
tsh Reference


This guide provides a comprehensive list of commands, arguments, and flags for tsh.

tsh is a CLI client for accessing Teleport-protected resources. It allows users to interact with current and past sessions on the cluster, copy files to and from nodes, and list information about the cluster.

tsh [<flags>] <command> [<args> ...]

Global flags:

Flag | Default | Description
--auth | no default | Specify the name of authentication connector to use.
--bind-addr | no default | Override host:port used when opening a browser for cluster logins.
--callback | no default | Override the base URL (host:port) of the link shown when opening a browser for cluster logins. Must be used with --bind-addr.
--cert-format | no default | SSH certificate format.
-d, --[no-]debug | false | Verbose logging to stdout.
-i, --identity | no default | Identity file.
-J, --jumphost | no default | SSH jumphost.
-k, --add-keys-to-agent | auto | Controls how keys are handled. Valid values are [auto no yes only].
-l, --login | no default | Remote host login.
--mfa-mode | auto (one of: auto, cross-platform, platform, otp, sso, browser) | Preferred mode for MFA and Passwordless assertions.
--mlock | auto | Determines whether process memory will be locked and whether failure to do so will be accepted (off, auto, best_effort, strict).
--[no-]enable-escape-sequences | true | Enable support for SSH escape sequences. Type '~?' during an SSH session to list supported sequences. Default is enabled.
--[no-]headless | false | Use headless login. Shorthand for --auth=headless.
--[no-]insecure | false | Do not verify server's certificate and host name. Use only in test environments.
--[no-]os-log | false | Verbose logging to the unified logging system. This flag implies --debug. Also available through the TELEPORT_OS_LOG env var. More details see https://goteleport.com/docs/connect-your-client/tsh/#debug-logs.
--[no-]skip-version-check | false | Skip version checking between server and client.
--piv-slot | no default | Specify a PIV slot key to use for Hardware Key support instead of the default. Ex: "9d".
--proxy | no default | Teleport proxy address.
--relay | no default | Teleport relay address, "none" to explicitly disable the use of a relay, or "default" to use the cluster-provided address even if a different address was specified at login time.
--ttl | no default | Minutes to live for a session.
--user | no default | Teleport user, defaults to current local user.

Global environment variables:

Variable | Default | Description
TELEPORT_ADD_KEYS_TO_AGENT | auto | Controls how keys are handled. Valid values are [auto no yes only].
TELEPORT_AUTH | no default | Specify the name of authentication connector to use.
TELEPORT_CLUSTER | none | Name of a Teleport root or leaf cluster
TELEPORT_GLOBAL_TSH_CONFIG | none | Override location of global tsh config file from default /etc/tsh.yaml
TELEPORT_HEADLESS | false | Use headless login. Shorthand for --auth=headless.
TELEPORT_HOME | none | Home location for tsh configuration and data
TELEPORT_IDENTITY_FILE | no default | Identity file.
TELEPORT_LOGIN | no default | Remote host login.
TELEPORT_LOGIN_BIND_ADDR | no default | Override host:port used when opening a browser for cluster logins.
TELEPORT_MFA_MODE | auto (one of: auto, cross-platform, platform, otp, sso, browser) | Preferred mode for MFA and Passwordless assertions.
TELEPORT_MLOCK_MODE | auto | Determines whether process memory will be locked and whether failure to do so will be accepted (off, auto, best_effort, strict).
TELEPORT_PIV_SLOT | no default | Specify a PIV slot key to use for Hardware Key support instead of the default. Ex: "9d".
TELEPORT_PROXY | no default | Teleport proxy address.
TELEPORT_RELAY | no default | Teleport relay address, "none" to explicitly disable the use of a relay, or "default" to use the cluster-provided address even if a different address was specified at login time.
TELEPORT_USER | no default | Teleport user, defaults to current local user.

tsh apps config

Print app connection information.

Usage:

tsh apps config [<flags>] [<app>]

Flags:

Flag | Default | Description
-f, --format | no default | Optional print format, one of: "uri" to print app address, "ca" to print CA cert path, "cert" to print cert path, "key" print key path, "curl" to print example curl command, "json" or "yaml" to print everything as JSON or YAML.

Arguments:

Argument | Default | Description
app | no default (optional) | App to print information for. Required when logged into multiple apps.

tsh apps login

Retrieve short-lived certificate for an app.

Usage:

tsh apps login [<flags>] <app>

Flags:

Flag | Default | Description
--aws-role | no default | (For AWS CLI access only) Amazon IAM role ARN or role name.
--azure-identity | no default | (For Azure CLI access only) Azure managed identity name.
--gcp-service-account | no default | (For GCP CLI access only) GCP service account name.
-q, --[no-]quiet | false | Quiet mode.
--target-port | no default | Port to which connections made using this cert should be routed to. Valid only for multi-port TCP apps.

Arguments:

Argument | Default | Description
app | no default (required) | App name to retrieve credentials for. Can be obtained from tsh apps ls output.

tsh apps logout

Remove app certificate.

Usage:

tsh apps logout [<app>]

Arguments:

Argument | Default | Description
app | no default (optional) | App to remove credentials for.

tsh apps ls

List available applications.

Usage:

tsh apps ls [<flags>] [<labels>]

Flags:

Flag | Default | Description
-f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml).
--query | no default | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and || (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"').
-R, --[no-]all | false | List apps from all clusters and proxies.
--search | no default | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase").
-v, --[no-]verbose | false | Show extra application fields.

