
Teleport reads its configuration from a YAML file, typically located at /etc/teleport.yaml. This file controls which services the process runs, how they communicate, and where state is stored. Every setting that can appear in teleport.yaml can also be overridden by an environment variable of the form TELEPORT_<SECTION>_<KEY> — for example, the auth service’s listen address becomes TELEPORT_AUTH_SERVICE_LISTEN_ADDR. When you run multiple services on the same machine (the most common production pattern), each service section is enabled under the same configuration file and Teleport starts them all in a single process.
After editing teleport.yaml, restart the teleport service (sudo systemctl restart teleport) for changes to take effect.

Top-level structure

```yaml
# /etc/teleport.yaml
teleport:         # global node settings
  nodename: ...

auth_service:     # Auth Service (cluster control plane)
  enabled: true

proxy_service:    # Proxy Service (public-facing gateway)
  enabled: true

ssh_service:      # SSH Service (Linux server access)
  enabled: true

kubernetes_service:  # Kubernetes Service
  enabled: false

db_service:       # Database Service
  enabled: false

app_service:      # Application Service
  enabled: false

windows_desktop_service:   # Windows Desktop Service
  enabled: false
```

teleport section

The teleport block configures node-wide identity and storage.
| Field | Type | Default | Description |
|---|---|---|---|
| nodename | string | system hostname | Unique name for this Teleport instance in the cluster. |
| data_dir | string | /var/lib/teleport | Directory for persistent state, certificates, and SQLite cache. |
| pid_file | string | (none) | Path to write the process PID file. |
| advertise_ip | string | (auto-detected) | Public IP address announced to other cluster members. |
| auth_token | string | (none) | Static token used to join a cluster (prefer join_params). |
| join_params.token_name | string | (none) | Name of a provisioning token for joining. |
| join_params.method | string | token | Join method: token, iam, ec2, github, gcp, azure, kubernetes. |
| log.output | string | stderr | Log destination: stderr, stdout, or a file path. |
| log.severity | string | INFO | Log level: DEBUG, INFO, WARN, ERROR. |
| log.format.output | string | text | Log format: text or json. |
| ca_pin | string | (none) | SHA-256 fingerprint of the cluster CA, used for first-time join. |
| diag_addr | string | (none) | Address for the /healthz and /readyz diagnostic endpoints. |

```yaml
teleport:
  nodename: node-01
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: json
  join_params:
    token_name: my-join-token
    method: token
  diag_addr: "0.0.0.0:3000"
```

auth_service section

The Auth Service is the cluster certificate authority and the single source of truth for all access decisions.
| Field | Type | Default | Description |
|---|---|---|---|
| enabled | bool | false | Enable the Auth Service on this node. |
| listen_addr | string | 0.0.0.0:3025 | Address the Auth Service binds on. |
| cluster_name | string | (required) | Unique cluster name; cannot be changed after initial setup. |
| tokens | list | [] | Static join tokens (format: "role:token_value"). Prefer dynamic tokens. |
| authentication.type | string | local | Authentication backend: local, github, oidc, saml. |
| authentication.second_factor | string | otp | Second factor: off, otp, webauthn, on (best available). |
| authentication.webauthn.rp_id | string | (proxy domain) | WebAuthn relying party ID (typically your proxy domain). |
| authentication.require_session_mfa | string | no | Cluster-wide per-session MFA: no, yes, hardware_key. |
| session_recording | string | node | Where sessions are recorded: node, proxy, off, node-sync, proxy-sync. |
| storage.type | string | dir | State backend: dir (SQLite), dynamodb, firestore, etcd. |
| storage.region | string | (AWS region) | Region for DynamoDB or Firestore. |
| storage.table_name | string | (none) | DynamoDB table name. |
| audit_events_uri | list | [] | Destinations for audit events (e.g., dynamodb://table, s3://bucket, file:///path). |
| audit_sessions_uri | string | (none) | S3/GCS URI for session recordings. |
| client_idle_timeout | duration | never | Disconnect idle clients. |
| disconnect_expired_cert | bool | false | Disconnect sessions when the client certificate expires. |

```yaml
auth_service:
  enabled: true
  listen_addr: 0.0.0.0:3025
  cluster_name: example.teleport.sh
  authentication:
    type: local
    second_factor: webauthn
    webauthn:
      rp_id: example.teleport.sh
  session_recording: node
  storage:
    type: dynamodb
    region: us-east-1
    table_name: teleport-state
  audit_events_uri:
    - dynamodb://teleport-events
    - s3://my-audit-bucket/events
  audit_sessions_uri: s3://my-audit-bucket/recordings
```

proxy_service section

The Proxy Service is the public-facing gateway that routes traffic to the Auth Service, SSH nodes, Kubernetes clusters, databases, and applications.
| Field | Type | Default | Description |
|---|---|---|---|
| enabled | bool | false | Enable the Proxy Service. |
| listen_addr | string | 0.0.0.0:3023 | Address for SSH proxy connections. |
| web_listen_addr | string | 0.0.0.0:3080 | Address for the Web UI and HTTPS API. |
| tunnel_listen_addr | string | 0.0.0.0:3024 | Reverse tunnel listener for agents. |
| public_addr | string | (none) | Publicly reachable address (host:port). Used in issued certificates. |
| https_keypairs | list | [] | TLS certificate/key pairs for the Web UI. |
| acme.enabled | bool | false | Obtain Let’s Encrypt certificates automatically. |
| acme.email | string | (none) | Email for Let’s Encrypt ACME registration. |
| kube_listen_addr | string | 0.0.0.0:3026 | Address for Kubernetes proxy connections. |
| mysql_listen_addr | string | 0.0.0.0:3036 | Address for MySQL database proxy. |
| postgres_listen_addr | string | (none) | Override address for PostgreSQL proxy (default shares web port). |
| trusted_cluster_token | string | (none) | Token for connecting leaf clusters. |

```yaml
proxy_service:
  enabled: true
  public_addr: example.teleport.sh:443
  listen_addr: 0.0.0.0:3023
  web_listen_addr: 0.0.0.0:443
  tunnel_listen_addr: 0.0.0.0:3024
  acme:
    enabled: true
    email: ops@example.com
```

ssh_service section

The SSH Service turns the node into a Teleport-managed SSH server.
| Field | Type | Default | Description |
|---|---|---|---|
| enabled | bool | false | Enable the SSH Service. |
| listen_addr | string | 0.0.0.0:3022 | Address for inbound SSH connections. |
| labels | map | {} | Static labels applied to this node. Used for RBAC. |
| commands | list | [] | Shell commands whose output becomes dynamic labels. |
| permit_user_env | bool | false | Allow users to pass environment variables through SSH. |
| pam.enabled | bool | false | Enable PAM integration for session creation. |
| pam.service_name | string | sshd | PAM service name. |
| enhanced_recording.enabled | bool | false | Enable BPF-based enhanced session recording. |

```yaml
ssh_service:
  enabled: true
  listen_addr: 0.0.0.0:3022
  labels:
    env: production
    team: platform
  commands:
    - name: arch
      command: [uname, -p]
      period: 1h
  enhanced_recording:
    enabled: true
```

kubernetes_service section

The Kubernetes Service proxies access to Kubernetes API servers.
| Field | Type | Default | Description |
|---|---|---|---|
| enabled | bool | false | Enable the Kubernetes Service. |
| listen_addr | string | 0.0.0.0:3026 | Address to listen for Kubernetes API connections. |
| kubeconfig_file | string | (in-cluster) | Path to a kubeconfig granting access to Kubernetes clusters. |
| kube_cluster_name | string | (none) | Name of the in-cluster Kubernetes cluster to register. |
| labels | map | {} | Labels applied to the Kubernetes cluster resource. |
| resources | list | [] | Dynamic clusters discovered via label selectors. |

```yaml
kubernetes_service:
  enabled: true
  kube_cluster_name: my-eks-cluster
  labels:
    env: production
    cloud: aws
```

db_service section

The Database Service proxies connections to databases (PostgreSQL, MySQL, MongoDB, and more).
| Field | Type | Default | Description |
|---|---|---|---|
| enabled | bool | false | Enable the Database Service. |
| databases | list | [] | Statically enrolled databases. |
| databases[*].name | string | (required) | Unique resource name of the database. |
| databases[*].protocol | string | (required) | Protocol: postgres, mysql, mongodb, sqlserver, redis, etc. |
| databases[*].uri | string | (required) | Connection endpoint (host:port). |
| databases[*].description | string | (none) | Human-readable description. |
| databases[*].labels | map | {} | Labels for RBAC matching. |
| databases[*].tls.mode | string | verify-full | TLS mode: verify-full, verify-ca, insecure. |
| databases[*].aws.region | string | (none) | AWS region for IAM-authenticated RDS/Aurora databases. |

```yaml
db_service:
  enabled: true
  databases:
    - name: prod-postgres
      description: "Production PostgreSQL"
      protocol: postgres
      uri: "pg.internal:5432"
      labels:
        env: production
    - name: analytics-mysql
      protocol: mysql
      uri: "mysql.internal:3306"
      labels:
        env: production
        team: data
```

app_service section

The Application Service exposes web applications and cloud provider APIs through Teleport.
| Field | Type | Default | Description |
|---|---|---|---|
| enabled | bool | false | Enable the Application Service. |
| apps | list | [] | Statically enrolled applications. |
| apps[*].name | string | (required) | Unique application name (used in the URL). |
| apps[*].uri | string | (required) | Internal URL of the application. |
| apps[*].public_addr | string | (none) | Custom public address, otherwise <name>.<proxy_addr>. |
| apps[*].description | string | (none) | Human-readable description. |
| apps[*].labels | map | {} | Labels for RBAC matching. |
| apps[*].insecure_skip_verify | bool | false | Skip TLS certificate verification for the upstream app. |
| apps[*].rewrite.headers | list | [] | HTTP headers to inject or rewrite. |
| apps[*].cloud | string | (none) | Cloud API proxy: AWS, GCP, Azure. |

```yaml
app_service:
  enabled: true
  apps:
    - name: grafana
      uri: "http://localhost:3000"
      description: "Internal Grafana"
      labels:
        env: production
    - name: jenkins
      uri: "https://jenkins.internal:8443"
      insecure_skip_verify: true   # disables upstream TLS certificate verification
      labels:
        env: production
```

windows_desktop_service section

The Windows Desktop Service provides browser-based RDP access to Windows machines.
| Field | Type | Default | Description |
|---|---|---|---|
| enabled | bool | false | Enable the Windows Desktop Service. |
| listen_addr | string | 0.0.0.0:3028 | Address for desktop proxy connections. |
| ldap.addr | string | (none) | Active Directory LDAP address (host:port). |
| ldap.username | string | (none) | Service account UPN for LDAP bind. |
| ldap.domain | string | (none) | Active Directory domain. |
| ldap.insecure_skip_verify | bool | false | Skip LDAP TLS verification (development only). |
| discovery.base_dn | string | (none) | Base DN for AD computer object discovery. |
| discovery.filters | list | [] | LDAP filters for computer object discovery. |
| hosts | list | [] | Statically configured Windows hosts. |
| hosts[*].name | string | (required) | Unique resource name. |
| hosts[*].addr | string | (required) | IP or hostname of the Windows machine. |
| labels | map | {} | Labels applied to all desktops registered by this service. |

```yaml
windows_desktop_service:
  enabled: true
  ldap:
    addr: "dc.example.com:636"
    username: "svc-teleport@example.com"
    domain: example.com
  discovery:
    base_dn: "CN=Computers,DC=example,DC=com"
  labels:
    env: production
```

Complete multi-service example

The following is a complete, working teleport.yaml that runs the Auth Service, Proxy Service, SSH Service, and Database Service on the same host:
```yaml
# /etc/teleport.yaml
teleport:
  nodename: teleport-all-in-one
  data_dir: /var/lib/teleport
  log:
    output: /var/log/teleport.log
    severity: INFO
    format:
      output: json
  diag_addr: "0.0.0.0:3000"

auth_service:
  enabled: true
  listen_addr: 0.0.0.0:3025
  cluster_name: example.teleport.sh
  authentication:
    type: local
    second_factor: webauthn
    webauthn:
      rp_id: example.teleport.sh
  session_recording: node
  storage:
    type: dir                      # use SQLite for small clusters
  audit_events_uri:
    - file:///var/lib/teleport/audit/events

proxy_service:
  enabled: true
  public_addr: example.teleport.sh:443
  web_listen_addr: 0.0.0.0:443
  listen_addr: 0.0.0.0:3023
  tunnel_listen_addr: 0.0.0.0:3024
  acme:
    enabled: true
    email: ops@example.com

ssh_service:
  enabled: true
  listen_addr: 0.0.0.0:3022
  labels:
    env: production
    role: controller

db_service:
  enabled: true
  databases:
    - name: pg-prod
      protocol: postgres
      uri: "pg.internal:5432"
      labels:
        env: production

app_service:
  enabled: false

kubernetes_service:
  enabled: false

windows_desktop_service:
  enabled: false
```
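The field tables above single out a handful of settings that weaken a deployment: a static auth_token or auth_service.tokens instead of join_params and dynamic tokens, second_factor set to off, session_recording set to off, permit_user_env, a database tls.mode of insecure, an app with insecure_skip_verify, and ldap.insecure_skip_verify (development only). The following script is an added example, not part of Teleport or its documentation: it reviews a parsed teleport.yaml for exactly those settings, so it can run as a pre-deploy check in CI. It assumes PyYAML is installed for load_config(); the checks themselves operate on the plain dict that yaml.safe_load() returns, and the sample configuration is constructed for the example.

```python
"""Static review of a teleport.yaml for the weak settings called out in the
field tables (static join tokens, second factor off, recording off,
permit_user_env, insecure TLS modes, insecure_skip_verify).

Added example for this page; it is not part of Teleport. load_config() assumes
PyYAML is installed; the checks only need the dict that yaml.safe_load() returns.
"""
from typing import Any


def load_config(path: str) -> dict:
    """Parse a teleport.yaml file (requires PyYAML, assumed available)."""
    import yaml  # PyYAML
    with open(path, "r", encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


def _get(node: Any, *path: str, default: Any = None) -> Any:
    """Walk nested mapping keys; return default when any level is missing."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit_config(cfg: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: list[str] = []

    # Join material: the tables prefer join_params / dynamic tokens over
    # static tokens that live in the file.
    if "auth_token" in (_get(cfg, "teleport", default={}) or {}):
        findings.append("teleport.auth_token: static join token in the config file; prefer join_params")

    auth = _get(cfg, "auth_service", default={}) or {}
    if auth.get("enabled"):
        if auth.get("tokens"):
            findings.append("auth_service.tokens: static join tokens configured; prefer dynamic tokens")
        if _get(auth, "authentication", "second_factor", default="otp") == "off":
            findings.append("auth_service.authentication.second_factor: off")
        if auth.get("session_recording", "node") == "off":
            findings.append("auth_service.session_recording: off")

    ssh = _get(cfg, "ssh_service", default={}) or {}
    if ssh.get("enabled") and ssh.get("permit_user_env"):
        findings.append("ssh_service.permit_user_env: true (users can pass environment variables)")

    for db in _get(cfg, "db_service", "databases", default=[]) or []:
        if _get(db, "tls", "mode", default="verify-full") == "insecure":
            findings.append(f"db_service.databases[{db.get('name')}].tls.mode: insecure")

    for app in _get(cfg, "app_service", "apps", default=[]) or []:
        if app.get("insecure_skip_verify"):
            findings.append(f"app_service.apps[{app.get('name')}].insecure_skip_verify: true")

    if _get(cfg, "windows_desktop_service", "ldap", "insecure_skip_verify"):
        findings.append("windows_desktop_service.ldap.insecure_skip_verify: true (development only)")

    return findings


# Constructed sample: the page's app_service and windows_desktop_service
# examples, plus a static auth_token, so that several checks fire.
SAMPLE_CONFIG: dict = {
    "teleport": {"nodename": "node-01", "auth_token": "placeholder-static-token"},
    "auth_service": {"enabled": True, "authentication": {"second_factor": "webauthn"}},
    "app_service": {
        "enabled": True,
        "apps": [
            {"name": "grafana", "uri": "http://localhost:3000"},
            {"name": "jenkins", "uri": "https://jenkins.internal:8443", "insecure_skip_verify": True},
        ],
    },
    "windows_desktop_service": {
        "enabled": True,
        "ldap": {"addr": "dc.example.com:636", "insecure_skip_verify": True},
    },
}

if __name__ == "__main__":
    # Usage against a real file: audit_config(load_config("/etc/teleport.yaml"))
    for line in audit_config(SAMPLE_CONFIG):
        print("WARN", line)
```

Checks are skipped for services that are not enabled, since a disabled section never takes effect, and the finding text names the YAML path so the reader can locate the setting in the tables above.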

Environment variable overrides

Every configuration field can be overridden with an environment variable using the pattern TELEPORT_<SECTION>_<FIELD> (uppercase, underscores). This is useful for secrets in containerised deployments:
```bash
# Override the auth token without storing it in the config file
export TELEPORT_AUTH_TOKEN=my-secret-token

# Override log level
export TELEPORT_LOG_SEVERITY=DEBUG

# Override the data directory
export TELEPORT_DATA_DIR=/mnt/data/teleport
```

In Kubernetes, store sensitive values in Secrets and mount them as environment variables rather than baking them into the teleport.yaml ConfigMap.
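To see what a container will actually run with, it helps to compute the effective configuration (file values plus environment overrides) and print it with secrets masked. The script below is an added example and is not Teleport's configuration loader; it models the naming rule as this page states it, namely that fields under the top-level teleport block drop the section name (teleport.log.severity becomes TELEPORT_LOG_SEVERITY) while every other section keeps it (auth_service.listen_addr becomes TELEPORT_AUTH_SERVICE_LISTEN_ADDR). The list of overridable fields, the set of secret fields, and the sample file and environment are this example's own constructed choices, and environment values are applied as strings.

```python
"""Model of the TELEPORT_<SECTION>_<FIELD> precedence rule described above.

Added example; not Teleport's own loader. Assumes the naming rule as stated on
this page and applies environment values as strings.
"""
import copy
from typing import Mapping

# Leaf fields this model knows how to override (a subset of the tables above).
OVERRIDABLE_FIELDS: tuple[tuple[str, ...], ...] = (
    ("teleport", "nodename"),
    ("teleport", "data_dir"),
    ("teleport", "auth_token"),
    ("teleport", "log", "severity"),
    ("auth_service", "listen_addr"),
    ("auth_service", "cluster_name"),
    ("proxy_service", "public_addr"),
    ("ssh_service", "listen_addr"),
)

# Fields that must never reach logs or diagnostics in clear text.
SECRET_FIELDS = frozenset({("teleport", "auth_token")})


def env_var_name(path: tuple[str, ...]) -> str:
    """Map a config path to its override variable name under the page's rule."""
    parts = path[1:] if path[0] == "teleport" else path
    return "TELEPORT_" + "_".join(part.upper() for part in parts)


def apply_env_overrides(cfg: dict, environ: Mapping[str, str]) -> dict:
    """Return the effective config: file values with env overrides applied.

    The input dict is left untouched, so the on-disk view and the runtime view
    can be compared side by side (useful in a CI check).
    """
    effective = copy.deepcopy(cfg)
    for path in OVERRIDABLE_FIELDS:
        value = environ.get(env_var_name(path))
        if value is None:
            continue
        node = effective
        for key in path[:-1]:
            node = node.setdefault(key, {})
        node[path[-1]] = value
    return effective


def redacted(cfg: dict) -> dict:
    """Copy of cfg with secret fields masked, safe to print or ship to logs."""
    out = copy.deepcopy(cfg)
    for path in SECRET_FIELDS:
        node = out
        for key in path[:-1]:
            node = node.get(key, {}) if isinstance(node, dict) else {}
        if isinstance(node, dict) and path[-1] in node:
            node[path[-1]] = "***"
    return out


# Constructed sample: a config file that holds no secret, plus the environment
# of a container that injects the join token from a Secret and raises the log level.
FILE_CONFIG: dict = {
    "teleport": {"nodename": "node-01", "log": {"severity": "INFO"}},
    "auth_service": {"enabled": False},
    "ssh_service": {"enabled": True, "listen_addr": "0.0.0.0:3022"},
}
CONTAINER_ENV: dict = {
    "TELEPORT_AUTH_TOKEN": "placeholder-from-k8s-secret",
    "TELEPORT_LOG_SEVERITY": "DEBUG",
    "TELEPORT_DATA_DIR": "/mnt/data/teleport",
}

if __name__ == "__main__":
    # In a real check, pass os.environ instead of CONTAINER_ENV.
    print(redacted(apply_env_overrides(FILE_CONFIG, CONTAINER_ENV)))
```

Resolving from the known field list towards the variable name, rather than splitting variable names on underscores, avoids ambiguity between section names and field names that themselves contain underscores, and keeping redaction separate from override application means the secret is present at runtime but never in anything that gets printed.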
