tbot Reference
Report an Issue
Is this page helpful?
This guide provides a comprehensive list of commands, arguments, and flags for tbot: Teleport Machine & Workload Identity issues and renews short-lived certificates so your machines can access Teleport protected resources in the same way your engineers do.
tbot [<flags>] <command> [<args> ...]
Global flags:
| Flag | Default | Description |
|---|---|---|
-c, --config | none | Path to a configuration file. |
-d, --[no-]debug | false | Verbose logging to stdout. |
--log-format | text | Controls the format of output logs. Can be json or text. Defaults to text. |
--[no-]fips | false | Runs tbot in FIPS compliance mode. This requires the FIPS binary is in use. |
--[no-]insecure | false | Insecure configures the bot to trust the certificates from the Auth Server or Proxy on first connect without verification. Do not use in production. |
Global environment variables:
| Variable | Default | Description |
|---|---|---|
TBOT_CONFIG_PATH | none | Path to a configuration file. |
TBOT_DEBUG | false | Verbose logging to stdout. |
tbot configure application
Configures tbot with an application output.
Usage:
tbot configure application --destination=DESTINATION --app=APP [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--app | none | The name of the app in Teleport |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--destination | none | A destination URI, such as file:///foo/bar |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--[no-]oneshot | false | If set, quit after the first renewal. |
--[no-]specific-tls-extensions | false | If set, include additional tls.crt, tls.key, and tls.cas for apps that require these file extensions |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--reader-group | none | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--reader-user | none | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot configure application-proxy
Configures tbot with an application proxy.
Usage:
tbot configure application-proxy --listen=LISTEN [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--listen | none | A socket URI, such as tcp://0.0.0.0:8080 |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot configure application-tunnel
Configures tbot with an application tunnel.
Usage:
tbot configure application-tunnel --listen=LISTEN --app=APP [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--app | none | The name of the app in Teleport |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--listen | none | A socket URI, such as tcp://0.0.0.0:8080 |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot configure database
Configures tbot with a database output.
Usage:
tbot configure database --destination=DESTINATION --service=SERVICE --username=USERNAME --database=DATABASE [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--database | none | The name of the database available in the requested database service |
--destination | none | A destination URI, such as file:///foo/bar |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--format | `` | The database output format if necessary |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--reader-group | none | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--reader-user | none | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--service | none | The database service name |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
--username | none | The database user name |
tbot configure database-tunnel
Configures tbot with a database tunnel listener.
Usage:
tbot configure database-tunnel --listen=LISTEN --service=SERVICE --username=USERNAME --database=DATABASE [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--database | none | The name of the database available in the requested database service |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--listen | none | A socket URI to listen on, such as tcp://0.0.0.0:3306 |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--service | none | The database service name |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
--username | none | The database user name |
tbot configure identity
Configures tbot with an identity output for SSH and Teleport API access.
Usage:
tbot configure identity --destination=DESTINATION [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--cluster | none | The name of a specific cluster for which to issue an identity if using a leaf cluster |
--destination | none | A destination URI, such as file:///foo/bar |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--[no-]allow-reissue | false | Allow the credentials output by this command to be reissued. |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--reader-group | none | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--reader-user | none | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot configure kubernetes
Configures tbot with a Kubernetes output.
Usage:
tbot configure kubernetes --destination=DESTINATION --kubernetes-cluster=KUBERNETES-CLUSTER [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--destination | none | A destination URI, such as file:///foo/bar |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--kubernetes-cluster | none | The name of the Kubernetes cluster in Teleport for which to fetch credentials |
--[no-]disable-exec-plugin | false | If set, disables the exec plugin. This allows credentials to be used without the tbot binary. |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--reader-group | none | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--reader-user | none | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot configure kubernetes/v2
Configures tbot with a Kubernetes V2 output.
Usage:
tbot configure kubernetes/v2 --destination=DESTINATION [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--destination | none | A destination URI, such as file:///foo/bar |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--label-selector | none | A set of Kubernetes labels to match in k1=v1,k2=v2 form. Repeatable. |
--name-selector | none | An explicit Kubernetes cluster name to include. Repeatable. |
--[no-]disable-exec-plugin | false | If set, disables the exec plugin. This allows credentials to be used without the tbot binary. |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--reader-group | none | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--reader-user | none | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot configure legacy
Configures tbot with either a config file or a legacy output.
