# tbot Reference

This guide provides a comprehensive list of commands, arguments, and flags for tbot.

`tbot` is a CLI tool used with **Machine & Workload Identity** that programmatically issues and renews short-lived certificates for any service account (e.g., a CI/CD server).

```
$ tbot [<flags>] <command> [<args> ...]
```

Global flags:

| Flag                 | Default | Description                                                                                                                                          |
| -------------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-c`, `--config`     | none    | Path to a configuration file.                                                                                                                        |
| `-d`, `--[no-]debug` | `false` | Enables verbose logging to stdout.                                                                                                                   |
| `--log-format`       | `text`  | Controls the format of output logs. Can be `json` or `text`. Defaults to `text`.                                                                     |
| `--[no-]fips`        | `false` | Enables FIPS compliance mode. This requires that the FIPS binary is in use.                                                                          |
| `--[no-]insecure`    | `false` | Configures the bot to trust the certificates presented by the Auth Server or Proxy on first connect without verification. Do not use in production; pin the Auth Server CA with `--ca-pin` instead. |

Global environment variables:

| Variable           | Default | Description                        |
| ------------------ | ------- | ---------------------------------- |
| `TBOT_CONFIG_PATH` | none    | Path to a configuration file.      |
| `TBOT_DEBUG`       | `false` | Enables verbose logging to stdout. |

## tbot configure application

Configures tbot with an application output.

Usage:

```
$ tbot configure application --destination=DESTINATION --app=APP [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                             | Default | Description                                                                                                                                                                                 |
| -------------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`            | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--app`                          | none    | The name of the app in Teleport.                                                                                                                                                            |
| `--ca-pin`                       | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`              | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--destination`                  | none    | A destination URI, such as file:///foo/bar                                                                                                                                                  |
| `--diag-addr`                    | none    | If set and the bot is in debug mode, a diagnostics service will listen on specified address.                                                                                                |
| `--join-method`                  | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                     | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--[no-]oneshot`                 | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--[no-]specific-tls-extensions` | `false` | If set, additionally writes `tls.crt`, `tls.key`, and `tls.cas` for apps that require these file extensions.                                                                               |
| `--pid-file`                     | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`                 | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--reader-group`                 | none    | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                         |
| `--reader-user`                  | none    | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                          |
| `--registration-secret`          | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path`     | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`             | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`              | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                      | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                        | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |

## tbot configure application-proxy

Configures tbot with an HTTP application proxy.

Usage:

```
$ tbot configure application-proxy --listen=LISTEN [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on specified address.                                                                                                |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--listen`                   | none    | The socket URI on which the local proxy should listen, such as `tcp://0.0.0.0:8080`.                                                                                                        |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |

## tbot configure application-tunnel

Configures tbot with an application tunnel.

Usage:

```
$ tbot configure application-tunnel --listen=LISTEN --app=APP [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--app`                      | none    | The name of the app in Teleport.                                                                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on specified address.                                                                                                |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--listen`                   | none    | The socket URI on which the tunnel should listen, such as `tcp://0.0.0.0:8080`.                                                                                                             |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |

## tbot configure database

Configures tbot with a database output.

Usage:

```
$ tbot configure database --destination=DESTINATION --service=SERVICE --username=USERNAME --database=DATABASE [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--database`                 | none    | The name of the database available in the requested database service.                                                                                                                       |
| `--destination`              | none    | A destination URI, such as file:///foo/bar                                                                                                                                                  |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on specified address.                                                                                                |
| `--format`                   | none    | The format of the credentials to generate. If specified, must be `tls`, `mongo` or `cockroach`.                                                                                             |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--reader-group`             | none    | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                         |
| `--reader-user`              | none    | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                          |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--service`                  | none    | The database service name.                                                                                                                                                                  |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |
| `--username`                 | none    | The database user name.                                                                                                                                                                     |

## tbot configure database-tunnel

Configures tbot with a database tunnel listener.

