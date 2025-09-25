Version: 19.x (unreleased)

Teleport Configuration

Teleport uses the YAML file format for configuration. A full configuration reference file is shown below. This provides comments and all available options for teleport.yaml .

By default, Teleport reads its configuration from /etc/teleport.yaml .

danger Do not use this example configuration in production.

You must edit your configuration file to meet the needs of your environment. Using a copy of the reference configuration will have unintended effects. To create a configuration file that you can use as a starting point, run the following command:

teleport configure -o file

There are also configure commands available for the SSH Service and Database Service. See our documentation on teleport node configure and teleport db configure in the Teleport CLI Reference.

warning You should back up your configuration file before making changes. This will enable you to roll back to the previous configuration if you need to.

The teleport process can run multiple services.

For some services, you must enable the service within your Teleport configuration in order to start it. Other services are enabled by default.

To enable or disable a service, include the following in your Teleport configuration, replacing service_name with the name of your service (service names are listed below):

service_name: enabled: false

Teleport supports the following services:

Service Configuration section Enabled by default Application Service app_service ❌ Auth Service auth_service ✅ Database Service db_service ❌ Discovery Service discovery_service ❌ Kubernetes Service kubernetes_service ❌ Proxy Service proxy_service ✅ SSH Service ssh_service ✅ Desktop Service windows_desktop_service ❌ Jamf Service jamf_service ❌ Debug Service debug_service ✅

Teleport Cloud manages the Auth Service and Proxy Service for you. Instances of Teleport services (e.g., the Application Service and Database Service) should include the following configuration options to avoid unintended effects:

auth_service: enabled: false proxy_service: enabled: false

These example configurations include all possible configuration options in YAML format to demonstrate proper use of indentation.

Choose a Teleport service to view the application configuration options:

These settings apply to any teleport instance:

version: v3 teleport: nodename: graviton data_dir: /var/lib/teleport auth_token: xxxx-token-xxxx join_params: method: "token" |"ec2"|"iam"|"github"|"circleci"|"kubernetes" token_name: "token-name" ca_pin: "sha256:7e12c17c20d9cb504bbcb3f0236be3f446861f1396dcbb44425fe28ec1c108f1" advertise_ip: 10.1 .0 .5 diag_addr: "127.0.0.1:3000" auth_server: 10.1 .0 .5 :3025 proxy_server: teleport-proxy.example.com:443 connection_limits: max_connections: 1000 log: output: /var/lib/teleport/teleport.log severity: INFO format: output: text extra_fields: [ level , timestamp , component , caller ]

These settings apply to the Teleport Proxy Service:

tip Teleport Enterprise Cloud manages the Proxy Service for you, so you do not need to specify these configuration settings.

proxy_service: enabled: true proxy_protocol: on proxy_protocol_allow_downgrade: on listen_addr: 0.0 .0 .0 :3023 tunnel_listen_addr: 0.0 .0 .0 :3024 peer_listen_addr: 0.0 .0 .0 :3021 peer_public_addr: teleport-proxy-host-1.example.com:3021 web_listen_addr: 0.0 .0 .0 :3080 public_addr: proxy.example.com:3080 ssh_public_addr: proxy.example.com:3023 tunnel_public_addr: proxy.example.com:3024 https_keypairs: - key_file: /var/lib/teleport/webproxy_key.pem cert_file: /var/lib/teleport/webproxy_cert.pem - key_file: /etc/letsencrypt/live/*.teleport.example.com/privkey.pem cert_file: /etc/letsencrypt/live/*.teleport.example.com/fullchain.pem https_keypairs_reload_interval: 1h kube_listen_addr: 0.0 .0 .0 :3026 kube_public_addr: kube.example.com:3026 mysql_listen_addr: "0.0.0.0:3036" mysql_public_addr: "mysql.teleport.example.com:3306" postgres_public_addr: "postgres.teleport.example.com:443" mongo_public_addr: "mongo.teleport.example.com:443" idp: saml: enabled: yes ui: scrollback_lines: 1000 show_resources: 'requestable' trust_x_forwarded_for: false automatic_upgrades_channels: default: static_version: v14.2.1 additional/channel/static: static_version: v14.2.0 critical: true additional/channel/remote: forward_url: https://updates.releases.teleport.dev/v1/stable/cloud

These settings apply to the Teleport Auth Service:

tip Teleport Enterprise Cloud manages the Auth Service for you, so you do not need to specify these configuration settings.

