaseAccess". |

teleport db configure create

Creates a sample Database Service configuration.

Usage:

teleport db configure create [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --ad-domain | no default | (Only for SQL Server) Active Directory domain. |
| --ad-keytab-file | no default | (Only for SQL Server) Kerberos keytab file. |
| --ad-spn | no default | (Only for SQL Server) Service Principal Name for Active Directory auth. |
| --aws-account-id | no default | (Only for Keyspaces or DynamoDB) AWS Account ID. |
| --aws-assume-role-arn | no default | Optional AWS IAM role to assume. |
| --aws-elasticache-group-id | no default | (Only for ElastiCache) ElastiCache replication group identifier. |
| --aws-elasticache-serverless-cache-name | no default | (Only for ElastiCache Serverless) ElastiCache Serverless cache name. |
| --aws-external-id | no default | (Only for AWS-hosted databases) Optional AWS external ID to use when assuming AWS roles. |
| --aws-memorydb-cluster-name | no default | (Only for MemoryDB) MemoryDB cluster name. |
| --aws-rds-cluster-id | no default | (Only for RDS Aurora) RDS Aurora database cluster identifier. |
| --aws-rds-instance-id | no default | (Only for RDS) RDS database instance identifier. |
| --aws-redshift-cluster-id | no default | (Only for Redshift) Redshift database cluster identifier. |
| --aws-region | no default | (Only for AWS-hosted databases) AWS region the RDS, Aurora, Redshift, Redshift Serverless, ElastiCache, OpenSearch or MemoryDB database instance is running in. |
| --aws-tags | no default | (Only for AWS discoveries) Comma-separated list of AWS resource tags to match, for example env=dev,dept=it |
| --azure-mysql-discovery | no default | List of Azure regions in which the agent will discover MySQL servers. |
| --azure-postgres-discovery | no default | List of Azure regions in which the agent will discover PostgreSQL servers. |
| --azure-redis-discovery | no default | List of Azure regions in which the agent will discover Azure Cache For Redis servers. |
| --azure-resource-group | * | List of Azure resource groups for Azure discoveries. Default is "*". |
| --azure-sqlserver-discovery | no default | List of Azure regions in which the agent will discover Azure SQL Databases and Managed Instances. |
| --azure-subscription | * | List of Azure subscription IDs for Azure discoveries. Default is "*". |
| --azure-tags | no default | (Only for Azure discoveries) Comma-separated list of Azure resource tags to match, for example env=dev,dept=it |
| --ca-cert-file | no default | Database CA certificate path. |
| --ca-pin | no default | CA pin to validate the auth server (can be repeated for multiple pins). |
| --dynamic-resources-labels | no default | Comma-separated list(s) of labels to match dynamic resources, for example env=dev,dept=it. Required to enable dynamic resources matching. |
| --elasticache-discovery | no default | List of AWS regions in which the agent will discover ElastiCache Valkey or Redis clusters. |
| --elasticache-serverless-discovery | no default | List of AWS regions in which the agent will discover ElastiCache Serverless Valkey or Redis caches. |
| --gcp-instance-id | no default | (Only for Cloud SQL) GCP Cloud SQL instance identifier. |
| --gcp-project-id | no default | (Only for Cloud SQL) GCP Cloud SQL project identifier. |
| --labels | no default | Comma-separated list of labels for the database, for example env=dev,dept=it |
| --memorydb-discovery | no default | List of AWS regions in which the agent will discover MemoryDB clusters. |
| --name | no default | Name of the proxied database. |
| --[no-]trust-system-cert-pool | false | Allows Teleport to trust certificate authorities available on the host system for self-hosted databases. |
| -o, --output | stdout | Write to stdout with "--output=stdout", default config file with "--output=file" or custom path with --output=file:///path |
| --opensearch-discovery | no default | List of AWS regions in which the agent will discover OpenSearch domains. |
| --protocol | no default | Proxied database protocol. Supported are: [postgres mysql mongodb oracle cockroachdb redis snowflake sqlserver cassandra elasticsearch opensearch dynamodb clickhouse clickhouse-http spanner]. |
| --proxy | 0.0.0.0:3080 | Teleport proxy address to connect to [0.0.0.0:3080]. |
| --rds-discovery | no default | List of AWS regions in which the agent will discover RDS/Aurora instances. |
| --rdsproxy-discovery | no default | List of AWS regions in which the agent will discover RDS Proxies. |
| --redshift-discovery | no default | List of AWS regions in which the agent will discover Redshift instances. |
| --redshift-serverless-discovery | no default | List of AWS regions in which the agent will discover Redshift Serverless instances. |
| --token | /tmp/token | Invitation token or path to file with token value to register with an auth server [none]. |
| --uri | no default | Address the proxied database is reachable at. |

teleport db start

Start database proxy service.