Usage:

```
$ tbot configure database-tunnel --listen=LISTEN --service=SERVICE --username=USERNAME --database=DATABASE [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--database`                 | none    | The name of the database available in the requested database service.                                                                                                                       |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on specified address.                                                                                                |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--listen`                   | none    | A socket URI to listen on, such as `tcp://0.0.0.0:3306`.                                                                                                                                    |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--service`                  | none    | The database service name.                                                                                                                                                                  |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |
| `--username`                 | none    | The database user name.                                                                                                                                                                     |

## tbot configure identity

Configures tbot with an identity output for SSH and Teleport API access.

Usage:

```
$ tbot configure identity --destination=DESTINATION [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--cluster`                  | none    | The name of a specific cluster for which to issue an identity if using a leaf cluster.                                                                                                      |
| `--destination`              | none    | A destination URI, such as file:///foo/bar                                                                                                                                                  |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--[no-]allow-reissue`       | `false` | Allow the credentials output by this command to be reissued.                                                                                                                                |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--reader-group`             | none    | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                         |
| `--reader-user`              | none    | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                          |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |

## tbot configure kubernetes

Configures tbot with a Kubernetes output.

Usage:

```
$ tbot configure kubernetes --destination=DESTINATION --kubernetes-cluster=KUBERNETES-CLUSTER [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--destination`              | none    | A destination URI, such as file:///foo/bar                                                                                                                                                  |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--kubernetes-cluster`       | none    | The name of the Kubernetes cluster in Teleport for which to fetch credentials.                                                                                                              |
| `--[no-]disable-exec-plugin` | `false` | If set, disables the exec plugin. This allows credentials to be used without the `tbot` binary.                                                                                             |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--reader-group`             | none    | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                         |
| `--reader-user`              | none    | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                          |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |

## tbot configure kubernetes/v2

Configures tbot with a Kubernetes V2 output.

Usage:

```
$ tbot configure kubernetes/v2 --destination=DESTINATION [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--destination`              | none    | A destination URI, such as file:///foo/bar                                                                                                                                                  |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--label-selector`           | none    | A set of Kubernetes labels to match in k1=v1,k2=v2 form. Repeatable.                                                                                                                        |
| `--name-selector`            | none    | An explicit Kubernetes cluster name to include. Repeatable.                                                                                                                                 |
| `--[no-]disable-exec-plugin` | `false` | If set, disables the exec plugin. This allows credentials to be used without the `tbot` binary.                                                                                             |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--reader-group`             | none    | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                         |
| `--reader-user`              | none    | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                          |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |

## tbot configure legacy

Configures tbot with either a config file or a legacy output.

Usage:

```
$ tbot configure legacy [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                  | Default | Description                                                                                                                                                                                 |
| --------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`            | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`   | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--data-dir`          | none    | Directory to store internal bot data. Access to this directory should be limited.                                                                                                           |
| `--destination-dir`   | none    | Directory to write short-lived machine certificates.                                                                                                                                        |
| `--diag-addr`         | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`       | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--[no-]oneshot`      | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`          | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`      | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--renewal-interval`  | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--token`             | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |

## tbot configure noop

Configures tbot with no configured services to test onboarding config.

Usage:

```
$ tbot configure noop [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |

## tbot configure ssh-multiplexer

Configures tbot with an SSH Multiplexer service.

Usage:

```
$ tbot configure ssh-multiplexer --destination=DESTINATION [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--destination`              | none    | A destination URI, such as file:///foo/bar                                                                                                                                                  |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--[no-]enable-resumption`   | `false` | If set, disables SSH session resumption.                                                                                                                                                    |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-command`            | none    | The command to run as the SSH ProxyCommand, such as `fdpass-teleport`. Defaults to this tbot binary. Repeatable to add additional args.                                                     |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--proxy-templates-path`     | none    | A path to a proxy template config file. Optional.                                                                                                                                           |
| `--reader-group`             | none    | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                         |
| `--reader-user`              | none    | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                          |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |

## tbot configure workload-identity-api

Configures tbot with a workload identity API listener. Compatible with the SPIFFE Workload API and Envoy SDS.

Usage:

```
$ tbot configure workload-identity-api --listen=LISTEN [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--label-selector`           | none    | A label-based selector for which workload identities to issue. Multiple labels can be provided using ','. Mutually exclusive with --name-selector.                                          |
| `--listen`                   | none    | The address on which the workload identity API should listen. This should either be prefixed with 'unix://' or 'tcp://'.                                                                   |
| `--name-selector`            | none    | The name of the workload identity to issue. Mutually exclusive with --label-selector.                                                                                                       |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |

## tbot configure workload-identity-aws-roles-anywhere

Configures tbot with an output containing AWS credentials generated via AWS Roles Anywhere.