Arguments:

Argument | Default | Description
labels | no default (optional) | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2).

tsh aws

Access AWS API.

Usage:

tsh aws [<flags>] [<command>...]

Flags:

Flag | Default | Description
--app | no default | Optional Name of the AWS application to use if logged into multiple.
--aws-role | no default | (For AWS CLI access only) Amazon IAM role ARN or role name.
--exec | no default | Execute different commands (e.g. terraform) under Teleport credentials.

Arguments:

Argument | Default | Description
command | no default (optional) | AWS command and subcommands arguments that are going to be forwarded to AWS CLI.

tsh aws-profile

Generate AWS config profiles by syncing with your integrated AWS IAM Identity Center account(s). Other profiles in the config file are left untouched.

Usage:

tsh aws-profile [<flags>]

Flags:

Flag | Default | Description
--aws-sso-region | no default | AWS region for SSO. Auto-detected from cluster if not specified.
--[no-]dry-run | false | Print the configuration that will be applied without modifying the AWS config file.

tsh az

Access Azure API.

Usage:

tsh az [<flags>] [<command>...]

Flags:

Flag | Default | Description
--app | no default | Optional name of the Azure application to use if logged into multiple.
--azure-identity | no default | (For Azure CLI access only) Azure managed identity name.

Arguments:

Argument | Default | Description
command | no default (optional) | az command and subcommands arguments that are going to be forwarded to Azure CLI.

tsh beams add

Start a new beam, and optionally connect to it via SSH.

Usage:

tsh beams add [<flags>]

Flags:

Flag | Default | Description
-f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml).
--[no-]console | true | Connect to the beam via SSH after creation.

tsh beams exec

Run a command in a beam, via SSH.

Usage:

tsh beams exec <name> <command>...

Arguments:

Argument | Default | Description
command | no default (required) | Command to execute in the instance.
name | no default (required) | ID (or UUID) of the beam to target.

tsh beams ls

List beam instances.

Usage:

tsh beams ls [<flags>]

Flags:

Flag | Default | Description
-f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml).
--[no-]all | false | List all beams. By default, filters to show only beams belonging to the current user.

tsh beams publish

Publish an HTTP or TCP service running in a beam.

Usage:

tsh beams publish [<flags>] <name>

Flags:

Flag | Default | Description
-f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml).
--[no-]tcp | false | Publish as a TCP app instead of an HTTP app.

Arguments:

Argument | Default | Description
name | no default (required) | ID (or UUID) of the beam to target.

tsh beams rm

Delete a beam.

Usage:

tsh beams rm <name>

Arguments:

Argument | Default | Description
name | no default (required) | ID (or UUID) of the beam to delete.

tsh beams scp

Copy files between a beam and the local filesystem.

Usage:

tsh beams scp [<flags>] <src> <dest>

Flags:

Flag | Default | Description
-f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml).
-q, --[no-]quiet | false | Quiet mode.
-r, --[no-]recursive | false | Recursive copy of subdirectories.

Arguments:

Argument | Default | Description
dest | no default (required) | Destination path to copy, in the form BEAM_ID:PATH or LOCAL_PATH.
src | no default (required) | Source path to copy, in the form BEAM_ID:PATH or LOCAL_PATH.

tsh beams ssh

Start an interactive shell in a beam, via SSH.

Usage:

tsh beams ssh <name>

Arguments:

Argument | Default | Description
name | no default (required) | ID (or UUID) of the beam to connect to.

tsh beams unpublish

Unpublish a previously published service in a beam.

Usage:

tsh beams unpublish <name>

Arguments:

Argument | Default | Description
name | no default (required) | ID (or UUID) of the beam to target.

tsh clusters

List available Teleport clusters.

Usage:

tsh clusters [<flags>]

Flags:

Flag | Default | Description
-f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml).
-q, --[no-]quiet | false | Quiet mode.
-v, --[no-]verbose | false | Verbose table output, shows full label output.

tsh config

Print OpenSSH configuration details.

Usage:

tsh config [<flags>]

Flags:

Flag | Default | Description
-p, --port | no default | SSH port on a remote host.

tsh db config

Print database connection information. Useful when configuring GUI clients.

Usage:

tsh db config [<flags>] [<db>]

Flags:

Flag | Default | Description
-f, --format | no default (one of: text, cmd, json, yaml) | Print format: "text" to print in table format (default), "cmd" to print connect command, "json" or "yaml" to print in JSON or YAML.
--labels | no default | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2).
--query | no default | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and || (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"').

Arguments:

Argument | Default | Description
db | no default (optional) | Print information for the specified database.

tsh db connect

Connect to a database.

Usage:

tsh db connect [<flags>] [<db>]

Flags:

Flag | Default | Description
--labels | no default | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2).
-n, --db-name | no default | Database name to log in to.
--[no-]disable-access-request | false | Disable automatic resource Access Requests.
--query | no default | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and || (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"').
-r, --db-roles | no default | List of comma separate database roles to use for auto-provisioned user.
--request-reason | no default | Reason for requesting access.
-u, --db-user | no default | Database user to log in as.

Arguments:

Argument | Default | Description
db | no default (optional) | Database service name to connect to.

tsh db env

Print environment variables for the configured database.

Usage:

tsh db env [<flags>] [<db>]

Flags:

Flag | Default | Description
-f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml).
--labels | no default | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2).
--query | no default | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and || (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"').