Usage:

teleport db start [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --ad-domain | no default | (Only for SQL Server) Active Directory domain. |
| --ad-keytab-file | no default | (Only for SQL Server) Kerberos keytab file. |
| --ad-krb5-file | /etc/krb5.conf | (Only for SQL Server) Kerberos krb5.conf file. |
| --ad-spn | no default | (Only for SQL Server) Service Principal Name for Active Directory auth. |
| --auth-server | no default | Address of the auth server [127.0.0.1:3025]. |
| --aws-account-id | no default | (Only for Keyspaces or DynamoDB) AWS Account ID. |
| --aws-assume-role-arn | no default | Optional AWS IAM role to assume. |
| --aws-external-id | no default | Optional AWS external ID used when assuming an AWS role. |
| --aws-rds-cluster-id | no default | (Only for Aurora) Aurora cluster identifier. |
| --aws-rds-instance-id | no default | (Only for RDS) RDS instance identifier. |
| --aws-redshift-cluster-id | no default | (Only for Redshift) Redshift database cluster identifier. |
| --aws-region | no default | (Only for RDS, Aurora, Redshift, ElastiCache or MemoryDB) AWS region the AWS-hosted database instance is running in. |
| --aws-session-tags | no default | (Only for DynamoDB) List of STS tags. |
| --ca-cert | no default | Database CA certificate path. |
| --ca-pin | no default | CA pin to validate the auth server (can be repeated for multiple pins). |
| -c, --config | no default | Path to a configuration file [/etc/teleport.yaml]. |
| --description | no default | Description of the proxied database. |
| --diag-addr | no default | Start diagnostic prometheus and healthz endpoint. |
| -d, --[no-]debug | false | Enable verbose logging to stderr. |
| --gcp-alloydb-endpoint-type | no default (one of: public, private, psc) | (Only for AlloyDB) Endpoint type. |
| --gcp-instance-id | no default | (Only for Cloud SQL) Instance identifier. |
| --gcp-project-id | no default | (Only for Cloud SQL) Project identifier. |
| --labels | no default | Comma-separated list of labels for this node, for example env=dev,app=web. |
| --name | no default | Name of the proxied database. |
| --[no-]fips | false | Start Teleport in FedRAMP/FIPS 140 mode. |
| --[no-]insecure | false | Insecure mode disables certificate validation. |
| --[no-]no-debug-service | false | Disables debug service. |
| --[no-]skip-version-check | false | Skip version checking between server and client. |
| --pid-file | no default | Full path to the PID file. By default no PID file will be created. |
| --protocol | no default | Proxied database protocol. Supported are: [postgres mysql mongodb oracle cockroachdb redis snowflake sqlserver cassandra elasticsearch opensearch dynamodb clickhouse clickhouse-http spanner]. |
| --token | no default | Invitation token or path to file with token value to register with an auth server [none]. |
| --uri | no default | Address the proxied database is reachable at. |

teleport debug check-session-helper

Checks if the embedded session helper is working, if available in this build.

Usage:

teleport debug check-session-helper

teleport debug get-log-level

Fetches current log level.

Usage:

teleport debug get-log-level

teleport debug metrics

Fetches the cluster's Prometheus metrics.

Usage:

teleport debug metrics

teleport debug profile

Export the application profiles (pprof format). Writes the .tar.gz file contents to stdout.

Usage:

teleport debug profile [<flags>] [<PROFILES>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -s, --seconds | 0 | For CPU and trace profiles, profile for the given duration (if set to 0, it returns a profile snapshot). For other profiles, return a delta profile. Default: 0 |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| PROFILES | no default (optional) | Comma-separated profile names to be exported. Supported profiles: allocs,block,cmdline,goroutine,heap,mutex,profile,threadcreate,trace. Default: goroutine,heap,profile |

teleport debug readyz

Checks if the instance is ready to serve requests.