Usage:

```
$ tbot configure workload-identity-aws-roles-anywhere --destination=DESTINATION --role-arn=ROLE-ARN --profile-arn=PROFILE-ARN --trust-anchor-arn=TRUST-ANCHOR-ARN [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--destination`              | none    | A destination URI, such as file:///foo/bar                                                                                                                                                  |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--label-selector`           | none    | A label-based selector for which workload identities to issue. Multiple labels can be provided using ','. Mutually exclusive with --name-selector.                                          |
| `--name-selector`            | none    | The name of the workload identity to issue. Mutually exclusive with --label-selector.                                                                                                       |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--profile-arn`              | none    | The ARN of the Roles Anywhere profile to use.                                                                                                                                               |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--reader-group`             | none    | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                         |
| `--reader-user`              | none    | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                          |
| `--region`                   | none    | The AWS region to use. If unset, value will be used from the AWS config or the AWS\_REGION environment variable.                                                                            |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--role-arn`                 | none    | The ARN of the role to assume.                                                                                                                                                              |
| `--session-duration`         | none    | The duration of the resulting AWS session and credentials. This may be up to 12 hours. When unset, this defaults to 6 hours.                                                                |
| `--session-renewal-interval` | none    | How often the session should be renewed. This should be less than the session duration. When unset, this defaults to 1 hour.                                                                |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |
| `--trust-anchor-arn`         | none    | The ARN of the Roles Anywhere trust anchor to use.                                                                                                                                          |

## tbot configure workload-identity-jwt

Configures tbot with a SPIFFE-compatible JWT SVID output.

Usage:

```
$ tbot configure workload-identity-jwt --destination=DESTINATION --audience=AUDIENCE [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--audience`                 | none    | Specify the audiences to include in the JWT. At least one audience must be specified.                                                                                                       |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--destination`              | none    | A destination URI, such as file:///foo/bar                                                                                                                                                  |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--label-selector`           | none    | A label-based selector for which workload identities to issue. Multiple labels can be provided using ','. Mutually exclusive with --name-selector.                                          |
| `--name-selector`            | none    | The name of the workload identity to issue. Mutually exclusive with --label-selector.                                                                                                       |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--reader-group`             | none    | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                         |
| `--reader-user`              | none    | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                          |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |

## tbot configure workload-identity-x509

Configures tbot with a SPIFFE-compatible SVID output.

Usage:

```
$ tbot configure workload-identity-x509 --destination=DESTINATION [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                                     | Default | Description                                                                                                                                                                                 |
| ---------------------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`                    | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                               | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`                      | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--destination`                          | none    | A destination URI, such as file:///foo/bar                                                                                                                                                  |
| `--diag-addr`                            | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`                          | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                             | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--label-selector`                       | none    | A label-based selector for which workload identities to issue. Multiple labels can be provided using ','. Mutually exclusive with --name-selector.                                          |
| `--name-selector`                        | none    | The name of the workload identity to issue. Mutually exclusive with --label-selector.                                                                                                       |
| `--[no-]include-federated-trust-bundles` | `false` | If set, include federated trust bundles in the output.                                                                                                                                      |
| `--[no-]oneshot`                         | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                             | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`                         | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--reader-group`                         | none    | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                         |
| `--reader-user`                          | none    | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                          |
| `--registration-secret`                  | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path`             | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`                     | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`                      | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                              | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                                | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |

## tbot copy-binaries

Copies this tbot binary to a given destination.

Usage:

```
$ tbot copy-binaries [<flags>] <destination-dir>
```

Flags:

| Flag                    | Default | Description                                                                           |
| ----------------------- | ------- | ------------------------------------------------------------------------------------- |
| `--[no-]include-fdpass` | `false` | If set, also copy `fdpass-teleport`. It must be available in the same path as `tbot`. |

Arguments:

| Argument        | Default         | Description                                                |
| --------------- | --------------- | ---------------------------------------------------------- |
| destination-dir | none (required) | The destination path to write the copy of the tbot binary. |

## tbot db

Executes database commands through tsh.

Usage:

```
$ tbot db [<flags>] [<args>...]
```

Flags:

| Flag                | Default | Description                                                         |
| ------------------- | ------- | ------------------------------------------------------------------- |
| `--cluster`         | none    | The cluster name. Extracted from the certificate if unset.          |
| `--destination-dir` | none    | The destination directory to provide tsh for authentication.        |
| `--proxy-server`    | none    | The address of the Teleport proxy server to use, in host:port form. |

Arguments:

| Argument | Default         | Description                                                                       |
| -------- | --------------- | --------------------------------------------------------------------------------- |
| args     | none (optional) | Arguments to `tsh db ...`; prefix with `--` to ensure flags are passed correctly. |

## tbot help

Show help.

Usage:

```
$ tbot help [<command>...]
```

Arguments:

| Argument | Default         | Description           |
| -------- | --------------- | --------------------- |
| command  | none (optional) | Show help on command. |

## tbot init

Initializes a destination directory for writes from a separate bot user.

Usage:

```
$ tbot init [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                      |
| ---------------------- | ------- | -------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                            |

Flags:

| Flag                  | Default | Description                                                                                                      |
| --------------------- | ------- | ---------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                 |
| `--bot-user`          | none    | Enables POSIX ACLs and defines the Linux user that can read/write short-lived certificates to "--destination-dir". |
| `--destination-dir`   | none    | Directory to write short-lived machine certificates.                                                             |
| `--init-dir`          | none    | If using a config file and multiple destinations are configured, controls which destination dir to configure.    |
| `--[no-]clean`        | `false` | If set, removes unexpected files and directories from the destination.                                           |
| `--owner`             | none    | Defines Linux "user:group" owner of "--destination-dir". Defaults to the Linux user running tbot if unspecified. |
| `--proxy-server`      | none    | Address of the Teleport Proxy Server.                                                                            |
| `--reader-user`       | none    | Enables POSIX ACLs and defines the Linux user that will read short-lived certificates from "--destination-dir".  |

## tbot install systemd

Generates and installs a systemd unit file for a specified tbot configuration file.

Usage:

```
$ tbot install systemd [<flags>]
```

Flags:

| Flag                         | Default               | Description                                                                                                                      |
| ---------------------------- | --------------------- | -------------------------------------------------------------------------------------------------------------------------------- |
| `--group`                    | `teleport`            | The group that the service should run as. Defaults to 'teleport'.                                                                |
| `--name`                     | `tbot`                | Name for the systemd unit. Defaults to 'tbot'.                                                                                   |
| `--[no-]anonymous-telemetry` | `false`               | Enable anonymous telemetry.                                                                                                      |
| `--[no-]force`               | `false`               | Overwrite existing systemd unit file if present.                                                                                 |
| `--[no-]write`               | `false`               | Write the systemd unit file. If not specified, this command runs in a dry-run mode that outputs the generated content to stdout. |
| `--pid-file`                 | none                  | Overrides the PID file path that should be set in the systemd unit files.                                                        |
| `--systemd-directory`        | `/etc/systemd/system` | Path to the directory that the systemd unit file should be written. Defaults to '/etc/systemd/system'.                           |
| `--user`                     | `teleport`            | The user that the service should run as. Defaults to 'teleport'.                                                                 |

## tbot keypair create

Creates a keypair to preregister for bound-keypair joining.