Arguments:

Argument | Default | Description
db | no default (optional) | Print environment for the specified database.

tsh db exec

Execute database commands on target database services.

Usage:

tsh db exec [<flags>] <command>

Flags:

Flag | Default | Description
--dbs | no default | List of comma separated target database services. Mutually exclusive with --search or --labels.
--labels | no default | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2).
-n, --db-name | no default | Database name to log in to.
--[no-]confirm | true | Confirm selected database services before executing command.
--output-dir | no default | Directory to store command output per target database service. A summary is saved as "summary.json".
--parallel | 1 | Run commands on target databases in parallel. Defaults to 1, and maximum allowed is 10.
-r, --db-roles | no default | List of comma separate database roles to use for auto-provisioned user.
--search | no default | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase").
-u, --db-user | no default | Database user to log in as.

Arguments:

Argument | Default | Description
command | no default (required) | Execute this command on target database services.

tsh db login

Retrieve credentials for a database.

Usage:

tsh db login [<flags>] [<db>]

Flags:

Flag | Default | Description
--labels | no default | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2).
-n, --db-name | no default | Database name to configure as default.
--[no-]disable-access-request | false | Disable automatic resource Access Requests.
--query | no default | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and || (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"').
-r, --db-roles | no default | List of comma separate database roles to use for auto-provisioned user.
--request-reason | no default | Reason for requesting access.
-u, --db-user | no default | Database user to configure as default.

Arguments:

Argument | Default | Description
db | no default (optional) | Database to retrieve credentials for. Can be obtained from 'tsh db ls' output.

tsh db logout

Remove database credentials.

Usage:

tsh db logout [<flags>] [<db>]

Flags:

Flag | Default | Description
--labels | no default | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2).
--query | no default | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and || (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"').

Arguments:

Argument | Default | Description
db | no default (optional) | Database to remove credentials for.

tsh db ls

List all available databases.

Usage:

tsh db ls [<flags>] [<labels>]

Flags:

Flag | Default | Description
-f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml).
--query | no default | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and || (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"').
-R, --[no-]all | false | List databases from all clusters and proxies.
--search | no default | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase").
-v, --[no-]verbose | false | Show extra database fields.

Arguments:

Argument | Default | Description
labels | no default (optional) | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2).

tsh delegation create-session

Create a delegation session, allowing a bot or workload to temporarily act on your behalf.

Usage:

tsh delegation create-session [<flags>]

Flags:

Flag | Default | Description
--allow-app | no default | Allow access to an application.
--allow-db | no default | Allow access to a database.
--allow-git-server | no default | Allow access to a Git server.
--allow-kube-cluster | no default | Allow access to a Kubernetes cluster.
--allow-node | no default | Allow access to an SSH node.
--allow-windows-desktop | no default | Allow access to a Windows desktop.
--bot | no default | Name of a bot allowed to use the delegation session. Repeat to allow multiple bots.
--[no-]allow-all | false | Allow access to all resources, including destructive administrative actions. Mutually exclusive with the other --allow-* flags.
--session-ttl | no default | How long the delegation session should remain valid.

tsh device enroll

Enroll this device as a trusted device. Requires Teleport Enterprise.

Usage:

tsh device enroll [<flags>]

Flags:

Flag | Default | Description
--[no-]current-device | false | Attempts to register and enroll the current device. Requires device admin privileges.
--token | no default | Device enrollment token.

tsh env

Print commands to set Teleport session environment variables.

Usage:

tsh env [<flags>]

Flags:

Flag | Default | Description
-f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml).
--[no-]unset | false | Print commands to clear Teleport session environment variables.

tsh gcloud

Access GCP API with the gcloud command.

Usage:

tsh gcloud [<flags>] [<command>...]

Flags:

Flag | Default | Description
--app | no default | Optional name of the GCP application to use if logged into multiple.
--gcp-service-account | no default | (For GCP CLI access only) GCP service account name.

Arguments:

Argument | Default | Description
command | no default (optional) | gcloud command and subcommands arguments.

tsh git clone

Clone a Git repository.

Usage:

tsh git clone <repository> [<directory>]

Arguments:

Argument | Default | Description
directory | no default (optional) | The name of a new directory to clone into.
repository | no default (required) | Git URL of the repository to clone.

tsh git config

Check Teleport config on the working Git directory. Or provide an action ('update' or 'reset') to configure the Git repo.

Usage:

tsh git config [<action>]

Arguments:

Argument | Default | Description
action | no default (optional) | Optional action to perform. 'update' to configure the Git repo to proxy Git commands through Teleport. 'reset' to clear Teleport configuration from the Git repo.

tsh git login

Opens a browser and retrieves your login from GitHub.

Usage:

tsh git login --github-org=GITHUB-ORG [<flags>]

Flags:

Flag | Default | Description
--github-org | no default | GitHub organization.
--[no-]force | false | Force a login.

tsh git ls

List Git servers.

Usage:

tsh git ls [<flags>] [<labels>]

Flags:

Flag | Default | Description
-f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml).
--query | no default | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and || (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"').
--search | no default | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase").

Arguments:

Argument | Default | Description
labels | no default (optional) | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2).

tsh gsutil

Access Google Cloud Storage with the gsutil command.

Usage:

tsh gsutil [<flags>] [<command>...]