These settings apply to the Teleport SSH Service:

ssh_service: enabled: true listen_addr: 0.0 .0 .0 :3022 public_addr: node.example.com:3022 labels: role: leader type: postgres commands: - name: arch command: [ '/bin/uname' , '-p' ] period: 1h0m0s permit_user_env: false disable_create_host_user: true force_listen: false enhanced_recording: enabled: false command_buffer_size: 8 disk_buffer_size: 128 network_buffer_size: 8 cgroup_path: /cgroup2 root_path: /teleport pam: enabled: yes service_name: 'sshd' use_pam_auth: true port_forwarding: true x11: enabled: yes display_offset: 10 max_display: 1010 ssh_file_copy: true

These settings apply to the Teleport Kubernetes Service:

kubernetes_service: enabled: true public_addr: [ k8s.example.com:3026 ] listen_addr: 0.0 .0 .0 :3026 kubeconfig_file: /secrets/kubeconfig kube_cluster_name: resources: - labels: "*": "*" aws: assume_role_arn: "arn:aws:iam::123456789012:role/example-role-name" external_id: "example-external-id" labels: env: "prod" commands: - name: "os" command: [ "/usr/bin/uname" ] period: "5s" - name: cluster-name command: - 'curl' - 'http://metadata.google.internal/computeMetadata/v1/instance/attributes/cluster-name' - '-H' - 'Metadata-Flavor: Google' period: 1m0s

These settings apply to the Teleport Application Service:

app_service: enabled: true debug_app: true mcp_demo_server: true resources: - labels: "*": "*" apps: - name: "kubernetes-dashboard" cloud: "" description: "Kubernetes Dashboard to development cluster" uri: "http://10.0.1.27:8000" public_addr: "example.com" labels: env: "prod" commands: - name: "os" command: [ "/usr/bin/uname" ] period: "5s" mcp: command: "docker" args: [ "run" , "-i" , "--rm" , "mcp/everything" ] run_as_host_user: "docker"

These settings apply to the Teleport Database Service:

db_service: enabled: true resources: - labels: "*": "*" aws: assume_role_arn: "arn:aws:iam::123456789012:role/example-role-name" external_id: "example-external-id" aws: - types: [ "rds" , "rdsproxy" , "redshift" , "redshift-serverless" , "elasticache" , "elasticache-serverless" , "memorydb" , "opensearch" ] regions: [ "us-west-1" , "us-east-2" ] assume_role_arn: "arn:aws:iam::123456789012:role/example-role-name" external_id: "example-external-id" tags: "*": "*" azure: - types: [ "mysql" , "postgres" , "redis" , "sqlserver" ] regions: [ "eastus" , "westus" ] subscriptions: [ "11111111-2222-3333-4444-555555555555" ] resource_groups: [ "group1" , "group2" ] tags: "*": "*" databases: - name: "prod" description: "Production database" protocol: "postgres" uri: "postgres.example.com:5432" tls: mode: verify-full server_name: db.example.com ca_cert_file: /path/to/pem trust_system_cert_pool: false mysql: server_version: 8.0 .28 admin_user: name: "teleport-admin" default_database: "teleport" aws: region: "us-east-1" assume_role_arn: "arn:aws:iam::123456789012:role/example-role-name" external_id: "example-external-id" redshift: cluster_id: "redshift-cluster-1" rds: instance_id: "rds-instance-1" cluster_id: "aurora-cluster-1" elasticache: replication_group_id: "elasticache-replication-group-1" memorydb: cluster_name: "memorydb-cluster-1" secret_store: key_prefix: "teleport/" kms_key_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" session_tags: dynamodb_table_name: "table-a" gcp: project_id: "xxx-1234" instance_id: "example" alloydb: endpoint_type: "private" endpoint_override: "11.22.33.44" ad: keytab_file: /path/to/keytab domain: EXAMPLE.COM spn: MSSQLSvc/ec2amaz-4kn05du.dbadir.teleportdemo.net:1433 krb5_file: /etc/krb5.conf ldap_service_account_name: "svc-teleport" ldap_service_account_sid: "S-1-5-21-1111111111-2222222222-3333333333-4444" azure: is_flexi_server: false resource_id: "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/example-group/providers/Microsoft.Cache/Redis/example-db-name" static_labels: env: "prod" dynamic_labels: - name: "hostname" command: [ "hostname" ] period: 1m0s