Usage:

teleport debug readyz

teleport debug require-session-helper

Checks if the embedded session helper is working, failing if not available in this build.

Usage:

teleport debug require-session-helper

teleport debug set-log-level

Changes the log level.

Usage:

teleport debug set-log-level <LEVEL>

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| LEVEL | no default (required) | Log level (case-insensitive). Any of: TRACE,DEBUG,INFO,WARN,ERROR |

teleport discovery bootstrap

Bootstrap the necessary configuration for the discovery agent. It reads the provided agent configuration to determine what will be bootstrapped.

Usage:

teleport discovery bootstrap [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --assume-role-arn | no default | Optional AWS IAM role to assume while bootstrapping. |
| --assumes-roles | no default | Comma-separated list of additional IAM roles that the IAM identity should be able to assume. Each role can be either an IAM role ARN or the name of a role in the identity's account. |
| --attach-to-role | no default | Role name to attach policy to. Mutually exclusive with --attach-to-user. If none of the attach-to flags is provided, the command will try to attach the policy to the current user/role based on the credentials. |
| --attach-to-user | no default | User name to attach policy to. Mutually exclusive with --attach-to-role. If none of the attach-to flags is provided, the command will try to attach the policy to the current user/role based on the credentials. |
| -c, --config | /etc/teleport.yaml | Path to a configuration file [/etc/teleport.yaml]. |
| --database-service-policy-name | DatabaseAccess | Name of the policy for bootstrapping database service when database-service-role is provided. |
| --database-service-role | no default | Role name to attach database access policies to. If specified, bootstrap for the database service that accesses the databases discovered by this discovery service. |
| --external-id | no default | Optional AWS external ID used when assuming an AWS role. |
| --[no-]confirm | false | Apply changes without confirmation prompt. |
| --[no-]manual | false | When executed in "manual" mode, it will print the instructions to complete the configuration instead of applying them directly. |
| --policy-name | TeleportEC2Discovery | Name of the Teleport Discovery service policy. Default: "TeleportEC2Discovery". |
| --proxy | no default | Teleport proxy address to connect to |

teleport help

Show help.

Usage:

teleport help [<command>...]

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| command | no default (optional) | Show help on command. |

teleport install systemd

Creates a systemd unit file configuration.

Usage:

teleport install systemd [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --env-file | /etc/default/teleport | Full path to the environment file. |
| --fd-limit | 524288 | Maximum number of open file descriptors. |
| -o, --output | stdout | Write to stdout with "--output=stdout" or custom path with --output=file:///path |
| --pid-file | /run/teleport.pid | Full path to the PID file. |
| --teleport-path | no default | Full path to the Teleport binary. |

teleport integration configure access-graph aws-iam

Adds required AWS IAM permissions for syncing AWS resources into Access Graph service.

Usage:

teleport integration configure access-graph aws-iam --role=ROLE [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --aws-account-id | no default | The AWS account ID. |
| --cloud-trail-bucket | no default | ARN of the S3 bucket where CloudTrail writes events to. |
| --kms-key | no default | List of KMS Keys used to decrypt SQS and S3 bucket data. |
| --[no-]confirm | false | Apply changes without confirmation prompt. |
| --[no-]eks-audit-logs | false | Enable collection of EKS audit logs |
| --role | no default | The AWS Role used by the AWS OIDC Integration. |
| --sqs-queue-url | no default | SQS Queue URL used to receive notifications from CloudTrail. |

teleport integration configure access-graph azure

Adds required Azure permissions for syncing Azure resources into Access Graph service.

Usage:

teleport integration configure access-graph azure --managed-identity=MANAGED-IDENTITY --role-name=ROLE-NAME [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --managed-identity | no default | The ID of the managed identity to run the Discovery service. |
| --[no-]confirm | false | Apply changes without confirmation prompt. |
| --role-name | no default | The name of the Azure Role to create and assign to the managed identity |
| --subscription-id | no default | The subscription ID in which to discover resources. |

teleport integration configure aws-app-access-iam

Adds required IAM permissions to connect to AWS using App Access.