Flags:

Flag | Default | Description
--app | no default | Optional name of the GCP application to use if logged into multiple.
--gcp-service-account | no default | (For GCP CLI access only) GCP service account name.

Arguments:

Argument | Default | Description
command | no default (optional) | gsutil command and subcommands arguments.

tsh headless approve

Approve a headless authentication request.

Usage:

tsh headless approve [<flags>] [<request id>]

Environment variables:

Variable | Default | Description
TELEPORT_HEADLESS_SKIP_CONFIRM | false | Skip confirmation and prompt for MFA immediately.

Flags:

Flag | Default | Description
--[no-]skip-confirm | false | Skip confirmation and prompt for MFA immediately.

Arguments:

Argument | Default | Description
request id | no default (optional) | Headless authentication request ID.

tsh help

Show help.

Usage:

tsh help [<command>...]

Arguments:

Argument | Default | Description
command | no default (optional) | Show help on command.

tsh join

Join the active SSH or Kubernetes session.

Usage:

tsh join [<flags>] <session-id>

Flags:

Flag | Default | Description
-c, --cluster | no default | Specify the Teleport cluster to connect.
-m, --mode | observer (one of: observer, moderator, peer) | Mode of joining the session.

Arguments:

Argument | Default | Description
session-id | no default (required) | ID of the session to join.

tsh kube exec

Execute a command in a Kubernetes pod.

Usage:

tsh kube exec [<flags>] <target> <command>...

Flags:

Flag | Default | Description
-c, --container | no default | Container name. If omitted, use the kubectl.kubernetes.io/default-container annotation for selecting the container to be attached or the first container in the pod will be chosen.
-f, --filename | no default | To use to exec into the resource.
--invite | no default | A comma separated list of people to mark as invited for the session.
-n, --namespace | no default | Configure the default Kubernetes namespace.
--[no-]participant-req | false | Displays a verbose list of required participants in a moderated session.
-q, --[no-]quiet | false | Only print output from the remote session.
--reason | no default | The purpose of the session.
-s, --[no-]stdin | false | Pass stdin to the container.
-t, --[no-]tty | false | Stdin is a TTY.

Arguments:

Argument | Default | Description
command | no default (required) | Command to execute in the container.
target | no default (required) | Pod or deployment name.

tsh kube join

Join an active Kubernetes session.

Usage:

tsh kube join [<flags>] <session>

Flags:

Flag | Default | Description
-c, --cluster | no default | Specify the Teleport cluster to connect.
-m, --mode | observer (one of: observer, moderator, peer) | Mode of joining the session.

Arguments:

Argument | Default | Description
session | no default (required) | The ID of the target session.

tsh kube login

Login to a Kubernetes cluster.

Usage:

tsh kube login [<flags>] [<kube-cluster>]

Flags:

Flag | Default | Description
--as | no default | Configure custom Kubernetes user impersonation.
--as-groups | no default | Configure custom Kubernetes group impersonation.
-c, --cluster | no default | Specify the Teleport cluster to connect.
--labels | no default | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2).
-n, --namespace | no default | Configure the default Kubernetes namespace.
--[no-]all | false | Generate a kubeconfig with every cluster the user has access to. Mutually exclusive with --labels or --query.
--[no-]disable-access-request | false | Disable automatic resource Access Requests.
--query | no default | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and || (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"').
--request-reason | no default | Reason for requesting access.
--set-context-name | {{.ClusterName}}-{{.KubeName}} | Define a custom context name. To use it with --all include "{{.KubeName}}".

Arguments:

Argument | Default | Description
kube-cluster | no default (optional) | Name of the Kubernetes cluster to login to. Check 'tsh kube ls' for a list of available clusters.

tsh kube ls

Get a list of Kubernetes clusters.

Usage:

tsh kube ls [<flags>] [<labels>]

Flags:

Flag | Default | Description
-c, --cluster | no default | Specify the Teleport cluster to connect.
-f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml).
-q, --[no-]quiet | false | Quiet mode.
--query | no default | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and || (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"').
-R, --[no-]all | false | List Kubernetes clusters from all clusters and proxies.
--search | no default | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase").
-v, --[no-]verbose | false | Show an untruncated list of labels.

Arguments:

Argument | Default | Description
labels | no default (optional) | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2).

tsh kube sessions

Get a list of active Kubernetes sessions. (DEPRECATED: use tsh sessions ls --kind=kube instead.)

Usage:

tsh kube sessions [<flags>]

Flags:

Flag | Default | Description
-c, --cluster | no default | Specify the Teleport cluster to connect.
-f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml).

tsh kubectl

Runs a kubectl command on a Kubernetes cluster.

Usage:

tsh kubectl [args...]

Arguments:

Argument | Default | Description
args | no default (optional) | Arbitrary arguments

tsh latency ssh

Measure latency to a particular SSH host.

Usage:

tsh latency ssh [<flags>] <[user@]host>

Environment variables:

Variable | Default | Description
TELEPORT_NO_RESUME | false | Disable SSH connection resumption.

Flags:

Flag | Default | Description
-c, --cluster | no default | Specify the Teleport cluster to connect.
--[no-]no-resume | false | Disable SSH connection resumption.

Arguments:

Argument | Default | Description
[user@]host | no default (required) | Remote hostname and the login to use.

tsh login

Log in to a cluster and retrieve the session certificate.

