Version: 19.x (unreleased)

This reference guide lists dynamic resources you can manage with Teleport. For more information on dynamic resources, see our guide to Using Dynamic Resources.

Examples of applying dynamic resources with tctl :

tctl get connectors

tctl get saml/okta

tctl rm saml/okta

tctl rm oidc/gworkspace

tctl rm github/myteam

tctl rm users/admin

tctl get devices

tctl get devices/<asset-tag>

tctl get cluster_auth_preference

note Although tctl get connectors will show you every connector, when working with an individual connector you must use the correct kind , such as saml or oidc . You can see each connector's kind at the top of its YAML output from tctl get connectors .

Here's the list of resources currently exposed via tctl :

Resource Kind Description user A user record in the internal Teleport user DB. role A role assumed by interactive and non-interactive users. connector Authentication connectors for Single Sign-On (SSO) for SAML, OIDC and GitHub. node A registered SSH node. The same record is displayed via tctl nodes ls . windows_desktop A registered Windows desktop. cluster A trusted cluster. See here for more details on connecting clusters together. login_rule A Login Rule, see the Login Rules guide for more info. device A Teleport Trusted Device, see the Device Trust guide for more info. ui_config Configuration for the Web UI served by the Proxy Service. vnet_config Configuration for the cluster's VNet options. cluster_auth_preference Configuration for the cluster's auth preferences. database_object_import_rule Database object import rules. autoupdate_config Client tools auto-update configuration autoupdate_version Client tools auto-update target version configuration access_monitoring_rule Access monitoring rules. health_check_config Configuration for resource endpoint health checks

Teleport supports interactive local users, non-interactive local users (bots) and single-sign on users that are represented as a resource.

kind: user version: v2 metadata: name: joe spec: roles: - admin status: is_locked: false lock_expires: 0001-01-01T00:00:00Z locked_time: 0001-01-01T00:00:00Z traits: logins: - joe - root expires: 0001-01-01T00:00:00Z created_by: time: 0001-01-01T00:00:00Z user: name: builtin-Admin

Interactive and non-interactive users (bots) assume one or many roles.

Roles govern access to databases, SSH servers, Kubernetes clusters, web services and applications and Windows Desktops.