Usage:

```
$ tbot keypair create --proxy-server=PROXY-SERVER [<flags>]
```

Flags:

| Flag                | Default | Description                                                                                                                                                     |
| ------------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--format`          | `text`  | Output format, one of: text, json                                                                                                                               |
| `--[no-]overwrite`  | `false` | If set, overwrite any existing keypair. If unset and a keypair already exists, its key will be printed for use.                                                 |
| `--[no-]static`     | `false` | If set, creates a static private key instead of writing a mutable key into bot storage. If --static-key-path is unset, the key will be printed to the terminal. |
| `--proxy-server`    | none    | The proxy server, which will be pinged to determine the current cryptographic suite in use.                                                                     |
| `--static-key-path` | none    | If set, writes the static private key to a file.                                                                                                                |
| `--storage`         | none    | The internal storage URI to write the keypair to, such as `file:///var/lib/teleport/bot`.                                                                       |

## tbot migrate

Migrates a configuration file from an older version to the newest version. Outputs to stdout by default.

Usage:

```
$ tbot migrate [<flags>]
```

Flags:

| Flag             | Default | Description                                                                                    |
| ---------------- | ------- | ---------------------------------------------------------------------------------------------- |
| `-o`, `--output` | none    | The path to write the generated configuration file to. If unset, it will be written to stdout. |

## tbot proxy

Starts a local TLS proxy via tsh to connect to Teleport in single-port mode.

Usage:

```
$ tbot proxy [<flags>] [<args>...]
```

Flags:

| Flag                | Default | Description                                                         |
| ------------------- | ------- | ------------------------------------------------------------------- |
| `--cluster`         | none    | The cluster name. Extracted from the certificate if unset.          |
| `--destination-dir` | none    | The destination directory to provide tsh for authentication.        |
| `--proxy-server`    | none    | The address of the Teleport proxy server to use, in host:port form. |

Arguments:

| Argument | Default         | Description                                                                          |
| -------- | --------------- | ------------------------------------------------------------------------------------ |
| args     | none (optional) | Arguments to `tsh proxy ...`; prefix with `--` to ensure flags are passed correctly. |

## tbot spiffe-inspect

Inspects a SPIFFE Workload API endpoint to ensure it is working correctly.

Usage:

```
$ tbot spiffe-inspect --path=PATH
```

Flags:

| Flag     | Default | Description                                           |
| -------- | ------- | ----------------------------------------------------- |
| `--path` | none    | The path to the SPIFFE Workload API endpoint to test. |

## tbot start application

Starts tbot with an application output.

Usage:

```
$ tbot start application --destination=DESTINATION --app=APP [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token, or the path to a file containing the token value, used on first connect when onboarding a new bot. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                             | Default | Description                                                                                                                                                                                 |
| -------------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`            | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--app`                          | none    | The name of the app in Teleport.                                                                                                                                                            |
| `--ca-pin`                       | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`              | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--destination`                  | none    | A destination URI, such as `file:///foo/bar`.                                                                                                                                               |
| `--diag-addr`                    | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`                  | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                     | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--[no-]oneshot`                 | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--[no-]specific-tls-extensions` | `false` | If set, also writes `tls.crt`, `tls.key`, and `tls.cas` for apps that require these file extensions.                                                                                       |
| `--pid-file`                     | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`                 | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--reader-group`                 | none    | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                         |
| `--reader-user`                  | none    | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                          |
| `--registration-secret`          | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path`     | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`             | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`              | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                      | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                        | none    | A bot join token, or the path to a file containing the token value, used on first connect when onboarding a new bot.                                                                       |

## tbot start application-proxy

Starts tbot with an HTTP application proxy.

Usage:

```
$ tbot start application-proxy --listen=LISTEN [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token, or the path to a file containing the token value, used on first connect when onboarding a new bot. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--listen`                   | none    | The socket URI on which the local proxy should listen, such as `tcp://0.0.0.0:8080`.                                                                                                        |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token, or the path to a file containing the token value, used on first connect when onboarding a new bot.                                                                       |

## tbot start application-tunnel

Starts tbot with an application tunnel.

