
Teleport Enterprise Cloud is the fastest path to a production-grade Teleport cluster. The Teleport team manages the Auth Service, Proxy Service, TLS certificates, and cluster upgrades. You provide your infrastructure — servers, Kubernetes clusters, databases — and Teleport handles the rest. Each cloud account gets a dedicated tenant with a unique subdomain, for example yourorg.teleport.sh. The 14-day free trial includes all Enterprise features with no credit card required.
During sign-up, Teleport generates recovery codes for your account. Store these in a secure offline location immediately. If you lose access to your MFA device without recovery codes, you will need to create an entirely new account — there is no other recovery path.

Step 1: Sign up for Teleport Enterprise Cloud

  1. Open goteleport.com/signup in your browser.
  2. Enter your work email address and follow the prompts to create your account.
  3. Teleport automatically provisions your cluster. When setup completes, you will be redirected to your Teleport Web UI at https://yourorg.teleport.sh.
The sign-up flow creates your first local Teleport user with three preset roles:
Role     Permissions
-------  --------------------------------------------
editor   Perform administrative tasks in your cluster
access   Connect to any Teleport-protected resource
auditor  View audit events and session recordings
Treat this account as an administrative fallback identity. Once you have configured SSO and custom roles, day-to-day access should use least-privilege identities tied to your identity provider.

Step 2: Create a backup local user

Having more than one local administrator prevents lockout if your primary account’s MFA device is lost.
  1. Download tctl from goteleport.com/download/client-tools, selecting CLI Client Tools for your platform.
  2. Log in from the command line (replace yourorg.teleport.sh with your actual cluster address):
tsh login --proxy=yourorg.teleport.sh --user=teleport-admin
  3. Create the backup user:
tctl users add teleport-admin-backup \
  --roles=editor,access,auditor \
  --logins=root,ubuntu,ec2-user
The command prints a one-time setup URL:
User "teleport-admin-backup" has been created but requires a password.
Share this URL with the user to complete user setup, link is valid for 1h:
https://yourorg.teleport.sh:443/web/invite/123abc456def789ghi123abc456def78
  4. Open the URL in your browser to set a password and enroll an MFA device for the backup account.

Step 3: Install the tsh client on your workstation

tsh is the Teleport CLI client. You use it to authenticate, open SSH sessions, connect to databases, and manage Kubernetes clusters.
brew install teleport
Verify the installation:
tsh version

Step 4: Log in to your Teleport cluster

Authenticate against your cloud tenant. Replace yourorg.teleport.sh with your actual cluster address:
tsh login --proxy=yourorg.teleport.sh --user=teleport-admin
After completing MFA, tsh outputs your certificate details:
> Profile URL:        https://yourorg.teleport.sh:443
  Logged in as:       teleport-admin
  Cluster:            yourorg.teleport.sh
  Roles:              access, auditor, editor
  Logins:             root, ubuntu, ec2-user
  Kubernetes:         enabled
  Valid until:        2024-06-01 09:00:00 -0000 UTC [valid for 12h0m0s]
  Extensions:         permit-agent-forwarding, permit-port-forwarding, permit-pty
Your short-lived certificate is now cached locally and will be used automatically for all subsequent tsh commands until it expires.
Run tsh status at any time to check which cluster you are logged in to and how long your certificate remains valid.
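As an added example (not part of the Teleport docs), a small pre-flight check that parses the profile summary shown above, assuming tsh status prints the same fields as tsh login, and refuses to proceed when the cached certificate has less than a chosen margin of validity left or the expected role is missing:

```shell
#!/bin/sh
# Added example, not from the Teleport docs: parse the profile summary tsh prints
# (the format shown above; tsh status is assumed to print the same fields) and
# refuse to run further commands when the cached certificate is nearly expired.

# Constructed sample, copied from the login output above.
SAMPLE_STATUS='> Profile URL:        https://yourorg.teleport.sh:443
  Logged in as:       teleport-admin
  Cluster:            yourorg.teleport.sh
  Roles:              access, auditor, editor
  Logins:             root, ubuntu, ec2-user
  Kubernetes:         enabled
  Valid until:        2024-06-01 09:00:00 -0000 UTC [valid for 12h0m0s]
  Extensions:         permit-agent-forwarding, permit-port-forwarding, permit-pty'

# status_field KEY TEXT: print the value of the "KEY: value" line in TEXT.
status_field() {
  printf '%s\n' "$2" | sed -n "s/^[> ]*$1:[[:space:]]*//p" | head -n 1
}

# duration_to_seconds 12h0m0s: convert the Go-style duration tsh prints to seconds.
duration_to_seconds() {
  expr_str=$(printf '%s' "$1" | sed -e 's/h/*3600+/' -e 's/m/*60+/' -e 's/s$//' -e 's/+$//')
  echo $(( $expr_str ))
}

# has_role TEXT ROLE: succeed when ROLE is listed on the Roles line.
has_role() {
  status_field Roles "$1" | tr ',' '\n' | tr -d ' ' | grep -qx "$2"
}

# session_ok TEXT [MIN_SECONDS]: succeed when the certificate is still valid
# for at least MIN_SECONDS (default 600), based on the "[valid for ...]" field.
session_ok() {
  min_seconds=${2:-600}
  remaining=$(status_field 'Valid until' "$1" | sed -n 's/.*\[valid for \([0-9hms]*\)\].*/\1/p')
  [ -n "$remaining" ] || return 1           # not logged in or unexpected format
  [ "$(duration_to_seconds "$remaining")" -ge "$min_seconds" ]
}

# Stand-alone demo on the constructed sample. Against a live cluster you would run:
#   session_ok "$(tsh status)" 600 || tsh login --proxy=yourorg.teleport.sh --user=teleport-admin
if session_ok "$SAMPLE_STATUS" 600 && has_role "$SAMPLE_STATUS" editor; then
  echo "session usable: $(status_field 'Logged in as' "$SAMPLE_STATUS") has editor"
fi
```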

Step 5: Enroll your first Linux server

Teleport provides an automated installation script that installs the Teleport SSH agent and joins it to your cluster. From the Teleport Web UI:
  1. In the left sidebar, click Enroll New Resource (or Add New Resource).
  2. Select Ubuntu (or your Linux distribution) from the resource type list.
  3. Optionally add labels such as env: staging or team: platform for use in role-based access policies later.
  4. Copy the install script that Teleport generates and run it on your target server:
# Example — the actual script and token are generated by the Web UI for your cluster
sudo bash -c "$(curl -fsSL https://yourorg.teleport.sh/scripts/install-node.sh)"
  5. Wait for the “Agent detected” confirmation in the Web UI, then click Finish.
Your server now appears in the Resources view.
The install script downloads the Teleport binary, writes a minimal teleport.yaml configuration pointing at your cloud tenant, and starts the teleport systemd service. The server connects outbound to your Proxy Service over port 443 — no inbound firewall rules are needed on the server.

Step 6: SSH into your server with tsh

List the servers registered in your cluster:
tsh ls
Node Name        Address        Labels
---------------- -------------- ---------------------
my-ubuntu-server 10.0.1.5:3022  env=staging,os=ubuntu
Connect via SSH using the node name, or list nodes matching a label first and then connect:
# Connect by node name
tsh ssh ubuntu@my-ubuntu-server

# List nodes matching a label, then connect to one
tsh ls --labels env=staging
tsh ssh ubuntu@my-ubuntu-server
To open an interactive session in the Teleport Web UI instead, navigate to Resources, find your server, and click Connect.
You can also use Teleport as a transparent proxy for standard ssh commands. Run tsh config and follow the instructions to add a Host block to your ~/.ssh/config file.

What’s next?

Now that your cluster is running and your first server is enrolled, explore what else Teleport can protect:

Enroll a Kubernetes cluster

Connect kubectl to EKS, GKE, AKS, or self-hosted Kubernetes with RBAC and full API-level audit logging.

Enroll a database

Add PostgreSQL, MySQL, MongoDB, or another supported database and enforce role-based access with query-level audit logs.

Set up SSO

Connect Teleport to Okta, GitHub, Microsoft Entra ID, or another SAML/OIDC provider so your team can log in with existing credentials.

Configure RBAC

Create custom roles that enforce least-privilege access across servers, databases, and Kubernetes clusters.