kind: role version: v8 metadata: name: example description: This is an example role. spec: options: max_session_ttl: 8h forward_agent: true ssh_port_forwarding: remote: enabled: true local: enabled: true ssh_file_copy: false client_idle_timeout: never disconnect_expired_cert: false max_sessions: 10 enhanced_recording: - command - disk - network permit_x11_forwarding: true device_trust_mode: optional|required|off require_session_mfa: true mfa_verification_interval: 1h lock: strict request_access: reason request_prompt: Please provide your ticket ID max_connections: 2 max_kubernetes_connections: 1 record_session: desktop: true default: best_effort|strict ssh: best_effort|strict desktop_clipboard: true desktop_directory_sharing: true pin_source_ip: true cert_extensions: - type: ssh mode: extension name: [email protected] value: '{{ external.github_login }}' create_host_user_mode: keep create_host_user_default_shell: bash create_db_user_mode: keep allow: logins: [ root , '{{internal.logins}}' ] windows_desktop_logins: [ Administrator , '{{internal.logins}}' ] node_labels: 'env': 'test' '*': '*' 'region': [ 'us-west-1' , 'eu-central-1' ] 'reg': '^us-west-1|eu-central-1$' host_groups: [ ubuntu , nginx , other ] host_sudoers: [ "ALL = (root) NOPASSWD: /usr/bin/systemctl restart nginx.service" ] kubernetes_groups: [ 'system:masters' , '{{external.trait_name}}' ] kubernetes_users: [ 'IAM#{{external.foo}};' ] kubernetes_labels: 'env': 'prod' 'region': 'us-west-*' 'cluster_name': '^us.*\.example\.com$' kubernetes_resources: - kind: '*' api_group: '*' namespace: '*' name: '^nginx-[a-z0-9-]+$' verbs: [ '*' ] db_users: [ '{{email.local(external.email)}}' ] db_names: [ '{{external.db_names}}' ] db_labels: 'env': '{{regexp.replace(external.env, "^(staging)$", "$1")}}' db_roles: [ '{{external.db_roles}}' ] db_permissions: - match: object_kind: table permissions: - SELECT - INSERT - UPDATE - DELETE - TRUNCATE - REFERENCES - TRIGGER app_labels: 'env': 'prod' 'region': 'us-west-*' 'cluster_name': '^us.*\.example\.com$' group_labels: 'env': 'prod' cluster_labels: 'env': 'prod' workload_identity_labels: 'env': 'prod' 'team': '{{external.team}}' node_labels_expression: | labels["env"] == "staging" || contains(user.spec.traits["teams"] , labels["team"]) app_labels_expression: 'labels["env"] == "staging"' cluster_labels_expression: 'labels["env"] == "staging"' kubernetes_labels_expression: 'labels["env"] == "staging"' db_labels_expression: 'labels["env"] == "staging"' db_service_labels_expression: 'labels["env"] == "staging"' windows_desktop_labels_expression: 'labels["env"] == "staging"' group_labels_expression: 'labels["env"] == "staging"' workload_identity_labels_expression: 'labels["env"] == "staging"' aws_role_arns: - 'arn:aws:iam::1234567890:role/ec2-read-only' - 'arn:aws:iam::1234567890:role/ec2-full-access' - 'arn:aws:iam::0987654321:role/example-role' account_assignments: - account: "<account_id>" name: AdministratorAccess permission_set: arn:aws:sso:::permissionSet/ssoins-1234/ps-5678 impersonate: users: [ '*' ] roles: [ 'jenkins' ] where: > contains(user.spec.traits["group"], impersonate_role.metadata.labels["group"]) && contains(user.spec.traits["group"], impersonate_user.metadata.labels["group"]) review_requests: roles: [ 'dbadmin' ] preview_as_roles: [ 'dbadmin' ] request: roles: [ 'common' , 'dev-*' ] search_as_roles: [ 'access' ] kubernetes_resources: - kind: "namespace" reason: mode: "optional" thresholds: - approve: 2 deny: 1 max_duration: 7d claims_to_roles: - claim: 'projects' value: '^product-(.*)$' roles: [ '$1-admin' ] annotations: foo: [ 'bar' ] groups: [ '{{external.groups}}' ] require_session_join: - name: Auditor oversight filter: 'contains(user.spec.roles, ' auditor')' kinds: [ 'k8s' , 'ssh' ] modes: [ 'moderator' ] count: 1 on_leave: 'terminate' join_sessions: - name: Auditor oversight roles : [ 'prod-access' ] kinds: [ 'k8s' , 'ssh' ] modes: [ 'moderator' , 'observer' , 'peer' ] spiffe: - path: "/svc/foo" ip_sans: [ "10.0.0.100/32" ] dns_sans: [ "foo.svc.example.com" ] github_permissions: - orgs: - my-org rules: - resources: [ role ] verbs: [ list , create , read , update , delete ] - resources: [ auth_connector ] verbs: [ list , create , read , update , delete ] - resources: [ session ] verbs: [ list , read ] - resources: [ trusted_cluster ] verbs: [ list , create , read , update , delete ] - resources: [ event ] verbs: [ list , read ] - resources: [ user ] verbs: [ list , create , read , update , delete ] - resources: [ token ] verbs: [ list , create , read , update , delete ] deny: {}

Versions 5, 6, 7 and 8 of the Teleport role resource have different behaviors when accessing Kubernetes resources.

Roles not granting Kubernetes access are equivalent in the four versions.

Roles v5 and v6 can only restrict actions on pods (e.g. executing in them). Role v7 supports restricting some common resource kinds ( see the kubernetes_resource documentation for a complete list). Role v8 supports restricting all resource kinds, including CRDs. It also changes the format of the kind field.