Usage:

```
$ tbot start application-tunnel --listen=LISTEN --app=APP [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token, or the path to a file containing the token value, used on first connect when onboarding a new bot. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--app`                      | none    | The name of the app in Teleport.                                                                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--listen`                   | none    | The socket URI on which the tunnel should listen, such as `tcp://0.0.0.0:8080`.                                                                                                             |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token, or the path to a file containing the token value, used on first connect when onboarding a new bot.                                                                       |

## tbot start database

Starts tbot with a database output.

Usage:

```
$ tbot start database --destination=DESTINATION --service=SERVICE --username=USERNAME --database=DATABASE [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token, or the path to a file containing the token value, used on first connect when onboarding a new bot. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--database`                 | none    | The name of the database available in the requested database service.                                                                                                                       |
| `--destination`              | none    | A destination URI, such as `file:///foo/bar`.                                                                                                                                               |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--format`                   | `""`    | The format of the credentials to generate. If specified, must be `tls`, `mongo` or `cockroach`.                                                                                             |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--reader-group`             | none    | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                         |
| `--reader-user`              | none    | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                          |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--service`                  | none    | The database service name.                                                                                                                                                                  |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token, or the path to a file containing the token value, used on first connect when onboarding a new bot.                                                                       |
| `--username`                 | none    | The database user name.                                                                                                                                                                     |

## tbot start database-tunnel

Starts tbot with a database tunnel listener.

Usage:

```
$ tbot start database-tunnel --listen=LISTEN --service=SERVICE --username=USERNAME --database=DATABASE [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token, or the path to a file containing the token value, used on first connect when onboarding a new bot. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--database`                 | none    | The name of the database available in the requested database service.                                                                                                                       |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--listen`                   | none    | A socket URI to listen on, such as `tcp://0.0.0.0:3306`.                                                                                                                                    |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--service`                  | none    | The database service name.                                                                                                                                                                  |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |
| `--username`                 | none    | The database user name.                                                                                                                                                                     |

## tbot start identity

Starts tbot with an identity output for SSH and Teleport API access.

Usage:

```
$ tbot start identity --destination=DESTINATION [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--cluster`                  | none    | The name of a specific cluster for which to issue an identity if using a leaf cluster.                                                                                                      |
| `--destination`              | none    | A destination URI, such as file:///foo/bar                                                                                                                                                  |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--[no-]allow-reissue`       | `false` | Allow the credentials output by this command to be reissued.                                                                                                                                |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--reader-group`             | none    | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                         |
| `--reader-user`              | none    | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                          |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |

## tbot start kubernetes

Starts tbot with a Kubernetes output.

Usage:

```
$ tbot start kubernetes --destination=DESTINATION --kubernetes-cluster=KUBERNETES-CLUSTER [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--destination`              | none    | A destination URI, such as file:///foo/bar                                                                                                                                                  |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--kubernetes-cluster`       | none    | The name of the Kubernetes cluster in Teleport for which to fetch credentials.                                                                                                              |
| `--[no-]disable-exec-plugin` | `false` | If set, disables the exec plugin. This allows credentials to be used without the `tbot` binary.                                                                                             |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--reader-group`             | none    | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                         |
| `--reader-user`              | none    | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                          |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |

## tbot start kubernetes/v2

Starts tbot with a Kubernetes V2 output.

Usage:

```
$ tbot start kubernetes/v2 --destination=DESTINATION [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--destination`              | none    | A destination URI, such as file:///foo/bar                                                                                                                                                  |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--label-selector`           | none    | A set of Kubernetes labels to match in k1=v1,k2=v2 form. Repeatable.                                                                                                                        |
| `--name-selector`            | none    | An explicit Kubernetes cluster name to include. Repeatable.                                                                                                                                 |
| `--[no-]disable-exec-plugin` | `false` | If set, disables the exec plugin. This allows credentials to be used without the `tbot` binary.                                                                                             |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--reader-group`             | none    | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                         |
| `--reader-user`              | none    | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                          |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |

## tbot start legacy

Starts tbot with either a config file or a legacy output.

Usage:

```
$ tbot start legacy [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                  | Default | Description                                                                                                                                                                                 |
| --------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`            | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`   | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--data-dir`          | none    | Directory to store internal bot data. Access to this directory should be limited.                                                                                                           |
| `--destination-dir`   | none    | Directory to write short-lived machine certificates.                                                                                                                                        |
| `--diag-addr`         | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`       | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--[no-]oneshot`      | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`          | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`      | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--renewal-interval`  | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--token`             | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |

## tbot start noop

Starts tbot with no configured services, which is useful for testing the onboarding configuration.

Usage:

```
$ tbot start noop [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |

## tbot start ssh-multiplexer

Starts tbot with an SSH Multiplexer service.