Usage:

teleport integration configure aws-app-access-iam --role=ROLE [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --aws-account-id | no default | The AWS account ID. |
| --[no-]confirm | false | Apply changes without confirmation prompt. |
| --role | no default | The AWS Role name used by the AWS OIDC Integration. |

teleport integration configure awsoidc-idp

Creates an IAM IdP (OIDC) in your AWS account to allow the AWS OIDC Integration to access AWS APIs.

Usage:

teleport integration configure awsoidc-idp --cluster=CLUSTER --name=NAME --role=ROLE --proxy-public-url=PROXY-PUBLIC-URL [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --cluster | no default | Teleport Cluster name. |
| --name | no default | Integration name. |
| --[no-]confirm | false | Apply changes without confirmation prompt. |
| --[no-]insecure | false | Insecure mode disables certificate validation. |
| --policy-preset | no default | Policy that will be applied to the AWS OIDC integration role. |
| --proxy-public-url | no default | Proxy Public URL (e.g. https://mytenant.teleport.sh). |
| --role | no default | The AWS Role used by the AWS OIDC Integration. |

teleport integration configure awsra-trust-anchor

Configure AWS IAM Roles Anywhere Integration by creating resources in AWS.

Usage:

teleport integration configure awsra-trust-anchor --cluster=CLUSTER --name=NAME --trust-anchor=TRUST-ANCHOR --trust-anchor-cert-b64=TRUST-ANCHOR-CERT-B64 --sync-profile=SYNC-PROFILE --sync-role=SYNC-ROLE [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --cluster | no default | Teleport Cluster's name. |
| --name | no default | Integration name. |
| --[no-]confirm | false | Apply changes without confirmation prompt. |
| --sync-profile | no default | The AWS IAM Roles Anywhere Profile name to create, which will be used to sync profiles as apps. |
| --sync-role | no default | The AWS IAM Role name to create, which will be used to sync profiles as apps. |
| --trust-anchor | no default | AWS Roles Anywhere Trust Anchor name. |
| --trust-anchor-cert-b64 | no default | AWS Roles Anywhere Trust Anchor's certificate, encoded in base64. |

teleport integration configure azure-oidc

Configures Azure / Entra ID OIDC integration.

Usage:

teleport integration configure azure-oidc --proxy-public-addr=PROXY-PUBLIC-ADDR --auth-connector-name=AUTH-CONNECTOR-NAME [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --auth-connector-name | no default | The name of Entra ID SAML Auth connector in Teleport. |
| --[no-]access-graph | false | Enable Access Graph integration. |
| --[no-]skip-oidc-integration | false | Skip OIDC integration. |
| --proxy-public-addr | no default | The public address of Teleport Proxy Service |

teleport integration configure deployservice-iam

Create the required IAM Roles for the AWS OIDC Deploy Service.

Usage:

teleport integration configure deployservice-iam --cluster=CLUSTER --name=NAME --aws-region=AWS-REGION --role=ROLE --task-role=TASK-ROLE [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --aws-account-id | no default | The AWS account ID. |
| --aws-region | no default | AWS Region. |
| --cluster | no default | Teleport Cluster's name. |
| --name | no default | Integration name. |
| --[no-]confirm | false | Apply changes without confirmation prompt. |
| --role | no default | The AWS Role used by the AWS OIDC Integration. |
| --task-role | no default | The AWS Role to be used by the deployed service. |

teleport integration configure ec2-ssm-iam

Adds required IAM permissions and SSM Document to enable EC2 Auto Discover using SSM.

Usage:

teleport integration configure ec2-ssm-iam --role=ROLE --aws-region=AWS-REGION --cluster=CLUSTER --name=NAME [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --aws-account-id | no default | The AWS account ID. |
| --aws-region | no default | AWS Region. |
| --cluster | no default | Teleport Cluster's name. |
| --name | no default | Integration name. |
| --[no-]confirm | false | Apply changes without confirmation prompt. |
| --proxy-public-url | no default | Proxy Public URL (e.g. https://mytenant.teleport.sh). |
| --role | no default | The AWS Role name used by the AWS OIDC Integration. |
| --ssm-document-name | no default | The AWS SSM Document name to create that will be used to install teleport. |

teleport integration configure eks-iam

Adds required IAM permissions for enrollment of EKS clusters to Teleport.