When no kubernetes_resource is set:

Roles v5, v7 and v8 grant all access by default

Roles v6 blocks pod execution by default, this was reverted by roles v7 to improve the user experience.

Allow rule Role v5 Role v6 Role v7 Role v8 kubernetes_groups:

- "system :masters "

kubernetes_labels: {}

kubernetes_resources: []

❌ no access ❌ no access ❌ no access ❌ no access kubernetes_groups:

- "system :masters "

kubernetes_labels:

env: ["dev"]

kubernetes_resources: []

✅ full access to dev clusters ❌ cannot exec in pods

✅ can access other

resources like secrets ✅ full access to dev clusters ✅ full access to dev clusters kubernetes_groups:

- "system :masters "

kubernetes_labels:

env: ["dev"]

kubernetes_resources:

- name: "*"

kind: pod

namespace: "foo" ✅ can exec in pods in foo

✅ can access secrets in all namespaces.

❌ cannot exec in other namespaces ✅ can exec in pods in foo

✅ can access secrets in all namespaces.

❌ cannot exec in other namespaces ✅ can exec in pods in foo

❌ cannot access secrets in all namespaces

❌ cannot exec in other namespaces ⚠️ invalid, v8 uses plural kubernetes_groups:

- "system :masters "

kubernetes_labels:

env: ["dev"]

kubernetes_resources:

- name: "*"

kind: pod

namespace: "foo"

- name: "*"

kind: secret

namespace: "foo" ⚠️ not supported ⚠️ not supported ✅ can exec in pods in foo

✅ can access secrets in foo

❌ cannot exec in other namespaces

❌ cannot access secrets in other namespaces

❌ cannot access configmaps in foo ⚠️ invalid, v8 uses plural kubernetes_groups:

- "system :masters "

kubernetes_labels:

env: ["dev"]

kubernetes_resources:

- kind: "namespace"

name: "foo" ⚠️ not supported ⚠️ not supported ✅ full access in namespace foo including all its resources

❌ cannot access other namespaces

❌ cannot access cluster-wide resources ⚠️ invalid, v8 uses plural kubernetes_groups:

- "system :masters "

kubernetes_labels:

env: ["dev"]

kubernetes_resources:

- kind: "*"

namespace: "foo"

name: "*" ⚠️ not supported ⚠️ not supported ✅ full access in namespace foo including all its resources

❌ cannot access other namespaces

✅ full access to cluster-wide resources ⚠️ invalid, v8 requires api_group for '*' kind kubernetes_groups:

- "system :masters "

kubernetes_labels:

env: ["dev"]

kubernetes_resources:

- kind: "*"

namespace: "*"

name: "*" ⚠️ not supported ⚠️ not supported ✅ full access to dev clusters ⚠️ invalid, v8 requires api_group for '*' kind kubernetes_groups:

- "system :masters "

kubernetes_labels:

env: ["dev"]

kubernetes_resources:

- name: "*"

kind: pods

namespace: "foo"

- name: "*"

kind: deployments

api_group: apps

namespace: "foo" ⚠️ not supported ⚠️ not supported ⚠️ not supported ✅ can exec in pods in foo

✅ can access deployments in foo

❌ cannot exec in other namespaces

❌ cannot access deployments in other namespaces

❌ cannot access configmaps in foo

In most cases, Teleport will register windows_desktop resources automatically based on static hosts in your configuration file or via LDAP-based discovery.

You can also use dynamic registration using dynamic_windows_desktop resources. This can be useful for managing inventories of hosts that are not joined to an Active Directory domain.

There are a few important considerations to keep in mind when registering desktops this way:

The desktop's addr can be a hostname or IP address, and should include the RDP port (typically 3389). If you intend to log in to the desktop with local Windows users you must set non_ad: true . If you intend to log in with Active Directory users, leave non_ad unset (or false), and specify the Active Directory domain in the domain field.

