diff --git a/docs/pages/access-controls/access-request-plugins/ssh-approval-mattermost.mdx b/docs/pages/access-controls/access-request-plugins/ssh-approval-mattermost.mdx index 4e923f594a163..d9b041bb4d761 100644 --- a/docs/pages/access-controls/access-request-plugins/ssh-approval-mattermost.mdx +++ b/docs/pages/access-controls/access-request-plugins/ssh-approval-mattermost.mdx @@ -29,20 +29,23 @@ Requests in the Proxy or Auth Service. ## Step 2/8. Install the Teleport Mattermost plugin - + + We recommend installing Teleport plugins on the same host as the Teleport Proxy Service. This is an ideal location as plugins have a low memory footprint, and will require both public internet access and Teleport Auth Service access. - + - + Install the Teleport Mattermost plugin on a host that can access both your Teleport Proxy Service and your Mattermost deployment. - + + + (!docs/pages/includes/plugins/install-access-request.mdx name="mattermost"!) diff --git a/docs/pages/access-controls/access-requests/resource-requests.mdx b/docs/pages/access-controls/access-requests/resource-requests.mdx index 06ae8d2ded7a4..a08fa85d83550 100644 --- a/docs/pages/access-controls/access-requests/resource-requests.mdx +++ b/docs/pages/access-controls/access-requests/resource-requests.mdx @@ -13,16 +13,12 @@ under the hood. The Access Request API makes it easy to dynamically approve or deny these requests. - - Just-in-time Access Requests are a feature of Teleport Enterprise. Open-source Teleport users can get a preview of how Access Requests work by requesting a role via the Teleport CLI. Full Access Request functionality, including Resource Access Requests and an intuitive and searchable UI are available in Teleport Enterprise. - - ## Prerequisites (!docs/pages/includes/commercial-prereqs-tabs.mdx!) diff --git a/docs/pages/access-controls/guides/hardware-key-support.mdx b/docs/pages/access-controls/guides/hardware-key-support.mdx index fe17e1a27f97a..2760738cd163d 100644 
--- a/docs/pages/access-controls/guides/hardware-key-support.mdx +++ b/docs/pages/access-controls/guides/hardware-key-support.mdx @@ -127,7 +127,8 @@ role or to that cluster must use their hardware key for all Teleport requests. Affected users will be prompted to connect and touch their YubiKey to sign in. The first time users sign in with their hardware key they might be required to immediately sign in again. - + + ```code $ tsh login --user=dev --proxy=proxy.example.com:3080 @@ -143,9 +144,9 @@ $ tsh login --user=dev --proxy=proxy.example.com:3080 ``` - + - + ```code $ tsh login --user=dev --proxy=proxy.example.com:3080 @@ -160,9 +161,9 @@ $ tsh login --user=dev --proxy=proxy.example.com:3080 # ... ``` - + - + ```code $ tsh login --user=dev --proxy=proxy.example.com:3080 @@ -177,7 +178,9 @@ $ tsh login --user=dev --proxy=proxy.example.com:3080 # ... ``` - + + + Affected users with existing sessions that aren't backed by a hardware key are prompted to sign in again on their next request. For example: diff --git a/docs/pages/access-controls/guides/per-session-mfa.mdx b/docs/pages/access-controls/guides/per-session-mfa.mdx index eb4f8aa49e4a3..79f67f0e66564 100644 --- a/docs/pages/access-controls/guides/per-session-mfa.mdx +++ b/docs/pages/access-controls/guides/per-session-mfa.mdx @@ -70,7 +70,8 @@ Per-session MFA can be enforced cluster-wide or only for some specific roles. ### Cluster-wide - + + To enforce MFA checks for all roles, edit your cluster authentication configuration: @@ -118,8 +119,8 @@ $ tctl create -f cap.yaml - - + + Obtain your existing `cluster_auth_preference` resource: @@ -146,7 +147,9 @@ Create the resource: $ tctl create -f cap.yaml ``` - + + + ### Per role diff --git a/docs/pages/application-access/guides/dynamic-registration.mdx b/docs/pages/application-access/guides/dynamic-registration.mdx index 151f6482482f3..a8538a8281f84 100644 --- a/docs/pages/application-access/guides/dynamic-registration.mdx 
+++ b/docs/pages/application-access/guides/dynamic-registration.mdx @@ -72,7 +72,8 @@ version: v5 To create an application resource, run: - + + ```code # Log in to your cluster with tsh so you can use tctl from your local machine. @@ -82,8 +83,8 @@ $ tsh login --proxy=teleport.example.com --user=myuser $ tctl create app.yaml ``` - - + + ```code # Log in to your Teleport cluster so you can use tctl remotely. @@ -91,7 +92,9 @@ $ tsh login --proxy=mytenant.teleport.sh --user=myuser $ tctl create app.yaml ``` - + + + After the resource has been created, it will appear among the list of available apps (in `tsh apps ls` or UI) as long as at least one Application Service diff --git a/docs/pages/choose-an-edition/teleport-enterprise/hsm.mdx b/docs/pages/choose-an-edition/teleport-enterprise/hsm.mdx index fd1568cfb91a0..21991396213be 100644 --- a/docs/pages/choose-an-edition/teleport-enterprise/hsm.mdx +++ b/docs/pages/choose-an-edition/teleport-enterprise/hsm.mdx @@ -7,12 +7,6 @@ h1: Teleport HSM Support This guide will show you how to set up the Teleport Auth Service to use a hardware security module (HSM) to store and handle private keys. - - -This guide is intended for Teleport Enterprise users. - - - ## Prerequisites - Teleport v(=teleport.version=) Enterprise (self-hosted). @@ -358,3 +352,4 @@ You are all set! Check the teleport logs for `Creating new HSM key pair` to confirm that the feature is working. You can also check that keys were created in your HSM using your HSM's admin tool. + diff --git a/docs/pages/database-access/guides/aws-cassandra-keyspaces.mdx b/docs/pages/database-access/guides/aws-cassandra-keyspaces.mdx index 627b3f94a3043..699691d440e25 100644 --- a/docs/pages/database-access/guides/aws-cassandra-keyspaces.mdx +++ b/docs/pages/database-access/guides/aws-cassandra-keyspaces.mdx 
@@ -15,12 +15,15 @@ description: How to configure Teleport database access with AWS Keyspaces (Apach (!docs/pages/includes/database-access/db-introduction.mdx dbType="AWS Keyspaces (Apache Cassandra)" dbConfigure="AWS Keyspaces database with IAM authentication" dbName="AWS Keyspaces" !) - + + ![Teleport Database Access Redis Self-Hosted](../../../img/database-access/guides/cassandra_keyspaces_selfhosted.png) - - + + ![Teleport Database Access Redis Cloud](../../../img/database-access/guides/cassandra_keyspaces_cloud.png) - + + + ## Prerequisites @@ -41,7 +44,8 @@ Install Teleport on the host where you will run the Teleport Database Service: (!docs/pages/includes/install-linux.mdx!) - + + Create a configuration for the Teleport Database Service, pointing the `--proxy` flag to the address of your Teleport Proxy Service: @@ -57,8 +61,8 @@ $ teleport db configure create \ --labels=env=dev ``` - - + + Create a configuration for the Teleport Database Service, pointing the `--proxy` flag to the address of your Teleport Proxy Service: @@ -74,7 +78,9 @@ $ teleport db configure create \ --labels=env=dev ``` - + + + (!docs/pages/includes/aws-credentials.mdx service="the Teleport Database Service"!) @@ -134,7 +140,8 @@ assume the IAM roles: Once the Database Service has joined the cluster, log in to see the available databases: - + + ```code $ tsh login --proxy=teleport.example.com --user=alice @@ -144,8 +151,8 @@ databases: # keyspaces [*] env=dev ``` - - + + ```code $ tsh login --proxy=mytenant.teleport.sh --user=alice @@ -155,7 +162,9 @@ databases: # keyspaces [*] env=dev ``` - + + + To connect to a particular database instance using the `KeyspacesReader` AWS IAM Keyspaces role as a database user: ```code @@ -183,3 +192,4 @@ $ tsh db logout ## Next steps (!docs/pages/includes/database-access/guides-next-steps.mdx!) + 
diff --git a/docs/pages/database-access/guides/azure-postgres-mysql.mdx b/docs/pages/database-access/guides/azure-postgres-mysql.mdx index 3599332bf1b9c..fa16f5ac5ddd5 100644 --- a/docs/pages/database-access/guides/azure-postgres-mysql.mdx +++ b/docs/pages/database-access/guides/azure-postgres-mysql.mdx @@ -17,12 +17,15 @@ Teleport `12.0`. (!docs/pages/includes/database-access/db-introduction.mdx dbType="Azure PostgreSQL or MySQL" dbConfigure="Azure PostgreSQL or MySQL database with IAM authentication" dbName="Azure PostgreSQL or MySQL" !) - + + ![Teleport Database Access Azure PostgreSQL/MySQL Self-Hosted](../../../img/database-access/guides/azure_selfhosted.png) - - + + ![Teleport Database Access Azure PostgreSQL/MySQL Cloud](../../../img/database-access/guides/azure_cloud.png) - + + + ## Prerequisites @@ -371,7 +374,8 @@ You can create multiple database users identified by the same service principal. Log in to your Teleport cluster. Your Azure database should appear in the list of available databases: - + + ```code $ tsh login --proxy=teleport.example.com --user=alice @@ -381,8 +385,8 @@ $ tsh db ls # azure-db env=dev ``` - - + + ```code $ tsh login --proxy=mytenant.teleport.sh --user=alice @@ -392,7 +396,9 @@ $ tsh db ls # azure-db env=dev ``` - + + + To retrieve credentials for a database and connect to it: @@ -431,3 +437,4 @@ $ tsh db logout azure-db ## Next steps (!docs/pages/includes/database-access/guides-next-steps.mdx!) + diff --git a/docs/pages/database-access/guides/azure-sql-server-ad.mdx b/docs/pages/database-access/guides/azure-sql-server-ad.mdx index cae96dc81395f..d733b809f703e 100644 --- a/docs/pages/database-access/guides/azure-sql-server-ad.mdx +++ b/docs/pages/database-access/guides/azure-sql-server-ad.mdx 
@@ -16,12 +16,15 @@ description: How to configure Teleport database access with Azure SQL Server usi (!docs/pages/includes/database-access/db-introduction.mdx dbType="Azure SQL Server" dbConfigure="Azure SQL Server using Azure Active Directory authentication" dbName="Azure SQL Server" !) - + + ![Teleport Database Access Azure SQL Server Azure Active Directory Self-Hosted](../../../img/database-access/guides/sqlserver/sql-aad.png) - - + + ![Teleport Database Access Azure SQL Server Azure Active Directory Cloud](../../../img/database-access/guides/sqlserver/cloud-sql-aad.png) - + + + ## Prerequisites @@ -182,7 +185,8 @@ Install Teleport on the host where you will run the Teleport Database Service: Generate a configuration file at `/etc/teleport.yaml` for the Database Service: - + + ```code $ teleport db configure create \ @@ -192,8 +196,8 @@ $ teleport db configure create \ --azure-sqlserver-discovery=eastus ``` - - + + ```code $ teleport db configure create \ -o file \ @@ -201,7 +205,9 @@ $ teleport db configure create \ --proxy=mytenant.teleport.sh:443 \ --azure-sqlserver-discovery=eastus ``` - + + + The command will generate a Database Service configuration with Azure SQL Server auto-discovery enabled in the `eastus` region and place it at the @@ -225,7 +231,8 @@ Server auto-discovery enabled in the `eastus` region and place it at the Log in to your Teleport cluster. Your database should appear in the list of available databases: - + + ```code $ tsh login --proxy=teleport.example.com --user=alice @@ -236,8 +243,8 @@ sqlserver Azure SQL Server in westeurope [*] ... sqlserver-managed Azure Managed SQL Server in eastus [*] ... ``` - - + + ```code $ tsh login --proxy=mytenant.teleport.sh --user=alice @@ -248,7 +255,9 @@ sqlserver Azure SQL Server in westeurope [*] ... sqlserver-managed Azure Managed SQL Server in eastus [*] ... ``` - + + + To retrieve credentials for a database and connect to it: 
@@ -304,3 +313,4 @@ To check if the VM has access, you can do the following on the VM: ## Next steps (!docs/pages/includes/database-access/guides-next-steps.mdx!) + diff --git a/docs/pages/database-access/guides/cassandra-self-hosted.mdx b/docs/pages/database-access/guides/cassandra-self-hosted.mdx index aa73d80543b8f..3fe4436688475 100644 --- a/docs/pages/database-access/guides/cassandra-self-hosted.mdx +++ b/docs/pages/database-access/guides/cassandra-self-hosted.mdx @@ -15,12 +15,15 @@ description: How to configure Teleport database access with Cassandra and Scylla (!docs/pages/includes/database-access/db-introduction.mdx dbType="Cassandra or ScyllaDB" dbConfigure="Cassandra or ScyllaDB with mutual TLS authentication" dbName="Cassandra or ScyllaDB" !) - + + ![Teleport Database Access Cassandra Self-Hosted](../../../img/database-access/guides/cassandra_selfhosted.png) - - + + ![Teleport Database Access Cassandra Cloud](../../../img/database-access/guides/cassandra_cloud.png) - + + + ## Prerequisites @@ -138,7 +141,8 @@ Follow the instructions for your database to enable TLS communication with your Once the Database Service has joined the cluster, log in to see the available databases: - + + ```code $ tsh login --proxy=teleport.example.com --user=alice @@ -148,8 +152,8 @@ databases: # cassandra Cassandra Example [*] env=dev ``` - - + + ```code $ tsh login --proxy=mytenant.teleport.sh --user=alice @@ -159,7 +163,9 @@ databases: # cassandra Cassandra Example [*] env=dev ``` - + + + To connect to a particular database instance : ```code @@ -183,3 +189,4 @@ $ tsh db logout ## Next steps (!docs/pages/includes/database-access/guides-next-steps.mdx!) + diff --git a/docs/pages/database-access/guides/cockroachdb-self-hosted.mdx b/docs/pages/database-access/guides/cockroachdb-self-hosted.mdx index 8ca92c3850c1b..e577e8238ea6a 100644 --- a/docs/pages/database-access/guides/cockroachdb-self-hosted.mdx +++ b/docs/pages/database-access/guides/cockroachdb-self-hosted.mdx 
@@ -5,12 +5,15 @@ description: How to configure Teleport database access with self-hosted Cockroac (!docs/pages/includes/database-access/db-introduction.mdx dbType="CockroachDB" dbConfigure="CockroachDB with mutual TLS authentication" dbName="CockroachDB" !) - + + ![Teleport Database Access CockroachDB Self-Hosted](../../../img/database-access/guides/cockroachdb_selfhosted.png) - - + + ![Teleport Database Access CockroachDB Cloud](../../../img/database-access/guides/cockroachdb_cloud.png) - + + + ## Prerequisites @@ -163,3 +166,4 @@ $ tsh db logout roach (!docs/pages/includes/database-access/guides-next-steps.mdx!) - [CockroachDB client authentication](https://www.cockroachlabs.com/docs/stable/authentication.html#client-authentication) + diff --git a/docs/pages/database-access/guides/mongodb-self-hosted.mdx b/docs/pages/database-access/guides/mongodb-self-hosted.mdx index 45d59aff33239..a3f458e80736b 100644 --- a/docs/pages/database-access/guides/mongodb-self-hosted.mdx +++ b/docs/pages/database-access/guides/mongodb-self-hosted.mdx @@ -6,12 +6,15 @@ videoBanner: 6lgVObxoLkc (!docs/pages/includes/database-access/db-introduction.mdx dbType="MongoDB cluster" dbConfigure="MongoDB cluster with mutual TLS authentication" dbName="MongoDB" !) - + + ![Teleport Database Access MongoDB Self-Hosted](../../../img/database-access/guides/mongodb_selfhosted.png) - - + + ![Teleport Database Access MongoDB Cloud](../../../img/database-access/guides/mongodb_cloud.png) - + + + ## Prerequisites @@ -192,7 +195,8 @@ in the MongoDB documentation for more details. Log in to your Teleport cluster and see available databases: - + + ```code $ tsh login --proxy=teleport.example.com --user=alice @@ -202,8 +206,8 @@ $ tsh db ls # example-mongo Example MongoDB env=dev ``` - - + + ```code $ tsh login --proxy=mytenant.teleport.sh --user=alice @@ -213,7 +217,9 @@ $ tsh db ls # example-mongo Example MongoDB env=dev ``` - + + + To retrieve credentials for a database and connect to it: 
@@ -247,3 +253,4 @@ $ tsh db logout ## Next steps (!docs/pages/includes/database-access/guides-next-steps.mdx!) + diff --git a/docs/pages/database-access/guides/mysql-self-hosted.mdx b/docs/pages/database-access/guides/mysql-self-hosted.mdx index 97445cc11bdd5..a8b6927b9bab2 100644 --- a/docs/pages/database-access/guides/mysql-self-hosted.mdx +++ b/docs/pages/database-access/guides/mysql-self-hosted.mdx @@ -5,12 +5,15 @@ description: How to configure Teleport database access with self-hosted MySQL/Ma (!docs/pages/includes/database-access/db-introduction.mdx dbType="MySQL or MariaDB" dbConfigure="MySQL or MariaDB database with mutual TLS authentication" dbName="MySQL or MariaDB" !) - + + ![Teleport Database Access MySQL Self-Hosted](../../../img/database-access/guides/mysql_selfhosted.png) - - + + ![Teleport Database Access MySQL Cloud](../../../img/database-access/guides/mysql_cloud.png) - + + + ## Prerequisites @@ -160,7 +163,8 @@ Install and configure Teleport where you will run the Teleport Database Service: Once the Database Service has joined the cluster, log in to see the available databases: - + + ```code $ tsh login --proxy=teleport.example.com --user=alice @@ -170,8 +174,8 @@ $ tsh db ls # example-mysql Example MySQL env=dev ``` - - + + ```code $ tsh login --proxy=mytenant.teleport.sh --user=alice @@ -181,7 +185,9 @@ $ tsh db ls # example-mysql Example MySQL env=dev ``` - + + + Note that you will only be able to see databases your role has access to. See the [RBAC](../rbac.mdx) guide for more details. @@ -212,3 +218,4 @@ $ tsh db logout example-mysql # Remove credentials for all database instances. $ tsh db logout ``` + diff --git a/docs/pages/database-access/guides/oracle-self-hosted.mdx b/docs/pages/database-access/guides/oracle-self-hosted.mdx index db3ec5573c84f..7510fce9dc49b 100644 --- a/docs/pages/database-access/guides/oracle-self-hosted.mdx +++ b/docs/pages/database-access/guides/oracle-self-hosted.mdx 
@@ -10,12 +10,15 @@ description: How to configure Teleport database access with Oracle. (!docs/pages/includes/database-access/db-introduction.mdx dbType="Oracle" dbConfigure="Oracle with mutual TLS authentication" dbName="Oracle" !) - + + ![Teleport Database Access Self-hosted Oracle](../../../img/database-access/guides/oracle_selfhosted.png) - - + + ![Teleport Database Access Oracle Cloud](../../../img/database-access/guides/oracle_selfhosted_cloud.png) - + + + ## Prerequisites @@ -229,3 +232,4 @@ $ tsh db logout (!docs/pages/includes/database-access/guides-next-steps.mdx!) - Learn more about `sqlnet.ora` and `listener.ora` configuration from the [Parameters for the sqlnet.ora File](https://docs.oracle.com/en/database/oracle/oracle-database/18/netrf/parameters-for-the-sqlnet-ora-file.html#GUID-28040885-6832-4FFC-9258-0EF19FE9A3AC) and [Oracle Net Listener Parameters in the listener.ora File](https://docs.oracle.com/en/database/oracle/oracle-database/18/netrf/Oracle-Net-Listener-parameters-in-listener-ora-file.html#GUID-F9FA0DF5-2FAF-45CA-B6A1-F0166C7BFE54) Oracle documentation. + diff --git a/docs/pages/database-access/guides/postgres-cloudsql.mdx b/docs/pages/database-access/guides/postgres-cloudsql.mdx index 78366f96d529c..6ab49327ceceb 100644 --- a/docs/pages/database-access/guides/postgres-cloudsql.mdx +++ b/docs/pages/database-access/guides/postgres-cloudsql.mdx @@ -6,12 +6,15 @@ videoBanner: br9LZ3ZXqCk (!docs/pages/includes/database-access/db-introduction.mdx dbType="PostgreSQL on Google Cloud SQL" dbConfigure="PostgreSQL on Google Cloud SQL with a service account" dbName="PostgreSQL on Google Cloud SQL" !) - + + ![Teleport Database Access CloudSQL Self-Hosted](../../../img/database-access/guides/cloudsql_selfhosted.png) - - + + ![Teleport Database Access CloudSQL Cloud](../../../img/database-access/guides/cloudsql_cloud.png) - + + + ## Prerequisites 
@@ -191,7 +194,8 @@ Install Teleport on the host where you will run the Teleport Database Service: Below is an example of a Database Service configuration file that proxies a single Cloud SQL PostgreSQL database. Save this to `/etc/teleport.yaml`: - + + ```yaml version: v3 @@ -235,8 +239,8 @@ proxy_service: enabled: "no" ``` - - + + ```yaml version: v3 @@ -278,7 +282,9 @@ proxy_service: enabled: "no" ``` - + + + + + ```code $ tsh login --proxy=teleport.example.com --user=alice @@ -327,8 +334,8 @@ $ tsh db ls # cloudsql GCP Cloud SQL PostgreSQL env=dev ``` - - + + ```code $ tsh login --proxy=mytenant.teleport.sh --user=alice @@ -338,7 +345,9 @@ $ tsh db ls # cloudsql GCP Cloud SQL PostgreSQL env=dev ``` - + + + Note that you will only be able to see databases your role has access to. See our [RBAC](../rbac.mdx) guide for more details. @@ -377,3 +386,4 @@ $ tsh db logout cloudsql # Remove credentials for all database instances. $ tsh db logout ``` + diff --git a/docs/pages/database-access/guides/postgres-redshift.mdx b/docs/pages/database-access/guides/postgres-redshift.mdx index ce81f35180d32..beee759d8a967 100644 --- a/docs/pages/database-access/guides/postgres-redshift.mdx +++ b/docs/pages/database-access/guides/postgres-redshift.mdx @@ -6,12 +6,15 @@ videoBanner: UFhT52d5bYg (!docs/pages/includes/database-access/db-introduction.mdx dbType="AWS Redshift" dbConfigure="AWS Redshift database with IAM authentication" dbName="AWS Redshift" !) - + + ![Teleport Database Access Redshift Self-Hosted](../../../img/database-access/guides/redshift_selfhosted.png) - - + + ![Teleport Database Access Redshift Cloud](../../../img/database-access/guides/redshift_cloud.png) - + + + ## Prerequisites @@ -40,7 +43,8 @@ Install Teleport on the host where you will run the Teleport Database Service: On the node that is running the Database Service, create a configuration file: - + + ```code $ teleport db configure create \ 
@@ -50,8 +54,8 @@ $ teleport db configure create \ --redshift-discovery=us-west-1 ``` - - + + ```code $ teleport db configure create \ @@ -61,7 +65,9 @@ $ teleport db configure create \ --redshift-discovery=us-west-1 ``` - + + + The command will generate a Database Service configuration with Redshift database auto-discovery enabled on the `us-west-1` region and place it at the @@ -92,7 +98,8 @@ may not propagate immediately and can take a few minutes to come into effect. ## Step 5/5. Connect - + + Once the Database Service has started and joined the cluster, log in to see the registered databases. Replace `--proxy` with the address of your Teleport Proxy @@ -106,8 +113,8 @@ $ tsh db ls # my-redshift Redshift cluster in us-east-1 ... ``` - - + + Once the Database Service has started and joined the cluster, log in to see the registered databases. Replace `--proxy` with the address of your Teleport Cloud @@ -121,7 +128,9 @@ $ tsh db ls # my-redshift Redshift cluster in us-east-1 ... ``` - + + + You can override the database name by applying the `TeleportDatabaseName` AWS tag to the resource. The value of the tag will be used as the database name. @@ -164,3 +173,4 @@ $ tsh db logout my-redshift - Learn how to [restrict access](../rbac.mdx) to certain users and databases. - View the [High Availability (HA)](../guides/ha.mdx) guide. - Take a look at the YAML configuration [reference](../reference/configuration.mdx). + diff --git a/docs/pages/database-access/guides/postgres-self-hosted.mdx b/docs/pages/database-access/guides/postgres-self-hosted.mdx index d102bbcc5e3d9..cc79455f221f9 100644 --- a/docs/pages/database-access/guides/postgres-self-hosted.mdx +++ b/docs/pages/database-access/guides/postgres-self-hosted.mdx 
@@ -5,12 +5,15 @@ description: How to configure Teleport database access with self-hosted PostgreS (!docs/pages/includes/database-access/db-introduction.mdx dbType="PostgreSQL" dbConfigure="PostgreSQL database with mutual TLS authentication" dbName="PostgreSQL" !) - + + ![Teleport Database Access PostgreSQL Self-Hosted](../../../img/database-access/guides/postgresqlselfhosted_selfhosted.png) - - + + ![Teleport Database Access PostgreSQL Cloud](../../../img/database-access/guides/postgresqlselfhosted_cloud.png) - + + + ## Prerequisites @@ -109,7 +112,8 @@ Install and configure Teleport where you will run the Teleport Database Service: Once the Database Service has joined the cluster, log in to see the available databases: - + + ```code $ tsh login --proxy=teleport.example.com --user=alice @@ -119,8 +123,8 @@ $ tsh db ls # example-postgres Example PostgreSQL env=dev ``` - - + + ```code $ tsh login --proxy=mytenant.teleport.sh --user=alice @@ -130,7 +134,9 @@ $ tsh db ls # example-postgres Example PostgreSQL env=dev ``` - + + + Note that you will only be able to see databases your role has access to. See [RBAC](../rbac.mdx) section for more details. @@ -160,3 +166,4 @@ $ tsh db logout ## Next steps - Set up [automatic database user provisioning](../rbac/configuring-auto-user-provisioning.mdx). + diff --git a/docs/pages/database-access/guides/redshift-serverless.mdx b/docs/pages/database-access/guides/redshift-serverless.mdx index e4c6ed0dd03d3..83da04989d031 100644 --- a/docs/pages/database-access/guides/redshift-serverless.mdx +++ b/docs/pages/database-access/guides/redshift-serverless.mdx 
@@ -10,12 +10,15 @@ This guide will help you to: - Set up Teleport to access your AWS Redshift Serverless workgroups. - Connect to your databases through Teleport. - + + ![Teleport Database Access Redshift Self-Hosted](../../../img/database-access/guides/redshift_selfhosted_serverless.png) - - + + ![Teleport Database Access Redshift Cloud](../../../img/database-access/guides/redshift_cloud_serverless.png) - + + + ## Prerequisites @@ -357,3 +360,4 @@ prior to logging in as this new IAM role to avoid or resolve user permission iss - Learn how to [restrict access](../rbac.mdx) to certain users and databases. - View the [High Availability (HA)](../guides/ha.mdx) guide. - Take a look at the YAML configuration [reference](../reference/configuration.mdx). + diff --git a/docs/pages/database-access/guides/sql-server-ad-pkinit.mdx b/docs/pages/database-access/guides/sql-server-ad-pkinit.mdx index b90d655e27f83..56aa11f9671d0 100644 --- a/docs/pages/database-access/guides/sql-server-ad-pkinit.mdx +++ b/docs/pages/database-access/guides/sql-server-ad-pkinit.mdx @@ -5,7 +5,8 @@ description: How to configure Microsoft SQL Server access with Active Directory (!docs/pages/includes/database-access/db-introduction.mdx dbType="Microsoft SQL Server" dbConfigure="Microsoft SQL Server database with PKINIT authentication" dbName="Microsoft SQL Server" !) - + + ```mermaid %%{ init: { 'flowchart': { 'curve': 'stepBefore' } } }%% graph LR @@ -29,8 +30,8 @@ style local fill:#C0C0C0,stroke: #000000 e-->d end ``` - - + + ```mermaid %%{ init: { 'flowchart': { 'curve': 'stepBefore' } } }%% graph LR @@ -54,7 +55,9 @@ style local fill:#C0C0C0,stroke: #000000 e-->d end ``` - + + + This guide will focus on SQL Servers using self-hosted Active Directory authentication. 
@@ -320,7 +323,8 @@ master> CREATE LOGIN [EXAMPLE\alice] FROM WINDOWS WITH DEFAULT_DATABASE = [maste Log in to your Teleport cluster. Your SQL Server database should appear in the list of available databases: - + + ```code $ tsh login --proxy=teleport.example.com --user=alice @@ -330,8 +334,8 @@ $ tsh db ls # sqlserver env=dev ``` - - + + ```code $ tsh login --proxy=mytenant.teleport.sh --user=alice @@ -341,7 +345,9 @@ $ tsh db ls # sqlserver env=dev ``` - + + + To retrieve credentials for a database and connect to it: @@ -416,3 +422,4 @@ skipping TLS verification in production environments. ## Further reading - [Kerberos PKINIT authentication](https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html). + diff --git a/docs/pages/database-access/reference/configuration.mdx b/docs/pages/database-access/reference/configuration.mdx index 160d0ba151ec6..748d61f06f014 100644 --- a/docs/pages/database-access/reference/configuration.mdx +++ b/docs/pages/database-access/reference/configuration.mdx @@ -184,7 +184,8 @@ spec: You can create a new `db` resource by running the following commands, which assume that you have created a YAML file called `db.yaml` with your configuration: - + + ```code # Log in to your cluster with tsh so you can use tctl from your local machine. @@ -195,8 +196,8 @@ $ tsh login --proxy=teleport.example.com --user=myuser $ tctl create -f db.yaml ``` - - + + ```code # Log in to your Teleport cluster so you can use tctl from your local machine. @@ -205,4 +206,7 @@ $ tsh login --proxy=mytenant.teleport.sh --user=myuser $ tctl create -f db.yaml ``` - + + + + diff --git a/docs/pages/deploy-a-cluster/deployments/aws-terraform.mdx b/docs/pages/deploy-a-cluster/deployments/aws-terraform.mdx index 54bfd380b6378..dcb0c6df5f64f 100644 --- a/docs/pages/deploy-a-cluster/deployments/aws-terraform.mdx +++ b/docs/pages/deploy-a-cluster/deployments/aws-terraform.mdx 
@@ -487,7 +487,8 @@ $ ssh -i ${TF_VAR_key_name}.pem -o ProxyCommand="ssh -i ${TF_VAR_key_name}.pem - 4 - Use the `tctl` command to create an admin user for Teleport: - + + ```code # From EC2 host $ sudo tctl users add teleport-admin --roles=editor,access --logins=root @@ -497,8 +498,8 @@ $ sudo tctl users add teleport-admin --roles=editor,access --logins=root # NOTE: Make sure teleport.example.com:443 points at a Teleport proxy which users can access. # When the user 'teleport-admin' activates their account, they will be assigned roles [editor, access] ``` - - + + ```code # From EC2 host $ sudo tctl users add teleport-admin --roles=editor,access,reviewer --logins=root @@ -508,7 +509,9 @@ $ sudo tctl users add teleport-admin --roles=editor,access,reviewer --logins=roo # NOTE: Make sure teleport.example.com:443 points at a Teleport proxy which users can access. # When the user 'teleport-admin' activates their account, they will be assigned roles [editor, access, reviewer] ``` - + + + 5 - Click the link to launch the Teleport web UI and finish setting up your user. You will need to scan the QR code with an TOTP-compatible app like Google Authenticator or Authy. You will also set a password for the @@ -524,7 +527,8 @@ You can [download the Teleport package containing the `tsh` client from here](ht - the client is the same for both OSS and Enterprise versions of Teleport. - + + ```code $ tsh login --proxy=${TF_VAR_route53_domain} --user=teleport-admin # Enter password for Teleport user teleport-admin: @@ -546,8 +550,8 @@ $ tsh ls $ tsh ssh root@ip-172-31-11-69-ec2-internal # [root@ip-172-31-11-69 ~]# ``` - - + + ```code $ tsh login --proxy=${TF_VAR_route53_domain} --user=teleport-admin # Enter password for Teleport user teleport-admin: @@ -569,7 +573,9 @@ $ tsh ls $ tsh ssh root@ip-172-31-11-69-ec2-internal # [root@ip-172-31-11-69 ~]# ``` - + + + ## Restarting/checking Teleport services 
@@ -899,3 +905,4 @@ $ ./connect.sh node ### AWS quotas (!docs/pages/includes/aws-quotas.mdx!) + diff --git a/docs/pages/deploy-a-cluster/helm-deployments/custom.mdx b/docs/pages/deploy-a-cluster/helm-deployments/custom.mdx index 11ffab03db172..3aec55bdb865c 100644 --- a/docs/pages/deploy-a-cluster/helm-deployments/custom.mdx +++ b/docs/pages/deploy-a-cluster/helm-deployments/custom.mdx @@ -123,21 +123,17 @@ $ kubectl label namespace teleport 'pod-security.kubernetes.io/enforce=baseline' namespace/teleport labeled ``` - +If you are running a self-hosted Teleport Enterprise cluster, you will need to +create a secret that contains your Teleport license information before you can +install Teleport. -Before you can install Teleport in your Kubernetes cluster, you will need to -create a secret that contains your Teleport license information. - -(!docs/pages/includes//enterprise/obtainlicense.mdx!) - -Create a secret from your license file. Teleport will automatically discover +1. (!docs/pages/includes//enterprise/obtainlicense.mdx!) +1. Create a secret from your license file. Teleport will automatically discover this secret as long as your file is named `license.pem`. -```code -$ kubectl -n teleport create secret generic license --from-file=license.pem -``` - - + ```code + $ kubectl -n teleport create secret generic license --from-file=license.pem + ``` Note that although the `proxy_service` listens on port 3080 inside the pod, @@ -210,7 +206,8 @@ If you're not migrating an existing Teleport cluster, you'll need to create a user to be able to log into Teleport. This needs to be done on the Teleport auth server, so we can run the command using `kubectl`: - + + ```code $ kubectl --namespace teleport exec deployment/teleport-auth -- tctl users add test --roles=access,editor 
@@ -219,8 +216,8 @@ https://teleport.example.com:443/web/invite/91cfbd08bc89122275006e48b516cc68 NOTE: Make sure teleport.example.com:443 points at a Teleport proxy that users can access. ``` - - + + ```code $ kubectl --namespace teleport exec deployment/teleport-auth -- tctl users add test --roles=access,editor,reviewer @@ -229,7 +226,9 @@ https://teleport.example.com:443/web/invite/91cfbd08bc89122275006e48b516cc68 NOTE: Make sure teleport.example.com:443 points at a Teleport proxy that users can access. ``` - + + + If you didn't set up DNS for your hostname earlier, remember to replace @@ -277,3 +276,4 @@ users and setting up RBAC. To see all of the options you can set in the values file for the `teleport-cluster` Helm chart, consult our [reference guide](../../reference/helm-reference/teleport-cluster.mdx). + diff --git a/docs/pages/deploy-a-cluster/helm-deployments/digitalocean.mdx b/docs/pages/deploy-a-cluster/helm-deployments/digitalocean.mdx index 3803136b9ed4e..426afef2d589f 100644 --- a/docs/pages/deploy-a-cluster/helm-deployments/digitalocean.mdx +++ b/docs/pages/deploy-a-cluster/helm-deployments/digitalocean.mdx @@ -123,7 +123,8 @@ Once you get the value for the external IP (it may take a few minutes for this f ## Step 3/4. Create and set up Teleport user Now we create a Teleport user by executing the `tctl` command with `kubectl`. - + + ```code $ kubectl --namespace teleport-cluster exec deployment/teleport-cluster-auth -- tctl users add tadmin --roles=access,editor --logins=ubuntu @@ -132,8 +133,8 @@ https://tele.example.com:443/web/invite/ NOTE: Make sure tele.example.com:443 points at a Teleport proxy which users can access. ``` - - + + ```code $ kubectl --namespace teleport-cluster exec deployment/teleport-cluster-auth -- tctl users add tadmin --roles=access,editor,reviewer --logins=ubuntu 
@@ -142,7 +143,9 @@ https://tele.example.com:443/web/invite/ NOTE: Make sure tele.example.com:443 points at a Teleport proxy which users can access. ``` - + + + Copy the link shown after executing the above command and open the link in a web browser to complete the user registration process (the link is `https://tele.example.com:443/web/invite/` in the above case).
@@ -213,7 +216,8 @@ $ export KUBECONFIG=${HOME?}/teleport-kubeconfig.yaml - + + ```code $ tsh login --proxy=tele.example.com:443 --auth=local --user=tadmin Enter password for Teleport user tadmin: @@ -228,8 +232,8 @@ Enter your OTP token: Valid until: 2021-10-27 06:37:15 +0000 UTC [valid for 12h0m0s] Extensions: permit-agent-forwarding, permit-port-forwarding, permit-pty ``` - - + + ```code $ tsh login --proxy=tele.example.com:443 --auth=local --user=tadmin Enter password for Teleport user tadmin: @@ -244,7 +248,9 @@ Enter your OTP token: Valid until: 2021-10-27 06:37:15 +0000 UTC [valid for 12h0m0s] Extensions: permit-agent-forwarding, permit-port-forwarding, permit-pty ``` - + + + ### Select the Kubernetes cluster @@ -280,3 +286,4 @@ Teleport: - [Set up Machine ID with Kubernetes](../../machine-id/guides/kubernetes.mdx) - [Federated Access using Trusted Clusters](../../kubernetes-access/manage-access/federation.mdx) - [Single-Sign On and Kubernetes Access Control](../../kubernetes-access/controls.mdx) + diff --git a/docs/pages/includes/database-access/db-introduction.mdx b/docs/pages/includes/database-access/db-introduction.mdx index 9305811bc2c23..460b3a9c89272 100644 --- a/docs/pages/includes/database-access/db-introduction.mdx +++ b/docs/pages/includes/database-access/db-introduction.mdx @@ -6,4 +6,5 @@ In this guide, you will: 1. Configure an {{ dbConfigure }}. 1. Join the {{ dbName }} database to your Teleport cluster. -1. Connect to the {{ dbName }} database via the Teleport Database Service. \ No newline at end of file +1. Connect to the {{ dbName }} database via the Teleport Database Service. + diff --git a/docs/pages/includes/database-access/tctl-auth-sign.mdx b/docs/pages/includes/database-access/tctl-auth-sign.mdx index 7c596bdd90988..6eeca14de1b3d 100644 --- a/docs/pages/includes/database-access/tctl-auth-sign.mdx +++ b/docs/pages/includes/database-access/tctl-auth-sign.mdx 
@@ -3,11 +3,9 @@ databases must be configured with Teleport's certificate authority to be able to verify client certificates. They also need a certificate/key pair that Teleport can verify. - - -Your Teleport Cloud user -must be allowed to impersonate the system role `Db` in order to be able to -generate the database certificate. +If you are using Teleport Cloud, your Teleport user must be allowed to +impersonate the system role `Db` in order to be able to generate the database +certificate. Include the following `allow` rule in in your Teleport Cloud user's role: @@ -18,4 +16,3 @@ allow: roles: ["Db"] ``` - diff --git a/docs/pages/includes/enterprise/oidcauthentication.mdx b/docs/pages/includes/enterprise/oidcauthentication.mdx index ffe640a6c868c..5ecb3a6ce3b3a 100644 --- a/docs/pages/includes/enterprise/oidcauthentication.mdx +++ b/docs/pages/includes/enterprise/oidcauthentication.mdx @@ -1,12 +1,7 @@ Configure Teleport to use OIDC authentication as the default instead of the local user database. - - -You can either edit your Teleport configuration file or create a dynamic -resource. - - +Follow the instructions for your Teleport edition: @@ -41,3 +36,4 @@ resource. ``` + diff --git a/docs/pages/includes/enterprise/samlauthentication.mdx b/docs/pages/includes/enterprise/samlauthentication.mdx index ed10a66c72a89..dfabdb7a3ec71 100644 --- a/docs/pages/includes/enterprise/samlauthentication.mdx +++ b/docs/pages/includes/enterprise/samlauthentication.mdx @@ -3,10 +3,7 @@ Configure Teleport to use SAML authentication as the default instead of the local user database. - -You can either edit the Teleport Auth Service configuration file or create a dynamic -resource. - +Follow the instructions for your Teleport edition: @@ -56,3 +53,4 @@ auth_service: If you need to log in again before configuring your SAML provider, use the flag `--auth=local`. + 
diff --git a/docs/pages/includes/sso/loginerrortroubleshooting.mdx b/docs/pages/includes/sso/loginerrortroubleshooting.mdx index 3e3fa0a839fd5..7c691e2dc93fa 100644 --- a/docs/pages/includes/sso/loginerrortroubleshooting.mdx +++ b/docs/pages/includes/sso/loginerrortroubleshooting.mdx @@ -1,14 +1,13 @@ Troubleshooting SSO configuration can be challenging. Usually a Teleport administrator must be able to: - -- Ensure that HTTP/TLS certificates are configured properly for both the Teleport - Proxy Service and the SSO provider. - - Be able to see what SAML/OIDC claims and values are getting exported and passed by the SSO provider to Teleport. - Be able to see how Teleport maps the received claims to role mappings as defined in the connector. +- For self-hosted Teleport Enterprise clusters, ensure that HTTP/TLS + certificates are configured properly for both the Teleport Proxy Service and + the SSO provider. If something is not working, we recommend to: @@ -58,3 +57,4 @@ spec: 'env': 'dev' version: v5 ``` +
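Review bot: In `custom.mdx`, the new numbered list opens with an include as its first item (`1. (!docs/pages/includes//enterprise/obtainlicense.mdx!)`); if that include expands to more than one paragraph, or to its own steps, the list numbering will break when it is rendered inside a list item. Consider keeping the include as a plain paragraph after the "If you are running a self-hosted Teleport Enterprise cluster" sentence and starting the list at "Create a secret from your license file". While this line is being touched, the doubled slash in `includes//enterprise/` (carried over from the removed line) should be collapsed to a single slash.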
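Review bot: In the `tctl users add` and `tsh login` hunks of `custom.mdx` and `digitalocean.mdx`, the only visible difference between the two retained variants is the extra role in `--roles=access,editor,reviewer`; the rest of the two blocks is identical. A one-line explanation of why the second variant adds `reviewer` (it is the preset role for approving Access Requests and is not part of the open-source preset set) would let a reader who lands on the wrong variant understand what they are missing, rather than just seeing two near-duplicate blocks.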
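Review bot: In `tctl-auth-sign.mdx`, the condition "If you are using Teleport Cloud, your Teleport user must be allowed to impersonate the system role `Db`" now only covers the first sentence, while the lines that follow ("Include the following `allow` rule in in your Teleport Cloud user's role:" and the `roles: ["Db"]` YAML) are no longer wrapped and read as applying to every edition. Either fold the condition into that sentence ("If you are using Teleport Cloud, include the following `allow` rule ...") or state explicitly that self-hosted clusters can skip it. The same context line also has a doubled "in in" that should be fixed while the paragraph is being edited.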
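Review bot: In `oidcauthentication.mdx` and `samlauthentication.mdx`, the removed sentence "You can either edit your Teleport configuration file or create a dynamic resource" carried information that the replacement "Follow the instructions for your Teleport edition:" does not: that a dynamic resource is an alternative to editing the Auth Service configuration file. Unless the per-edition instructions below (not in this diff) each say which of the two methods they use and why, keep that sentence before the edition selector so the reader knows both options exist.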
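Review bot: The `db-introduction.mdx` hunk correctly fixes the "\ No newline at end of file" warning, but the same `+` (empty line) is also appended to `custom.mdx`, `digitalocean.mdx`, `oidcauthentication.mdx`, `samlauthentication.mdx`, `loginerrortroubleshooting.mdx` and the AWS quotas page, which already ended with a newline; in those files it adds a trailing blank line rather than fixing anything. Suggest dropping the extra line from the files that did not need it (or, if this is an editor setting, adding a final-newline rule to the repo's editorconfig so the change is applied consistently).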
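Review bot: In `loginerrortroubleshooting.mdx`, the moved bullet scopes both checks to self-hosted Enterprise: "For self-hosted Teleport Enterprise clusters, ensure that HTTP/TLS certificates are configured properly for both the Teleport Proxy Service and the SSO provider." Only the Proxy Service certificate is something a self-hosted administrator controls; the SSO provider's certificate is configured on the identity provider side and can be misconfigured for a Teleport Cloud user just as easily. Suggest splitting it into two bullets, keeping the Proxy Service item self-hosted-only and leaving the SSO provider item unconditional. The neighbouring unchanged line "If something is not working, we recommend to:" should also read "we recommend that you:" now that the list is being reworked.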