Usage:

teleport integration configure eks-iam --aws-region=AWS-REGION --role=ROLE [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --aws-account-id | no default | The AWS account ID. |
| --aws-region | no default | AWS Region. |
| --[no-]confirm | false | Apply changes without confirmation prompt. |
| --role | no default | The AWS Role used by the AWS OIDC Integration. |

teleport integration configure externalauditstorage

Bootstraps required infrastructure and adds required IAM permissions for External Audit Storage logs.

Usage:

teleport integration configure externalauditstorage --aws-region=AWS-REGION --cluster-name=CLUSTER-NAME --integration=INTEGRATION --role=ROLE --policy=POLICY --session-recordings=SESSION-RECORDINGS --audit-events=AUDIT-EVENTS --athena-results=ATHENA-RESULTS --athena-workgroup=ATHENA-WORKGROUP --glue-database=GLUE-DATABASE --glue-table=GLUE-TABLE [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --athena-results | no default | The S3 URI where athena results are stored. |
| --athena-workgroup | no default | The name of the Athena workgroup used. |
| --audit-events | no default | The S3 URI where audit events are stored. |
| --aws-account-id | no default | The AWS account ID. |
| --aws-partition | aws | AWS partition (default: aws). |
| --aws-region | no default | AWS region. |
| --cluster-name | no default | Teleport Cluster name. |
| --glue-database | no default | The name of the Glue database used. |
| --glue-table | no default | The name of the Glue table used. |
| --integration | no default | AWS OIDC Integration name. |
| --[no-]bootstrap | false | Bootstrap required infrastructure. |
| --policy | no default | The name for the Policy to attach to the IAM role. |
| --role | no default | The IAM Role used by the AWS OIDC Integration. |
| --session-recordings | no default | The S3 URI where session recordings are stored. |

teleport integration configure listdatabases-iam

Adds required IAM permissions to List RDS Databases (Instances and Clusters).

Usage:

teleport integration configure listdatabases-iam --aws-region=AWS-REGION --role=ROLE [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --aws-account-id | no default | The AWS account ID. |
| --aws-region | no default | AWS Region. |
| --[no-]confirm | false | Apply changes without confirmation prompt. |
| --role | no default | The AWS Role used by the AWS OIDC Integration. |

teleport integration configure samlidp gcp-workforce

Configures GCP Workforce Identity Federation pool and SAML provider.

Usage:

teleport integration configure samlidp gcp-workforce --org-id=ORG-ID --pool-name=POOL-NAME --pool-provider-name=POOL-PROVIDER-NAME --idp-metadata-url=IDP-METADATA-URL

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --idp-metadata-url | no default | Teleport SAML IdP metadata endpoint. |
| --org-id | no default | GCP organization ID. |
| --pool-name | no default | Name for the new workforce identity pool. |
| --pool-provider-name | no default | Name for the new workforce identity pool provider. |

teleport integration configure session-summaries bedrock

Adds required IAM permissions for Session Summaries feature using Amazon Bedrock.

Usage:

teleport integration configure session-summaries bedrock --role=ROLE [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --aws-account-id | no default | The AWS account ID. |
| --[no-]confirm | false | Apply changes without confirmation prompt. |
| --resource | * | The Amazon Bedrock resource to grant access to. Can be a full ARN or a model ID (e.g., 'anthropic.claude-v2' or '*' for all models). |
| --role | no default | The AWS Role name used by the AWS OIDC Integration. |

teleport join openssh

Join an SSH server to a Teleport cluster.