Usage:
tbot configure legacy [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--data-dir | none | Directory to store internal bot data. Access to this directory should be limited. |
--destination-dir | none | Directory to write short-lived machine certificates. |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot configure ssh-multiplexer
Configures tbot with an SSH Multiplexer service.
Usage:
tbot configure ssh-multiplexer --destination=DESTINATION [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--destination | none | A destination URI, such as file:///foo/bar |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--[no-]enable-resumption | false | If set, disables SSH session resumption. |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-command | none | The command to run as the SSH ProxyCommand, such as fdpass-teleport. Defaults to this tbot binary. Repeatable to add additional args. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--proxy-templates-path | none | A path to a proxy template config file. Optional. |
--reader-group | none | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--reader-user | none | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot configure workload-identity-api
Configures tbot with a workload identity API listener. Compatible with the SPIFFE Workload API and Envoy SDS.
Usage:
tbot configure workload-identity-api --listen=LISTEN [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--label-selector | none | A label-based selector for which workload identities to issue. Multiple labels can be provided using ','. |
--listen | none | The address on which the workload identity API should listen. This should either be prefixed with 'unix://' or 'tcp://'. |
--name-selector | none | The name of the workload identity to issue |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot configure workload-identity-aws-roles-anywhere
Configures tbot with an output containing AWS credentials generated via AWS Roles Anywhere.
Usage:
tbot configure workload-identity-aws-roles-anywhere --destination=DESTINATION --role-arn=ROLE-ARN --profile-arn=PROFILE-ARN --trust-anchor-arn=TRUST-ANCHOR-ARN [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--destination | none | A destination URI, such as file:///foo/bar |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--label-selector | none | A label-based selector for which workload identities to issue. Multiple labels can be provided using ','. |
--name-selector | none | The name of the workload identity to issue |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--profile-arn | none | The ARN of the Roles Anywhere profile to use. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--reader-group | none | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--reader-user | none | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--region | none | The AWS region to use. If unset, value will be used from the AWS config or the AWS_REGION environment variable. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--role-arn | none | The ARN of the role to assume. |
--session-duration | none | The duration of the resulting AWS session and credentials. This may be up to 12 hours. When unset, this defaults to 6 hours. |
--session-renewal-interval | none | How often the session should be renewed. This should be less than the session duration. When unset, this defaults to 1 hour. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
--trust-anchor-arn | none | The ARN of the Roles Anywhere trust anchor to use. |
tbot configure workload-identity-jwt
Configures tbot with a SPIFFE-compatible JWT SVID output.
Usage:
tbot configure workload-identity-jwt --destination=DESTINATION --audience=AUDIENCE [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--audience | none | Specify the audiences to include in the JWT. At least one audience must be specified. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--destination | none | A destination URI, such as file:///foo/bar |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--label-selector | none | A label-based selector for which workload identities to issue. Multiple labels can be provided using ','. |
--name-selector | none | The name of the workload identity to issue |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--reader-group | none | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--reader-user | none | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot configure workload-identity-x509
Configures tbot with a SPIFFE-compatible SVID output.
Usage:
tbot configure workload-identity-x509 --destination=DESTINATION [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--destination | none | A destination URI, such as file:///foo/bar |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--label-selector | none | A label-based selector for which workload identities to issue. Multiple labels can be provided using ','. |
--name-selector | none | The name of the workload identity to issue |
--[no-]include-federated-trust-bundles | false | If set, include federated trust bundles in the output |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--reader-group | none | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--reader-user | none | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot copy-binaries
Copies this tbot binary to a given destination
Usage:
tbot copy-binaries [<flags>] <destination-dir>
Flags:
| Flag | Default | Description |
|---|---|---|
--[no-]include-fdpass | false | If set, also copy fdpass-teleport. It must be available in the same path as tbot. |
Arguments:
| Argument | Default | Description |
|---|---|---|
| destination-dir | none (required) | The destination path to write the copy of the tbot binary |
tbot db
Execute database commands through tsh.