Usage:

```
$ tbot start ssh-multiplexer --destination=DESTINATION [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--destination`              | none    | A destination URI, such as file:///foo/bar                                                                                                                                                  |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc may be used instead.                                                        |
| `--[no-]enable-resumption`   | `false` | If set, disables SSH session resumption.                                                                                                                                                    |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-command`            | none    | The command to run as the SSH ProxyCommand, such as `fdpass-teleport`. Defaults to this tbot binary. Repeatable to add additional args.                                                     |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--proxy-templates-path`     | none    | A path to a proxy template config file. Optional.                                                                                                                                           |
| `--reader-group`             | none    | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                         |
| `--reader-user`              | none    | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                          |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |

## tbot start workload-identity-api

Starts tbot with a workload identity API listener. Compatible with the SPIFFE Workload API and Envoy SDS.

Usage:

```
$ tbot start workload-identity-api --listen=LISTEN [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--label-selector`           | none    | A label-based selector for which workload identities to issue. Multiple labels can be provided using ','. Mutually exclusive with --name-selector.                                          |
| `--listen`                   | none    | The address on which the workload identity API should listen. This should be prefixed with either `unix://` or `tcp://`.                                                                    |
| `--name-selector`            | none    | The name of the workload identity to issue. Mutually exclusive with --label-selector.                                                                                                       |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |

## tbot start workload-identity-aws-roles-anywhere

Starts tbot with an output containing AWS credentials generated via AWS Roles Anywhere.

Usage:

```
$ tbot start workload-identity-aws-roles-anywhere --destination=DESTINATION --role-arn=ROLE-ARN --profile-arn=PROFILE-ARN --trust-anchor-arn=TRUST-ANCHOR-ARN [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--destination`              | none    | A destination URI, such as file:///foo/bar                                                                                                                                                  |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--label-selector`           | none    | A label-based selector for which workload identities to issue. Multiple labels can be provided using ','. Mutually exclusive with --name-selector.                                          |
| `--name-selector`            | none    | The name of the workload identity to issue. Mutually exclusive with --label-selector.                                                                                                       |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--profile-arn`              | none    | The ARN of the Roles Anywhere profile to use.                                                                                                                                               |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--reader-group`             | none    | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                         |
| `--reader-user`              | none    | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                          |
| `--region`                   | none    | The AWS region to use. If unset, the value from the AWS config or the AWS\_REGION environment variable is used.                                                                             |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--role-arn`                 | none    | The ARN of the role to assume.                                                                                                                                                              |
| `--session-duration`         | none    | The duration of the resulting AWS session and credentials. This may be up to 12 hours. When unset, this defaults to 6 hours.                                                                |
| `--session-renewal-interval` | none    | How often the session should be renewed. This should be less than the session duration. When unset, this defaults to 1 hour.                                                                |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |
| `--trust-anchor-arn`         | none    | The ARN of the Roles Anywhere trust anchor to use.                                                                                                                                          |

## tbot start workload-identity-jwt

Starts tbot with a SPIFFE-compatible JWT SVID output.

Usage:

```
$ tbot start workload-identity-jwt --destination=DESTINATION --audience=AUDIENCE [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                         | Default | Description                                                                                                                                                                                 |
| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`        | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--audience`                 | none    | Specify the audiences to include in the JWT. At least one audience must be specified.                                                                                                       |
| `--ca-pin`                   | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`          | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--destination`              | none    | A destination URI, such as file:///foo/bar                                                                                                                                                  |
| `--diag-addr`                | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`              | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                 | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--label-selector`           | none    | A label-based selector for which workload identities to issue. Multiple labels can be provided using ','. Mutually exclusive with --name-selector.                                          |
| `--name-selector`            | none    | The name of the workload identity to issue. Mutually exclusive with --label-selector.                                                                                                       |
| `--[no-]oneshot`             | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                 | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`             | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--reader-group`             | none    | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                         |
| `--reader-user`              | none    | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                          |
| `--registration-secret`      | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path` | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`         | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`          | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                  | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                    | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |

## tbot start workload-identity-x509

Starts tbot with a SPIFFE-compatible SVID output.