Usage:

tsh login [<flags>] [<cluster>]

Flags:

Flag | Default | Description
--browser | no default | Set to 'none' to suppress browser opening on login.
-f, --format | file | Identity format: file, openssh (for OpenSSH compatibility) or kubernetes (for kubeconfig).
--kube-cluster | no default | Name of the Kubernetes cluster to login to.
--[no-]overwrite | false | Whether to overwrite the existing identity file.
--[no-]request-nowait | false | Finish without waiting for request resolution.
-o, --out | no default | Identity output.
--request-id | no default | Login with the roles requested in the given request.
--request-reason | no default | Reason for requesting additional roles.
--request-reviewers | no default | Suggested reviewers for role request.
--request-roles | no default | Request one or more extra roles.
--scope | no default | Scope pins credentials to a given scope. Use "" to explicitly remove scoping.
-v, --[no-]verbose | false | Show extra status information.

Arguments:

Argument | Default | Description
cluster | no default (optional) | Specify the Teleport cluster to connect.

tsh logout

Delete a cluster certificate.

Usage:

tsh logout

tsh ls

List remote SSH nodes.

Usage:

tsh ls [<flags>] [<labels>]

Flags:

Flag | Default | Description
-c, --cluster | no default | Specify the Teleport cluster to connect.
-f, --format | text (one of: text, json, yaml, names) | Format output (text, json, yaml, names).
--query | no default | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and || (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"').
-R, --[no-]all | false | List nodes from all clusters and proxies.
--search | no default | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase").
-v, --[no-]verbose | false | One-line output (for text format), including node UUIDs.

Arguments:

Argument | Default | Description
labels | no default (optional) | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2).

tsh mcp config

Print client configuration details.

Usage:

tsh mcp config [<flags>] [<name>]

Environment variables:

Variable | Default | Description
TELEPORT_MCP_CLIENT_CONFIG | no default | If specified, update the specified client config, assuming its format. "claude" for default Claude Desktop config, "cursor" for global Cursor MCP servers config, or specify a JSON file path. Can also be set with environment variable TELEPORT_MCP_CLIENT_CONFIG.
TELEPORT_MCP_CONFIG_JSON_FORMAT | auto (one of: pretty, compact, auto, none) | Format the JSON file (pretty, compact, auto, none). auto saves in compact if the file is already compact, otherwise pretty. Can also be set with environment variable TELEPORT_MCP_CONFIG_JSON_FORMAT. Default is auto.

Flags:

Flag | Default | Description
--client-config | no default | If specified, update the specified client config, assuming its format. "claude" for default Claude Desktop config, "cursor" for global Cursor MCP servers config, or specify a JSON file path. Can also be set with environment variable TELEPORT_MCP_CLIENT_CONFIG.
--format | no default | Format specifies the configuration format (claude, vscode, cursor). If not provided it will assume format from the configuration file, When no configuration file is provided it defaults to "claude".
-H, --header | no default | Extra custom headers used for streamable HTTP MCP servers.
--json-format | auto (one of: pretty, compact, auto, none) | Format the JSON file (pretty, compact, auto, none). auto saves in compact if the file is already compact, otherwise pretty. Can also be set with environment variable TELEPORT_MCP_CONFIG_JSON_FORMAT. Default is auto.
--labels | no default | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2).
--[no-]auto-reconnect | false | Automatically starts a new remote MCP session when the previous remote session is interrupted by network issues or tsh session expirations. Recommended for stateless MCP sessions. Defaults to true.
--query | no default | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and || (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"').
-R, --[no-]all | false | Select all MCP servers. Mutually exclusive with --labels or --query.

Arguments:

Argument | Default | Description
name | no default (optional) | Name of the MCP server.

tsh mcp db config

Print client configuration details.

Usage:

tsh mcp db config [<flags>] [<name>]

Environment variables:

Variable | Default | Description
TELEPORT_MCP_CLIENT_CONFIG | no default | If specified, update the specified client config, assuming its format. "claude" for default Claude Desktop config, "cursor" for global Cursor MCP servers config, or specify a JSON file path. Can also be set with environment variable TELEPORT_MCP_CLIENT_CONFIG.
TELEPORT_MCP_CONFIG_JSON_FORMAT | auto (one of: pretty, compact, auto, none) | Format the JSON file (pretty, compact, auto, none). auto saves in compact if the file is already compact, otherwise pretty. Can also be set with environment variable TELEPORT_MCP_CONFIG_JSON_FORMAT. Default is auto.

Flags:

Flag | Default | Description
--client-config | no default | If specified, update the specified client config, assuming its format. "claude" for default Claude Desktop config, "cursor" for global Cursor MCP servers config, or specify a JSON file path. Can also be set with environment variable TELEPORT_MCP_CLIENT_CONFIG.
--format | no default | Format specifies the configuration format (claude, vscode, cursor). If not provided it will assume format from the configuration file, When no configuration file is provided it defaults to "claude".
--json-format | auto (one of: pretty, compact, auto, none) | Format the JSON file (pretty, compact, auto, none). auto saves in compact if the file is already compact, otherwise pretty. Can also be set with environment variable TELEPORT_MCP_CONFIG_JSON_FORMAT. Default is auto.
-n, --db-name | no default | Database name to log in to.
--[no-]overwrite | false | Overwrites command and environment variable from the config file.
-u, --db-user | no default | Database user to log in as.

Arguments:

Argument | Default | Description
name | no default (optional) | Database service name.

tsh mcp ls

List available MCP server applications.

