Teleport reads a static configuration file at startup, by default /etc/teleport.yaml. This file controls which services run in a given process and sets service-level options such as listen addresses, storage backends, and TLS certificates. Settings that change frequently (roles, users, trusted clusters) are managed as dynamic resources through tctl or the Teleport API; changing them requires neither a file edit nor a restart. This page documents every top-level section of teleport.yaml.
```yaml
version: v3   # always specify the schema version

teleport:                 # global process settings (data dir, node name, log, storage)
  ...
auth_service:             # Certificate Authority, audit log, user store
  enabled: true
  ...
proxy_service:            # public-facing HTTPS/SSH endpoint and Web UI
  enabled: true
  ...
ssh_service:              # SSH access to Linux servers
  enabled: false
  ...
kubernetes_service:       # Kubernetes API proxy
  enabled: false
  ...
db_service:               # database protocol proxy
  enabled: false
  ...
app_service:              # HTTP/TCP application proxy
  enabled: false
  ...
windows_desktop_service:  # RDP desktop proxy
  enabled: false
  ...
```
A single teleport binary can run multiple services simultaneously. The Auth Service and Proxy Service form the control plane and typically run on dedicated hosts (or pods). SSH, Kubernetes, Database, App, and Desktop services run on agent nodes alongside the resources they protect.
When it reads the file, Teleport expands environment variables referenced in teleport.yaml values with the $VAR or ${VAR} syntax, so secrets can be kept out of the file and supplied by the process environment. The following environment variables also control process behavior directly:
The teleport section configures settings that apply to the entire process, regardless of which services are enabled.
```yaml
teleport:
  # The name of this node as it appears in the cluster.
  # Defaults to the system hostname.
  nodename: my-node.example.com

  # Directory where Teleport stores its runtime data:
  # certificates, SQLite state (when applicable), and session uploads.
  data_dir: /var/lib/teleport

  # Address of the Auth Service. Used by agents and proxy to connect.
  # Separate multiple addresses with commas for HA setups.
  auth_server: auth.example.com:3025

  # Join token (or path to a file holding it) for new nodes joining the cluster.
  auth_token: /var/lib/teleport/token

  # Logging configuration
  log:
    output: stderr      # "stderr", "stdout", or a file path
    severity: INFO      # "DEBUG", "INFO", "WARN", "ERROR"
    format:
      output: text      # "text" or "json"
      extra_fields:     # additional structured fields
        - timestamp
        - component

  # Storage backend for cluster state and audit log.
  # For HA deployments replace "sqlite" with "dynamodb", "etcd",
  # "firestore", or "postgresql".
  storage:
    type: sqlite
    path: /var/lib/teleport/backend

  # Cipher suites, key exchange algorithms, and MAC algorithms
  # used for SSH connections. Omit to use secure defaults.
  ciphers:
    - aes128-gcm@openssh.com
    - chacha20-poly1305@openssh.com
  kex_algos:
    - curve25519-sha256
  mac_algos:
    - hmac-sha2-256-etm@openssh.com

  # CA pinning: list of SHA-256 fingerprints of trusted Auth Service CAs.
  # Used by new agents on first join to prevent MITM attacks.
  ca_pin:
    - sha256:abc123...
```
auth_service — Certificate Authority and Audit Log
The Auth Service is the root of trust for the cluster. It signs certificates, stores dynamic resources, and writes audit events.
```yaml
auth_service:
  enabled: true

  # The cluster name is fixed at cluster creation and cannot be changed.
  # It should match the public address of your proxy.
  cluster_name: teleport.example.com

  # Address on which the gRPC/gRPC-Web API listens.
  listen_addr: 0.0.0.0:3025

  # ──────────────────────────────────────────────
  # Authentication policy
  # ──────────────────────────────────────────────
  authentication:
    # "local" uses Teleport's built-in user store.
    # "github", "saml", or "oidc" delegates to an external IdP.
    type: local
    # Second factor settings
    second_factor: otp   # "off", "otp", "webauthn", "on" (any), "optional"
    webauthn:
      rp_id: teleport.example.com   # Relying Party ID; must match the proxy public_addr host

  # ──────────────────────────────────────────────
  # Session recording
  # ──────────────────────────────────────────────
  # Controls where PTY output is captured.
  # "node"       async, at the SSH node (default, recommended)
  # "node-sync"  sync, at the SSH node (for compliance environments)
  # "proxy"      async, at the Proxy Service
  # "proxy-sync" sync, at the Proxy Service
  session_recording: node-sync

  # ──────────────────────────────────────────────
  # License (Enterprise only)
  # ──────────────────────────────────────────────
  license_file: /var/lib/teleport/license.pem

  # ──────────────────────────────────────────────
  # TLS key pair for the Auth Service API
  # ──────────────────────────────────────────────
  tls_cert_file: /var/lib/teleport/certs/auth.crt
  tls_key_file: /var/lib/teleport/certs/auth.key

  # ──────────────────────────────────────────────
  # Static tokens used by new nodes to join the cluster.
  # Format is "role[,role...]:secret". Static tokens never expire;
  # prefer short-lived tokens minted with `tctl tokens add`.
  # ──────────────────────────────────────────────
  tokens:
    - "node:secret-join-token"
    - "proxy:another-secret-token"
    - "kube,app,db:another-token"
```
proxy_service — Public-Facing Endpoint and Web UI
The Proxy Service is the cluster’s public entry point. Users and agents connect through the Proxy.
```yaml
proxy_service:
  enabled: true

  # The externally reachable address users and agents connect to.
  # The WebAuthn rp_id in auth_service must match its host name.
  public_addr: teleport.example.com:443

  # Address on which the Proxy listens for HTTPS and SSH traffic.
  listen_addr: 0.0.0.0:443

  # ──────────────────────────────────────────────
  # TLS certificate options (choose one)
  # ──────────────────────────────────────────────
  # Option 1: Automatic ACME certificate from Let's Encrypt
  acme:
    enabled: true
    email: admin@example.com

  # Option 2: Supply your own certificate
  https_keypairs:
    - key_file: /var/lib/teleport/certs/proxy.key
      cert_file: /var/lib/teleport/certs/proxy.crt

  # ──────────────────────────────────────────────
  # Reverse tunnel listener used by agents dialing back to the Proxy.
  # With TLS Routing (proxy_listener_mode: multiplexing in auth_service)
  # all protocols share the single public HTTPS port, so only that one
  # port needs to be opened.
  # ──────────────────────────────────────────────
  tunnel_listen_addr: 0.0.0.0:443

  # ──────────────────────────────────────────────
  # MySQL and PostgreSQL database proxy listeners
  # (only needed when NOT using TLS Routing)
  # ──────────────────────────────────────────────
  mysql_listen_addr: 0.0.0.0:3036
  postgres_listen_addr: 0.0.0.0:5432

  # ──────────────────────────────────────────────
  # Automatic agent update channels (self-hosted Enterprise)
  # ──────────────────────────────────────────────
  automatic_upgrades_channels:
    default:
      forward_url: https://updates.releases.teleport.dev/v1/stable/cloud
```
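The settings in the teleport, auth_service and proxy_service sections above are the ones that decide whether a cluster is actually protected: an agent joining without a ca_pin trusts whatever answers on port 3025, a second_factor of "off" turns Teleport into password-only SSH, and a static token in auth_service.tokens is a credential that never expires. The linter below, an added example that is not part of the Teleport docs or project, walks the dict that yaml.safe_load() returns for a teleport.yaml and reports those weaknesses. The check names, the 32-character token threshold and the two sample configs are this example's own assumptions, not Teleport rules.

```python
"""Lint a loaded teleport.yaml for weak security settings.

Added example, not Teleport's own tooling. It works on the dict that
yaml.safe_load() returns for teleport.yaml; the two sample configs below
are constructed for illustration and the thresholds are the author's.
"""
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, dotted yaml path, message)
MIN_STATIC_TOKEN_LEN = 32       # assumed threshold, not a Teleport rule


def load_config(path: str) -> Dict[str, Any]:
    """Load teleport.yaml with PyYAML (assumed installed by the reader)."""
    import yaml  # imported lazily so lint() works without PyYAML present
    with open(path) as fh:
        return yaml.safe_load(fh) or {}


def parse_token_roles(entry: str) -> Tuple[List[str], str]:
    """Split a static token entry such as 'kube,app,db:secret' into (roles, secret)."""
    roles, sep, secret = entry.partition(":")
    if not sep or not secret or not roles.strip():
        raise ValueError(f"malformed static token entry: {entry!r}")
    return [r.strip().lower() for r in roles.split(",") if r.strip()], secret


def lint(cfg: Dict[str, Any]) -> List[Finding]:
    """Return findings for the teleport, auth_service and proxy_service sections."""
    out: List[Finding] = []
    tele = cfg.get("teleport") or {}
    auth = cfg.get("auth_service") or {}
    proxy = cfg.get("proxy_service") or {}
    authn = auth.get("authentication") or {}
    rp_id = (authn.get("webauthn") or {}).get("rp_id")

    # An agent joining with a token but no ca_pin accepts the CA of whichever
    # Auth Service answers first; nothing authenticates that first connection.
    if tele.get("auth_token") and not tele.get("ca_pin"):
        out.append(("WARN", "teleport.ca_pin",
                    "auth_token set without ca_pin; first join is not protected against MITM"))

    if auth.get("enabled"):
        sf = str(authn.get("second_factor", "")).lower()
        if sf == "off":
            out.append(("ERROR", "auth_service.authentication.second_factor",
                        "second factor is disabled"))
        elif sf == "optional":
            out.append(("WARN", "auth_service.authentication.second_factor",
                        "second factor is optional; users without a device log in with password only"))
        if sf in ("webauthn", "on") and not rp_id:
            out.append(("ERROR", "auth_service.authentication.webauthn.rp_id",
                        f"second_factor={sf} needs webauthn.rp_id"))
        if str(auth.get("session_recording", "node")).lower() == "off":
            out.append(("WARN", "auth_service.session_recording", "session recording is disabled"))

        # Static tokens in the file never expire: each is a standing credential for
        # every role it names. Short-lived tokens from `tctl tokens add` are preferable.
        for entry in auth.get("tokens") or []:
            try:
                roles, secret = parse_token_roles(str(entry))
            except ValueError as exc:
                out.append(("ERROR", "auth_service.tokens", str(exc)))
                continue
            if "auth" in roles:
                out.append(("ERROR", "auth_service.tokens",
                            "static token grants the auth role (control-plane join)"))
            if len(secret) < MIN_STATIC_TOKEN_LEN:
                out.append(("WARN", "auth_service.tokens",
                            f"static token for {','.join(roles)} is only {len(secret)} chars"))

    if proxy.get("enabled"):
        if (proxy.get("acme") or {}).get("enabled") and proxy.get("https_keypairs"):
            out.append(("WARN", "proxy_service.https_keypairs",
                        "both ACME and https_keypairs are configured; choose one"))
        # host:port form only; this example does not handle IPv6 literals.
        host = str(proxy.get("public_addr", "")).rsplit(":", 1)[0]
        if rp_id and host and host != rp_id:
            out.append(("WARN", "auth_service.authentication.webauthn.rp_id",
                        f"rp_id {rp_id!r} differs from public_addr host {host!r}; "
                        "WebAuthn also accepts a parent domain, so verify this is intended"))
    return out


# Constructed sample: a first-cut config with the usual shortcuts taken.
WEAK_CONFIG: Dict[str, Any] = {
    "version": "v3",
    "teleport": {"auth_token": "/var/lib/teleport/token"},
    "auth_service": {"enabled": True,
                     "authentication": {"type": "local", "second_factor": "off"},
                     "session_recording": "off",
                     "tokens": ["node:shortsecret", "auth,proxy:another-short-one"]},
    "proxy_service": {"enabled": True, "public_addr": "teleport.example.com:443",
                      "acme": {"enabled": True, "email": "admin@example.com"},
                      "https_keypairs": [{"key_file": "/certs/proxy.key",
                                          "cert_file": "/certs/proxy.crt"}]},
}

# Constructed sample: the same cluster with every finding addressed.
HARDENED_CONFIG: Dict[str, Any] = {
    "version": "v3",
    "teleport": {"auth_token": "/var/lib/teleport/token",
                 "ca_pin": ["sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"]},
    "auth_service": {"enabled": True,
                     "authentication": {"type": "local", "second_factor": "webauthn",
                                        "webauthn": {"rp_id": "teleport.example.com"}},
                     "session_recording": "node-sync",
                     "tokens": []},  # join tokens are minted on demand with tctl instead
    "proxy_service": {"enabled": True, "public_addr": "teleport.example.com:443",
                      "acme": {"enabled": True, "email": "admin@example.com"}},
}

if __name__ == "__main__":
    import sys
    cfg = load_config(sys.argv[1]) if len(sys.argv) > 1 else WEAK_CONFIG
    for severity, path, msg in lint(cfg):
        print(f"{severity:5} {path}: {msg}")
```

Run it with a path to a real teleport.yaml to lint that file, or with no arguments to see the seven findings the weak sample produces; the hardened sample produces none. Findings are returned as tuples rather than printed so the check can be dropped into a CI job that fails on any ERROR.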
ssh_service — SSH Access to Linux Servers
The SSH Service turns a node into an SSH bastion protected by Teleport RBAC and audit logging.
```yaml
ssh_service:
  enabled: true

  # Address on which the SSH Service listens.
  listen_addr: 0.0.0.0:3022

  # Labels attached to this node. Used in role label selectors.
  labels:
    env: production
    team: platform

  # Dynamic label commands: run a command and use its stdout as the
  # label value (re-evaluated on an interval). The command runs with the
  # Teleport process's privileges, and its output decides which roles can
  # reach this node, so keep it simple and deterministic.
  commands:
    - name: arch
      command: [uname, -m]
      period: 1h

  # Enhanced Session Recording (BPF-based; requires Linux 5.8+)
  enhanced_recording:
    enabled: false
    command_buffer_size: 8
    disk_buffer_size: 128
    network_buffer_size: 8
    cgroups_path: /cgroup2

  # PAM integration
  pam:
    enabled: false
    service_name: teleport
    use_pam_auth: false

  # Allow or deny port forwarding
  port_forwarding: true
```
kubernetes_service — Kubernetes API Proxy
The Kubernetes Service proxies kubectl and other Kubernetes API clients through Teleport, enforcing RBAC and recording API calls.
```yaml
kubernetes_service:
  enabled: true

  # Address on which the Kubernetes proxy listens.
  listen_addr: 0.0.0.0:3026

  # A human-readable name shown in `tsh kube ls`.
  kube_cluster_name: my-k8s-cluster

  # Labels for RBAC matching.
  labels:
    env: production
    cloud: aws

  # kubeconfig pointing at the target cluster.
  # Omit to use the in-cluster service account (when running inside k8s).
  kubeconfig_file: /etc/teleport/kubeconfig

  # Also serve dynamic kube_cluster resources (created with tctl or the API)
  # whose labels match these selectors. "*": "*" matches every one of them,
  # so scope this to the labels this agent should actually serve.
  resources:
    - labels:
        "*": "*"
```
db_service — Database Protocol Proxy
The Database Service proxies native database protocols (PostgreSQL wire, MySQL wire, MongoDB, etc.), enforces RBAC on which database users and databases a Teleport user may connect as, and records the queries sent over each session in the audit log.
```yaml
db_service:
  enabled: true

  # Address on which the Database Service listens.
  listen_addr: 0.0.0.0:3036

  # Statically registered databases. Each entry registers one database.
  databases:
    - name: my-postgres
      description: "Production PostgreSQL"
      protocol: postgres
      uri: postgres.internal:5432
      # For RDS, provide the AWS region; Teleport uses IAM auth automatically.
      aws:
        region: us-east-1
        rds:
          instance_id: my-rds-instance
      labels:
        env: production
    - name: my-mysql
      description: "Staging MySQL"
      protocol: mysql
      uri: mysql.internal:3306
      labels:
        env: staging

  # Also serve dynamic db resources (created with tctl or the API) whose
  # labels match these selectors. Cloud auto-discovery of RDS, Redshift or
  # GCP instances is configured separately, not through this matcher.
  resources:
    - labels:
        "teleport.dev/db": "true"
```
app_service — HTTP and TCP Application Proxy
The Application Service proxies HTTP and TCP applications, applying Teleport JWT authentication and RBAC in front of any internal tool.