
tsh is the user-facing CLI client for Teleport. It lets you authenticate to a Teleport cluster and interact with all protected infrastructure: SSH nodes, Kubernetes clusters, databases, and web applications — all using short-lived certificates.
tsh [<flags>] <command> [<args> ...]
tsh communicates through the Teleport Proxy Service. Make sure you have network access to the proxy address before running any tsh commands.

Global Flags

These flags apply to every tsh subcommand.
| Flag | Default | Description |
|---|---|---|
| `--proxy` | no default | Teleport proxy address. |
| `--user` | no default | Teleport user; defaults to the current local user. |
| `--auth` | no default | Name of the authentication connector to use. |
| `--ttl` | no default | Minutes to live for a session. |
| `-i, --identity` | no default | Identity file. |
| `-l, --login` | no default | Remote host login. |
| `-k, --add-keys-to-agent` | auto | Controls how keys are handled. Valid values: auto, no, yes, only. |
| `--mfa-mode` | auto | Preferred mode for MFA and passwordless assertions: auto, cross-platform, platform, otp, sso, browser. |
| `--mlock` | auto | Whether process memory is locked and whether failure to do so is accepted: off, auto, best_effort, strict. |
| `--piv-slot` | no default | PIV slot key to use for Hardware Key support instead of the default, e.g. "9d". |
| `--relay` | no default | Teleport relay address; "none" explicitly disables relay use, "default" uses the cluster-provided address. |
| `--callback` | no default | Override the base URL (host:port) shown when opening a browser for cluster logins. Must be used with --bind-addr. |
| `--bind-addr` | no default | Override the host:port used when opening a browser for cluster logins. |
| `--cert-format` | no default | SSH certificate format. |
| `-J, --jumphost` | no default | SSH jumphost. |
| `-d, --[no-]debug` | false | Verbose logging to stdout. |
| `--[no-]enable-escape-sequences` | true | Enable support for SSH escape sequences. Type ~? during an SSH session to list supported sequences. |
| `--[no-]headless` | false | Use headless login (shorthand for --auth=headless). |
| `--[no-]insecure` | false | Do not verify the server certificate. This removes the protection against a spoofed or intercepting proxy, so use it only in test environments. |
| `--[no-]os-log` | false | Verbose logging to the unified logging system. Implies --debug. |
| `--[no-]skip-version-check` | false | Skip version checking between client and server. |

Global Environment Variables

| Variable | Default | Description |
|---|---|---|
| `TELEPORT_ADD_KEYS_TO_AGENT` | auto | Controls how keys are handled. Valid values: auto, no, yes, only. |
| `TELEPORT_AUTH` | no default | Name of the authentication connector to use. |
| `TELEPORT_CLUSTER` | no default | Name of a Teleport root or leaf cluster. |
| `TELEPORT_GLOBAL_TSH_CONFIG` | no default | Override the location of the global tsh config file (default /etc/tsh.yaml). |
| `TELEPORT_HEADLESS` | false | Use headless login. Shorthand for --auth=headless. |
| `TELEPORT_HOME` | no default | Home location for tsh configuration and data. |
| `TELEPORT_IDENTITY_FILE` | no default | Identity file. |
| `TELEPORT_LOGIN` | no default | Remote host login. |
| `TELEPORT_LOGIN_BIND_ADDR` | no default | Override the host:port used when opening a browser for cluster logins. |
| `TELEPORT_MFA_MODE` | auto | Preferred mode for MFA and passwordless assertions. |
| `TELEPORT_MLOCK_MODE` | auto | Whether process memory is locked and whether failure to do so is accepted. |
| `TELEPORT_PIV_SLOT` | no default | PIV slot key to use for Hardware Key support instead of the default. |
| `TELEPORT_PROXY` | no default | Teleport proxy address. |
| `TELEPORT_RELAY` | no default | Teleport relay address. |
| `TELEPORT_USER` | no default | Teleport user. |

Auth Commands

tsh login

Log in to a Teleport cluster and retrieve a session certificate.
tsh login [<flags>] [<cluster>]
| Flag | Default | Description |
|---|---|---|
| `-o, --out` | no default | Identity output path. |
| `-f, --format` | file | Identity format: file, openssh, kubernetes. |
| `--kube-cluster` | no default | Name of the Kubernetes cluster to log in to. |
| `--request-roles` | no default | Request one or more extra roles. |
| `--request-reason` | no default | Reason for requesting additional roles. |
| `--request-reviewers` | no default | Suggested reviewers for the role request. |
| `--request-id` | no default | Log in with roles from a given request ID. |
| `--[no-]request-nowait` | false | Finish without waiting for request resolution. |
| `--[no-]overwrite` | false | Whether to overwrite the existing identity file. |
| `--scope` | no default | Pins credentials to a given scope. Use "" to explicitly remove scoping. |
| `--browser` | no default | Set to none to suppress browser opening on login. |
| `-v, --[no-]verbose` | false | Show extra status information. |
Example:
# Log in to a cluster
tsh login --proxy=teleport.example.com

# Log in and write an identity file (it holds your private key and certificates; protect it like an SSH private key)
tsh login --proxy=teleport.example.com --out=/tmp/identity

# Log in to a leaf cluster
tsh login --proxy=teleport.example.com leaf-cluster
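The identity-file pattern is what unattended jobs (CI runners, cron) use instead of an interactive profile. The script below is an added example, not code from the Teleport docs or project: it issues a short-TTL identity with the browser suppressed, then wraps `tsh -i` in a check that refuses to use the file if anyone but its owner can read it. The proxy address is a placeholder, the `TSH` variable exists only so the logic can be exercised against a stub without a cluster, and the need to pass `--proxy` alongside `-i` is an assumption (an identity file does not record the proxy address).

```shell
#!/bin/sh
# Added example, not code from the Teleport docs: issue a short-lived identity
# file for unattended use and refuse to use it unless only its owner can read it.
# Assumptions (placeholders, not from the page): the proxy address below, the
# TSH variable that lets a test substitute a stub for the real binary, and that
# `tsh -i` needs --proxy because an identity file does not record the proxy.

TSH="${TSH:-tsh}"
PROXY="${PROXY:-teleport.example.com}"

# Return 0 only if $1 is a regular file with no group/other permission bits.
# Parsing `ls -l` keeps this portable between GNU and BSD stat.
identity_is_private() {
  f="$1"
  [ -f "$f" ] || return 1
  mode=$(ls -ld "$f" | cut -c1-10)
  case "$mode" in
    -???------) return 0 ;;   # type, owner rwx (any), group ---, other ---
    *)          return 1 ;;
  esac
}

# Log in once and write the private key plus certificates to $1, valid for $2
# minutes (default 60). --browser=none keeps a headless host from trying to
# open a browser; umask 077 in a subshell makes the new file owner-only.
issue_identity() {
  out="$1"; ttl="${2:-60}"
  ( umask 077 && "$TSH" login --proxy="$PROXY" --ttl="$ttl" --browser=none \
      --out="$out" --overwrite )
}

# Run any tsh subcommand (ssh, scp, db, ...) with the identity in $1,
# but only after the permission check above passes.
tsh_with_identity() {
  ident="$1"; shift
  if ! identity_is_private "$ident"; then
    echo "refusing to use $ident: missing, or readable by group/other" >&2
    return 2
  fi
  "$TSH" --identity="$ident" --proxy="$PROXY" "$@"
}

# Usage:  sh ident.sh issue /path/to/id 30
#         sh ident.sh run   /path/to/id ssh alice@node uptime
case "${1:-}" in
  issue) issue_identity "$2" "${3:-60}" ;;
  run)   shift; id="$1"; shift; tsh_with_identity "$id" "$@" ;;
esac
```

The permission check is deliberately done by the wrapper rather than trusted to whatever created the file: an identity copied around by a deployment tool, or restored from a backup, easily ends up group- or world-readable, and at that point every command it authorises is available to anyone on the host.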

tsh logout

Delete the current cluster certificate.
tsh logout

tsh status

Display the list of proxy servers and retrieved certificates.
tsh status [<flags>]
| Flag | Default | Description |
|---|---|---|
| `-f, --format` | text | Output format: text, json, yaml. |
| `-v, --[no-]verbose` | false | Show extra status information after a successful login. |
| `--[no-]client` | false | Show client information only (no server required). |
Example:
tsh status

SSH Commands

tsh ssh

Run a shell or execute a command on a remote SSH node.
tsh ssh [<flags>] [<[user@]host>] [<command>...]
| Flag | Default | Description |
|---|---|---|
| `-p, --port` | no default | SSH port on the remote host. |
| `-A, --[no-]forward-agent` | false | Forward the SSH agent to the target node. While the session is open, the node can sign with any key in your agent, so enable this only for hosts you trust. |
| `-L, --forward` | no default | Forward localhost connections to the remote server. |
| `-R, --remote-forward` | no default | Forward remote connections to localhost. |
| `-D, --dynamic-forward` | no default | Forward via SOCKS5. |
| `-t, --[no-]tty` | false | Allocate a TTY. |
| `-N, --[no-]no-remote-exec` | false | Don't execute a remote command (useful for port forwarding). |
| `-f, --[no-]fork-after-authentication` | false | Run in the background after authentication is complete. |
| `-o, --option` | no default | OpenSSH options in the format used in the configuration file. |
| `--log-dir` | no default | Directory to log separated command output when executing on multiple nodes. |
| `-c, --cluster` | no default | Teleport cluster to connect to. |
| `--request-reason` | no default | Reason for requesting access. |
| `--request-mode` | resource | Type of automatic Access Request to make: off, resource, role. |
| `--[no-]disable-access-request` | false | Disable automatic resource Access Requests (DEPRECATED: use --request-mode=off). |
| `--[no-]local` | false | Execute the command on localhost after connecting to the SSH node. |
| `--[no-]no-resume` | false | Disable SSH connection resumption. |
| `--[no-]participant-req` | false | Display a verbose list of required participants in a moderated session. |
| `--[no-]relogin` | true | Permit an authentication attempt when a command fails. |
| `--reason` | no default | The purpose of the session. |
| `--invite` | no default | Comma-separated list of people to mark as invited for the session. |
| `-X, --[no-]x11-untrusted` | false | Request untrusted (secure) X11 forwarding for this session. |
| `-Y, --[no-]x11-trusted` | false | Request trusted (insecure) X11 forwarding for this session. |
| `--x11-untrusted-timeout` | 10m | Timeout for untrusted X11 forwarding. |
Example:
# Open an interactive shell
tsh ssh user@node.example.com

# Run a command
tsh ssh user@node.example.com -- ls -la /tmp

# SSH to a node in a specific cluster
tsh ssh --cluster=leaf-cluster user@node

tsh scp

Transfer files to or from a remote SSH node.
tsh scp [<flags>] <from, to>...
| Flag | Default | Description |
|---|---|---|
| `-r, --[no-]recursive` | false | Recursive copy of subdirectories. |
| `-P, --port` | no default | Port to connect to on the remote host. |
| `-p, --[no-]preserve` | false | Preserve access and modification times. |
| `-q, --[no-]quiet` | false | Quiet mode. |
| `--[no-]no-resume` | false | Disable SSH connection resumption. |
| `--[no-]relogin` | true | Permit an authentication attempt when a command fails. |
| `-c, --cluster` | no default | Teleport cluster to connect to. |
Example:
# Upload a file
tsh scp local-file.txt user@node:/remote/path/

# Download a file
tsh scp user@node:/remote/file.txt ./local-copy.txt

# Recursive copy
tsh scp -r ./local-dir user@node:/remote/dir

tsh ls

List remote SSH nodes accessible in the cluster.
tsh ls [<flags>] [<labels>]
| Flag | Default | Description |
|---|---|---|
| `-f, --format` | text | Output format: text, json, yaml, names. |
| `-c, --cluster` | no default | Teleport cluster to connect to. |
| `-R, --[no-]all` | false | List nodes from all clusters and proxies. |
| `--search` | no default | Comma-separated search keywords. |
| `--query` | no default | Predicate language query. |
| `-v, --[no-]verbose` | false | Show one-line output including node UUIDs. |
Example:
# List all nodes
tsh ls

# Filter by label
tsh ls env=production

# JSON output
tsh ls --format=json
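Combining `tsh ls` with `tsh ssh` is how you audit a fleet: enumerate the nodes that match a label or predicate query, run one read-only command on each, and record which hosts succeeded. The script below is an added example, not code from the Teleport docs or project. It assumes that `tsh ls --format=names` prints one hostname per line, that the predicate query shown (`labels["os"] == "linux"`) is illustrative, and that the `TSH` variable may be pointed at a stub so the logic runs without a cluster.

```shell
#!/bin/sh
# Added example, not code from the Teleport docs: pick SSH targets by label or
# predicate query with `tsh ls --format=names`, then run one read-only command
# on each node and tally results per host. Assumptions (not stated on the page):
# `--format=names` prints one hostname per line, and TSH can be pointed at a
# stub so the logic can be exercised without a cluster.

TSH="${TSH:-tsh}"

# Print matching hostnames. $1 is a label selector such as env=production, or
# empty; $2 is an optional predicate query such as 'labels["os"] == "linux"'.
list_targets() {
  selector="$1"; query="${2:-}"
  set -- ls --format=names
  [ -n "$query" ] && set -- "$@" --query="$query"
  [ -n "$selector" ] && set -- "$@" "$selector"
  "$TSH" "$@"
}

# Run "$@" as login $1 on every node matching selector $2 (query $3, may be '').
# Prints "<host> ok|failed" per node; returns 1 if any node failed. --no-relogin
# keeps an expired session from turning into an interactive login prompt
# halfway through an unattended run, and `--` stops tsh from treating the
# remote command's own flags as its own.
fleet_run() {
  login="$1"; selector="$2"; query="$3"; shift 3
  targets=$(list_targets "$selector" "$query") || return 1
  if [ -z "$targets" ]; then
    echo "no nodes match selector '$selector' query '$query'" >&2
    return 1
  fi
  failed=0
  for host in $targets; do
    if "$TSH" ssh --no-relogin "$login@$host" -- "$@" >/dev/null 2>&1; then
      echo "$host ok"
    else
      echo "$host failed"; failed=$((failed + 1))
    fi
  done
  [ "$failed" -eq 0 ]
}

# Usage: sh fleet.sh alice env=production '' grep -q PRETTY_NAME /etc/os-release
[ $# -eq 0 ] || fleet_run "$@"
```

Enumerating first and connecting second also gives you a target list to keep alongside the results, which is what an auditor will ask for; every connection still goes through the proxy and is recorded like any other `tsh ssh` session.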

Kubernetes Commands

tsh kube login

Log in to a Kubernetes cluster and update the local kubeconfig.
tsh kube login [<flags>] [<kube-cluster>]
| Flag | Default | Description |
|---|---|---|
| `-c, --cluster` | no default | Teleport cluster to connect to. |
| `-n, --namespace` | no default | Default Kubernetes namespace to configure. |
| `--as` | no default | Custom Kubernetes user to impersonate. |
| `--as-groups` | no default | Custom Kubernetes groups to impersonate. |
| `--labels` | no default | Filter by labels. |
| `--query` | no default | Filter by predicate language query. |
| `--[no-]all` | false | Generate kubeconfig entries for every accessible cluster. |
| `--[no-]disable-access-request` | false | Disable automatic resource Access Requests. |
| `--request-reason` | no default | Reason for requesting access. |
| `--set-context-name` | `{{.ClusterName}}-{{.KubeName}}` | Define a custom context name. |
Example:
# Log in to a specific Kubernetes cluster
tsh kube login my-k8s-cluster

# Log in and generate kubeconfig for all accessible clusters
tsh kube login --all

tsh kube ls

List Kubernetes clusters accessible in the Teleport cluster.
tsh kube ls [<flags>] [<labels>]
| Flag | Default | Description |
|---|---|---|
| `-f, --format` | text | Output format: text, json, yaml. |
| `-c, --cluster` | no default | Teleport cluster. |
| `-R, --[no-]all` | false | List from all clusters and proxies. |
| `-q, --[no-]quiet` | false | Quiet mode. |
| `--search` | no default | Search keywords. |
| `--query` | no default | Predicate language query. |
| `-v, --[no-]verbose` | false | Show an untruncated list of labels. |
Example:
tsh kube ls
tsh kube ls --format=json

tsh kube exec

Execute a command in a Kubernetes pod.
tsh kube exec [<flags>] <target> <command>...
| Flag | Default | Description |
|---|---|---|
| `-n, --namespace` | no default | Kubernetes namespace. |
| `-c, --container` | no default | Container name. |
| `-f, --filename` | no default | File or URL describing the resource to exec into (kubectl-style). |
| `-s, --[no-]stdin` | false | Pass stdin to the container. |
| `-t, --[no-]tty` | false | Stdin is a TTY. |
| `-q, --[no-]quiet` | false | Only print output from the remote session. |
| `--[no-]participant-req` | false | Display a verbose list of required participants in a moderated session. |
| `--reason` | no default | The purpose of the session. |
| `--invite` | no default | Comma-separated list of invited users. |
Example:
# Execute a command in a pod
tsh kube exec my-pod -- ls /app

# Open an interactive shell in a pod
tsh kube exec -it my-pod -- /bin/bash

Database Commands

tsh db login

Retrieve short-lived credentials for a database.
tsh db login [<flags>] [<db>]
| Flag | Default | Description |
|---|---|---|
| `-u, --db-user` | no default | Database user to configure as default. |
| `-n, --db-name` | no default | Database name to configure as default. |
| `-r, --db-roles` | no default | Comma-separated database roles for the auto-provisioned user. |
| `--labels` | no default | Filter by labels. |
| `--query` | no default | Predicate language query. |
| `--request-reason` | no default | Reason for requesting access. |
| `--[no-]disable-access-request` | false | Disable automatic resource Access Requests. |
Example:
# Log in to a database
tsh db login mydb

# Log in with specific user and database name
tsh db login --db-user=alice --db-name=myapp mydb

tsh db ls

List all available databases.
tsh db ls [<flags>] [<labels>]
| Flag | Default | Description |
|---|---|---|
| `-f, --format` | text | Output format: text, json, yaml. |
| `-R, --[no-]all` | false | List from all clusters and proxies. |
| `--search` | no default | Search keywords. |
| `--query` | no default | Predicate language query. |
| `-v, --[no-]verbose` | false | Show extra database fields. |
Example:
tsh db ls
tsh db ls env=production

tsh db connect

Connect to a database interactively.
tsh db connect [<flags>] [<db>]
| Flag | Default | Description |
|---|---|---|
| `-u, --db-user` | no default | Database user to log in as. |
| `-n, --db-name` | no default | Database name to log in to. |
| `-r, --db-roles` | no default | Comma-separated database roles. |
| `--labels` | no default | Filter by labels. |
| `--query` | no default | Predicate language query. |
| `--request-reason` | no default | Reason for requesting access. |
| `--[no-]disable-access-request` | false | Disable automatic resource Access Requests. |
Example:
# Connect to a PostgreSQL database
tsh db connect --db-user=alice --db-name=myapp mydb

Application Commands

tsh apps login

Retrieve a short-lived certificate for an application.
tsh apps login [<flags>] <app>
| Flag | Default | Description |
|---|---|---|
| `--aws-role` | no default | Amazon IAM role ARN or role name (for AWS CLI access). |
| `--azure-identity` | no default | Azure managed identity name (for Azure CLI access). |
| `--gcp-service-account` | no default | GCP service account name (for GCP CLI access). |
| `--target-port` | no default | Port to which connections should be routed. Valid only for multi-port TCP apps. |
| `-q, --[no-]quiet` | false | Quiet mode. |
Example:
tsh apps login my-app

# Log in to an AWS app with a specific IAM role (the account ID is a 12-digit placeholder)
tsh apps login --aws-role=arn:aws:iam::123456789012:role/DevRole my-aws-app

tsh apps ls

List available applications.
tsh apps ls [<flags>] [<labels>]
| Flag | Default | Description |
|---|---|---|
| `-f, --format` | text | Output format: text, json, yaml. |
| `-R, --[no-]all` | false | List from all clusters and proxies. |
| `--search` | no default | Search keywords. |
| `--query` | no default | Predicate language query. |
| `-v, --[no-]verbose` | false | Show extra application fields. |
Example:
tsh apps ls
tsh apps ls --format=json

Session Commands

tsh recordings ls

List recorded sessions.
tsh recordings ls [<flags>]
| Flag | Default | Description |
|---|---|---|
| `-f, --format` | text | Output format: text, json, yaml. |
| `--from-utc` | no default | Start of the time range, as a UTC date in YYYY-MM-DD form. Defaults to 24 hours ago. |
| `--to-utc` | no default | End of the time range, as a UTC date in YYYY-MM-DD form. Defaults to the current time. |
| `--last` | no default | Duration into the past (e.g., 5h30m40s). |
| `--limit` | 50 | Maximum number of recordings to show. |
Example:
# List recent recordings
tsh recordings ls

# List recordings from the last 48 hours
tsh recordings ls --last=48h

# Export in JSON
tsh recordings ls --format=json

tsh join

Join an active SSH or Kubernetes session.
tsh join [<flags>] <session-id>
| Flag | Default | Description |
|---|---|---|
| `-m, --mode` | observer | Mode of joining: observer, moderator, peer. |
| `-c, --cluster` | no default | Teleport cluster to connect to. |
Example:
tsh join abc123-session-id
tsh join --mode=moderator abc123-session-id

Access Request Commands

tsh request create

Create a new Access Request for additional roles or resources.
tsh request create [<flags>]
| Flag | Default | Description |
|---|---|---|
| `--roles` | no default | Roles to be requested. |
| `--resource` | no default | Resource ID to be requested. |
| `--reason` | no default | Reason for requesting. |
| `--reviewers` | no default | Suggested reviewers. |
| `--request-ttl` | no default | Expiration time for the Access Request. |
| `--session-ttl` | no default | Expiration time for the elevated certificate. |
| `--max-duration` | no default | How long the access should be granted for. |
| `--assume-start-time` | no default | Time from which the roles can be assumed (RFC3339, e.g. 2023-12-12T23:20:50.52Z). |
| `--[no-]nowait` | false | Finish without waiting for request resolution. |
Example:
# Request a specific role
tsh request create --roles=db-admin --reason="Production incident investigation"

# Request access to a specific resource
tsh request create --resource=/teleport.cluster.local/node/abc123 --reason="Debugging"

tsh request review

Review an Access Request.
tsh request review [<flags>] <request-id>
| Flag | Default | Description |
|---|---|---|
| `--[no-]approve` | false | Review proposes approval. |
| `--[no-]deny` | false | Review proposes denial. |
| `--reason` | no default | Review reason message. |
| `--assume-start-time` | no default | Time from which the roles can be assumed (RFC3339, e.g. 2023-12-12T23:20:50.52Z). |
Example:
# Approve a request
tsh request review --approve --reason="Verified and approved" abc123

# Deny a request
tsh request review --deny --reason="Not authorized for this resource" abc123

tsh request ls

List Access Requests.
tsh request ls [<flags>]
| Flag | Default | Description |
|---|---|---|
| `-f, --format` | text | Output format: text, json, yaml. |
| `--[no-]my-requests` | false | Only show requests created by the current user. |
| `--[no-]reviewable` | false | Only show requests reviewable by the current user. |
| `--[no-]suggested` | false | Only show requests that suggest the current user as reviewer. |
Example:
# List all pending requests
tsh request ls

# List only your own requests
tsh request ls --my-requests
Use tsh request drop to remove active Access Requests from your current identity, returning you to your base role permissions.
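The create / use / drop sequence is the just-in-time elevation loop, and the part that gets forgotten is the drop: a role that stays on the identity after the task is finished is standing privilege again. The script below is an added example, not code from the Teleport docs or project: it requests one role for the duration of one command and drops the request afterwards whether the command succeeds, fails or is interrupted. It assumes that `tsh request create` without `--nowait` blocks until the request is resolved and reloads the certificate on approval, that `tsh request drop` with no arguments drops every active request (as stated above), and that the `TSH` and `MAX_DURATION` variables are the script's own placeholders.

```shell
#!/bin/sh
# Added example, not code from the Teleport docs: run a single command with a
# just-in-time role and hand the role back afterwards, even when the command
# fails or is interrupted. Assumptions not stated on the page: `tsh request
# create` without --nowait blocks until the request is resolved and refreshes
# the certificate on approval; `tsh request drop` with no arguments drops every
# active request; TSH can be pointed at a stub for offline testing.

TSH="${TSH:-tsh}"

# Give back elevated roles. Used both on the normal path and from a trap.
drop_elevation() {
  "$TSH" request drop
}

# Usage: with_elevated_role ROLE "reason" command args...
# Returns the command's exit status; the request is dropped in every case.
with_elevated_role() {
  role="$1"; reason="$2"; shift 2
  # --max-duration caps how long the approved role stays assumable; size it to
  # the task instead of accepting the role's maximum.
  "$TSH" request create --roles="$role" --reason="$reason" \
      --max-duration="${MAX_DURATION:-1h}" || return 1
  trap 'drop_elevation; exit 130' INT TERM
  if "$@"; then rc=0; else rc=$?; fi
  trap - INT TERM
  drop_elevation
  return "$rc"
}

# Example: sh jit.sh db-admin "incident 42: inspect prod db" tsh db connect --db-user=alice mydb
[ $# -eq 0 ] || with_elevated_role "$@"
```

The reason string is not decoration: it is what the reviewer sees in `tsh request review` and what ends up in the audit log next to the elevated session, so put the ticket or incident reference in it rather than a generic "need access".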