Usage:

tsh mcp ls [<flags>] [<labels>]

Flags:

Flag | Default | Description
-f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml).
--query | no default | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and || (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"').
--search | no default | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase").
-v, --[no-]verbose | false | Show extra MCP server fields.

Arguments:

Argument | Default | Description
labels | no default (optional) | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2).

tsh mfa add

Add a new MFA device.

Usage:

tsh mfa add [<flags>]

Flags:

Flag | Default | Description
--name | no default | Name of the new MFA device.
--type | no default (one of: TOTP, WEBAUTHN) | Type of the new MFA device (TOTP, WEBAUTHN).

tsh mfa ls

Get a list of registered MFA devices.

Usage:

tsh mfa ls [<flags>]

Flags:

Flag | Default | Description
-f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml).
-v, --[no-]verbose | false | Print more information about MFA devices.

tsh mfa rm

Remove an MFA device.

Usage:

tsh mfa rm <name>

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| name | no default (required) | Name or ID of the MFA device to remove. |

tsh piv agent

Start PIV key agent.

Usage:

tsh piv agent

tsh play

Replay the recorded session (SSH, Kubernetes, App, DB).

Usage:

tsh play [<flags>] <session-id>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -c, --cluster | no default | Specify the Teleport cluster to connect. |
| -f, --format | pty (one of: pty, json, yaml, text) | Format output (pty, json, yaml, text). |
| --[no-]skip-idle-time | false | Quickly skip over idle time, applicable when streaming SSH or Kubernetes sessions. |
| --speed | 1x (one of: 0.5x, 1x, 2x, 4x, 8x) | Playback speed, applicable when streaming SSH or Kubernetes sessions. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| session-id | no default (required) | ID or path to session file to play. |

tsh proxy app

Start local TLS proxy for app connection when using Teleport in single-port mode.

Usage:

tsh proxy app [<flags>] <app>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -c, --cluster | no default | Specify the Teleport cluster to connect. |
| -p, --port | no default | Specifies the listening port used by the proxy app listener. Accepts an optional target port of a multi-port TCP app after a colon, e.g. "1234:5678". |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| app | no default (required) | The name of the application to start local proxy for. |

tsh proxy aws

Start local proxy for AWS access.

Usage:

tsh proxy aws [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --app | no default | Optional name of the AWS application to use if logged into multiple. |
| -f, --format | unix (one of: unix, command-prompt, powershell, text, athena-odbc, athena-jdbc) | Optional format to print the commands for setting environment variables, one of: unix, command-prompt, powershell, text. Default is unix. Or specify a service format, one of: athena-odbc, athena-jdbc. |
| -p, --port | no default | Specifies the source port used by the proxy listener. |

tsh proxy azure

Start local proxy for Azure access.

Usage:

tsh proxy azure [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --app | no default | Optional name of the Azure application to use if logged into multiple. |
| -f, --format | unix (one of: unix, command-prompt, powershell, text) | Optional format to print the commands for setting environment variables, one of: unix, command-prompt, powershell, text. Default is unix. |
| -p, --port | no default | Specifies the source port used by the proxy listener. |

tsh proxy db

Start local TLS proxy for database connections when using Teleport in single-port mode.

Usage:

tsh proxy db [<flags>] [<db>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -c, --cluster | no default | Specify the Teleport cluster to connect. |
| --labels | no default | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2). |
| --listen | no default | Specifies the source address used by proxy db listener. Mutually exclusive with --port. |
| -n, --db-name | no default | Database name to log in to. |
| --[no-]disable-access-request | false | Disable automatic resource Access Requests. |
| --[no-]insecure-listen-anywhere | false | Allows the local proxy to listen on any address without restrictions. WARNING: this will expose an unsecured listener to anyone in the network. Only use when network access is otherwise restricted. |
| --[no-]tunnel | false | Open authenticated tunnel using database's client certificate so clients don't need to authenticate. |
| -p, --port | no default | Specifies the source port used by proxy db listener. |
| --query | no default | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"'). |
| -r, --db-roles | no default | List of comma separated database roles to use for auto-provisioned user. |
| --request-reason | no default | Reason for requesting access. |
| -u, --db-user | no default | Database user to log in as. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| db | no default (optional) | The name of the database to start local proxy for. |

tsh proxy gcloud

Start local proxy for GCP access.

Usage:

tsh proxy gcloud [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --app | no default | Optional name of the GCP application to use if logged into multiple. |
| -f, --format | unix (one of: unix, command-prompt, powershell, text) | Optional format to print the commands for setting environment variables, one of: unix, command-prompt, powershell, text. Default is unix. |
| -p, --port | no default | Specifies the source port used by the proxy listener. |

tsh proxy kube

Start local proxy for Kubernetes access.

Usage:

tsh proxy kube [<flags>] [<kube-cluster>...]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --as | no default | Configure custom Kubernetes user impersonation. |
| --as-groups | no default | Configure custom Kubernetes group impersonation. |
| -c, --cluster | no default | Specify the Teleport cluster to connect. |
| --exec-arg | no default | Arguments to pass to the executed command (can be specified multiple times). |
| --exec-cmd | no default | Command to execute when --exec is enabled. If not specified, defaults to $SHELL or /bin/bash. Implicitly enables exec mode. |
| -f, --format | unix (one of: unix, command-prompt, powershell, text) | Optional format to print the commands for setting environment variables, one of: unix, command-prompt, powershell, text. Default is unix. |
| --labels | no default | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2). |
| -n, --namespace | no default | Configure the default Kubernetes namespace. |
| --[no-]exec | false | Run the proxy in the background and reexec into a new shell with $KUBECONFIG already pointed to our config file. |
| -p, --port | no default | Specifies the source port used by the proxy listener. |
| --query | no default | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"'). |
| --set-context-name | {{.ClusterName}}-{{.KubeName}} | Define a custom context name or template. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| kube-cluster | no default (optional) | Name of the Kubernetes cluster to proxy. Check 'tsh kube ls' for a list of available clusters. If not specified, all clusters previously logged in through tsh kube login will be used. |

tsh proxy mcp

Start local proxy for MCP access.