Login rules contain logic to transform SSO user traits during login.

kind: login_rule version: v1 metadata: name: example spec: priority: 0 traits_map: groups: - external.groups logins: - strings.lower(external.username) traits_expression: | external.put("logins", strings.lower(external.logins))

Database object import rule define the labels to be applied to database objects imported into Teleport.

See Database Access Controls for more details.

kind: db_object_import_rule metadata: name: my_custom_rule spec: priority: 123 database_labels: - name: 'env' values: - 'test' - 'staging' - name: 'dept' values: - '*' mappings: - add_labels: database: '{{obj.database}}' object_kind: '{{obj.object_kind}}' name: '{{obj.name}}' protocol: '{{obj.protocol}}' schema: '{{obj.schema}}' database_service_name: '{{obj.database_service_name}}' fixed: const_value template: 'foo-{{obj.name}}' match: table_names: - 'fixed_table_name' - 'partial_wildcard_*' scope: database_names: - Widget* schema_names: - public - secret - add_labels: confidential: true match: table_names: - '*' scope: schema_names: - secret version: v1

Device contains information identifying a trusted device.

kind: device version: v1 metadata: name: 5ff09619-527c-4a17-973f-cd9cd5c93990 spec: asset_tag: HD6M74XNCK collected_data: - collect_time: "2023-02-22T21:04:26.312862Z" os_type: macos record_time: "2023-02-22T21:04:26.396471Z" serial_number: HD6M74XNCK create_time: "2023-02-22T21:04:20.87721Z" update_time: "2023-02-22T21:04:26.396471Z" os_type: macos credential: id: ebe41e2b-5dbb-40a0-82fb-cded7d3373dd public_key_der: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhO73Q5+DWIg9nXFc/Nv38cI9iog9nnlwDmdtZXBtRNc6P0WajDG3cWn3NWttkHTKDSxywOOmupliKA8q1VxvfQ== enroll_status: enrolled

Global configuration options for the Web UI served by the Proxy Service. This resource is not set by default, which means a tctl get ui will result in an error if used before this resource has been set.

kind: ui_config version: v1 metadata: name: ui-config spec: scrollback_lines: 1000 show_resources: 'requestable'

Cluster-specific options VNet should use when setting up connections to resources from this cluster.

See VNet for more details.

kind: vnet_config version: v1 metadata: name: vnet-config spec: ipv4_cidr_range: "100.64.0.0/10" custom_dns_zones: - suffix: company.test

Global configuration options for the agents enrolled into automatic updates (v1).

warning cluster_maintenance_config configures Managed Updates v1, which are currently supported but will be superseded by Managed Updates v2. The autoupdate_config and autoupdate_version resources further down configure Managed Updates v2.

kind: cluster_maintenance_config spec: agent_upgrades: utc_start_hour: 2 weekdays: - Mon - Wed - Fri

Global cluster configuration options for authentication.

metadata: name: cluster-auth-preference spec: second_factors: [ "webauthn" , "otp" ] connector_name: "" webauthn: rp_id: teleport.example.com attestation_allowed_cas: [] attestation_denied_cas: [] require_session_mfa: false disconnect_expired_cert: false allow_headless: false allow_local_auth: true allow_passwordless: false message_of_the_day: "" idp: saml: enabled: true locking_mode: best_effort default_session_ttl: "12h" type: local stable_unix_user_config: enabled: false first_uid: 90000 last_uid: 95000 version: v2

Bot resources define a Machine ID Bot identity and its access.