Usage:
tbot db [<flags>] [<args>...]
Flags:
| Flag | Default | Description |
|---|---|---|
--cluster | none | The cluster name. Extracted from the certificate if unset. |
--destination-dir | none | The destination directory with which to authenticate tsh |
--proxy-server | none | The Teleport proxy server to use, in host:port form. |
Arguments:
| Argument | Default | Description |
|---|---|---|
| args | none (optional) | Arguments to tsh db ...; prefix with -- to ensure flags are passed correctly. |
tbot help
Show help.
Usage:
tbot help [<command>...]
Arguments:
| Argument | Default | Description |
|---|---|---|
| command | none (optional) | Show help on command. |
tbot init
Initialize a certificate destination directory for writes from a separate bot user.
Usage:
tbot init [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--bot-user | none | Enables POSIX ACLs and defines Linux user that can read/write short-lived certificates to "--destination-dir". |
--destination-dir | none | Directory to write short-lived machine certificates. |
--init-dir | none | If using a config file and multiple destinations are configured, controls which destination dir to configure. |
--[no-]clean | false | If set, remove unexpected files and directories from the destination. |
--owner | none | Defines Linux "user:group" owner of "--destination-dir". Defaults to the Linux user running tbot if unspecified. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--reader-user | none | Enables POSIX ACLs and defines Linux user that will read short-lived certificates from "--destination-dir". |
tbot install systemd
Generates and installs a systemd unit file for a specified tbot configuration file.
Usage:
tbot install systemd [<flags>]
Flags:
| Flag | Default | Description |
|---|---|---|
--group | teleport | The group that the service should run as. Defaults to 'teleport'. |
--name | tbot | Name for the systemd unit. Defaults to 'tbot'. |
--[no-]anonymous-telemetry | false | Enable anonymous telemetry. |
--[no-]force | false | Overwrite existing systemd unit file if present. |
--[no-]write | false | Write the systemd unit file. If not specified, this command runs in a dry-run mode that outputs the generated content to stdout. |
--systemd-directory | /etc/systemd/system | Path to the directory that the systemd unit file should be written. Defaults to '/etc/systemd/system'. |
--user | teleport | The user that the service should run as. Defaults to 'teleport'. |
tbot migrate
Migrates a config file from an older version to the newest version. Outputs to stdout by default.
Usage:
tbot migrate [<flags>]
Flags:
| Flag | Default | Description |
|---|---|---|
-o, --output | none | Path to write the generated configuration file to rather than write to stdout. |
tbot proxy
Start a local TLS proxy via tsh to connect to Teleport in single-port mode.
Usage:
tbot proxy [<flags>] [<args>...]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_PROXY | none | The Teleport proxy server to use, in host:port form. |
Flags:
| Flag | Default | Description |
|---|---|---|
--cluster | none | The cluster name. Extracted from the certificate if unset. |
--destination-dir | none | The destination directory with which to authenticate tsh |
--proxy-server | none | The Teleport proxy server to use, in host:port form. |
Arguments:
| Argument | Default | Description |
|---|---|---|
| args | none (optional) | Arguments to tsh proxy ...; prefix with -- to ensure flags are passed correctly. |
tbot spiffe-inspect
Inspects a SPIFFE Workload API endpoint to ensure it is working correctly.
Usage:
tbot spiffe-inspect --path=PATH
Flags:
| Flag | Default | Description |
|---|---|---|
--path | none | The path to the SPIFFE Workload API endpoint to test. |
tbot start application
Starts tbot with an application output.
Usage:
tbot start application --destination=DESTINATION --app=APP [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--app | none | The name of the app in Teleport |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--destination | none | A destination URI, such as file:///foo/bar |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--[no-]oneshot | false | If set, quit after the first renewal. |
--[no-]specific-tls-extensions | false | If set, include additional tls.crt, tls.key, and tls.cas for apps that require these file extensions |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--reader-group | none | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--reader-user | none | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot start application-proxy
Starts tbot with an application proxy.