Usage:

tsh proxy mcp [<flags>] <app>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -c, --cluster | no default | Specify the Teleport cluster to connect. |
| -p, --port | no default | Specifies the listening port used by the proxy app listener. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| app | no default (required) | The name of the MCP application to start local proxy for. |

tsh proxy ssh

Start local TLS proxy for ssh connections when using Teleport in single-port mode.

Usage:

tsh proxy ssh [<flags>] <[user@]host>

Environment variables:

| Variable | Default | Description |
| --- | --- | --- |
| TELEPORT_NO_RESUME | false | Disable SSH connection resumption. |

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -c, --cluster | no default | Specify the Teleport cluster to connect. |
| --[no-]no-resume | false | Disable SSH connection resumption. |
| --[no-]relogin | true | Permit performing an authentication attempt on a failed command. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| [user@]host | no default (required) | Remote hostname and the login to use. |

tsh recordings export

Export recorded desktop sessions to video.

Usage:

tsh recordings export [<flags>] <session-id>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --out | no default | Override output file name. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| session-id | no default (required) | ID of the session to export. |

tsh recordings ls

List recorded sessions.

Usage:

tsh recordings ls [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml). Defaults to 'text'. |
| --from-utc | no default | Start of time range in which recordings are listed. Format 2006-01-02. Defaults to 24 hours ago. |
| --last | no default | Duration into the past from which session recordings should be listed. Format "5h30m40s". |
| --limit | 50 | Maximum number of recordings to show. Default 50. |
| --to-utc | no default | End of time range in which recordings are listed. Format 2006-01-02. Defaults to current time. |

tsh request create

Create a new Access Request.

Usage:

tsh request create [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --assume-start-time | no default | Sets time roles can be assumed by requestor (RFC3339, e.g. 2023-12-12T23:20:50.52Z). |
| --max-duration | no default | How long the access should be granted for. |
| --[no-]nowait | false | Finish without waiting for request resolution. |
| --reason | no default | Reason for requesting. |
| --request-ttl | no default | Expiration time for the Access Request. |
| --resource | no default | Resource ID to be requested. |
| --reviewers | no default | Suggested reviewers. |
| --roles | no default | Roles to be requested. |
| --session-ttl | no default | Expiration time for the elevated certificate. |

tsh request drop

Drop one or more Access Requests from current identity.

Usage:

tsh request drop [<request-id>...]

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| request-id | * (optional) | IDs of requests to drop (default drops all requests). |

tsh request ls

List Access Requests.

Usage:

tsh request ls [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml). |
| --[no-]my-requests | false | Only show requests created by current user. |
| --[no-]reviewable | false | Only show requests reviewable by current user. |
| --[no-]suggested | false | Only show requests that suggest current user as reviewer. |

tsh request review

Review an Access Request.

Usage:

tsh request review [<flags>] <request-id>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --assume-start-time | no default | Sets time roles can be assumed by requestor (RFC3339, e.g. 2023-12-12T23:20:50.52Z). |
| --[no-]approve | false | Review proposes approval. |
| --[no-]deny | false | Review proposes denial. |
| --reason | no default | Review reason message. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| request-id | no default (required) | ID of target request. |

tsh request search

Search for resources to request access to.

Usage:

tsh request search [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml). |
| --kind | no default | Resource kind to search for (node, kube_cluster, kube_resource, db, app, windows_desktop, user_group, saml_idp_service_provider, aws_ic_account, aws_ic_account_assignment, git_server). Mutually exclusive with --roles. |
| --kube-api-group | no default | Kubernetes API group to search for resources. |
| --kube-cluster | no default | Kubernetes Cluster to search for Pods. |
| --kube-kind | no default | Kubernetes resource kind name (plural) to search for. Required with --kind="kube_resource". Ex: pods, deployments, namespaces, etc. |
| --labels | no default | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2). |
| --namespace | default | Kubernetes Namespace to search for Pods. |
| --[no-]all-kube-namespaces | false | Search Pods in every namespace. |
| --[no-]roles | false | List requestable roles instead of searching for resources. Mutually exclusive with --kind. |
| --query | no default | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"'). |
| --search | no default | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase"). |
| -v, --[no-]verbose | false | Verbose table output, shows full label output. |

tsh request show

Show request details.

Usage:

tsh request show [<flags>] <request-id>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml). |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| request-id | no default (required) | ID of the target request. |

tsh resolve

Resolves an SSH host.

Usage:

tsh resolve [<flags>] <host>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml). |
| -q, --[no-]quiet | false | Quiet mode. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| host | no default (required) | Remote hostname to resolve. |

tsh scan keys

Scan the local machine for SSH private keys and report findings to Teleport.