Find out more on the Machine ID configuration reference.

kind: bot version: v1 metadata: name: robot spec: roles: - editor traits: - name: logins values: - root

Configuration options for Teleport Agent and client tools Managed Updates (v2).

warning The autoupdate_config and autoupdate_version resources configure Managed Updates v2 and Managed Updates v1. cluster_maintenance_config above configures only Managed Updates v1 which are currently supported but will be deprecated in a future version.

kind: autoupdate_config metadata: name: autoupdate-config spec: agents: mode: enabled strategy: halt-on-error schedules: regular: - name: staging start_hour: 4 days: [ "Mon" , "Tue" , "Wed" , "Thu" ] - name: production start_hour: 5 wait_hours: 24 tools: mode: enabled

See Teleport Client Tool Managed Updates and Teleport Agent Managed Updates for more details.

Allows cluster administrators to manage versions used for agent and client tools Managed Updates.

warning The autoupdate_config and autoupdate_version resources configure Managed Updates v2 and Managed Updates v1. cluster_maintenance_config above configures only Managed Updates v1 which are currently supported but will be deprecated in a future version.

This resource is not editable for cloud-managed Teleport Enterprise to ensure that all of your clients receive security patches and remain compatible with your cluster.

kind: autoupdate_version metadata: name: autoupdate-version spec: agents: start_version: v17.2.0 target_version: v17.2.1 schedule: regular mode: enabled tools: target_version: v17.2.1

See Teleport Client Tool Managed Updates and Teleport Agent Managed Updates for more details.

Allows cluster administrators to view the current agent rollout for Teleport Agent Managed Updates (v2).

This resource should not be edited by humans.

kind: autoupdate_agent_rollout metadata: name: autoupdate-agent-rollout spec: start_version: v17.2.0 target_version: v17.2.1 schedule: regular autoupdate_mode: enabled strategy: halt-on-error status: groups: - name: staging start_time: 0001-01-01T00:00:00Z state: active last_update_time: 0001-01-01T00:00:00Z last_update_reason: "new version" config_days: [ "Mon" , "Tue" , "Wed" , "Thu" ] config_start_hour: 4 - name: production config_wait_hours: 24 start_time: 0001-01-01T00:00:00Z state: active

See Teleport Agent Managed Updates for more details.

This is an internal resource used by the Auth service to track which agent is running which version and decide if the update can progress.

This resource should not be edited by humans.

kind: autoupdate_agent_report version: v1 metadata: name: auth1 spec: timestamp: 2025-05-28T11:22:41.924956-04:00 groups: dev: versions: "1.2.3": count: 15 "1.2.4": count: 2 "1.2.5": count: 34 stage: versions: "1.2.3": count: 15 "1.2.4": count: 125 prod: versions: "1.2.5": count: 1543 omitted: - count: 120 reason: "version is pinned" - count: 12 reason: "managed update v1 updater does not support agent reports" - count: 42 reason: "updater version predates agent report"

Access monitoring rules allows cluster administrators to monitor Access Requests and apply notification routing and automatic review rules.

kind: access_monitoring_rule version: v1 metadata: name: example_rule spec: subjects: - access_request condition: |- contains_all(set("access"), access_request.spec.roles) && contains_any(user.traits["team"], set("dev")) desired_state: reviewed automatic_review: integration: builtin decision: APPROVED notification: name: email recipients: - [email protected]

Accepted fields within the condition predicate expression:

Field Description access_request.spec.roles The set of roles requested. access_request.spec.suggested_reviewers The set of reviewers specified in the request. access_request.spec.system_annotations A map of system annotations on the request. access_request.spec.user The requesting user. access_request.spec.request_reason The request reason. access_request.spec.creation_time The creation time of the request. access_request.spec.expiry The expiry time of the request. user.traits A map of traits of the requesting user.

See Predicate Language for more details.

Configuration for resource endpoint health checks.

Currently, health checks can only be configured for database endpoints.

kind: health_check_config version: v1 metadata: name: example description: Example healthcheck configuration spec: interval: 30s timeout: 5s healthy_threshold: 2 unhealthy_threshold: 1 match: db_labels: - name: env values: - dev - staging db_labels_expression: 'labels["owner"] == "database-team"'

See predicate language label expressions for more info about using predicate language to match resource labels.