These settings apply to the Teleport Discovery Service:

discovery_service: enabled: true discovery_group: "disc-group" poll_interval: 5m aws: - types: [ "ec2" ] regions: [ "us-east-1" , "us-west-1" ] tags: "*": "*" assume_role_arn: "arn:aws:iam::123456789012:role/example-role-name" external_id: "example-external-id" install: join_params: token_name: "aws-discovery-iam-token" script_name: "default-installer" ssm: document_name: "TeleportDiscoveryInstaller" setup_access_for_arn: arn:aws:iam::123456789012:role/kube-service-role azure: - types: [ "aks" ] regions: [ "eastus" , "westus" ] subscriptions: [ "11111111-2222-3333-4444-555555555555" ] resource_groups: [ "group1" , "group2" ] tags: "*": "*" gcp: - types: [ "gce" ] project_ids: [ "project-id" ] locations: [ "us-east2" , "us-west1-b" ] service_accounts: [] labels: "*": "*" kubernetes: - types: [ "app" ] namespaces: [ "test" , "staging" ] labels: "purpose": "monitoring" "department": "security"

These settings apply to the Windows Desktop Service:

windows_desktop_service: enabled: true listen_addr: "0.0.0.0:3028" public_addr: "desktop-access.example.com:3028" show_desktop_wallpaper: false ldap: addr: "$LDAP_SERVER_ADDRESS" locate_server: enabled: true site: "$LDAP_SITE_NAME" server_name: "$LDAP_SERVER_NAME" insecure_skip_verify: false ldap_ca_cert: | -----BEGIN CERTIFICATE----- *certificate data* -----END CERTIFICATE----- der_ca_file: /path/to/cert domain: "$LDAP_DOMAIN_NAME" username: "$LDAP_USERNAME" sid: "$LDAP_USER_SID" pki_domain: root.example.com kdc_address: "$KDC_SERVER_ADDRESS" static_hosts: - name: example1 ad: false addr: win1.dev.example.com labels: datacenter: dc1 - ad: true addr: win2.dev.example.com labels: controller: all discovery_configs: - base_dn: "OU=prod,DC=example,DC=com" filters: - "(location=Oakland)" - "(!(primaryGroupID=516))" label_attributes: - location rdp_port: 3389 discovery_interval: 10m publish_crl_interval: 10m resources: - labels: "env": "dev" host_labels: - match: '^.*\.dev\.example\.com' labels: environment: dev - match: '^.*\.prod\.example\.com' labels: environment: prod - match: "^EC2AMAZ-" labels: environment: discovered-in-aws labels: teleport.internal/resource-id: "resource-id"

These settings apply to the Jamf Service:

jamf_service: enabled: true name: jamf api_endpoint: https://yourtenant.jamfcloud.com username: teleport password_file: /var/lib/teleport/jamf_password.txt client_id: your-client-id client_secret_file: /var/lib/teleport/jamf_client_secret.txt sync_delay: 0 exit_on_sync: false inventory: - sync_period_partial: 6h sync_period_full: 24h on_missing: NOOP filter_rsql: '' page_size: 0

These settings apply to the Debug Service

debug_service: enabled: true

In order to avoid breaking existing configurations, Teleport's configuration is versioned. The newer configuration version is v3 . If a version is not specified in the configuration file, v1 is assumed.

Some new Teleport features require users to opt-in by explicitly upgrading their configuration to a newer version.

v1 is the original version of Teleport's file configuration. It is still supported today, but most new users should start with the latest configuration version.

Configuration version v2 was introduced in Teleport 8 as part of Teleport's TLS routing feature. With TLS routing, Teleport's proxy listens on a single port and uses ALPN and SNI to route incoming traffic to the correct Teleport service rather than listening on multiple protocol-specific ports.

For backwards compatibility, configuration version v1 always listens on these protocol-specific ports. When Teleport is using configuration version v2 , the individual protocol-specific ports are not opened unless explicitly set.

Configuration version v3 was introduced with Teleport 11. In version 3, the auth_servers field is no longer supported, and agents must specify one of auth_server or proxy_server to indicate which endpoint to use for joining a Teleport cluster.

Previous versions of Teleport allowed for auth_servers to point to Auth Servers or Proxy Servers. As a result, Teleport would try to connect in multiple different modes, resulting in confusing error messages. With config version 3, Teleport only attempts to connect in a single mode, which is both more efficient and easier to troubleshoot.

For example, this excerpt from a v2 config can be converted to v3 with the following changes.