Usage:

tsh scan keys [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --dirs | no default | Directories to scan. Defaults to /home/ on Linux, /Users/ on macOS, and C:\Users\ on Windows. |
| --skip-paths | no default | Paths to directories or files to skip. Supports matching patterns. |

tsh scopes ls

List scopes at which user has assigned privileges.

Usage:

tsh scopes ls [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -v, --[no-]verbose | false | Show table with details of per-scope privileges. |

tsh scp

Transfer files to a remote SSH node.

Usage:

tsh scp [<flags>] <from, to>...

Environment variables:

| Variable | Default | Description |
| --- | --- | --- |
| TELEPORT_NO_RESUME | false | Disable SSH connection resumption. |

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -c, --cluster | no default | Specify the Teleport cluster to connect. |
| --[no-]no-resume | false | Disable SSH connection resumption. |
| --[no-]relogin | true | Permit performing an authentication attempt on a failed command. |
| -p, --[no-]preserve | false | Preserves access and modification times from the original file. |
| -P, --port | no default | Port to connect to on the remote host. |
| -q, --[no-]quiet | false | Quiet mode. |
| -r, --[no-]recursive | false | Recursive copy of subdirectories. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| from, to | no default (required) | Source and destination to copy, one must be a local path and one must be a remote path. |

tsh sessions ls

List active sessions.

Usage:

tsh sessions ls [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml). |
| --kind | ssh,k8s,db,app,desktop (any of (repeatable): ssh, k8s, kube, db, app, desktop) | Filter by session kind(s). |

tsh ssh

Run shell or execute a command on a remote SSH node.

Usage:

tsh ssh [<flags>] [<[user@]host>] [<command>...]

Environment variables:

| Variable | Default | Description |
| --- | --- | --- |
| TELEPORT_NO_RESUME | false | Disable SSH connection resumption. |
| TELEPORT_REQUEST_MODE | resource (one of: off, resource, role) | Type of automatic Access Request to make. |

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -A, --[no-]forward-agent | false | Forward agent to target node. |
| -c, --cluster | no default | Specify the Teleport cluster to connect. |
| -D, --dynamic-forward | no default | Forward localhost connections to remote server using SOCKS5. |
| -f, --[no-]fork-after-authentication | false | Run in background after authentication is complete. |
| --invite | no default | A comma separated list of people to mark as invited for the session. |
| -L, --forward | no default | Forward localhost connections to remote server. |
| --log-dir | no default | Directory to log separated command output, when executing on multiple nodes. If set, output from each node will also be labeled in the terminal. |
| -N, --[no-]no-remote-exec | false | Don't execute remote command, useful for port forwarding. |
| --[no-]disable-access-request | false | Disable automatic resource Access Requests (DEPRECATED: use --request-mode=off). |
| --[no-]local | false | Execute command on localhost after connecting to SSH node. |
| --[no-]no-resume | false | Disable SSH connection resumption. |
| --[no-]participant-req | false | Displays a verbose list of required participants in a moderated session. |
| --[no-]relogin | true | Permit performing an authentication attempt on a failed command. |
| -o, --option | no default | OpenSSH options in the format used in the configuration file. |
| -p, --port | no default | SSH port on a remote host. |
| --reason | no default | The purpose of the session. |
| --request-mode | resource (one of: off, resource, role) | Type of automatic Access Request to make. |
| --request-reason | no default | Reason for requesting access. |
| -R, --remote-forward | no default | Forward remote connections to localhost. |
| -t, --[no-]tty | false | Allocate TTY. |
| --x11-untrusted-timeout | 10m | Sets a timeout for untrusted X11 forwarding, after which the client will reject any forwarding requests from the server. |
| -X, --[no-]x11-untrusted | false | Requests untrusted (secure) X11 forwarding for this session. |
| -Y, --[no-]x11-trusted | false | Requests trusted (insecure) X11 forwarding for this session. This can make your local machine vulnerable to attacks; use with caution. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| command | no default (optional) | Command to execute on a remote host. |
| [user@]host | no default (optional) | Remote hostname and the login to use; this argument is required. |

tsh status

Display the list of proxy servers and retrieved certificates.

Usage:

tsh status [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml). |
| --[no-]client | false | Show client information only (no server required). |
| -v, --[no-]verbose | false | Show extra status information after successful login. |

tsh update

Update client tools (tsh, tctl) to the latest version defined by the cluster configuration.

Usage:

tsh update [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --[no-]clear | false | Removes locally installed client tools updates from the Teleport home directory. |

tsh version

Print the tsh client and Proxy server versions for the current context.

Usage:

tsh version [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | text (one of: text, json, yaml) | Format output (text, json, yaml). |
| --[no-]client | false | Show the client version only (no server required). |

tsh vnet

Start Teleport VNet, a virtual network for TCP application access.

Usage:

tsh vnet

tsh vnet-ssh-autoconfig

Automatically include VNet's generated OpenSSH-compatible config file in ~/.ssh/config.

Usage:

tsh vnet-ssh-autoconfig

tsh workload-identity issue-x509

Use Teleport Workload Identity to issue an X509 credential and write it to a local directory.

Usage:

tsh workload-identity issue-x509 --output=OUTPUT [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --credential-ttl | 1h | Sets the time to live for the credential. |
| --label-selector | no default | A label-based selector for which workload identities to issue. Multiple labels can be provided using ','. |
| --name-selector | no default | The name of the workload identity to issue. |
| --output | no default | Path to the directory to write the SVID into. |