Usage:

teleport join openssh [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --additional-principals | no default | Additional principal to include, can be specified multiple times. |
| --address | no default | Hostname or IP address of this OpenSSH node. |
| --data-dir | /var/lib/teleport | Path to directory to store teleport data [/var/lib/teleport]. |
| -d, --[no-]debug | false | Enable verbose logging to stderr. |
| --join-method | no default (one of: token, iam, ec2) | Method to use to join the cluster. |
| --labels | no default | Comma-separated list of labels for this OpenSSH node, for example env=dev,app=web. |
| --[no-]insecure | false | Insecure mode disables certificate validation. |
| --[no-]restart-sshd | true | Restart OpenSSH. |
| --[no-]skip-version-check | false | Skip version checking between server and client. |
| --openssh-config | /etc/ssh/sshd_config | Path to the OpenSSH config file [/etc/ssh/sshd_config]. |
| --proxy-server | no default | Address of the proxy server. |
| --sshd-check-command | sshd -t -f | Command to use when checking OpenSSH config for validity. (sshd -t -f <sshd_config>) |
| --sshd-restart-command | no default | Command to use when restarting openssh. |
| --token | no default | Invitation token or path to file with token value to register with an auth server. |

teleport node configure

Generate a configuration file for an SSH node.

Usage:

teleport node configure [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --auth-server | no default | Address of the auth server. |
| --azure-client-id | no default | Sets the client ID of the managed identity to join with. Only applies to the 'azure' join method. |
| --ca-pin | no default | Comma-separated list of SPKI hashes for the CA used to verify the auth server. |
| --cluster-name | no default | Unique cluster name, e.g. example.com. |
| --data-dir | /var/lib/teleport | Path to a directory where Teleport keeps its data. |
| --join-method | token (one of: azure, azure_devops, bitbucket, circleci, ec2, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) | Method to use to join the cluster. |
| --labels | no default | Comma-separated list of labels to add to newly created nodes, for example env=staging,cloud=aws. |
| --node-name | no default | Name for the Teleport node. |
| --[no-]silent | false | Suppress user hint message. |
| -o, --output | stdout | Write to stdout with "--output=stdout", default config file with "--output=file" or custom path with --output=file:///path |
| --proxy | no default | Address of the proxy server. |
| --public-addr | no default | The hostport that the node advertises for the SSH endpoint. |
| --token | no default | Invitation token or path to file with token value to register with an auth server. |
| --version | v3 | Teleport configuration version. |

teleport start

Starts the Teleport service.

Usage:

teleport start [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --advertise-ip | no default | IP to advertise to clients if running behind NAT |
| --apply-on-startup | no default | Path to a non-empty YAML file containing resources to apply on startup. Works on initialized clusters, unlike --bootstrap. Only supports the following kinds: bot,cluster_auth_preference,cluster_networking_config,inference_model,inference_policy,inference_secret,retrieval_model,role,token,user,workload_identity. |
| --auth-server | no default | Address of the auth server [127.0.0.1:3025] |
| --bootstrap | no default | Path to a non-empty YAML file containing bootstrap resources (ignored if already initialized) |
| --ca-pin | no default | CA pin to validate the Auth Server (can be repeated for multiple pins) |
| -c, --config | no default | Path to a configuration file [/etc/teleport.yaml] |
| --diag-addr | no default | Start diagnostic prometheus and healthz endpoint. |
| -d, --[no-]debug | false | Enable verbose logging to stderr |
| --labels | no default | Comma-separated list of labels for this node, for example env=dev,app=web |
| -l, --listen-ip | no default | IP address to bind to [0.0.0.0] |
| --nodename | no default | Name of this node, defaults to hostname |
| --[no-]fips | false | Start Teleport in FedRAMP/FIPS 140 mode. |
| --[no-]insecure | false | Insecure mode disables certificate validation |
| --[no-]insecure-no-tls | false | Disable TLS for the web socket |
| --[no-]no-debug-service | false | Disables debug service. |
| --[no-]permit-user-env | false | Enables reading of ~/.tsh/environment when creating a session |
| --[no-]skip-version-check | false | Skip version checking between server and client. |
| --pid-file | no default | Full path to the PID file. By default no PID file will be created |
| -r, --roles | no default | Comma-separated list of roles to start with [proxy,node,auth,app,db] |
| --token | no default | Invitation token or path to file with token value. Used to register with an auth server [none] |
| --token-secret | no default | Invitation token secret or path to file with secret value. Used to register with an auth server [none] |

teleport status

Print the status of the current SSH session.

Usage:

teleport status

teleport tpm identify

Output identifying information related to the TPM detected on the system.

Usage:

teleport tpm identify

teleport version

Print the version of your teleport binary.

Usage:

teleport version [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --[no-]raw | false | Print the raw teleport version string. |