Usage:
tbot start application-proxy --listen=LISTEN [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--listen | none | A socket URI, such as tcp://0.0.0.0:8080 |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot start application-tunnel
Starts tbot with an application tunnel.
Usage:
tbot start application-tunnel --listen=LISTEN --app=APP [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--app | none | The name of the app in Teleport |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--listen | none | A socket URI, such as tcp://0.0.0.0:8080 |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot start database
Starts tbot with a database output.
Usage:
tbot start database --destination=DESTINATION --service=SERVICE --username=USERNAME --database=DATABASE [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--database | none | The name of the database available in the requested database service |
--destination | none | A destination URI, such as file:///foo/bar |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--format | `` | The database output format if necessary |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--reader-group | none | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--reader-user | none | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--service | none | The database service name |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
--username | none | The database user name |
tbot start database-tunnel
Starts tbot with a database tunnel listener.
Usage:
tbot start database-tunnel --listen=LISTEN --service=SERVICE --username=USERNAME --database=DATABASE [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--database | none | The name of the database available in the requested database service |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--listen | none | A socket URI to listen on, such as tcp://0.0.0.0:3306 |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--service | none | The database service name |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
--username | none | The database user name |
tbot start identity
Starts tbot with an identity output for SSH and Teleport API access.
Usage:
tbot start identity --destination=DESTINATION [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--cluster | none | The name of a specific cluster for which to issue an identity if using a leaf cluster |
--destination | none | A destination URI, such as file:///foo/bar |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--[no-]allow-reissue | false | Allow the credentials output by this command to be reissued. |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--reader-group | none | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--reader-user | none | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot start kubernetes
Starts tbot with a Kubernetes output.
Usage:
tbot start kubernetes --destination=DESTINATION --kubernetes-cluster=KUBERNETES-CLUSTER [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--destination | none | A destination URI, such as file:///foo/bar |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--kubernetes-cluster | none | The name of the Kubernetes cluster in Teleport for which to fetch credentials |
--[no-]disable-exec-plugin | false | If set, disables the exec plugin. This allows credentials to be used without the tbot binary. |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--reader-group | none | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--reader-user | none | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot start kubernetes/v2
Starts tbot with a Kubernetes V2 output.
Usage:
tbot start kubernetes/v2 --destination=DESTINATION [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--destination | none | A destination URI, such as file:///foo/bar |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--label-selector | none | A set of Kubernetes labels to match in k1=v1,k2=v2 form. Repeatable. |
--name-selector | none | An explicit Kubernetes cluster name to include. Repeatable. |
--[no-]disable-exec-plugin | false | If set, disables the exec plugin. This allows credentials to be used without the tbot binary. |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--reader-group | none | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--reader-user | none | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot start legacy
Starts tbot with either a config file or a legacy output.
Usage:
tbot start legacy [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--data-dir | none | Directory to store internal bot data. Access to this directory should be limited. |
--destination-dir | none | Directory to write short-lived machine certificates. |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot start ssh-multiplexer
Starts tbot with an SSH Multiplexer service.
Usage:
tbot start ssh-multiplexer --destination=DESTINATION [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--destination | none | A destination URI, such as file:///foo/bar |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--[no-]enable-resumption | false | If set, disables SSH session resumption. |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-command | none | The command to run as the SSH ProxyCommand, such as fdpass-teleport. Defaults to this tbot binary. Repeatable to add additional args. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--proxy-templates-path | none | A path to a proxy template config file. Optional. |
--reader-group | none | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--reader-user | none | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot start workload-identity-api
Starts tbot with a workload identity API listener. Compatible with the SPIFFE Workload API and Envoy SDS.
Usage:
tbot start workload-identity-api --listen=LISTEN [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--label-selector | none | A label-based selector for which workload identities to issue. Multiple labels can be provided using ','. |
--listen | none | The address on which the workload identity API should listen. This should either be prefixed with 'unix://' or 'tcp://'. |
--name-selector | none | The name of the workload identity to issue |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot start workload-identity-aws-roles-anywhere
Starts tbot with an output containing AWS credentials generated via AWS Roles Anywhere.