Usage:

```
$ tbot start workload-identity-x509 --destination=DESTINATION [<flags>]
```

Environment variables:

| Variable               | Default | Description                                                                                                   |
| ---------------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `TELEPORT_AUTH_SERVER` | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                              |
| `TELEPORT_BOT_TOKEN`   | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect. |
| `TELEPORT_PROXY`       | none    | Address of the Teleport Proxy Server.                                                                         |

Flags:

| Flag                                     | Default | Description                                                                                                                                                                                 |
| ---------------------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-a`, `--auth-server`                    | none    | Address of the Teleport Auth Server. Prefer using --proxy-server where possible.                                                                                                            |
| `--ca-pin`                               | none    | CA pin to validate the Teleport Auth Server; used on first connect.                                                                                                                         |
| `--certificate-ttl`                      | none    | TTL of short-lived machine certificates.                                                                                                                                                    |
| `--destination`                          | none    | A destination URI, such as file:///foo/bar                                                                                                                                                  |
| `--diag-addr`                            | none    | If set and the bot is in debug mode, a diagnostics service will listen on the specified address.                                                                                            |
| `--join-method`                          | none    | Method to use to join the cluster. (azure, azure\_devops, bitbucket, circleci, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm, terraform\_cloud, oracle, bound\_keypair, env0) |
| `--join-uri`                             | none    | An optional URI with joining and authentication parameters. Individual flags for proxy, join method, token, etc. may be used instead.                                                       |
| `--label-selector`                       | none    | A label-based selector for which workload identities to issue. Multiple labels can be provided using ','. Mutually exclusive with --name-selector.                                          |
| `--name-selector`                        | none    | The name of the workload identity to issue. Mutually exclusive with --label-selector.                                                                                                       |
| `--[no-]include-federated-trust-bundles` | `false` | If set, include federated trust bundles in the output.                                                                                                                                      |
| `--[no-]oneshot`                         | `false` | If set, quit after the first renewal.                                                                                                                                                       |
| `--pid-file`                             | none    | Full path to the PID file. By default no PID file will be created.                                                                                                                          |
| `--proxy-server`                         | none    | Address of the Teleport Proxy Server.                                                                                                                                                       |
| `--reader-group`                         | none    | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                         |
| `--reader-user`                          | none    | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                                          |
| `--registration-secret`                  | none    | For bound keypair joining, specifies a registration secret for use at first join.                                                                                                           |
| `--registration-secret-path`             | none    | For bound keypair joining, specifies a file containing a registration secret for use at first join.                                                                                         |
| `--renewal-interval`                     | none    | Interval at which short-lived certificates are renewed; must be less than the certificate TTL.                                                                                              |
| `--static-key-path`                      | none    | For bound keypair joining, specifies a path to a static key.                                                                                                                                |
| `--storage`                              | none    | A destination URI for tbot's internal storage, e.g. file:///foo/bar                                                                                                                         |
| `--token`                                | none    | A bot join token or path to file with token value, if attempting to onboard a new bot; used on first connect.                                                                               |

## tbot tpm identify

Outputs identifying information related to the TPM detected on the system.

Usage:

```
$ tbot tpm identify
```

## tbot version

Prints the version of this tbot binary.

Usage:

```
$ tbot version
```

## tbot wait

Waits for a running tbot to become ready.

Usage:

```
$ tbot wait --diag-addr=DIAG-ADDR [<flags>]
```

Flags:

| Flag          | Default | Description                                                                                                     |
| ------------- | ------- | --------------------------------------------------------------------------------------------------------------- |
| `--diag-addr` | none    | The configured --diag-addr of a running bot, in host:port form.                                                 |
| `--service`   | none    | An optional name. If set, waits for only the named service to become healthy. If unset, waits for all services. |
| `--timeout`   | none    | An optional timeout. If set, returns an error if the specified services have not all reported healthy by the timeout.                                                           |
