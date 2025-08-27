Version: 17.x

Teleport Role Templates

As organizations grow, infrastructure teams have to figure out how to define access control policies that don't require manual configuration every time people join, leave, and form new teams.

Here are some common examples of such policies:

Grant every single sign-on user an SSH login generated from their email.

Assign each team member to their team's Kubernetes group.

Limit the dev team to a read-only replica of a database.

Let's explore how Teleport's role templates provide a way to describe these and other policies.

A running Teleport cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

The tctl and tsh clients. Installing tctl and tsh clients Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version: TELEPORT_DOMAIN= example.teleport.com:443 TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')" Follow the instructions for your platform to install tctl and tsh clients: Mac Windows - Powershell Linux Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients: curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg In Finder double-click the pkg file to begin installation. danger Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security. curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip All of the Teleport binaries in Linux installations include the tctl and tsh clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page. curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz cd teleport sudo ./install



To check that you can connect to your Teleport cluster, sign in with tsh login , then verify that you can run tctl commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and [email protected] teleport.example.com --user= [email protected] tsh login --proxy=--user= tctl status tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

Imagine you have two users, Alice and Bob. We would like to set the following access policies:

Alice can log in as SSH user admin and Kubernetes group edit

and Kubernetes group Bob can log in as ubuntu and Kubernetes group view

We can create two roles, one for each user in file roles.yaml :

kind: role version: v7 metadata: name: alice spec: allow: logins: [ 'admin' ] kubernetes_groups: [ 'edit' ] node_labels: '*': '*' kubernetes_labels: '*': '*' kubernetes_resources: - kind: '*' namespace: '*' name: '*' verbs: [ '*' ] kind: role version: v7 metadata: name: bob spec: allow: logins: [ 'ubuntu' ] kubernetes_groups: [ 'view' ] node_labels: '*': '*' kubernetes_labels: '*': '*' kubernetes_resources: - kind: '*' namespace: '*' name: '*' verbs: [ '*' ]

You can create roles and invite Alice and Bob as local users:

tctl create -f roles.yaml tctl users add alice --roles=alice tctl users add bob --roles=bob

tip You can also create and edit roles using the Web UI. Go to Access -> Roles and click Create New Role or pick an existing role to edit.

Having one role per user is not going to scale well. Because the roles are so similar, we can assign variables to each user, and use just one role template for both Alice and Bob.

Let's create a role template called devs.yaml :

kind: role version: v7 metadata: name: devs spec: allow: logins: [ '{{internal.logins}}' ] kubernetes_groups: [ '{{internal.kubernetes_groups}}' ] node_labels: '*': '*' kubernetes_labels: '*': '*' kubernetes_resources: - kind: '*' namespace: '*' name: '*' verbs: [ '*' ]

Any role becomes a template once it starts using template variables.

Just like roles, role templates are valid YAML and validate both the structure and types.

The role template devs is using the internal notation to refer to the local user's traits logins and kubernetes_groups . The internal notation only supports a limited set of predefined traits. Use the external.<trait-name> syntax if using a custom trait with a local user.

Use tctl to create a role template:

tctl create -f devs.yaml

The last step is to update Alice's and Bob's users with traits. Here is an example of user resources in a file called traits.yaml :

kind: user version: v2 metadata: name: alice spec: roles: [ 'devs' ] traits: logins: [ 'admin' ] kubernetes_groups: [ 'edit' ] kind: user version: v2 metadata: name: bob spec: roles: [ 'devs' ] traits: logins: [ 'ubuntu' ] kubernetes_groups: [ 'view' ]

Update both users' entries with the tctl create -f command:

tctl create -f traits.yaml

Once Alice logs in, she will receive SSH and X.509 certificates with a new role. SSH logins and Kubernetes groups will also be set:

Self-Hosted

Teleport Enterprise Cloud tsh login --proxy=teleport.example.com --user=alice

tsh login --proxy=mytenant.teleport.sh --user=alice



Identity provider admins can assign metadata to a user such as group membership or access permissions. Administrators configure what metadata is shared with Teleport. Teleport receives user metadata keys and values as OIDC claims or SAML attributes during the single sign-on redirect flow:

Let's create a role template called sso-users that expects external attribute logins to be set by an identity provider. Save this role as sso-users.yaml :

kind: role version: v7 metadata: name: sso-users spec: allow: logins: [ '{{external.logins}}' ] node_labels: '*': '*' kubernetes_labels: '*': '*' kubernetes_resources: - kind: '*' namespace: '*' name: '*' verbs: [ '*' ]

A GitHub connector called github.yaml maps every member of team cyber in organization octocats to the role sso-users :

kind: github version: v3 metadata: name: github spec: client_id: client-id client_secret: secret-data-here display: GitHub redirect_url: https://teleport.example.com/v1/webapi/github/callback teams_to_roles: - organization: octocats team: cyber roles: - sso-users

Create this connector using tctl :

tctl create -f github.yaml

Once Bob logs in using SSO, he will receive SSH and X.509 certificates with a new role and SSH logins generated using the sso-users role template:

Self-Hosted

Teleport Enterprise Cloud tsh login --proxy=teleport.example.com --auth=github

tsh login --proxy=mytenant.teleport.sh --auth=github



Administrators can configure what attributes identity providers return during single-sign on and present to Teleport. Let's review a couple of scenarios and see how Teleport interpolates the variables.

Let's go back to to the list of attributes for Alice's user entry:

Let's see how these variables are used with role template interpolation :

kind: role version: v7 metadata: name: interpolation spec: allow: logins: [ '{{external.logins}}' , 'admin' ] kubernetes_users: [ 'IAM#{{external.email}};' ] kubernetes_groups: [ '{{external.groups}}' ] database_users: [ '{{email.local(external.email)}}' ] db_labels: 'env': '{{regexp.replace(external.env, "^(staging)$", "$1")}}' node_labels: 'env': '{{external.env}}' 'region': 'us-west-2' kubernetes_labels: '*': '*' kubernetes_resources: - kind: '*' namespace: '*' name: '*' verbs: [ '*' ]

After interpolation with Alice's SSO user attributes, the role template will behave as the following role:

Available interpolation functions include:

Function Description email.local(variable) Extracts the local part of an email address. email.local([email protected]) evaluates to alice . regexp.replace(variable, expression, replacement) Finds all matches of expression and replaces them with replacement . This supports expansion, e.g. regexp.replace(external.email, "^(.*)@example.com$", "$1") . Values which do not match the expression will be filtered out. $N is used to refer to the Nth captured group, starting at $1 .

Access and Reviewer Request specifications do not use the same interpolation system as logins, labels etc. Instead, you can use the claims_to_roles clause in the request and review_requests rules to specify one or more patterns to match.

For example, given the following rule template for a request configuration:

kind: role version: v3 metadata: name: product-admin spec: allow: request: roles: [ access ] claims_to_roles: - claim: 'projects' value: '^product-(.*)$' roles: [ '$1-admin' ]

For example, we could grant Alice the product-admin role and add some entries to the projects trait:

kind: user version: v2 metadata: name: alice spec: roles: [ 'dev' , 'product-admin' ] traits: projects: [ 'internal-tooling' , 'product-alpha' , 'product-beta' ]

In this case, Alice would be allowed to request access to the RBAC roles access (from the static role list) and alpha-admin and beta-admin (from the claims_to_roles mapping).

The same syntax applies for Review Requests.