Usage:
tbot start workload-identity-aws-roles-anywhere --destination=DESTINATION --role-arn=ROLE-ARN --profile-arn=PROFILE-ARN --trust-anchor-arn=TRUST-ANCHOR-ARN [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--destination | none | A destination URI, such as file:///foo/bar |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--label-selector | none | A label-based selector for which workload identities to issue. Multiple labels can be provided using ','. |
--name-selector | none | The name of the workload identity to issue |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--profile-arn | none | The ARN of the Roles Anywhere profile to use. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--reader-group | none | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--reader-user | none | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--region | none | The AWS region to use. If unset, value will be used from the AWS config or the AWS_REGION environment variable. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--role-arn | none | The ARN of the role to assume. |
--session-duration | none | The duration of the resulting AWS session and credentials. This may be up to 12 hours. When unset, this defaults to 6 hours. |
--session-renewal-interval | none | How often the session should be renewed. This should be less than the session duration. When unset, this defaults to 1 hour. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
--trust-anchor-arn | none | The ARN of the Roles Anywhere trust anchor to use. |
tbot start workload-identity-jwt
Starts tbot with a SPIFFE-compatible JWT SVID output.
Usage:
tbot start workload-identity-jwt --destination=DESTINATION --audience=AUDIENCE [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--audience | none | Specify the audiences to include in the JWT. At least one audience must be specified. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--destination | none | A destination URI, such as file:///foo/bar |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--label-selector | none | A label-based selector for which workload identities to issue. Multiple labels can be provided using ','. |
--name-selector | none | The name of the workload identity to issue |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--reader-group | none | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--reader-user | none | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot start workload-identity-x509
Starts tbot with a SPIFFE-compatible SVID output.
Usage:
tbot start workload-identity-x509 --destination=DESTINATION [<flags>]
Environment variables:
| Variable | Default | Description |
|---|---|---|
TELEPORT_AUTH_SERVER | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
TELEPORT_BOT_TOKEN | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
TELEPORT_PROXY | none | Address of the Teleport Proxy Server. |
Flags:
| Flag | Default | Description |
|---|---|---|
-a, --auth-server | none | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
--ca-pin | none | CA pin to validate the Teleport Auth Server; used on first connect. |
--certificate-ttl | none | TTL of short-lived machine certificates. |
--destination | none | A destination URI, such as file:///foo/bar |
--diag-addr | none | If set and the bot is in debug mode, a diagnostics service will listen on specified address. |
--join-method | none | Method to use to join the cluster. (azure, azure_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform_cloud, oracle, bound_keypair, env0) |
--join-uri | none | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead. |
--label-selector | none | A label-based selector for which workload identities to issue. Multiple labels can be provided using ','. |
--name-selector | none | The name of the workload identity to issue |
--[no-]include-federated-trust-bundles | false | If set, include federated trust bundles in the output |
--[no-]oneshot | false | If set, quit after the first renewal. |
--pid-file | none | Full path to the PID file. By default no PID file will be created. |
--proxy-server | none | Address of the Teleport Proxy Server. |
--reader-group | none | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--reader-user | none | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
--registration-secret | none | For bound keypair joining, specifies a registration secret for use at first join. |
--registration-secret-path | none | For bound keypair joining, specifies a file containing a registration secret for use at first join. |
--renewal-interval | none | Interval at which short-lived certificates are renewed; must be less than the certificate TTL. |
--static-key-path | none | For bound keypair joining, specifies a path to a static key. |
--storage | none | A destination URI for tbot's internal storage, e.g. file:///foo/bar |
--token | none | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
tbot tpm identify
Output identifying information related to the TPM detected on the system.
Usage:
tbot tpm identify
tbot version
Print the version of your tbot binary.
Usage:
tbot version
tbot wait
Waits for a running tbot to become ready.
Usage:
tbot wait --diag-addr=DIAG-ADDR [<flags>]
Flags:
| Flag | Default | Description |
|---|---|---|
--diag-addr | none | The configured --diag-addr of a running bot, in host:port form. |
--service | none | An optional name. If set, waits for only the named service to become healthy. If unset, waits for all services. |
--timeout | none | An optional timeout. If set, returns an error if all specified services have reported healthy by the timeout. |
Was this page helpful?