diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0b4a34ef91c33..a443cc57c4387 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -556,14 +556,14 @@ protocols. When using HTTP protocol, the user's query activity is captured in
the Teleport audit log.
See how to connect ClickHouse to Teleport
-[here](docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/clickhouse-self-hosted.mdx).
+[here](docs/pages/enroll-resources/database-access/enrollment/self-hosted/clickhouse-self-hosted.mdx).
#### Oracle database access audit logging support
In Teleport 14, database access for Oracle integration is updated with query
audit logging support.
-See documentation on how to configure it in the [Oracle guide](docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/oracle-self-hosted.mdx).
+See documentation on how to configure it in the [Oracle guide](docs/pages/enroll-resources/database-access/enrollment/self-hosted/oracle-self-hosted.mdx).
#### Limited passwordless access for local Windows users in Teleport Community Edition
@@ -1803,7 +1803,7 @@ label resources.
Teleport database access now supports auto-discovery for Azure-hosted PostgreSQL
and MySQL databases. See the [Azure
-guide](docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx) for more
+guide](docs/pages/enroll-resources/database-access/enrollment/azure/azure-postgres-mysql.mdx) for more
details.
In addition, Teleport database access will now use Azure AD managed identity
@@ -2003,7 +2003,7 @@ to other supported database protocols.
Teleport database access for SQL Server remains in Preview mode with more UX
improvements coming in future releases.
-Refer to [the guide](docs/pages/enroll-resources/database-access/enroll-aws-databases/rds/sql-server-ad.mdx) to set
+Refer to [the guide](docs/pages/enroll-resources/database-access/enrollment/aws/rds/sql-server-ad.mdx) to set
up access to a SQL Server with Active Directory authentication.
### Snowflake database access (Preview)
@@ -2014,7 +2014,7 @@ standard database access features like role-based access control and audit
logging, including query activity.
Connect your Snowflake database to Teleport following the
-[documentation](docs/pages/enroll-resources/database-access/enroll-managed-databases/snowflake.mdx).
+[documentation](docs/pages/enroll-resources/database-access/enrollment/managed/snowflake.mdx).
### Elasticache/MemoryDB database access (Preview)
@@ -2023,8 +2023,7 @@ this integration by adding native support for AWS-hosted Elasticache and
MemoryDB, including auto-discovery and automatic credential management in some
deployment configurations.
-Learn more about it in the [documentation](
-docs/pages/enroll-resources/database-access/enroll-aws-databases/redis-aws.mdx).
+Learn more about it in the [documentation](docs/pages/enroll-resources/database-access/enrollment/aws/redis-aws.mdx).
### Teleport Connect for server and database access (Preview)
@@ -2514,7 +2513,7 @@ Redis cluster and view Redis commands in the Teleport audit log. We will be
adding support for Amazon Elasticache in the coming weeks.
[Self-hosted Redis
-guide](docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/redis.mdx)
+guide](docs/pages/enroll-resources/database-access/enrollment/self-hosted/redis.mdx)
#### SQL Server (Preview)
@@ -2523,7 +2522,7 @@ Directory authentication support for database access. Audit logging of query
activity is not included in the preview release and will be implemented in a
later 9.x release.
-[SQL Server guide](docs/pages/enroll-resources/database-access/enroll-aws-databases/rds/sql-server-ad.mdx)
+[SQL Server guide](docs/pages/enroll-resources/database-access/enrollment/aws/rds/sql-server-ad.mdx)
#### RDS MariaDB
@@ -2531,7 +2530,7 @@ Teleport 9 updates MariaDB support with auto-discovery and connection to AWS RDS
MariaDB databases using IAM authentication. The minimum MariaDB version that
supports IAM authentication is 10.6.
-[Updated RDS guide](docs/pages/enroll-resources/database-access/enroll-aws-databases/rds/mysql-postgres-mariadb.mdx)
+[Updated RDS guide](docs/pages/enroll-resources/database-access/enrollment/aws/rds/mysql-postgres-mariadb.mdx)
#### Other Improvements
@@ -2627,7 +2626,7 @@ without needing to update static YAML configuration or restart application or
database agents.
See dynamic registration guides for
-[apps](docs/pages/enroll-resources/application-access/guides/dynamic-registration.mdx)
+[apps](docs/pages/enroll-resources/application-access/configuration/dynamic-registration.mdx)
and
[databases](docs/pages/enroll-resources/database-access/guides/dynamic-registration.mdx).
@@ -2637,7 +2636,7 @@ With RDS auto discovery Teleport database agents can automatically discover RDS
instances and Aurora clusters in an AWS account.
See updated
-[RDS guide](docs/pages/enroll-resources/database-access/enroll-aws-databases/rds/mysql-postgres-mariadb.mdx) for
+[RDS guide](docs/pages/enroll-resources/database-access/enrollment/aws/rds/mysql-postgres-mariadb.mdx) for
more information.
#### WebAuthn
@@ -2741,13 +2740,13 @@ Teleport 7.0 is a major release of Teleport that contains new features, improvem
Added support for [MongoDB](https://www.mongodb.com) to Teleport database access. [#6600](https://github.com/gravitational/teleport/issues/6600).
-View the [database access with MongoDB](docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/mongodb-self-hosted.mdx) for more details.
+View the [database access with MongoDB](docs/pages/enroll-resources/database-access/enrollment/self-hosted/mongodb-self-hosted.mdx) for more details.
#### Cloud SQL MySQL
Added support for [GCP Cloud SQL MySQL](https://cloud.google.com/sql/docs/mysql) to Teleport database access. [#7302](https://github.com/gravitational/teleport/pull/7302)
-View the Cloud SQL MySQL [guide](docs/pages/enroll-resources/database-access/enroll-google-cloud-databases/mysql-cloudsql.mdx) for more details.
+View the Cloud SQL MySQL [guide](docs/pages/enroll-resources/database-access/enrollment/google-cloud/mysql-cloudsql.mdx) for more details.
#### AWS Console
@@ -2810,7 +2809,7 @@ before upgrading.
Added support for [Amazon Redshift](https://aws.amazon.com/redshift) to Teleport database access.[#6479](https://github.com/gravitational/teleport/pull/6479).
-View the [database access with Redshift on AWS guide](docs/pages/enroll-resources/database-access/enroll-aws-databases/postgres-redshift.mdx) for more details.
+View the [database access with Redshift on AWS guide](docs/pages/enroll-resources/database-access/enrollment/aws/postgres-redshift.mdx) for more details.
### Improvements
@@ -2966,10 +2965,10 @@ Configure database access following the [Getting Started](./docs/pages/enroll-re
##### Guides
* [AWS RDS/Aurora
- PostgreSQL](docs/pages/enroll-resources/database-access/enroll-aws-databases/rds/mysql-postgres-mariadb.mdx)
-* [AWS RDS/Aurora MySQL](docs/pages/enroll-resources/database-access/enroll-aws-databases/rds/mysql-postgres-mariadb.mdx)
-* [Self-hosted PostgreSQL](./docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/postgres-self-hosted.mdx)
-* [Self-hosted MySQL](./docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/mysql-self-hosted.mdx)
+ PostgreSQL](docs/pages/enroll-resources/database-access/enrollment/aws/rds/mysql-postgres-mariadb.mdx)
+* [AWS RDS/Aurora MySQL](docs/pages/enroll-resources/database-access/enrollment/aws/rds/mysql-postgres-mariadb.mdx)
+* [Self-hosted PostgreSQL](docs/pages/enroll-resources/database-access/enrollment/self-hosted/postgres-self-hosted.mdx)
+* [Self-hosted MySQL](docs/pages/enroll-resources/database-access/enrollment/self-hosted/mysql-self-hosted.mdx)
* [GUI clients](docs/pages/connect-your-client/third-party/gui-clients.mdx)
##### Resources
diff --git a/docs/config.json b/docs/config.json
index 43e2d6a516fb1..12f63c681f4a9 100644
--- a/docs/config.json
+++ b/docs/config.json
@@ -272,7 +272,7 @@
},
{
"source": "/reference/agent-services/kubernetes-application-discovery/",
- "destination": "/enroll-resources/auto-discovery/reference/kubernetes-application-discovery/",
+ "destination": "/enroll-resources/auto-discovery/kubernetes-applications/reference/",
"permanent": true
},
{
@@ -2667,27 +2667,27 @@
},
{
"source": "/enroll-resources/database-access/enroll-aws-databases/rds-oracle/",
- "destination": "/enroll-resources/database-access/enroll-aws-databases/rds/rds-oracle/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/rds/rds-oracle/",
"permanent": true
},
{
"source": "/enroll-resources/database-access/enroll-aws-databases/rds-proxy-mysql/",
- "destination": "/enroll-resources/database-access/enroll-aws-databases/rds-proxy/rds-proxy-mysql/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/rds-proxy/rds-proxy-mysql/",
"permanent": true
},
{
"source": "/enroll-resources/database-access/enroll-aws-databases/rds-proxy-postgres/",
- "destination": "/enroll-resources/database-access/enroll-aws-databases/rds-proxy/rds-proxy-postgres/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/rds-proxy/rds-proxy-postgres/",
"permanent": true
},
{
"source": "/enroll-resources/database-access/enroll-aws-databases/rds-proxy-sqlserver/",
- "destination": "/enroll-resources/database-access/enroll-aws-databases/rds-proxy/rds-proxy-sqlserver/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/rds-proxy/rds-proxy-sqlserver/",
"permanent": true
},
{
"source": "/enroll-resources/database-access/enroll-aws-databases/sql-server-ad/",
- "destination": "/enroll-resources/database-access/enroll-aws-databases/rds/sql-server-ad/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/rds/sql-server-ad/",
"permanent": true
},
{
@@ -2762,7 +2762,7 @@
},
{
"source": "/reference/agent-services/auto-discovery-reference/kubernetes-application-discovery/",
- "destination": "/enroll-resources/auto-discovery/reference/kubernetes-application-discovery/",
+ "destination": "/enroll-resources/auto-discovery/kubernetes-applications/reference/",
"permanent": true
},
{
@@ -3014,6 +3014,281 @@
"source": "/zero-trust-access/deploy-a-cluster/helm-deployments/argocd-helm/",
"destination": "/enroll-resources/agents/argocd-helm/",
"permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-aws-databases/aws-cassandra-keyspaces/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/aws-cassandra-keyspaces/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-aws-databases/aws-cross-account/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/aws-cross-account/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-aws-databases/aws-docdb/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/aws-docdb/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-aws-databases/aws-dynamodb/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/aws-dynamodb/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-aws-databases/aws-memorydb/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/aws-memorydb/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-aws-databases/aws-opensearch/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/aws-opensearch/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-aws-databases/elasticache-serverless/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/elasticache-serverless/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-aws-databases/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-aws-databases/postgres-redshift/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/postgres-redshift/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-aws-databases/rds-proxy/rds-proxy-mysql/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/rds-proxy/rds-proxy-mysql/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-aws-databases/rds-proxy/rds-proxy-postgres/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/rds-proxy/rds-proxy-postgres/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-aws-databases/rds-proxy/rds-proxy-sqlserver/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/rds-proxy/rds-proxy-sqlserver/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-aws-databases/rds-proxy/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/rds-proxy/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-aws-databases/rds/mysql-postgres-mariadb/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/rds/mysql-postgres-mariadb/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-aws-databases/rds/rds-oracle/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/rds/rds-oracle/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-aws-databases/rds/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/rds/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-aws-databases/rds/sql-server-ad/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/rds/sql-server-ad/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-aws-databases/redis-aws/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/redis-aws/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-aws-databases/redshift-serverless/",
+ "destination": "/enroll-resources/database-access/enrollment/aws/redshift-serverless/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql/",
+ "destination": "/enroll-resources/database-access/enrollment/azure/azure-postgres-mysql/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-azure-databases/azure-redis/",
+ "destination": "/enroll-resources/database-access/enrollment/azure/azure-redis/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-azure-databases/azure-sql-server-ad/",
+ "destination": "/enroll-resources/database-access/enrollment/azure/azure-sql-server-ad/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-azure-databases/",
+ "destination": "/enroll-resources/database-access/enrollment/azure/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-google-cloud-databases/alloydb/",
+ "destination": "/enroll-resources/database-access/enrollment/google-cloud/alloydb/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-google-cloud-databases/",
+ "destination": "/enroll-resources/database-access/enrollment/google-cloud/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-google-cloud-databases/mysql-cloudsql/",
+ "destination": "/enroll-resources/database-access/enrollment/google-cloud/mysql-cloudsql/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-google-cloud-databases/postgres-cloudsql/",
+ "destination": "/enroll-resources/database-access/enrollment/google-cloud/postgres-cloudsql/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-google-cloud-databases/spanner/",
+ "destination": "/enroll-resources/database-access/enrollment/google-cloud/spanner/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-managed-databases/",
+ "destination": "/enroll-resources/database-access/enrollment/managed/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-managed-databases/mongodb-atlas/",
+ "destination": "/enroll-resources/database-access/enrollment/managed/mongodb-atlas/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-managed-databases/oracle-exadata/",
+ "destination": "/enroll-resources/database-access/enrollment/managed/oracle-exadata/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-managed-databases/snowflake/",
+ "destination": "/enroll-resources/database-access/enrollment/managed/snowflake/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-self-hosted-databases/cassandra-self-hosted/",
+ "destination": "/enroll-resources/database-access/enrollment/self-hosted/cassandra-self-hosted/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-self-hosted-databases/clickhouse-self-hosted/",
+ "destination": "/enroll-resources/database-access/enrollment/self-hosted/clickhouse-self-hosted/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-self-hosted-databases/cockroachdb-self-hosted/",
+ "destination": "/enroll-resources/database-access/enrollment/self-hosted/cockroachdb-self-hosted/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-self-hosted-databases/elastic/",
+ "destination": "/enroll-resources/database-access/enrollment/self-hosted/elastic/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-self-hosted-databases/",
+ "destination": "/enroll-resources/database-access/enrollment/self-hosted/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-self-hosted-databases/mongodb-self-hosted/",
+ "destination": "/enroll-resources/database-access/enrollment/self-hosted/mongodb-self-hosted/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-self-hosted-databases/mysql-self-hosted/",
+ "destination": "/enroll-resources/database-access/enrollment/self-hosted/mysql-self-hosted/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-self-hosted-databases/oracle-self-hosted/",
+ "destination": "/enroll-resources/database-access/enrollment/self-hosted/oracle-self-hosted/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-self-hosted-databases/postgres-self-hosted/",
+ "destination": "/enroll-resources/database-access/enrollment/self-hosted/postgres-self-hosted/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-self-hosted-databases/redis-cluster/",
+ "destination": "/enroll-resources/database-access/enrollment/self-hosted/redis-cluster/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-self-hosted-databases/redis/",
+ "destination": "/enroll-resources/database-access/enrollment/self-hosted/redis/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-self-hosted-databases/sql-server-ad-pkinit/",
+ "destination": "/enroll-resources/database-access/enrollment/self-hosted/sql-server-ad-pkinit/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/database-access/enroll-self-hosted-databases/vitess/",
+ "destination": "/enroll-resources/database-access/enrollment/self-hosted/vitess/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/auto-discovery/reference/kubernetes-application-discovery/",
+ "destination": "/enroll-resources/auto-discovery/kubernetes-applications/reference/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/server-access/introduction/",
+ "destination": "/enroll-resources/server-access/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/application-access/guides/dynamic-registration/",
+ "destination": "/enroll-resources/application-access/configuration/dynamic-registration/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/application-access/guides/",
+ "destination": "/enroll-resources/application-access/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/application-access/guides/ha/",
+ "destination": "/enroll-resources/application-access/configuration/ha/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/application-access/guides/vnet/",
+ "destination": "/enroll-resources/application-access/vnet/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/application-access/controls/",
+ "destination": "/enroll-resources/application-access/configuration/controls/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/application-access/dynamic-registration/",
+ "destination": "/enroll-resources/application-access/configuration/dynamic-registration/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/application-access/ha/",
+ "destination": "/enroll-resources/application-access/configuration/ha/",
+ "permanent": true
+ },
+ {
+ "source": "/enroll-resources/server-access/guides/ansible/",
+ "destination": "/connect-your-client/third-party/ansible/",
+ "permanent": true
}
]
}
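Review bot: the application-access and server-access entries at the end of this hunk introduce new redirect sources (`/enroll-resources/application-access/guides/...`, `/enroll-resources/application-access/controls/`, `/enroll-resources/server-access/introduction/`), but nothing visible retargets older entries that may still point at those paths, which the earlier hunks in this file do for the database and Kubernetes discovery moves. If any existing entry has one of these paths as its `destination`, it now resolves in two hops, so please check for that and update those destinations in place. Also, assuming these entries match exact paths, `/enroll-resources/application-access/guides/` covers only the section index: any page under `guides/` other than `dynamic-registration`, `ha` and `vnet` needs its own entry.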
diff --git a/docs/pages/connect-your-client/model-context-protocol/database-access.mdx b/docs/pages/connect-your-client/model-context-protocol/database-access.mdx
index 4d1b491f1b165..89ac3802c71f0 100644
--- a/docs/pages/connect-your-client/model-context-protocol/database-access.mdx
+++ b/docs/pages/connect-your-client/model-context-protocol/database-access.mdx
@@ -19,8 +19,8 @@ This guide explains how to connect to your **PostgreSQL** Teleport databases wit
- Teleport Database Service with a PostgreSQL database enrolled. See our [guides](../../enroll-resources/database-access/database-access.mdx)
for options on how to enroll PostgreSQL databases with Teleport, such as
- the [AWS RDS PostgreSQL](../../enroll-resources/database-access/enroll-aws-databases/rds/mysql-postgres-mariadb.mdx)
- and [self-hosted PostgreSQL](../../enroll-resources/database-access/enroll-self-hosted-databases/postgres-self-hosted.mdx) guides.
+ the [AWS RDS PostgreSQL](../../enroll-resources/database-access/enrollment/aws/rds/mysql-postgres-mariadb.mdx)
+ and [self-hosted PostgreSQL](../../enroll-resources/database-access/enrollment/self-hosted/postgres-self-hosted.mdx) guides.
Since language models can execute any query on your database, we advise creating
diff --git a/docs/pages/connect-your-client/teleport-clients/vnet.mdx b/docs/pages/connect-your-client/teleport-clients/vnet.mdx
index 91c0980cc9c64..475ec0a465818 100644
--- a/docs/pages/connect-your-client/teleport-clients/vnet.mdx
+++ b/docs/pages/connect-your-client/teleport-clients/vnet.mdx
@@ -188,7 +188,7 @@ running Tailscale or another VPN client, and try disabling it to see if the
issue persists.
To avoid the conflict and run VNet alongside Tailscale or another VPN client you
can configure VNet to use a different IPv4 range, see our VNet configuration
-[guide](../../enroll-resources/application-access/guides/vnet.mdx#configuring-ipv4-cidr-range).
+[guide](../../enroll-resources/application-access/vnet.mdx#configuring-ipv4-cidr-range).
### Connecting to the app without VNet
@@ -355,7 +355,7 @@ Before version 18.0.0, VNet logs were saved in `C:\Program Files\Teleport Connec
## Next steps
-- Read our VNet configuration [guide](../../enroll-resources/application-access/guides/vnet.mdx)
+- Read our VNet configuration [guide](../../enroll-resources/application-access/vnet.mdx)
to learn how to configure VNet access to your applications.
- Read [RFD 163](https://github.com/gravitational/teleport/blob/master/rfd/0163-vnet.md) to learn how VNet works on a technical level.
- Read [RFD 207](https://github.com/gravitational/teleport/blob/master/rfd/0207-vnet-ssh.md) to learn how VNet SSH access works.
diff --git a/docs/pages/enroll-resources/server-access/guides/ansible.mdx b/docs/pages/connect-your-client/third-party/ansible.mdx
similarity index 95%
rename from docs/pages/enroll-resources/server-access/guides/ansible.mdx
rename to docs/pages/connect-your-client/third-party/ansible.mdx
index 98bf1a8d914b3..c17056a023c83 100644
--- a/docs/pages/enroll-resources/server-access/guides/ansible.mdx
+++ b/docs/pages/connect-your-client/third-party/ansible.mdx
@@ -29,7 +29,6 @@ servers.
- `ssh` openssh tool
- `ansible` >= (=ansible.min_version=)
- Optional tool `jq` to process `JSON` output.
-- (!docs/pages/includes/tctl.mdx!)
## Step 1/3. Login and configure SSH
@@ -146,7 +145,9 @@ $ ansible-playbook -vvvv playbook.yaml
If your hostnames contain uppercase characters (like `MYHOSTNAME`), please note that Teleport's internal hostname matching
is case sensitive by default, which can also lead to seeing this error.
-If this is the case, you can work around this by enabling case-insensitive routing at the cluster level.
+If this is the case, you can work around this by requesting that your Teleport
+administrator enable case-insensitive routing at the cluster level. For admins,
+is possible to enable case-insensitive routing using the following instructions:
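Review bot: the added sentence `For admins, is possible to enable case-insensitive routing` is missing its subject; write "For admins, it is possible to enable" or, more directly, "Administrators can enable". The first hunk of this file also removes the `(!docs/pages/includes/tctl.mdx!)` prerequisite, so if the instructions that follow the colon rely on `tctl`, state that requirement here, next to the admin-only steps.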
diff --git a/docs/pages/core-concepts.mdx b/docs/pages/core-concepts.mdx
index 2119e77077a17..549f9a2074705 100644
--- a/docs/pages/core-concepts.mdx
+++ b/docs/pages/core-concepts.mdx
@@ -69,7 +69,7 @@ An SSH server implementation that allows users to execute commands on remote
machines while taking advantage of Teleport's built-in access controls,
auditing, and session recording. The SSH service is enabled by default.
-Read more about the [Teleport SSH Service](./enroll-resources/server-access/introduction.mdx).
+Read more about the [Teleport SSH Service](./enroll-resources/server-access/server-access.mdx).
### Teleport Kubernetes Service
diff --git a/docs/pages/enroll-resources/agents/agents.mdx b/docs/pages/enroll-resources/agents/agents.mdx
index 2f37f58c87bff..4bd3d73f28f47 100644
--- a/docs/pages/enroll-resources/agents/agents.mdx
+++ b/docs/pages/enroll-resources/agents/agents.mdx
@@ -5,7 +5,7 @@ tags:
- how-to
- zero-trust
- infrastructure-identity
-sidebar_position: 7
+sidebar_position: 8
---
You can use Teleport to protect infrastructure resources like servers and
diff --git a/docs/pages/enroll-resources/agents/kubernetes.mdx b/docs/pages/enroll-resources/agents/kubernetes.mdx
index ac05b6db80dad..45ae40db5b6ef 100644
--- a/docs/pages/enroll-resources/agents/kubernetes.mdx
+++ b/docs/pages/enroll-resources/agents/kubernetes.mdx
@@ -1,6 +1,6 @@
---
title: Joining Services via Kubernetes ServiceAccount Token
-sidebar_label: Kubernetes ServiceAccount Token
+sidebar_label: Kubernetes Token
description: Use Kubernetes ServiceAccount tokens to join services running in the same Kubernetes cluster as the Auth Service.
tags:
- how-to
@@ -248,6 +248,6 @@ namespace "teleport-agent" deleted
{/* vale messaging.protocol-products = NO */}
- The possible values for `teleport-kube-agent` chart are documented
[in its reference](../../reference/helm-reference/teleport-kube-agent.mdx).
-- See [Application Access Guides](../application-access/guides/guides.mdx)
+- See [Application Access guides](../application-access/application-access.mdx)
- See [Database Access Guides](../database-access/guides/guides.mdx)
{/* vale messaging.protocol-products = YES */}
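Review bot: the two adjacent "See" bullets now disagree in capitalization, since the changed line reads `[Application Access guides]` while the unchanged line below it still reads `[Database Access Guides]`. Use the same form for both. Neither bullet ends with a period, unlike the first bullet in the list, which could be fixed in the same pass.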
diff --git a/docs/pages/enroll-resources/application-access/application-access.mdx b/docs/pages/enroll-resources/application-access/application-access.mdx
index 70231ea0701e9..4ce3991e3bac6 100644
--- a/docs/pages/enroll-resources/application-access/application-access.mdx
+++ b/docs/pages/enroll-resources/application-access/application-access.mdx
@@ -99,12 +99,12 @@ IdP](../../identity-governance/idps/usage/usage.mdx).
{
title: "Dynamic app registration",
description: "Admin can register new apps without updating static configuration files.",
- href: "./guides/dynamic-registration/",
+ href: "./configuration/dynamic-registration/",
},
{
title: "High availability app access",
description: "Configure the Teleport Application Service for high availability.",
- href: "./guides/ha/",
+ href: "./configuration/ha/",
},
{
title: "JWT authentication",
diff --git a/docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx b/docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx
index d810304414d87..9d8bdb92cf8ea 100644
--- a/docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx
+++ b/docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx
@@ -1,6 +1,6 @@
---
-title: Access AWS With Teleport Application Access
-sidebar_label: AWS (via Teleport Application Service)
+title: Access AWS with the Teleport Application Service
+sidebar_label: AWS (via Teleport Agent)
description: How to access AWS with Teleport application access.
tags:
- how-to
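Review bot: the unchanged `description` line still says "Teleport application access", while the new title says "the Teleport Application Service" and the new sidebar label says "Teleport Agent", so the frontmatter now names the same component three ways. Update the description to match the title, and consider whether "AWS (via Teleport Agent)" is specific enough given that the title singles out the Application Service.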
@@ -840,7 +840,7 @@ for all of the variables and functions you can use in the `aws_role_arns` field.
You can deploy a pool of Teleport Agents to run the Teleport Application
Service, then enroll an AWS application in your Teleport cluster as a dynamic
resource. Read more about [dynamically registering
-applications](../guides/dynamic-registration.mdx).
+applications](../configuration/dynamic-registration.mdx).
### Choose an alternative agent join method
diff --git a/docs/pages/enroll-resources/application-access/cloud-apis/cloud-apis.mdx b/docs/pages/enroll-resources/application-access/cloud-apis/cloud-apis.mdx
index 111dc361a83f4..1629cdc42fbc7 100644
--- a/docs/pages/enroll-resources/application-access/cloud-apis/cloud-apis.mdx
+++ b/docs/pages/enroll-resources/application-access/cloud-apis/cloud-apis.mdx
@@ -1,5 +1,7 @@
---
title: "Securing Access to Cloud APIs"
+sidebar_position: 2
+sidebar_label: Cloud APIs
description: "How to use Teleport to achieve secure access while managing your cloud-based infrastructure."
tags:
- zero-trust
diff --git a/docs/pages/enroll-resources/application-access/configuration/configuration.mdx b/docs/pages/enroll-resources/application-access/configuration/configuration.mdx
new file mode 100644
index 0000000000000..903966f95d408
--- /dev/null
+++ b/docs/pages/enroll-resources/application-access/configuration/configuration.mdx
@@ -0,0 +1,11 @@
+---
+title: Teleport Application Service Configuration
+sidebar_label: Configuration Guides
+description: Provides instructions for configuring the Teleport Application Service
+---
+
+The guides in this section show you how to configure the Teleport Application
+Service, which proxies traffic to and from Teleport-protected applications.
+
+
+
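Review bot: the frontmatter of this new file has no `tags:` list, and its `description` lacks the trailing period used by the other pages touched in this patch (for example `description: How to access AWS with Teleport application access.`). The body also ends with three blank added lines after its only paragraph; trim them, or add the list of child guides here if one was meant to follow "The guides in this section".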
diff --git a/docs/pages/enroll-resources/application-access/controls.mdx b/docs/pages/enroll-resources/application-access/configuration/controls.mdx
similarity index 83%
rename from docs/pages/enroll-resources/application-access/controls.mdx
rename to docs/pages/enroll-resources/application-access/configuration/controls.mdx
index 4da16e80dd05f..f163a2a660b27 100644
--- a/docs/pages/enroll-resources/application-access/controls.mdx
+++ b/docs/pages/enroll-resources/application-access/configuration/controls.mdx
@@ -1,6 +1,6 @@
---
title: Application Access Role-Based Access Control
-sidebar_label: Role-Based Access Control
+sidebar_label: Access Controls
description: Role-Based Access Control (RBAC) for Teleport application access.
tags:
- conceptual
@@ -132,23 +132,23 @@ This command uses the `--set-azure-identities` flag to add Azure identities to a
user. The value of this flag is a comma-separated list of Azure identity URIs.
See our [Azure
-CLI](./cloud-apis/azure.mdx#step-34-enable-your-user-to-access-azure-clis) guide
+CLI](../cloud-apis/azure.mdx#step-34-enable-your-user-to-access-azure-clis) guide
for more information on enabling access to Azure managed identities.
## Next steps
-- View the access controls [Getting Started](../../zero-trust-access/rbac-get-started/role-demo.mdx) guide
+- View the access controls [Getting Started](../../../zero-trust-access/rbac-get-started/role-demo.mdx) guide
and other available
- [guides](../../zero-trust-access/authentication/authentication.mdx).
+ [guides](../../../zero-trust-access/authentication/authentication.mdx).
- For full details on how Teleport populates the `internal` and `external`
traits we illustrated in this guide, see the [Access
- Controls Reference](../../reference/access-controls/roles.mdx).
-- Learn about using [JWT tokens](./jwt/introduction.mdx) to implement access
+ Controls Reference](../../../reference/access-controls/roles.mdx).
+- Learn about using [JWT tokens](../jwt/introduction.mdx) to implement access
controls in your application.
- Integrate with your identity provider:
- - [OIDC](../../zero-trust-access/sso/oidc.mdx)
- - [ADFS](../../zero-trust-access/sso/adfs.mdx)
- - [Microsoft Entra ID](../../zero-trust-access/sso/entra-id.mdx)
- - [Google Workspace](../../zero-trust-access/sso/google-workspace.mdx)
- - [Onelogin](../../zero-trust-access/sso/one-login.mdx)
- - [Okta](../../zero-trust-access/sso/okta.mdx)
+ - [OIDC](../../../zero-trust-access/sso/oidc.mdx)
+ - [ADFS](../../../zero-trust-access/sso/adfs.mdx)
+ - [Microsoft Entra ID](../../../zero-trust-access/sso/entra-id.mdx)
+ - [Google Workspace](../../../zero-trust-access/sso/google-workspace.mdx)
+ - [Onelogin](../../../zero-trust-access/sso/one-login.mdx)
+ - [Okta](../../../zero-trust-access/sso/okta.mdx)
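Review bot: In the identity provider list, the rewritten line `[Onelogin](../../../zero-trust-access/sso/one-login.mdx)` still spells the product "Onelogin"; since the line is being touched anyway, change the link text to "OneLogin". The extra `../` added to each relative link is consistent with the file moving one directory deeper into `configuration/`.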
diff --git a/docs/pages/enroll-resources/application-access/guides/dynamic-registration.mdx b/docs/pages/enroll-resources/application-access/configuration/dynamic-registration.mdx
similarity index 98%
rename from docs/pages/enroll-resources/application-access/guides/dynamic-registration.mdx
rename to docs/pages/enroll-resources/application-access/configuration/dynamic-registration.mdx
index 45461870004ea..4c224249f91da 100644
--- a/docs/pages/enroll-resources/application-access/guides/dynamic-registration.mdx
+++ b/docs/pages/enroll-resources/application-access/configuration/dynamic-registration.mdx
@@ -1,5 +1,6 @@
---
title: Dynamic App Registration
+sidebar_label: Dynamic Registration
description: Register/unregister apps without restarting Teleport.
tags:
- conceptual
diff --git a/docs/pages/enroll-resources/application-access/guides/ha.mdx b/docs/pages/enroll-resources/application-access/configuration/ha.mdx
similarity index 100%
rename from docs/pages/enroll-resources/application-access/guides/ha.mdx
rename to docs/pages/enroll-resources/application-access/configuration/ha.mdx
diff --git a/docs/pages/enroll-resources/application-access/guides/guides.mdx b/docs/pages/enroll-resources/application-access/guides/guides.mdx
deleted file mode 100644
index 74a1404a4ebcf..0000000000000
--- a/docs/pages/enroll-resources/application-access/guides/guides.mdx
+++ /dev/null
@@ -1,24 +0,0 @@
----
-title: Application Access Guides
-sidebar_label: Guides
-description: Guides for configuring Teleport application access.
-template: "no-toc"
-tags:
- - zero-trust
- - infrastructure-identity
----
-
-These guides explain how to use the Teleport Application Service, which allows
-your teams to connect to applications within private networks with fine-grained
-RBAC and audit logging.
-
-Manage access to internal applications:
-
-- [Web App Access](../protect-apps/connecting-apps.mdx): How to access web apps with Teleport.
-- [TCP App Access](../protect-apps/tcp.mdx): How to access plain TCP apps with Teleport.
-- [VNet](vnet.mdx): How to configure VNet to support applications with custom public addresses.
-- [API Access](../protect-apps/api-access.mdx): How to access REST APIs with Teleport.
-- [Dynamic Registration](dynamic-registration.mdx): Register/unregister apps without restarting Teleport.
-- [Amazon Athena Access](../protect-apps/amazon-athena.mdx): How to access Amazon Athena with Teleport.
-- [Amazon DynamoDB Access](../protect-apps/dynamodb.mdx): How to access Amazon DynamoDB as an application.
-- [Application Service HA](ha.mdx): How to configure the Teleport Application Service for high availability.
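Review bot: Deleting this index and renaming `guides/dynamic-registration.mdx`, `guides/ha.mdx`, `guides/vnet.mdx` and `controls.mdx` changes their published paths, and none of the hunks here adds a redirect. Please confirm the old paths are redirected to the new locations so existing bookmarks and external links keep resolving. The removed list also linked the Web, TCP, API, Athena and DynamoDB guides, which the new `configuration/configuration.mdx` intro does not mention, so check that those stay reachable from a section index.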
diff --git a/docs/pages/enroll-resources/application-access/jwt/elasticsearch.mdx b/docs/pages/enroll-resources/application-access/jwt/elasticsearch.mdx
index 8cc8410cebad7..1cedfa26a5fa7 100644
--- a/docs/pages/enroll-resources/application-access/jwt/elasticsearch.mdx
+++ b/docs/pages/enroll-resources/application-access/jwt/elasticsearch.mdx
@@ -1,5 +1,6 @@
---
title: Using JWT Authentication with Elasticsearch
+sidebar_label: Elasticsearch
description: How to use JWT Authentication with Elasticsearch
tags:
- how-to
@@ -141,7 +142,7 @@ $ curl \
## Next steps
- Get more information about integrating with [Teleport JWT tokens](./introduction.mdx).
-- See the [dynamic registration](../guides/dynamic-registration.mdx) guide.
+- See the [dynamic registration](../configuration/dynamic-registration.mdx) guide.
- Learn more about [accessing APIs](../protect-apps/api-access.mdx) with the Teleport
Application Service.
-- Take a look at application-related [Access Controls](../controls.mdx).
+- Take a look at application-related [Access Controls](../configuration/controls.mdx).
diff --git a/docs/pages/enroll-resources/application-access/jwt/grafana.mdx b/docs/pages/enroll-resources/application-access/jwt/grafana.mdx
index 5621bb8b02d17..e1dbaaca4c82d 100644
--- a/docs/pages/enroll-resources/application-access/jwt/grafana.mdx
+++ b/docs/pages/enroll-resources/application-access/jwt/grafana.mdx
@@ -1,5 +1,6 @@
---
title: Using JWT Authentication with Grafana
+sidebar_label: Grafana
description: How to use JWT Authentication with Grafana
tags:
- how-to
@@ -126,7 +127,7 @@ corner.
## Next steps
- Get more information about integrating with [Teleport JWT tokens](./introduction.mdx).
-- See the [dynamic registration](../guides/dynamic-registration.mdx) guide.
+- See the [dynamic registration](../configuration/dynamic-registration.mdx) guide.
- Learn more about [accessing APIs](../protect-apps/api-access.mdx) with the Teleport
Application Service.
-- Take a look at application-related [Access Controls](../controls.mdx).
+- Take a look at application-related [Access Controls](../configuration/controls.mdx).
diff --git a/docs/pages/enroll-resources/application-access/jwt/introduction.mdx b/docs/pages/enroll-resources/application-access/jwt/introduction.mdx
index 2ffa96f32c39c..e808247550b13 100644
--- a/docs/pages/enroll-resources/application-access/jwt/introduction.mdx
+++ b/docs/pages/enroll-resources/application-access/jwt/introduction.mdx
@@ -1,5 +1,6 @@
---
title: Use JWT Tokens With Application Access
+sidebar_label: JWT Tokens
description: How to use JWT tokens for authentication with Teleport application access.
tags:
- conceptual
@@ -42,4 +43,4 @@ The following guides are currently available showing how to configure it:
## Troubleshooting
-(!docs/pages/includes/application-access/jwt-configure-claims.mdx!)
\ No newline at end of file
+(!docs/pages/includes/application-access/jwt-configure-claims.mdx!)
diff --git a/docs/pages/enroll-resources/application-access/jwt/jwt.mdx b/docs/pages/enroll-resources/application-access/jwt/jwt.mdx
index c1a44be755997..3b8fae471dd47 100644
--- a/docs/pages/enroll-resources/application-access/jwt/jwt.mdx
+++ b/docs/pages/enroll-resources/application-access/jwt/jwt.mdx
@@ -1,6 +1,7 @@
---
title: Application Access JWT Authentication
-sidebar_label: JWT Authentication
+sidebar_label: JWT Applications
+sidebar_position: 4
description: Guides for using Teleport application access JWT authentication.
template: "no-toc"
tags:
diff --git a/docs/pages/enroll-resources/application-access/protect-apps/connecting-apps.mdx b/docs/pages/enroll-resources/application-access/protect-apps/connecting-apps.mdx
index ea73fd276ad55..c708627239a3c 100644
--- a/docs/pages/enroll-resources/application-access/protect-apps/connecting-apps.mdx
+++ b/docs/pages/enroll-resources/application-access/protect-apps/connecting-apps.mdx
@@ -446,4 +446,4 @@ do so by hitting the `/teleport-logout` endpoint:
## Next steps
- Learn how to [configure web apps as TCP apps to access them through
- VNet](../guides/vnet.mdx#accessing-web-apps-through-vnet).
+ VNet](../vnet.mdx#accessing-web-apps-through-vnet).
diff --git a/docs/pages/enroll-resources/application-access/protect-apps/dynamodb.mdx b/docs/pages/enroll-resources/application-access/protect-apps/dynamodb.mdx
index fd0cc0ddf972d..1e1cbac34d1b8 100644
--- a/docs/pages/enroll-resources/application-access/protect-apps/dynamodb.mdx
+++ b/docs/pages/enroll-resources/application-access/protect-apps/dynamodb.mdx
@@ -34,7 +34,7 @@ The Teleport Application Service enables secure access to DynamoDB via its
[integration](../cloud-apis/aws-console.mdx) with the AWS management console and
API. This is an alternative to accessing DynamoDB through the Teleport Database
service, as described in our [Protect Amazon DynamoDB with
-Teleport](../../database-access/enroll-aws-databases/aws-dynamodb.mdx) guide.
+Teleport](../../database-access/enrollment/aws/aws-dynamodb.mdx) guide.
The Application Service's integration with AWS is not designed specifically for
diff --git a/docs/pages/enroll-resources/application-access/protect-apps/protect-apps.mdx b/docs/pages/enroll-resources/application-access/protect-apps/protect-apps.mdx
index d367d692d3b73..a2f5267fca4d5 100644
--- a/docs/pages/enroll-resources/application-access/protect-apps/protect-apps.mdx
+++ b/docs/pages/enroll-resources/application-access/protect-apps/protect-apps.mdx
@@ -1,6 +1,7 @@
---
title: Protecting Applications with Teleport
-sidebar_label: Protecting Applications
+sidebar_label: Internal Applications
+sidebar_position: 3
description: Provides step-by-step instructions to protecting different kinds of applications with Teleport.
---
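Review bot: `sidebar_label: Internal Applications` does not describe everything under `protect-apps/`: the section also holds `amazon-athena.mdx` and `dynamodb.mdx`, and the DynamoDB guide describes access through the AWS management console and API integration rather than an internal app. Either keep a broader label or move those two guides next to `cloud-apis/`. The unchanged description reads "instructions to protecting"; "instructions for protecting" would be correct if the frontmatter is being edited anyway.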
diff --git a/docs/pages/enroll-resources/application-access/protect-apps/tcp.mdx b/docs/pages/enroll-resources/application-access/protect-apps/tcp.mdx
index 655aa5381dbb7..a1c830625ca2d 100644
--- a/docs/pages/enroll-resources/application-access/protect-apps/tcp.mdx
+++ b/docs/pages/enroll-resources/application-access/protect-apps/tcp.mdx
@@ -217,6 +217,6 @@ wide port range that happens to include ports that are meant to be available.
### Further reading
-- Learn about [access controls](../controls.mdx) for applications.
+- Learn about [access controls](../configuration/controls.mdx) for applications.
- Learn how to [connect to TCP apps with VNet](../../../connect-your-client/teleport-clients/vnet.mdx) and
- [configure VNet for custom `public_addr`](../guides/vnet.mdx).
+ [configure VNet for custom `public_addr`](../vnet.mdx).
diff --git a/docs/pages/enroll-resources/application-access/troubleshooting-apps.mdx b/docs/pages/enroll-resources/application-access/troubleshooting-apps.mdx
index e768e3c13862a..784413b44681b 100644
--- a/docs/pages/enroll-resources/application-access/troubleshooting-apps.mdx
+++ b/docs/pages/enroll-resources/application-access/troubleshooting-apps.mdx
@@ -1,5 +1,6 @@
---
title: Troubleshooting Application Access
+sidebar_label: Troubleshooting
description: Describes common issues and solutions for access to applications protected by Teleport.
tags:
- how-to
diff --git a/docs/pages/enroll-resources/application-access/guides/vnet.mdx b/docs/pages/enroll-resources/application-access/vnet.mdx
similarity index 87%
rename from docs/pages/enroll-resources/application-access/guides/vnet.mdx
rename to docs/pages/enroll-resources/application-access/vnet.mdx
index 8c8a9567a85f8..4fccc1d751e14 100644
--- a/docs/pages/enroll-resources/application-access/guides/vnet.mdx
+++ b/docs/pages/enroll-resources/application-access/vnet.mdx
@@ -1,6 +1,7 @@
---
title: VNet
description: How to configure custom DNS zones for VNet
+sidebar_position: 5
tags:
- how-to
- zero-trust
@@ -9,7 +10,7 @@ tags:
VNet automatically proxies connections made to TCP applications available under the public address
of a Proxy Service. This guide explains how to configure VNet to support apps with [custom public
-addresses](../protect-apps/connecting-apps.mdx#customize-public-address).
+addresses](protect-apps/connecting-apps.mdx#customize-public-address).
## How it works
@@ -35,7 +36,7 @@ to first update the VNet config in the Auth Service to include a matching DNS zo
- A domain name under your control.
{/* vale messaging.protocol-products = NO */}
-In this guide, we'll use the example app from [TCP Application Access guide](../protect-apps/tcp.mdx) and make it
+In this guide, we'll use the example app from [TCP Application Access guide](protect-apps/tcp.mdx) and make it
available through VNet at with
as the custom DNS zone.
{/* vale messaging.protocol-products = YES */}
@@ -88,7 +89,7 @@ app_service:
## Step 3/3. Connect
-Once you [start VNet](../../../connect-your-client/teleport-clients/vnet.mdx), you should be able to connect to the
+Once you [start VNet](../../connect-your-client/teleport-clients/vnet.mdx), you should be able to connect to the
application over the custom `public_addr` using the application client you would normally use to
connect to it. You might need to restart VNet if it was already running while you were making
changes to the cluster.
@@ -135,7 +136,7 @@ an address for the TUN device from a range offered by one of those clusters.
### Configuring leaf cluster apps
-To make a [leaf cluster](../../../zero-trust-access/management/admin/trustedclusters.mdx) app accessible over a custom
+To make a [leaf cluster](../../zero-trust-access/management/admin/trustedclusters.mdx) app accessible over a custom
`public_addr`, you need to follow the same steps while being logged in directly to the leaf cluster.
```code
@@ -144,9 +145,9 @@ $ tsh login --proxy=leaf.example.com --user=email@example.com
### Accessing web apps through VNet
-VNet does not officially support [web apps](../protect-apps/connecting-apps.mdx) yet.
+VNet does not officially support [web apps](protect-apps/connecting-apps.mdx) yet.
However, since all web apps are served over TCP, it's possible to convert a web
-app to [a TCP app](../protect-apps/tcp.mdx) to make it available via VNet.
+app to [a TCP app](protect-apps/tcp.mdx) to make it available via VNet.
You'll need to change the `uri` of the application to use `tcp://` instead of `https://`.
Exposing plain HTTP web apps or APIs via VNet is not recommended.
@@ -167,10 +168,10 @@ There are a few more caveats when converting a Teleport web app to a TCP app:
above in this guide to an address that is not a subdomain of the proxy address.
- HTTPS Applications must handle their own TLS connections and have
a valid certificate for the app `public_addr`.
-- [JWT Tokens](../jwt/introduction.mdx), [redirects](../protect-apps/connecting-apps.mdx#rewrite-redirect) and
- [header rewrites](../protect-apps/connecting-apps.mdx#headers-passthrough) are not available for TCP apps.
+- [JWT Tokens](jwt/introduction.mdx), [redirects](protect-apps/connecting-apps.mdx#rewrite-redirect) and
+ [header rewrites](protect-apps/connecting-apps.mdx#headers-passthrough) are not available for TCP apps.
- Teleport records the start and the end of a session for TCP apps in the audit log, but [session
- chunks](../../../reference/architecture/session-recording.mdx) are not captured.
+ chunks](../../reference/architecture/session-recording.mdx) are not captured.
The important thing to understand is that VNet doesn't do anything extra with a
TCP connection, it tunnels it directly to the target application's `uri`.
@@ -179,6 +180,6 @@ clients.
### Further reading
-- Read our VNet usage [guide](../../../connect-your-client/teleport-clients/vnet.mdx) for end-users
+- Read our VNet usage [guide](../../connect-your-client/teleport-clients/vnet.mdx) for end-users
accessing your applications with VNet.
- Read [RFD 163](https://github.com/gravitational/teleport/blob/master/rfd/0163-vnet.md) to learn how VNet works on a technical level.
diff --git a/docs/pages/enroll-resources/auto-discovery/auto-discovery.mdx b/docs/pages/enroll-resources/auto-discovery/auto-discovery.mdx
index b05841ce0b958..6ec1b23e7ef7f 100644
--- a/docs/pages/enroll-resources/auto-discovery/auto-discovery.mdx
+++ b/docs/pages/enroll-resources/auto-discovery/auto-discovery.mdx
@@ -5,7 +5,7 @@ template: doc-page
tags:
- zero-trust
- infrastructure-identity
-sidebar_position: 8
+sidebar_position: 1
---
import DocHero from "@site/src/components/Pages/Landing/DocHero";
@@ -43,7 +43,7 @@ tagLists={
},
{
name: "Azure",
- href: "../database-access/enroll-azure-databases/",
+ href: "../database-access/enrollment/azure/",
icon: "azure",
},
]
@@ -122,4 +122,4 @@ href="./kubernetes-applications/"
>
Teleport can automatically detect applications running in your Kubernetes clusters and register them with Teleport for secure access.
-
\ No newline at end of file
+
diff --git a/docs/pages/enroll-resources/auto-discovery/databases/aws.mdx b/docs/pages/enroll-resources/auto-discovery/databases/aws.mdx
index 460b82ae78ab7..c3fefec31a1e5 100644
--- a/docs/pages/enroll-resources/auto-discovery/databases/aws.mdx
+++ b/docs/pages/enroll-resources/auto-discovery/databases/aws.mdx
@@ -1,5 +1,6 @@
---
title: AWS Database Discovery
+sidebar_label: AWS
description: How to configure Teleport to auto-discover AWS databases.
tags:
- how-to
@@ -296,7 +297,7 @@ Additional Teleport RBAC configuration and possibly IAM configuration may also
be required to connect to the discovered databases via Teleport.
Refer to the appropriate guide in
-[Enroll AWS Databases](../../database-access/enroll-aws-databases/enroll-aws-databases.mdx)
+[Enroll AWS Databases](../../database-access/enrollment/aws/aws.mdx)
for information about database user provisioning and configuration.
@@ -304,9 +305,9 @@ for information about database user provisioning and configuration.
- Learn about [Dynamic Registration](../../database-access/guides/dynamic-registration.mdx) by the
Teleport Database Service.
- Get started by [connecting](../../database-access/guides/guides.mdx) your database.
-- Connect AWS databases in [external AWS accounts](../../database-access/enroll-aws-databases/aws-cross-account.mdx).
+- Connect AWS databases in [external AWS accounts](../../database-access/enrollment/aws/aws-cross-account.mdx).
- Refer to the appropriate guide in
-[Enroll AWS Databases](../../database-access/enroll-aws-databases/enroll-aws-databases.mdx)
+[Enroll AWS Databases](../../database-access/enrollment/aws/aws.mdx)
for information about database user provisioning and configuration.
## Troubleshooting
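Review bot: After this change the sentence "Refer to the appropriate guide in Enroll AWS Databases for information about database user provisioning and configuration" appears twice with the same link, once in the previous hunk and once in this Next steps list; one of them can go. The unchanged links to `../../database-access/guides/dynamic-registration.mdx` and `../../database-access/guides/guides.mdx` still point into `database-access/guides/`, so verify those targets are not moved by the database-access part of this restructure.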
diff --git a/docs/pages/enroll-resources/auto-discovery/databases/databases.mdx b/docs/pages/enroll-resources/auto-discovery/databases/databases.mdx
index 8365dd6d1cb95..a8d0b5226d602 100644
--- a/docs/pages/enroll-resources/auto-discovery/databases/databases.mdx
+++ b/docs/pages/enroll-resources/auto-discovery/databases/databases.mdx
@@ -1,5 +1,6 @@
---
title: Database Discovery
+sidebar_label: Databases
description: Detailed guides for configuring database discovery.
tags:
- conceptual
@@ -13,7 +14,7 @@ them with your Teleport cluster.
## Supported clouds
- [AWS](aws.mdx): Discovery for AWS databases.
-- [Azure](../../database-access/enroll-azure-databases/enroll-azure-databases.mdx): Discovery for Azure databases.
+- [Azure](../../database-access/enrollment/azure/azure.mdx): Discovery for Azure databases.
{/* TODO(gavin): Add an Azure discovery guide and permission reference */}
## Architecture overview
diff --git a/docs/pages/enroll-resources/auto-discovery/kubernetes-applications/get-started.mdx b/docs/pages/enroll-resources/auto-discovery/kubernetes-applications/get-started.mdx
index 308a30cded1a6..5060a718873f0 100644
--- a/docs/pages/enroll-resources/auto-discovery/kubernetes-applications/get-started.mdx
+++ b/docs/pages/enroll-resources/auto-discovery/kubernetes-applications/get-started.mdx
@@ -1,5 +1,6 @@
---
title: Get Started with Kubernetes Application Discovery
+sidebar_label: Get Started
description: Detailed guide for configuring Kubernetes Application Discovery.
tags:
- get-started
diff --git a/docs/pages/enroll-resources/auto-discovery/kubernetes-applications/kubernetes-applications.mdx b/docs/pages/enroll-resources/auto-discovery/kubernetes-applications/kubernetes-applications.mdx
index 0552112ddfbbd..f613f68fccb02 100644
--- a/docs/pages/enroll-resources/auto-discovery/kubernetes-applications/kubernetes-applications.mdx
+++ b/docs/pages/enroll-resources/auto-discovery/kubernetes-applications/kubernetes-applications.mdx
@@ -1,5 +1,6 @@
---
title: "Enroll Kubernetes Services as Teleport Applications"
+sidebar_label: Kubernetes Services
description: "Teleport can automatically detect applications running in your Kubernetes clusters and register them with Teleport for secure access."
tags:
- zero-trust
@@ -23,6 +24,6 @@ traffic to them.
application discovery with the `teleport-kube-agent` Helm chart.
- [Architecture](../../../reference/architecture/kubernetes-applications-architecture.mdx): Learn how
automatic application discovery works.
-- [Reference](../reference/kubernetes-application-discovery.mdx): Consult this guide
+- [Reference](reference.mdx): Consult this guide
for options and Kubernetes annotations you can use to configure automatic
Kubernetes application discovery.
diff --git a/docs/pages/enroll-resources/auto-discovery/reference/kubernetes-application-discovery.mdx b/docs/pages/enroll-resources/auto-discovery/kubernetes-applications/reference.mdx
similarity index 99%
rename from docs/pages/enroll-resources/auto-discovery/reference/kubernetes-application-discovery.mdx
rename to docs/pages/enroll-resources/auto-discovery/kubernetes-applications/reference.mdx
index ff2dcfd6a9115..f8c79637a660e 100644
--- a/docs/pages/enroll-resources/auto-discovery/reference/kubernetes-application-discovery.mdx
+++ b/docs/pages/enroll-resources/auto-discovery/kubernetes-applications/reference.mdx
@@ -1,6 +1,6 @@
---
title: Kubernetes Application Discovery Reference
-sidebar_label: Kubernetes Application Discovery
+sidebar_label: Configuration Reference
description: This guide is a comprehensive reference of configuration options for automatically enrolling Kubernetes applications with Teleport.
tags:
- reference
diff --git a/docs/pages/enroll-resources/auto-discovery/kubernetes/kubernetes.mdx b/docs/pages/enroll-resources/auto-discovery/kubernetes/kubernetes.mdx
index b1a593513a087..0bedb0be774bd 100644
--- a/docs/pages/enroll-resources/auto-discovery/kubernetes/kubernetes.mdx
+++ b/docs/pages/enroll-resources/auto-discovery/kubernetes/kubernetes.mdx
@@ -1,5 +1,6 @@
---
-title: Kubernetes Clusters Discovery
+title: Kubernetes Cluster Discovery
+sidebar_label: Kubernetes Clusters
description: Detailed guides for configuring Kubernetes Clusters Discovery.
tags:
- conceptual
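Review bot: The title becomes "Kubernetes Cluster Discovery" but the unchanged `description` line directly below the new `sidebar_label` still reads "Kubernetes Clusters Discovery". Update the description in the same change so the two agree, for example "Detailed guides for configuring Kubernetes cluster discovery."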
diff --git a/docs/pages/enroll-resources/auto-discovery/reference/labels.mdx b/docs/pages/enroll-resources/auto-discovery/reference/labels.mdx
index 915e2edd8d74c..255349fc1b96d 100644
--- a/docs/pages/enroll-resources/auto-discovery/reference/labels.mdx
+++ b/docs/pages/enroll-resources/auto-discovery/reference/labels.mdx
@@ -75,7 +75,7 @@ See the Azure VM auto-discovery [guide](../../../enroll-resources/auto-discovery
### Databases
-See the Azure Databases auto-discovery [guide](../../../enroll-resources/database-access/enroll-azure-databases/enroll-azure-databases.mdx).
+See the Azure Databases auto-discovery [guide](../../database-access/enrollment/azure/azure.mdx).
| Label | Description |
|-------------------------------------------|---------------------------------------------------------------------------------------------------------------|
diff --git a/docs/pages/enroll-resources/auto-discovery/reference/reference.mdx b/docs/pages/enroll-resources/auto-discovery/reference/reference.mdx
index fbd53bec11e32..536b44ea2f15a 100644
--- a/docs/pages/enroll-resources/auto-discovery/reference/reference.mdx
+++ b/docs/pages/enroll-resources/auto-discovery/reference/reference.mdx
@@ -8,6 +8,4 @@ tags:
- infrastructure-identity
---
-- [AWS IAM](aws-iam.mdx)
-- [Kubernetes Applications](kubernetes-application-discovery.mdx)
-- [Labels](labels.mdx)
+
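Review bot: This removes the links to `aws-iam.mdx` and `labels.mdx` along with the moved `kubernetes-application-discovery.mdx`, and the only added line shown is blank. `labels.mdx` is still edited in place under `reference/` elsewhere in this patch, so the index should keep pointing at it; either retain the two remaining list entries or confirm the page body is generated from the directory contents.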
diff --git a/docs/pages/enroll-resources/auto-discovery/servers/azure-discovery.mdx b/docs/pages/enroll-resources/auto-discovery/servers/azure-discovery.mdx
index e838c30f8112d..fca90b846138f 100644
--- a/docs/pages/enroll-resources/auto-discovery/servers/azure-discovery.mdx
+++ b/docs/pages/enroll-resources/auto-discovery/servers/azure-discovery.mdx
@@ -1,5 +1,6 @@
---
title: Automatically Discover Azure Virtual Machines
+sidebar_label: Azure Virtual Machines
description: How to configure Teleport to automatically enroll Azure virtual machines.
tags:
- how-to
diff --git a/docs/pages/enroll-resources/auto-discovery/servers/ec2-discovery/ec2-discovery-guided.mdx b/docs/pages/enroll-resources/auto-discovery/servers/ec2-discovery/ec2-discovery-guided.mdx
index e8009db70b30a..8550fe4236f74 100644
--- a/docs/pages/enroll-resources/auto-discovery/servers/ec2-discovery/ec2-discovery-guided.mdx
+++ b/docs/pages/enroll-resources/auto-discovery/servers/ec2-discovery/ec2-discovery-guided.mdx
@@ -1,5 +1,6 @@
---
title: Guided EC2 Auto-Discovery Configuration
+sidebar_label: Guided
description: How to configure Teleport EC2 auto-discovery using Teleport to configure permissions
tags:
- how-to
diff --git a/docs/pages/enroll-resources/auto-discovery/servers/ec2-discovery/ec2-discovery-manual.mdx b/docs/pages/enroll-resources/auto-discovery/servers/ec2-discovery/ec2-discovery-manual.mdx
index dbaafef810ffb..8d7e4a24b3ef7 100644
--- a/docs/pages/enroll-resources/auto-discovery/servers/ec2-discovery/ec2-discovery-manual.mdx
+++ b/docs/pages/enroll-resources/auto-discovery/servers/ec2-discovery/ec2-discovery-manual.mdx
@@ -1,5 +1,6 @@
---
title: Manual EC2 Auto-Discovery Configuration
+sidebar_label: Manual
description: How to configure Teleport EC2 auto-discovery with manually configured permissions
tags:
- how-to
diff --git a/docs/pages/enroll-resources/auto-discovery/servers/ec2-discovery/ec2-discovery.mdx b/docs/pages/enroll-resources/auto-discovery/servers/ec2-discovery/ec2-discovery.mdx
index 69ccfead3952c..2f0c76b36f2dc 100644
--- a/docs/pages/enroll-resources/auto-discovery/servers/ec2-discovery/ec2-discovery.mdx
+++ b/docs/pages/enroll-resources/auto-discovery/servers/ec2-discovery/ec2-discovery.mdx
@@ -1,5 +1,6 @@
---
title: Server Auto-Discovery for Amazon EC2
+sidebar_label: Amazon EC2
description: How to configure Teleport to automatically enroll EC2 instances.
tags:
- how-to
diff --git a/docs/pages/enroll-resources/auto-discovery/servers/gcp-discovery.mdx b/docs/pages/enroll-resources/auto-discovery/servers/gcp-discovery.mdx
index 71bbc8fd721b5..256b1329cf6ac 100644
--- a/docs/pages/enroll-resources/auto-discovery/servers/gcp-discovery.mdx
+++ b/docs/pages/enroll-resources/auto-discovery/servers/gcp-discovery.mdx
@@ -1,5 +1,6 @@
---
title: Automatically Discover GCP Compute Instances
+sidebar_label: Google Compute Engine
description: How to configure Teleport to automatically enroll GCP compute instances.
tags:
- how-to
diff --git a/docs/pages/enroll-resources/auto-discovery/servers/servers.mdx b/docs/pages/enroll-resources/auto-discovery/servers/servers.mdx
index 584f68ba8a687..c4ac9ccc5e2fa 100644
--- a/docs/pages/enroll-resources/auto-discovery/servers/servers.mdx
+++ b/docs/pages/enroll-resources/auto-discovery/servers/servers.mdx
@@ -1,5 +1,6 @@
---
title: Server Auto-Discovery
+sidebar_label: Linux Servers
description: You can set up the Teleport Discovery Service to automatically enroll servers in your infrastructure.
tags:
- zero-trust
diff --git a/docs/pages/enroll-resources/database-access/auto-user-provisioning/auto-user-provisioning.mdx b/docs/pages/enroll-resources/database-access/auto-user-provisioning/auto-user-provisioning.mdx
index daf92d12c5c09..f0eb7132b7e0c 100644
--- a/docs/pages/enroll-resources/database-access/auto-user-provisioning/auto-user-provisioning.mdx
+++ b/docs/pages/enroll-resources/database-access/auto-user-provisioning/auto-user-provisioning.mdx
@@ -1,5 +1,6 @@
---
title: Database Automatic User Provisioning
+sidebar_label: Auto User Provisioning
description: Configure automatic user provisioning for databases.
tags:
- zero-trust
diff --git a/docs/pages/enroll-resources/database-access/auto-user-provisioning/aws-redshift.mdx b/docs/pages/enroll-resources/database-access/auto-user-provisioning/aws-redshift.mdx
index a843f46346a5c..ab31bf41790dc 100644
--- a/docs/pages/enroll-resources/database-access/auto-user-provisioning/aws-redshift.mdx
+++ b/docs/pages/enroll-resources/database-access/auto-user-provisioning/aws-redshift.mdx
@@ -16,7 +16,7 @@ tags:
## Prerequisites
- Teleport cluster with a configured [Amazon
- Redshift](../enroll-aws-databases/postgres-redshift.mdx) database.
+ Redshift](../enrollment/aws/postgres-redshift.mdx) database.
- Ability to connect to and create user accounts in the target database.
diff --git a/docs/pages/enroll-resources/database-access/auto-user-provisioning/mariadb.mdx b/docs/pages/enroll-resources/database-access/auto-user-provisioning/mariadb.mdx
index 48160ade006d8..7949d247c0436 100644
--- a/docs/pages/enroll-resources/database-access/auto-user-provisioning/mariadb.mdx
+++ b/docs/pages/enroll-resources/database-access/auto-user-provisioning/mariadb.mdx
@@ -15,7 +15,7 @@ tags:
## Prerequisites
- Teleport cluster with a configured [self-hosted
- MariaDB](../enroll-self-hosted-databases/mysql-self-hosted.mdx) or [RDS MariaDB](../enroll-aws-databases/rds/mysql-postgres-mariadb.mdx)
+ MariaDB](../enrollment/self-hosted/mysql-self-hosted.mdx) or [RDS MariaDB](../enrollment/aws/rds/mysql-postgres-mariadb.mdx)
database.
- Ability to connect to and create user accounts in the target database.
diff --git a/docs/pages/enroll-resources/database-access/auto-user-provisioning/mongodb.mdx b/docs/pages/enroll-resources/database-access/auto-user-provisioning/mongodb.mdx
index 4497d8ef53937..8b612291733ef 100644
--- a/docs/pages/enroll-resources/database-access/auto-user-provisioning/mongodb.mdx
+++ b/docs/pages/enroll-resources/database-access/auto-user-provisioning/mongodb.mdx
@@ -16,7 +16,7 @@ tags:
- A Teleport cluster.
- A self-hosted MongoDB database enrolled with your Teleport cluster. Follow
- the [Teleport documentation](../enroll-self-hosted-databases/mongodb-self-hosted.mdx) to learn how
+ the [Teleport documentation](../enrollment/self-hosted/mongodb-self-hosted.mdx) to learn how
to enroll your database.
Your MongoDB database must have Role-Based Access Control (RBAC) enabled by
setting
diff --git a/docs/pages/enroll-resources/database-access/auto-user-provisioning/mysql.mdx b/docs/pages/enroll-resources/database-access/auto-user-provisioning/mysql.mdx
index b98dc11c7cae7..774c5dfae6d0d 100644
--- a/docs/pages/enroll-resources/database-access/auto-user-provisioning/mysql.mdx
+++ b/docs/pages/enroll-resources/database-access/auto-user-provisioning/mysql.mdx
@@ -34,7 +34,7 @@ stripping its privileges.
## Prerequisites
- Teleport cluster with a configured [self-hosted
- MySQL](../enroll-self-hosted-databases/mysql-self-hosted.mdx) or [RDS MySQL](../enroll-aws-databases/rds/mysql-postgres-mariadb.mdx)
+ MySQL](../enrollment/self-hosted/mysql-self-hosted.mdx) or [RDS MySQL](../enrollment/aws/rds/mysql-postgres-mariadb.mdx)
database.
- Ability to connect to and create user accounts in the target database.
- Automatic user provisioning is not compatible with MySQL versions lower than
diff --git a/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx b/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx
index 923b87dfb7c40..dc2386b1a666f 100644
--- a/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx
+++ b/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx
@@ -15,8 +15,8 @@ tags:
## Prerequisites
- Teleport cluster with a configured [self-hosted
- PostgreSQL](../enroll-self-hosted-databases/postgres-self-hosted.mdx) or [RDS
- PostgreSQL](../enroll-aws-databases/rds/mysql-postgres-mariadb.mdx) database. To configure
+ PostgreSQL](../enrollment/self-hosted/postgres-self-hosted.mdx) or [RDS
+ PostgreSQL](../enrollment/aws/rds/mysql-postgres-mariadb.mdx) database. To configure
permissions for database objects like tables, your cluster must be on version
v15.2 or above.
- Ability to connect to and create user accounts in the target database.
@@ -84,7 +84,7 @@ hostssl all all ::/0 cert
hostssl all all 0.0.0.0/0 cert
```
-Refer to the [self-hosted PostgreSQL guide](../enroll-self-hosted-databases/postgres-self-hosted.mdx#step-35-configure-your-postgresql-server)
+Refer to the [self-hosted PostgreSQL guide](../enrollment/self-hosted/postgres-self-hosted.mdx#step-35-configure-your-postgresql-server)
to ensure that your configuration is correct.
diff --git a/docs/pages/enroll-resources/database-access/database-access.mdx b/docs/pages/enroll-resources/database-access/database-access.mdx
index 7af00be0fd665..4cba98dba409d 100644
--- a/docs/pages/enroll-resources/database-access/database-access.mdx
+++ b/docs/pages/enroll-resources/database-access/database-access.mdx
@@ -31,11 +31,11 @@ agent services.
## Guides
-- [Enroll AWS Databases (section)](./enroll-aws-databases/): Provides instructions on protecting databases in your AWS-managed infrastructure with Teleport.
-- [Enroll Azure Databases (section)](./enroll-azure-databases/): Provides instructions on protecting databases in your Azure-managed infrastructure with Teleport.
-- [Enroll Google Cloud Databases (section)](./enroll-google-cloud-databases/): Provides instructions on protecting databases in your Google Cloud-managed infrastructure with Teleport.
-- [Enroll Cloud-Hosted Database Platforms (section)](./enroll-managed-databases/): Provides instructions on protecting managed databases in your infrastructure with Teleport.
-- [Enroll Self-Hosted Databases (section)](./enroll-self-hosted-databases/): Provides instructions on protecting self-hosted databases in your infrastructure with Teleport.
+- [Enroll AWS Databases (section)](./enrollment/aws/): Provides instructions on protecting databases in your AWS-managed infrastructure with Teleport.
+- [Enroll Azure Databases (section)](./enrollment/azure/): Provides instructions on protecting databases in your Azure-managed infrastructure with Teleport.
+- [Enroll Google Cloud Databases (section)](./enrollment/google-cloud/): Provides instructions on protecting databases in your Google Cloud-managed infrastructure with Teleport.
+- [Enroll Cloud-Hosted Database Platforms (section)](./enrollment/managed/): Provides instructions on protecting managed databases in your infrastructure with Teleport.
+- [Enroll Self-Hosted Databases (section)](./enrollment/self-hosted/): Provides instructions on protecting self-hosted databases in your infrastructure with Teleport.
- [Database Automatic User Provisioning (section)](./auto-user-provisioning/): Configure automatic user provisioning for databases.
## Configuration & management
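Review bot: The Guides list in database-access.mdx repoints the five enrollment entries at `./enrollment/aws/`, `./enrollment/azure/` and so on, but has no entry for the new `./enrollment/` section whose index page (`enrollment/enrollment.mdx`) this patch adds. The five targets are now two levels below this page while `./auto-user-provisioning/` is still a direct child, so the list mixes two levels. If the list is meant to mirror the immediate subsections, replace the five entries with a single entry for `./enrollment/` that reuses the new page's description. If the deep links are deliberate, add the `./enrollment/` entry alongside them so the new index page is reachable from here.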
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-cassandra-keyspaces.mdx b/docs/pages/enroll-resources/database-access/enrollment/aws/aws-cassandra-keyspaces.mdx
similarity index 93%
rename from docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-cassandra-keyspaces.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/aws/aws-cassandra-keyspaces.mdx
index a8abed3b8ca9b..ca6164a1252e0 100644
--- a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-cassandra-keyspaces.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/aws/aws-cassandra-keyspaces.mdx
@@ -17,10 +17,10 @@ tags:
-
+
-
+
@@ -96,7 +96,7 @@ Create an AWS IAM Role that will be used as your Keyspaces user.
Go to the IAM -> Access Management -> [Roles](https://console.aws.amazon.com/iamv2/home#/roles).
Press Create Role.
-
+
AWS provides the `AmazonKeyspacesReadOnlyAccess` and `AmazonKeyspacesFullAccess` IAM policies that you can incorporate into your Keyspaces user's role.
You can choose `AmazonKeyspacesReadOnlyAccess` for read-only access to Amazon Keyspaces or `AmazonKeyspacesFullAccess` for full access.
@@ -107,9 +107,9 @@ You can choose `AmazonKeyspacesReadOnlyAccess` for read-only access to Amazon Ke
You can also create your own custom Amazon Keyspaces Permissions Policies: [Amazon Keyspaces identity-based policy examples](https://docs.aws.amazon.com/keyspaces/latest/devguide/security_iam_id-based-policy-examples.html).
-
+
Enter a role name and press "Create role".
-
+
## Step 4/5. Give Teleport permissions to assume roles
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-cross-account.mdx b/docs/pages/enroll-resources/database-access/enrollment/aws/aws-cross-account.mdx
similarity index 97%
rename from docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-cross-account.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/aws/aws-cross-account.mdx
index e6f72bda3c72d..fa72de4e556bc 100644
--- a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-cross-account.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/aws/aws-cross-account.mdx
@@ -1,6 +1,7 @@
---
title: AWS Cross-Account Database Access
-sidebar_label: Cross-Account Database Access
+sidebar_label: Cross-Account
+sidebar_position: 1
description: How to connect AWS databases in external AWS accounts to Teleport.
tags:
- conceptual
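Review bot: `sidebar_position: 1` in the aws-cross-account.mdx frontmatter pins a page tagged `conceptual` to the top of the AWS section, ahead of the enrollment guides, and no other AWS page touched in this part of the patch is given a position. If the goal is only the shorter `sidebar_label: Cross-Account`, drop the `sidebar_position` line. If the ordering is intended, state the reason in the commit message so the next reorder does not undo it.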
@@ -37,7 +38,7 @@ Teleport Database Service to connect to the databases.
This guide does not cover AWS network configuration, because it depends on your
specific AWS network setup and the kind(s) of AWS databases you wish to connect
to Teleport. For more information, see [how to connect your
-database](enroll-aws-databases.mdx).
+database](aws.mdx).
## Teleport configuration
@@ -143,7 +144,7 @@ Save the configuration to a file like `database.yaml` and create it with `tctl`:
$ tctl create database.yaml
```
For more information about database registration using dynamic database
-resources, see: [Dynamic Registration](../guides/dynamic-registration.mdx).
+resources, see: [Dynamic Registration](../../guides/dynamic-registration.mdx).
@@ -233,4 +234,4 @@ role, then the trust policy might look like:
## Next steps
-- Get started by [connecting](../guides/guides.mdx) your database.
+- Get started by [connecting](../../guides/guides.mdx) your database.
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-docdb.mdx b/docs/pages/enroll-resources/database-access/enrollment/aws/aws-docdb.mdx
similarity index 93%
rename from docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-docdb.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/aws/aws-docdb.mdx
index c4aa8f3cb123c..1953bdd94391c 100644
--- a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-docdb.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/aws/aws-docdb.mdx
@@ -17,10 +17,10 @@ tags:
-
+
-
+
@@ -119,12 +119,12 @@ page](https://console.aws.amazon.com/iamv2/home#/roles) of the AWS Console,
then press "Create Role". Under **Trusted entity type** select "AWS service".
Under **Use case** select "EC2" or the intended use case, then click **Next**.
-
+
On the "Add Permissions" page, find and select the
`TeleportDatabaseAccessDocumentDB` policy that is created in the previous step.
-
+
Click "Next" and give the role a name. In this guide, we will use the example
name `TeleportDatabaseService` for this role. Once you have chosen a name,
@@ -149,7 +149,7 @@ Navigate back to the Roles page on the AWS Web Console and create a new role.
Select the "AWS account" option, which creates a default trust policy to allow
other entities in this account to assume this role:
-
+
Skip the "Add Permissions" page by clicking "Next", and give the role a name.
In this guide, we will use the example "teleport-docdb-user" for this role.
@@ -157,7 +157,7 @@ In this guide, we will use the example "teleport-docdb-user" for this role.
Now click **Add new tag** at Step 3, use `TeleportDatabaseService` for the key
and `Allowed` for the value. Then click **Create Role** to complete the process.
-
+
### Create a DocumentDB user
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-dynamodb.mdx b/docs/pages/enroll-resources/database-access/enrollment/aws/aws-dynamodb.mdx
similarity index 92%
rename from docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-dynamodb.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/aws/aws-dynamodb.mdx
index a62278bcbb573..57529284a2cf5 100644
--- a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-dynamodb.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/aws/aws-dynamodb.mdx
@@ -22,10 +22,10 @@ request with credentials from AWS, then forwards it to the DynamoDB API.
-
+
-
+
@@ -62,7 +62,7 @@ Visit the [IAM > Roles page](https://console.aws.amazon.com/iamv2/home#/roles) o
the AWS Console, then press "Create Role". Under **Trusted entity type** select
"AWS service". Under **Use case** select "EC2", then click **Next**.
-
+
On the "Add Permissions" page, you can simply click **Next** since this role does not require any permissions. In this guide, we will use the example name `TeleportDatabaseService` for this role. Once you have chosen a name, click **Create Role** to complete the process.
@@ -72,11 +72,11 @@ Navigate back to the Roles page and create a new role. Select the "AWS account"
option, which creates a default trust policy to allow other entities in this
account to assume this role:
-
+
Click **Next**. Find the AWS-managed policy `AmazonDynamoDBFullAccess` and then select the policy:
-
+
The `AmazonDynamoDBFullAccess` policy may grant more permissions than desired.
@@ -225,7 +225,7 @@ $ aws dynamodb list-tables --endpoint-url=http://localhost:8000
```
{/* vale messaging.protocol-products = NO */}
-You can also connect to this database from the AWS NoSQL Workbench, as documented in our [Database Access GUI Clients](../../../connect-your-client/third-party/gui-clients.mdx#nosql-workbench) guide.
+You can also connect to this database from the AWS NoSQL Workbench, as documented in our [Database Access GUI Clients](../../../../connect-your-client/third-party/gui-clients.mdx#nosql-workbench) guide.
{/* vale messaging.protocol-products = YES */}
You can also use this tunnel for programmatic access. The example below uses the `boto3` SDK from AWS:
@@ -244,7 +244,7 @@ Type "help", "copyright", "credits" or "license" for more information.
## Next Steps
-- See [Dynamic Database Registration](../guides/dynamic-registration.mdx) to
+- See [Dynamic Database Registration](../../guides/dynamic-registration.mdx) to
learn how to use resource labels to keep Teleport up to date with accessible
databases in your infrastructure.
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-memorydb.mdx b/docs/pages/enroll-resources/database-access/enrollment/aws/aws-memorydb.mdx
similarity index 96%
rename from docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-memorydb.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/aws/aws-memorydb.mdx
index 1f2b56b1d3e8c..41e2d5f41800a 100644
--- a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-memorydb.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/aws/aws-memorydb.mdx
@@ -17,10 +17,10 @@ tags:
-
+
-
+
@@ -144,7 +144,7 @@ MemoryDB](https://docs.aws.amazon.com/memorydb/latest/devguide/clusters.acls.htm
Once an MemoryDB user is created with the desired access, add an AWS resource
tag `teleport.dev/managed` with the value `true` to this user:
-
+
The Database Service will automatically discover this user if it is associated
with a registered database. Keep in mind that it may take the Database Service
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-opensearch.mdx b/docs/pages/enroll-resources/database-access/enrollment/aws/aws-opensearch.mdx
similarity index 92%
rename from docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-opensearch.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/aws/aws-opensearch.mdx
index b410559bf6cb8..b5e6062363074 100644
--- a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-opensearch.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/aws/aws-opensearch.mdx
@@ -23,10 +23,10 @@ requests with AWS credentials, and forwards them to the OpenSearch API.
-
+
-
+
@@ -57,7 +57,7 @@ access conventions. You should adjust the AWS IAM permissions to fit your needs.
To access the OpenSearch Dashboard deployed within private VPC subnets using
Teleport, you can enroll the Dashboard as a [Web
-application](../../application-access/protect-apps/connecting-apps.mdx)
+application](../../../application-access/protect-apps/connecting-apps.mdx)
in Teleport.
@@ -75,7 +75,7 @@ Visit the [IAM > Roles page](https://console.aws.amazon.com/iamv2/home#/roles) o
the AWS Console, then press "Create Role". Under **Trusted entity type** select
"AWS service". Under **Use case** select "EC2", then click **Next**.
-
+
On the "Add Permissions" page, you can simply click **Next** since this role
does not require any permissions. In this guide, we will use the example name
@@ -88,7 +88,7 @@ Navigate back to the Roles page and create a new role. Select the "AWS account"
option, which creates a default trust policy to allow other entities in this
account to assume this role:
-
+
Click **Next**. On the next page, enter a role name. In this guide we'll use
the example name `ExampleTeleportOpenSearchRole` for this role.
@@ -125,18 +125,18 @@ where the IAM role or user is mapped to the OpenSearch role.
In order to configure Role Mapping log into OpenSearch Domain Dashboard using
the master user and go to the `Security` settings:
-
+
Create a new role with least privilege permissions, or select an existing one.
For the purpose of this example the `readall` OpenSearch role will be used.
Select the OpenSearch role and go to the `Mapped users` tab:
-
+
Add mapping between the OpenSearch role and AWS IAM `ExampleTeleportOpenSearchRole`
role created in the previous step.
-
+
Finally, click the **Map** button to apply the settings.
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/enroll-aws-databases.mdx b/docs/pages/enroll-resources/database-access/enrollment/aws/aws.mdx
similarity index 95%
rename from docs/pages/enroll-resources/database-access/enroll-aws-databases/enroll-aws-databases.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/aws/aws.mdx
index bfaccc5083d7d..de1ad878ebe3d 100644
--- a/docs/pages/enroll-resources/database-access/enroll-aws-databases/enroll-aws-databases.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/aws/aws.mdx
@@ -13,7 +13,7 @@ Teleport.
You can configure Teleport to discover databases in your AWS account and enroll
them with your cluster automatically. Read more about setting up
-[Database Auto-Discovery](../../auto-discovery/databases/databases.mdx).
+[Database Auto-Discovery](../../../auto-discovery/databases/databases.mdx).
It is also possible to protect databases across your AWS accounts. Read the
instructions in [AWS Cross-Account Database
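Review bot: Renaming the section index from `enroll-aws-databases.mdx` to `aws.mdx` changes the path of this page and of every guide under it, and nothing in this part of the patch adds redirects from the old `enroll-aws-databases/` paths. Confirm that redirect entries are part of the change. Only in-repo links, such as the `../../../auto-discovery/databases/databases.mdx` one in this hunk, are rewritten here, so external links and bookmarks to the old paths would otherwise break.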
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/elasticache-serverless.mdx b/docs/pages/enroll-resources/database-access/enrollment/aws/elasticache-serverless.mdx
similarity index 96%
rename from docs/pages/enroll-resources/database-access/enroll-aws-databases/elasticache-serverless.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/aws/elasticache-serverless.mdx
index 91ac9a86f5578..d63f94ac51476 100644
--- a/docs/pages/enroll-resources/database-access/enroll-aws-databases/elasticache-serverless.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/aws/elasticache-serverless.mdx
@@ -17,10 +17,10 @@ The Teleport Database Service connects on user behalf using IAM authentication a
-
+
-
+
@@ -150,7 +150,7 @@ $ aws elasticache modify-serverless-cache \
Once the ElastiCache user has been created, verify that the user is configured
to satisfy the requirements for IAM authentication:
-
+
(!docs/pages/includes/database-access/aws-redis-no-auth.mdx dbType="ElastiCache Serverless"!)
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/postgres-redshift.mdx b/docs/pages/enroll-resources/database-access/enrollment/aws/postgres-redshift.mdx
similarity index 94%
rename from docs/pages/enroll-resources/database-access/enroll-aws-databases/postgres-redshift.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/aws/postgres-redshift.mdx
index 3fcf15526a323..4af888b101b6a 100644
--- a/docs/pages/enroll-resources/database-access/enroll-aws-databases/postgres-redshift.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/aws/postgres-redshift.mdx
@@ -18,10 +18,10 @@ tags:
-
+
-
+
@@ -202,7 +202,7 @@ to the Redshift database.
- Learn more about [using IAM authentication to generate database user
credentials](https://docs.aws.amazon.com/redshift/latest/mgmt/generating-user-credentials.html) for Amazon Redshift.
-- Learn how to [restrict access](../rbac.mdx) to certain users and databases.
-- View the [High Availability (HA)](../guides/ha.mdx) guide.
-- Take a look at the YAML configuration [reference](../reference/configuration.mdx).
+- Learn how to [restrict access](../../rbac.mdx) to certain users and databases.
+- View the [High Availability (HA)](../../guides/ha.mdx) guide.
+- Take a look at the YAML configuration [reference](../../reference/configuration.mdx).
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/rds-proxy/rds-proxy-mysql.mdx b/docs/pages/enroll-resources/database-access/enrollment/aws/rds-proxy/rds-proxy-mysql.mdx
similarity index 100%
rename from docs/pages/enroll-resources/database-access/enroll-aws-databases/rds-proxy/rds-proxy-mysql.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/aws/rds-proxy/rds-proxy-mysql.mdx
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/rds-proxy/rds-proxy-postgres.mdx b/docs/pages/enroll-resources/database-access/enrollment/aws/rds-proxy/rds-proxy-postgres.mdx
similarity index 100%
rename from docs/pages/enroll-resources/database-access/enroll-aws-databases/rds-proxy/rds-proxy-postgres.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/aws/rds-proxy/rds-proxy-postgres.mdx
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/rds-proxy/rds-proxy-sqlserver.mdx b/docs/pages/enroll-resources/database-access/enrollment/aws/rds-proxy/rds-proxy-sqlserver.mdx
similarity index 100%
rename from docs/pages/enroll-resources/database-access/enroll-aws-databases/rds-proxy/rds-proxy-sqlserver.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/aws/rds-proxy/rds-proxy-sqlserver.mdx
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/rds-proxy/rds-proxy.mdx b/docs/pages/enroll-resources/database-access/enrollment/aws/rds-proxy/rds-proxy.mdx
similarity index 100%
rename from docs/pages/enroll-resources/database-access/enroll-aws-databases/rds-proxy/rds-proxy.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/aws/rds-proxy/rds-proxy.mdx
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/rds/mysql-postgres-mariadb.mdx b/docs/pages/enroll-resources/database-access/enrollment/aws/rds/mysql-postgres-mariadb.mdx
similarity index 97%
rename from docs/pages/enroll-resources/database-access/enroll-aws-databases/rds/mysql-postgres-mariadb.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/aws/rds/mysql-postgres-mariadb.mdx
index 29783fa6542c5..800c19948a1a1 100644
--- a/docs/pages/enroll-resources/database-access/enroll-aws-databases/rds/mysql-postgres-mariadb.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/aws/rds/mysql-postgres-mariadb.mdx
@@ -17,10 +17,10 @@ tags:
-
+
-
+
@@ -331,5 +331,5 @@ $ tsh db logout rds-example
## Next steps
(!docs/pages/includes/database-access/guides-next-steps.mdx!)
-- Set up [automatic database user provisioning](../../auto-user-provisioning/auto-user-provisioning.mdx).
+- Set up [automatic database user provisioning](../../../auto-user-provisioning/auto-user-provisioning.mdx).
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/rds/rds-oracle.mdx b/docs/pages/enroll-resources/database-access/enrollment/aws/rds/rds-oracle.mdx
similarity index 98%
rename from docs/pages/enroll-resources/database-access/enroll-aws-databases/rds/rds-oracle.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/aws/rds/rds-oracle.mdx
index 647676d5be868..c04d9732927dd 100644
--- a/docs/pages/enroll-resources/database-access/enroll-aws-databases/rds/rds-oracle.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/aws/rds/rds-oracle.mdx
@@ -222,7 +222,7 @@ be merged into the same `teleport.keytab` file.
To check if the user has any SPNs assigned, go to the user's page in AWS Console and locate the "Account settings - optional" section.
- 
+ 
Alternatively, run the following command on the
Windows machine joined to your Active Directory domain:
@@ -391,7 +391,7 @@ Other clients can use:
- a custom JDBC connection string: 'jdbc:oracle:thin:@tcps://localhost:12345/ORCL?TNS_ADMIN=/home/alice/.tsh/keys/teleport.example.com/alice-db/teleport.example.com/oracle-wallet'
```
-This method also enables use of various graphical clients, as explained in [Oracle graphical clients](../../../../connect-your-client/third-party/gui-clients.mdx#oracle-graphical-clients) section.
+This method also enables use of various graphical clients, as explained in [Oracle graphical clients](../../../../../connect-your-client/third-party/gui-clients.mdx#oracle-graphical-clients) section.
## Next steps
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/rds/rds.mdx b/docs/pages/enroll-resources/database-access/enrollment/aws/rds/rds.mdx
similarity index 100%
rename from docs/pages/enroll-resources/database-access/enroll-aws-databases/rds/rds.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/aws/rds/rds.mdx
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/rds/sql-server-ad.mdx b/docs/pages/enroll-resources/database-access/enrollment/aws/rds/sql-server-ad.mdx
similarity index 98%
rename from docs/pages/enroll-resources/database-access/enroll-aws-databases/rds/sql-server-ad.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/aws/rds/sql-server-ad.mdx
index 076a5920a3c88..b90897eca1248 100644
--- a/docs/pages/enroll-resources/database-access/enroll-aws-databases/rds/sql-server-ad.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/aws/rds/sql-server-ad.mdx
@@ -26,10 +26,10 @@ Database Service forwards user traffic to the database.
-
+
-
+
@@ -311,7 +311,7 @@ Alternatively, you can look SPNs up in the Attribute Editor of the Active Direct
Users and Computers dialog on your AD-joined Windows machine. The RDS SQL Server
object typically resides under the AWS Reserved / RDS path:
-
+
If you don't see Attribute Editor tab, make sure that "View > Advanced Features"
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/redis-aws.mdx b/docs/pages/enroll-resources/database-access/enrollment/aws/redis-aws.mdx
similarity index 95%
rename from docs/pages/enroll-resources/database-access/enroll-aws-databases/redis-aws.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/aws/redis-aws.mdx
index 1a86d8ed80dc9..dbfd0a121a7a4 100644
--- a/docs/pages/enroll-resources/database-access/enroll-aws-databases/redis-aws.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/aws/redis-aws.mdx
@@ -17,10 +17,10 @@ tags:
-
+
-
+
@@ -145,7 +145,7 @@ $ aws elasticache modify-replication-group \
Once the ElastiCache user has been created, verify that the user is configured
to satisfy the requirements for IAM authentication:
-
+
@@ -158,7 +158,7 @@ ElastiCache](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/Clusters.RB
Once an ElastiCache user is created with the desired access, add an AWS resource
tag `teleport.dev/managed` with the value `true` to this user:
-
+
The Database Service will automatically discover this user if it is associated
with a registered database. Keep in mind that it may take the Database Service
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/redshift-serverless.mdx b/docs/pages/enroll-resources/database-access/enrollment/aws/redshift-serverless.mdx
similarity index 95%
rename from docs/pages/enroll-resources/database-access/enroll-aws-databases/redshift-serverless.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/aws/redshift-serverless.mdx
index a1f132f66935f..1f13068bab298 100644
--- a/docs/pages/enroll-resources/database-access/enroll-aws-databases/redshift-serverless.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/aws/redshift-serverless.mdx
@@ -22,10 +22,10 @@ This guide will help you to:
-
+
-
+
@@ -265,7 +265,7 @@ prior to logging in as this new IAM role to avoid or resolve user permission iss
- Learn more about [using IAM authentication to generate database user
credentials](https://docs.aws.amazon.com/redshift/latest/mgmt/generating-user-credentials.html) for Amazon Redshift.
-- Learn how to [restrict access](../rbac.mdx) to certain users and databases.
-- View the [High Availability (HA)](../guides/ha.mdx) guide.
-- Take a look at the YAML configuration [reference](../reference/configuration.mdx).
+- Learn how to [restrict access](../../rbac.mdx) to certain users and databases.
+- View the [High Availability (HA)](../../guides/ha.mdx) guide.
+- Take a look at the YAML configuration [reference](../../reference/configuration.mdx).
diff --git a/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx b/docs/pages/enroll-resources/database-access/enrollment/azure/azure-postgres-mysql.mdx
similarity index 96%
rename from docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/azure/azure-postgres-mysql.mdx
index 2f0c03138729b..c80d19e1e69d3 100644
--- a/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/azure/azure-postgres-mysql.mdx
@@ -24,10 +24,10 @@ database.
-
+
-
+
@@ -100,11 +100,11 @@ more information.
Go to the [Subscriptions](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade) page and select a subscription.
Click on *Access control (IAM)* in the subscription and select *Add > Add custom role*:
-
+
In the custom role creation page, click the *JSON* tab and click *Edit*, then paste the JSON example
and replace the subscription in "assignableScopes" with your own subscription id:
-
+
### Create a role assignment for the Teleport Database Service principal
@@ -125,21 +125,21 @@ Entra ID users.
Go to your database's **Authentication** page and set the AD
admin using the edit button:
-
+
Go to your database's **Authentication** page and set the AD
admin by selecting **+ Add Entra ID Admins**:
-
+
Go to your database's *Active Directory admin* page
and set the AD admin using the *Set admin* button:
-
+
diff --git a/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-redis.mdx b/docs/pages/enroll-resources/database-access/enrollment/azure/azure-redis.mdx
similarity index 96%
rename from docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-redis.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/azure/azure-redis.mdx
index 1100944ca660d..899380b6b04ee 100644
--- a/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-redis.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/azure/azure-redis.mdx
@@ -20,11 +20,11 @@ Azure as a principal with permissions to manage the database.
-
+
-
+
@@ -145,11 +145,11 @@ you want to further limit the `assignableScopes`, you can use a resource group
Now go to the [Subscriptions](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade) page and select a subscription.
Click on *Access control (IAM)* in the subscription and select *Add > Add custom role*:
-
+
In the custom role creation page, click the *JSON* tab and click *Edit*, then paste the JSON example
and replace the subscription in `assignableScopes` with your own subscription id:
-
+
### Create a role assignment for the Teleport Database Service principal
diff --git a/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-sql-server-ad.mdx b/docs/pages/enroll-resources/database-access/enrollment/azure/azure-sql-server-ad.mdx
similarity index 93%
rename from docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-sql-server-ad.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/azure/azure-sql-server-ad.mdx
index 9878546bdb150..8850fda0786cf 100644
--- a/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-sql-server-ad.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/azure/azure-sql-server-ad.mdx
@@ -22,10 +22,10 @@ forwards user traffic to the database.
-
+
-
+
@@ -55,7 +55,7 @@ Select **Microsoft Entra ID** under "Settings" in the left-hand column.
Select **Set Admin**, and choose an account that will be added as an admin
login to SQL Server.
-
+
## Step 3/8. Configure IAM permissions for Teleport
@@ -110,13 +110,13 @@ page and select a subscription.
Click on **Access control (IAM)** in the subscription and select **Add** >
**Add custom role**:
-
+
In the custom role creation page, click the **JSON** tab and click **Edit**,
then paste the JSON example and replace the subscription in `assignableScopes`
with your own subscription id:
-
+
## Step 4/8. Configure virtual machine identities
@@ -124,7 +124,7 @@ In the Teleport Database Service virtual machine's **Identity**
section, enable the system assigned identity. This is used by Teleport to access
Azure APIs.
-
+
To grant Teleport permissions, the custom role you created must be assigned to
the virtual machine system assigned identity. On the same page, click on the **Azure
@@ -150,13 +150,13 @@ To create a new user-assigned managed identity, go to the **Managed Identities**
page in your [Azure Portal](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.ManagedIdentity%2FuserAssignedIdentities)
and click on *Create*. Choose a name and resource group for it and create:
-
+
Next, go to the **Teleport Database Service virtual machine instance**,
**Identity** section, select **User assigned**, and add the identity we just
created:
-
+
## Step 5/8. Enable managed identities login on SQL Server
diff --git a/docs/pages/enroll-resources/database-access/enroll-azure-databases/enroll-azure-databases.mdx b/docs/pages/enroll-resources/database-access/enrollment/azure/azure.mdx
similarity index 100%
rename from docs/pages/enroll-resources/database-access/enroll-azure-databases/enroll-azure-databases.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/azure/azure.mdx
diff --git a/docs/pages/enroll-resources/database-access/enrollment/enrollment.mdx b/docs/pages/enroll-resources/database-access/enrollment/enrollment.mdx
new file mode 100644
index 0000000000000..93f69c0c131db
--- /dev/null
+++ b/docs/pages/enroll-resources/database-access/enrollment/enrollment.mdx
@@ -0,0 +1,13 @@
+---
+title: Database Enrollment Guides
+sidebar_label: Enrollment Guides
+sidebar_position: 2
+description: Provides instructions on enrolling databases with your Teleport cluster for secure access, authentication, authorization, and audit.
+---
+
+The guides in this section show you how to enroll your database with Teleport
+for secure access, authentication, authorization, and audit.
+
+Teleport supports the following kinds of databases:
+
+
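Review bot: The body of the new enrollment.mdx ends on "Teleport supports the following kinds of databases:" and only blank added lines follow, so as shown here the page announces a list it never renders. If a listing component or include is meant to sit on those last lines, confirm it is actually in the file and renders in the built docs; otherwise add links to the subsections this patch creates under enrollment/ (azure, google-cloud, managed and self-hosted are the ones visible here). The `description` also repeats the first body sentence almost word for word, so one of the two could say something more specific.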
diff --git a/docs/pages/enroll-resources/database-access/enroll-google-cloud-databases/alloydb.mdx b/docs/pages/enroll-resources/database-access/enrollment/google-cloud/alloydb.mdx
similarity index 90%
rename from docs/pages/enroll-resources/database-access/enroll-google-cloud-databases/alloydb.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/google-cloud/alloydb.mdx
index feae14dcfbf90..3d05f57565f5d 100644
--- a/docs/pages/enroll-resources/database-access/enroll-google-cloud-databases/alloydb.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/google-cloud/alloydb.mdx
@@ -15,7 +15,7 @@ tags:
(!docs/pages/includes/database-access/how-it-works/iam.mdx db="AlloyDB" cloud="Google Cloud"!)
-
+
## Prerequisites
@@ -42,7 +42,7 @@ behalf of authorized Teleport users.
Go to the [Service Accounts](https://console.cloud.google.com/iam-admin/serviceaccounts)
page and create a service account:
-
+
The Teleport Database Service needs permissions to call Google Cloud APIs to fetch
database connection information and generate client certificates.
@@ -52,7 +52,7 @@ Assign the predefined
role to the `teleport-db-service` service account. This role grants the
necessary permissions.
-
+
### Create a service account for a database user
@@ -65,7 +65,7 @@ Teleport uses service accounts to connect to AlloyDB databases.
Go to the IAM & Admin [Service Accounts](https://console.cloud.google.com/iam-admin/serviceaccounts)
page and create a new service account named `alloydb-user`:
-
+
Click "Create and continue".
@@ -75,7 +75,7 @@ Assign the following [predefined roles](https://cloud.google.com/alloydb/docs/re
* Cloud AlloyDB Client (`roles/alloydb.client`)
* [Service Usage Consumer (`roles/serviceusage.serviceUsageConsumer`)](https://cloud.google.com/service-usage/docs/access-control#serviceusage.serviceUsageConsumer)
-
+
### Grant access to the service account
@@ -83,12 +83,12 @@ The Teleport Database Service must be able to impersonate this service account.
Navigate to the `alloydb-user` service account overview page and select the
"Principals with Access" tab:
-
+
Click "Grant Access" and add the `teleport-db-service` principal ID.
Select the "Service Account Token Creator" role and save the change:
-
+
## Step 2/5: Database configuration
@@ -102,7 +102,7 @@ with AlloyDB instances.
Ensure that your instance is configured to use IAM authentication. Navigate to your instance settings and check
the presence of the `alloydb.iam_authentication` flag under Advanced Configuration Options section.
-
+
### Create a database user
@@ -115,11 +115,11 @@ Go to the Users page of your AlloyDB instance and add a new user
account. In the sidebar, choose "Cloud IAM" authentication type and add the
`alloydb-user` service account that you created earlier.
-
+
Press "Add" and your Users table should look similar to this:
-
+
## Step 3/5: Create a host for the Database Service
@@ -229,7 +229,7 @@ The connection URI has the format `projects/PROJECT/locations/REGION/clusters/CL
You can copy it from the AlloyDB instance details page in the Google Cloud
console.
-
+
Run the command as follows. Make sure to include the mandatory `alloydb://` prefix in the specified URI.
@@ -328,7 +328,7 @@ $ tsh db ls
type="note"
>
You will only be able to see databases that your Teleport role has
-access to. See our [RBAC](../rbac.mdx) guide for more details.
+access to. See our [RBAC](../../rbac.mdx) guide for more details.
When connecting to the database, use the name of the database's service account
@@ -345,7 +345,7 @@ $ tsh db connect --db-user=alloydb-user@.iam --db-name=p
```
- Starting from version `17.1`, you can now [access your PostgreSQL databases using the Web UI.](../../../connect-your-client/teleport-clients/web-ui.mdx#starting-a-database-session)
+ Starting from version `17.1`, you can now [access your PostgreSQL databases using the Web UI.](../../../../connect-your-client/teleport-clients/web-ui.mdx#starting-a-database-session)
To log out of the database and remove credentials:
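Review bot: On the changed "Starting from version `17.1`" line the sentence's period sits inside the link text ("...using the Web UI.]"), and "Starting from ... you can now" states the timing twice. Since the line is already being rewritten for the path, consider moving the period outside the closing parenthesis and dropping "now". The added `../` itself is consistent with the file moving one directory deeper (enrollment/google-cloud/ instead of enroll-google-cloud-databases/).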
diff --git a/docs/pages/enroll-resources/database-access/enroll-google-cloud-databases/enroll-google-cloud-databases.mdx b/docs/pages/enroll-resources/database-access/enrollment/google-cloud/google-cloud.mdx
similarity index 100%
rename from docs/pages/enroll-resources/database-access/enroll-google-cloud-databases/enroll-google-cloud-databases.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/google-cloud/google-cloud.mdx
diff --git a/docs/pages/enroll-resources/database-access/enroll-google-cloud-databases/mysql-cloudsql.mdx b/docs/pages/enroll-resources/database-access/enrollment/google-cloud/mysql-cloudsql.mdx
similarity index 96%
rename from docs/pages/enroll-resources/database-access/enroll-google-cloud-databases/mysql-cloudsql.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/google-cloud/mysql-cloudsql.mdx
index da85b6f318adb..29ca7859d251d 100644
--- a/docs/pages/enroll-resources/database-access/enroll-google-cloud-databases/mysql-cloudsql.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/google-cloud/mysql-cloudsql.mdx
@@ -17,10 +17,10 @@ tags:
-
+
-
+
@@ -114,7 +114,7 @@ account. In the sidebar, choose "Cloud IAM" authentication type and add the
"cloudsql-user" service account you created in
[the second step](#step-29-create-a-service-account-for-a-database-user):
-
+
Press "Add". See [Creating and managing IAM
users](https://cloud.google.com/sql/docs/mysql/add-manage-iam-users) in Google
@@ -185,7 +185,7 @@ $ tsh db ls
type="note"
>
You will only be able to see databases that your Teleport role has
-access to. See our [RBAC](../rbac.mdx) guide for more details.
+access to. See our [RBAC](../../rbac.mdx) guide for more details.
When connecting to the database, use either the database user name or the
diff --git a/docs/pages/enroll-resources/database-access/enroll-google-cloud-databases/postgres-cloudsql.mdx b/docs/pages/enroll-resources/database-access/enrollment/google-cloud/postgres-cloudsql.mdx
similarity index 93%
rename from docs/pages/enroll-resources/database-access/enroll-google-cloud-databases/postgres-cloudsql.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/google-cloud/postgres-cloudsql.mdx
index 24d00a0fe71a0..918fe46d6ede6 100644
--- a/docs/pages/enroll-resources/database-access/enroll-google-cloud-databases/postgres-cloudsql.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/google-cloud/postgres-cloudsql.mdx
@@ -18,10 +18,10 @@ tags:
-
+
-
+
@@ -67,11 +67,11 @@ account. In the sidebar, choose "Cloud IAM" authentication type and add the
"cloudsql-user" service account that you created in
[the second step](#step-29-create-a-service-account-for-a-database-user):
-
+
Press "Add" and your Users table should look similar to this:
-
+
See [Creating and managing IAM users](https://cloud.google.com/sql/docs/postgres/create-manage-iam-users)
in Google Cloud documentation for more info.
@@ -141,7 +141,7 @@ $ tsh db ls
type="note"
>
You will only be able to see databases that your Teleport role has
-access to. See our [RBAC](../rbac.mdx) guide for more details.
+access to. See our [RBAC](../../rbac.mdx) guide for more details.
When connecting to the database, use the name of the database's service account
diff --git a/docs/pages/enroll-resources/database-access/enroll-google-cloud-databases/spanner.mdx b/docs/pages/enroll-resources/database-access/enrollment/google-cloud/spanner.mdx
similarity index 89%
rename from docs/pages/enroll-resources/database-access/enroll-google-cloud-databases/spanner.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/google-cloud/spanner.mdx
index a3d9a235c0f13..8421cac87cac9 100644
--- a/docs/pages/enroll-resources/database-access/enroll-google-cloud-databases/spanner.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/google-cloud/spanner.mdx
@@ -18,11 +18,11 @@ tags:
-
+
-
+
@@ -58,7 +58,7 @@ Teleport users, but for this guide we will just create one.
Go to the IAM & Admin [Service Accounts](https://console.cloud.google.com/iam-admin/serviceaccounts)
page and create a new service account named "spanner-user":
-
+
Ignore the optional steps - just click "Done".
Rather than granting access at the project level, we will grant this service
@@ -70,12 +70,12 @@ Navigate to the
[Spanner instance overview page](https://console.cloud.google.com/spanner/instances)
and check the box of your Spanner instance, then click "Permissions".
-
+
In the permissions blade, click "Add Principal" then add the "spanner-user" service
account as a principal and assign it the "Cloud Spanner Database User" role:
-
+
Click "Save".
@@ -93,12 +93,12 @@ The Teleport Database Service must be able to impersonate this service account.
Navigate to the "spanner-user" service account overview page and select the
"permissions" tab:
-
+
Click "Grant Access" and add the "teleport-db-service" principal ID.
Select the "Service Account Token Creator" role and save the change:
-
+
The "Service Account Token Creator" IAM role includes more permissions than
@@ -187,7 +187,7 @@ spanner-example GCP Cloud Spanner [*] env=dev
type="note"
>
You will only be able to see databases that your Teleport role has
-access to. See our [RBAC](../rbac.mdx) guide for more details.
+access to. See our [RBAC](../../rbac.mdx) guide for more details.
When connecting to the database, use the name of the service account
@@ -218,7 +218,7 @@ $ tsh db logout
(!docs/pages/includes/database-access/guides-next-steps.mdx!)
-- Learn how to [connect with a GUI client](../../../connect-your-client/third-party/gui-clients.mdx#cloud-spanner-datagrip).
+- Learn how to [connect with a GUI client](../../../../connect-your-client/third-party/gui-clients.mdx#cloud-spanner-datagrip).
- Learn more about [authenticating as a service
account](https://cloud.google.com/docs/authentication#service-accounts) in
Google Cloud.
diff --git a/docs/pages/enroll-resources/database-access/enroll-managed-databases/enroll-managed-databases.mdx b/docs/pages/enroll-resources/database-access/enrollment/managed/managed.mdx
similarity index 81%
rename from docs/pages/enroll-resources/database-access/enroll-managed-databases/enroll-managed-databases.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/managed/managed.mdx
index 9cbb6529a6c73..c317912d8c545 100644
--- a/docs/pages/enroll-resources/database-access/enroll-managed-databases/enroll-managed-databases.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/managed/managed.mdx
@@ -1,6 +1,6 @@
---
-title: Enroll Cloud-Hosted Database Platforms
-sidebar_label: Cloud-Hosted Database Platforms
+title: Enroll Managed Databases
+sidebar_label: Managed Databases
description: "Provides instructions on protecting managed databases in your infrastructure with Teleport."
tags:
- zero-trust
diff --git a/docs/pages/enroll-resources/database-access/enroll-managed-databases/mongodb-atlas.mdx b/docs/pages/enroll-resources/database-access/enrollment/managed/mongodb-atlas.mdx
similarity index 93%
rename from docs/pages/enroll-resources/database-access/enroll-managed-databases/mongodb-atlas.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/managed/mongodb-atlas.mdx
index d07e283fa24d1..c5b50e05a11ea 100644
--- a/docs/pages/enroll-resources/database-access/enroll-managed-databases/mongodb-atlas.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/managed/mongodb-atlas.mdx
@@ -28,10 +28,10 @@ or AWS IAM:
-
+
-
+
@@ -106,7 +106,7 @@ db_service:
(!docs/pages/includes/start-teleport.mdx service="the Teleport Database Service"!)
-See the full [YAML reference](../reference/configuration.mdx) for details.
+See the full [YAML reference](../../reference/configuration.mdx) for details.
@@ -117,12 +117,12 @@ See below for details on how to configure the Teleport Database Service.
You will need to provide your Atlas cluster's connection endpoint for the `db_service.databases[*].uri` configuration option or `--uri` CLI flag. You can find this via the Connect dialog on the Database Deployments overview page:
-
+
Go through the "Setup connection security" step and select "Connect with the
MongoDB shell" to view the connection string:
-
+
Use only the scheme and hostname parts of the connection string in the URI:
@@ -159,7 +159,7 @@ You can discard the other `mongo.crt` file.
Go to the Security / Advanced configuration section of your Atlas cluster and
toggle "Self-managed X.509 Authentication" on:
-
+
Paste the contents of `mongo.cas` file in the Certificate Authority edit box and
click Save.
@@ -171,7 +171,7 @@ On the Security / Database Access page add a new database user with Certificate
authentication method:
{/*vale messaging.protocol-products = YES*/}
-
+
Make sure to specify the user as `CN=` as shown above since MongoDB
treats the entire certificate subject as a username. When connecting to a
@@ -229,7 +229,7 @@ User Privileges** section, give the user sufficient privileges to access the
desired database data.
{/*vale messaging.protocol-products = YES*/}
-
+
Please note that Teleport does not support authentication using AWS IAM users;
it exclusively supports authentication using AWS IAM roles.
diff --git a/docs/pages/enroll-resources/database-access/enroll-managed-databases/oracle-exadata.mdx b/docs/pages/enroll-resources/database-access/enrollment/managed/oracle-exadata.mdx
similarity index 99%
rename from docs/pages/enroll-resources/database-access/enroll-managed-databases/oracle-exadata.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/managed/oracle-exadata.mdx
index 4a9e55ff4b332..28f8a1ff1779c 100644
--- a/docs/pages/enroll-resources/database-access/enroll-managed-databases/oracle-exadata.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/managed/oracle-exadata.mdx
@@ -16,10 +16,10 @@ tags:
-
+
-
+
diff --git a/docs/pages/enroll-resources/database-access/enroll-managed-databases/snowflake.mdx b/docs/pages/enroll-resources/database-access/enrollment/managed/snowflake.mdx
similarity index 94%
rename from docs/pages/enroll-resources/database-access/enroll-managed-databases/snowflake.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/managed/snowflake.mdx
index fd19bd9381cd9..fd6598765c4e0 100644
--- a/docs/pages/enroll-resources/database-access/enroll-managed-databases/snowflake.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/managed/snowflake.mdx
@@ -20,10 +20,10 @@ forwards the user's requests to Snowflake as Teleport-authenticated messages.
- 
+ 
- 
+ 
@@ -38,7 +38,7 @@ forwards the user's requests to Snowflake as Teleport-authenticated messages.
- A host where you will run the Teleport Database Service.
- See [Installation](../../../installation/installation.mdx) for details.
+ See [Installation](../../../../installation/installation.mdx) for details.
- (!docs/pages/includes/tctl.mdx!)
@@ -162,7 +162,7 @@ authentication. Snowsight activity is not audited or recorded through Teleport.
Follow [Using Teleport as a SAML identity
-provider](../../../identity-governance/idps/saml-guide.mdx) and [Configuring
+provider](../../../../identity-governance/idps/saml-guide.mdx) and [Configuring
Snowflake to use federated
authentication](https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-security-integration)
to setup Teleport as an IDP.
@@ -187,7 +187,7 @@ Teleport.
By default, Teleport passes your Teleport username as the Snowsight account
name. For custom mappings, see [SAML Idp Attribute
-Mapping](../../../identity-governance/idps/saml-attribute-mapping.mdx).
+Mapping](../../../../identity-governance/idps/saml-attribute-mapping.mdx).
## Next steps
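Review bot: The link text on the changed line reads "SAML Idp Attribute Mapping", while the previous hunk in this same file writes the abbreviation as "IDP" ("to setup Teleport as an IDP"); pick one spelling for the page, conventionally "IdP". In that earlier sentence "to setup" should also be the verb form "to set up". Both are on lines this patch already touches or sits next to, so they are cheap to fix together with the path change.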
diff --git a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/cassandra-self-hosted.mdx b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/cassandra-self-hosted.mdx
similarity index 98%
rename from docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/cassandra-self-hosted.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/self-hosted/cassandra-self-hosted.mdx
index 2fdaaf498929e..8a78dd0e1368c 100644
--- a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/cassandra-self-hosted.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/cassandra-self-hosted.mdx
@@ -16,10 +16,10 @@ tags:
-
+
-
+
diff --git a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/clickhouse-self-hosted.mdx b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/clickhouse-self-hosted.mdx
similarity index 98%
rename from docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/clickhouse-self-hosted.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/self-hosted/clickhouse-self-hosted.mdx
index 7c3ad812b7733..a770542c3c189 100644
--- a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/clickhouse-self-hosted.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/clickhouse-self-hosted.mdx
@@ -32,10 +32,10 @@ include audit logs for database query activity.
-
+
-
+
diff --git a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/cockroachdb-self-hosted.mdx b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/cockroachdb-self-hosted.mdx
similarity index 98%
rename from docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/cockroachdb-self-hosted.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/self-hosted/cockroachdb-self-hosted.mdx
index aaebbd07df3d1..d295767076f00 100644
--- a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/cockroachdb-self-hosted.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/cockroachdb-self-hosted.mdx
@@ -16,10 +16,10 @@ tags:
-
+
-
+
diff --git a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/elastic.mdx b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/elastic.mdx
similarity index 96%
rename from docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/elastic.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/self-hosted/elastic.mdx
index 332c8eb5d61bd..67ebce48c9eaf 100644
--- a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/elastic.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/elastic.mdx
@@ -22,7 +22,7 @@ tags:
- A host where you will run the Teleport Database Service.
- See [Installation](../../../installation/installation.mdx) for details.
+ See [Installation](../../../../installation/installation.mdx) for details.
- Optional: a certificate authority that issues certificates for
your self-hosted database.
@@ -81,7 +81,7 @@ $ curl -u elastic:your_elasticsearch_password -X POST "https://elasticsearch.exa
Role Mapping with wildcards
-In a scenario where Teleport is using [single sign-on](../../../zero-trust-access/sso/sso.mdx) you may want to define a mapping for all users to a role:
+In a scenario where Teleport is using [single sign-on](../../../../zero-trust-access/sso/sso.mdx) you may want to define a mapping for all users to a role:
```code
$ curl -u elastic:your_elasticsearch_password -X POST "https://elasticsearch.example.com:9200/_security/role_mapping/mapping1?pretty" -H 'Content-Type: application/json' -d'
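Review bot: The context example directly under the changed link passes the credential inline as `-u elastic:your_elasticsearch_password`, which ends up in shell history and is visible in the process list while curl runs. As a follow-up on this page, consider showing `-u elastic` so that curl prompts for the password. The heading "Role Mapping with wildcards" introduces a mapping "for all users to a role", so a sentence stating which role that is and why it is safe to grant broadly would help readers who copy the snippet. The link depth change to `../../../../zero-trust-access/sso/sso.mdx` matches the file's new location.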
@@ -188,7 +188,7 @@ Use one of the following commands to connect to the database:
Note the assigned port, and provide it to your GUI client:
-
+
## Next steps
diff --git a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/mongodb-self-hosted.mdx b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/mongodb-self-hosted.mdx
similarity index 98%
rename from docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/mongodb-self-hosted.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/self-hosted/mongodb-self-hosted.mdx
index e3af025e00f36..55a199d05af64 100644
--- a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/mongodb-self-hosted.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/mongodb-self-hosted.mdx
@@ -17,10 +17,10 @@ tags:
-
+
-
+
diff --git a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/mysql-self-hosted.mdx b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/mysql-self-hosted.mdx
similarity index 97%
rename from docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/mysql-self-hosted.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/self-hosted/mysql-self-hosted.mdx
index 0eddf282aade4..7a362a83bff0b 100644
--- a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/mysql-self-hosted.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/mysql-self-hosted.mdx
@@ -16,10 +16,10 @@ tags:
-
+
-
+
@@ -185,7 +185,7 @@ $ tsh db ls
Note that you will only be able to see databases your role has access to. See
-the [RBAC](../rbac.mdx) guide for more details.
+the [RBAC](../../rbac.mdx) guide for more details.
To retrieve credentials for a database and connect to it:
diff --git a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/oracle-self-hosted.mdx b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/oracle-self-hosted.mdx
similarity index 97%
rename from docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/oracle-self-hosted.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/self-hosted/oracle-self-hosted.mdx
index 7035c094c2b26..18a5d86852586 100644
--- a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/oracle-self-hosted.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/oracle-self-hosted.mdx
@@ -16,10 +16,10 @@ tags:
-
+
-
+
@@ -39,7 +39,7 @@ tags:
-To modify an existing user to provide access to the Database Service, see [Database Access Controls](../../database-access/rbac.mdx)
+To modify an existing user to provide access to the Database Service, see [Database Access Controls](../../rbac.mdx)
@@ -64,7 +64,7 @@ $ tctl users add \
For more detailed information about database access controls and how to restrict
-access see [RBAC](../../database-access/rbac.mdx) documentation.
+access see [RBAC](../../rbac.mdx) documentation.
## Step 2/6. Create a certificate/key pair and Teleport Oracle Wallet
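Review bot: The two links changed in this file now point at the same target, `../../rbac.mdx`, but with different link text: "Database Access Controls" in the hunk above and "RBAC" here. Use one label for both so readers do not assume two different pages. While on these lines, the sentence in the hunk above has no closing period after the link, and "how to restrict access see" here reads better with a comma before "see".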
diff --git a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/postgres-self-hosted.mdx b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/postgres-self-hosted.mdx
similarity index 94%
rename from docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/postgres-self-hosted.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/self-hosted/postgres-self-hosted.mdx
index 2bc6187a95eb7..672c4c92f0730 100644
--- a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/postgres-self-hosted.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/postgres-self-hosted.mdx
@@ -16,10 +16,10 @@ tags:
-
+
-
+
@@ -139,7 +139,7 @@ $ tsh db ls
Note that you will only be able to see databases your role has access to. See
-[RBAC](../rbac.mdx) section for more details.
+[RBAC](../../rbac.mdx) section for more details.
To retrieve credentials for a database and connect to it:
@@ -166,6 +166,6 @@ $ tsh db logout
## Next steps
-- Set up [automatic database user provisioning](../auto-user-provisioning/postgres.mdx).
+- Set up [automatic database user provisioning](../../auto-user-provisioning/postgres.mdx).
(!docs/pages/includes/database-access/guides-next-steps.mdx!)
diff --git a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/redis-cluster.mdx b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/redis-cluster.mdx
similarity index 98%
rename from docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/redis-cluster.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/self-hosted/redis-cluster.mdx
index 7454a5901c445..ab1ab28e11e54 100644
--- a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/redis-cluster.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/redis-cluster.mdx
@@ -20,10 +20,10 @@ If you want to configure Redis Standalone, please read [Database Access with Red
-
+
-
+
diff --git a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/redis.mdx b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/redis.mdx
similarity index 95%
rename from docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/redis.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/self-hosted/redis.mdx
index ac4687bca0ff8..e9833c11236a0 100644
--- a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/redis.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/redis.mdx
@@ -20,10 +20,10 @@ If you want to configure Redis Cluster, please read [Database Access with Redis
-
+
-
+
@@ -42,7 +42,7 @@ If you want to configure Redis Cluster, please read [Database Access with Redis
- A host where you will run the Teleport Database Service.
- See [Installation](../../../installation/installation.mdx) for details.
+ See [Installation](../../../../installation/installation.mdx) for details.
- Optional: a certificate authority that issues certificates for
your self-hosted database.
diff --git a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/enroll-self-hosted-databases.mdx b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/self-hosted.mdx
similarity index 95%
rename from docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/enroll-self-hosted-databases.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/self-hosted/self-hosted.mdx
index e319d1af0e9d7..ed48343eff95b 100644
--- a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/enroll-self-hosted-databases.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/self-hosted.mdx
@@ -1,6 +1,6 @@
---
title: Enroll Self-Hosted Databases
-sidebar_label: Self-Hosted
+sidebar_label: Self-Hosted Databases
description: "Provides instructions on protecting self-hosted databases in your infrastructure with Teleport."
tags:
- zero-trust
diff --git a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/sql-server-ad-pkinit.mdx b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/sql-server-ad-pkinit.mdx
similarity index 98%
rename from docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/sql-server-ad-pkinit.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/self-hosted/sql-server-ad-pkinit.mdx
index 2e2e7d24d8d5a..c557920555d61 100644
--- a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/sql-server-ad-pkinit.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/sql-server-ad-pkinit.mdx
@@ -22,10 +22,10 @@ Teleport Database Service forwards user traffic to the database.
-
+
-
+
@@ -131,7 +131,7 @@ You will need to repeat these steps if you rotate Teleport's database certificat
1. Click through the wizard, selecting your CA file (`db-ca.cer`).
- 
+ 
### Enable smart card service
@@ -146,7 +146,7 @@ Teleport performs certificate-based authentication by emulating a smart card.
1. Double click on `Smart Card`, select `Define this policy setting` and switch
to `Automatic` then click `OK`.
- 
+ 
You will be modifying GPOs, and sometimes GPO modifications can take some time
diff --git a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/vitess.mdx b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/vitess.mdx
similarity index 97%
rename from docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/vitess.mdx
rename to docs/pages/enroll-resources/database-access/enrollment/self-hosted/vitess.mdx
index bd7789b9eda1a..ff2db3208532f 100644
--- a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/vitess.mdx
+++ b/docs/pages/enroll-resources/database-access/enrollment/self-hosted/vitess.mdx
@@ -16,10 +16,10 @@ tags:
-
+
-
+
@@ -189,7 +189,7 @@ $ tsh db ls
Note that you will only be able to see databases your role has access to. See
-the [RBAC](../rbac.mdx) guide for more details.
+the [RBAC](../../rbac.mdx) guide for more details.
To retrieve credentials for a database and connect to it:
diff --git a/docs/pages/enroll-resources/database-access/guides/dynamic-registration.mdx b/docs/pages/enroll-resources/database-access/guides/dynamic-registration.mdx
index 3d309ce80d1c7..6df298b07ed33 100644
--- a/docs/pages/enroll-resources/database-access/guides/dynamic-registration.mdx
+++ b/docs/pages/enroll-resources/database-access/guides/dynamic-registration.mdx
@@ -1,5 +1,6 @@
---
title: Dynamic Database Registration
+sidebar_label: Dynamic Registration
description: Register/unregister databases without restarting Teleport.
tags:
- conceptual
diff --git a/docs/pages/enroll-resources/database-access/guides/guides.mdx b/docs/pages/enroll-resources/database-access/guides/guides.mdx
index 8edb7615567e0..ddbd22346cacf 100644
--- a/docs/pages/enroll-resources/database-access/guides/guides.mdx
+++ b/docs/pages/enroll-resources/database-access/guides/guides.mdx
@@ -1,5 +1,6 @@
---
title: Using the Teleport Database Service
+sidebar_label: Configuration Guides
description: Guides to possibilities for running the Teleport Database Service.
template: "no-toc"
tags:
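Review bot: The added `sidebar_label: Configuration Guides` does not match the page's own `title` ("Using the Teleport Database Service") or its `description` ("Guides to possibilities for running the Teleport Database Service"), so the sidebar entry and the page heading describe different things. Either align the title with the new label or choose a label closer to the title, so that a reader who clicks the sidebar entry lands on a page whose heading they recognize.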
diff --git a/docs/pages/enroll-resources/database-access/guides/ha.mdx b/docs/pages/enroll-resources/database-access/guides/ha.mdx
index 8efae562ee3c3..487ff8226adc1 100644
--- a/docs/pages/enroll-resources/database-access/guides/ha.mdx
+++ b/docs/pages/enroll-resources/database-access/guides/ha.mdx
@@ -1,5 +1,6 @@
---
title: Database Access High Availability (HA)
+sidebar_label: High Availability
description: How to configure Teleport database access in a Highly Available (HA) configuration.
tags:
- conceptual
diff --git a/docs/pages/enroll-resources/database-access/reference/reference.mdx b/docs/pages/enroll-resources/database-access/reference/reference.mdx
index 0c50d13fbf0c8..a918dbc14725f 100644
--- a/docs/pages/enroll-resources/database-access/reference/reference.mdx
+++ b/docs/pages/enroll-resources/database-access/reference/reference.mdx
@@ -1,7 +1,7 @@
---
title: Database Access Reference
sidebar_label: Reference
-sidebar_position: 12
+sidebar_position: 8
description: Configuration and CLI reference for the Teleport Database Service.
tags:
- zero-trust
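Review bot: `sidebar_position` drops from 12 to 8 here, and the only other explicit position visible in this patch is 2 in the new enrollment/enrollment.mdx. The sibling pages touched in this directory (troubleshooting.mdx, guides/guides.mdx) gain a `sidebar_label` but show no position in their front matter hunks, so the resulting order cannot be checked from the diff. Please confirm that 8 does not collide with another page under database-access/ and that the rendered sidebar order is the intended one.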
diff --git a/docs/pages/enroll-resources/database-access/troubleshooting.mdx b/docs/pages/enroll-resources/database-access/troubleshooting.mdx
index 2e79b2cbff4b1..99446135a0d9f 100644
--- a/docs/pages/enroll-resources/database-access/troubleshooting.mdx
+++ b/docs/pages/enroll-resources/database-access/troubleshooting.mdx
@@ -1,5 +1,6 @@
---
title: Troubleshooting Database Access
+sidebar_label: Troubleshooting
description: Common issues and resolutions for protecting databases with Teleport.
tags:
- how-to
@@ -45,12 +46,12 @@ Service can reach the PostgreSQL server.
Each database uses a different format. You can check your database guide for more
details and examples:
-- [PostgreSQL](./enroll-self-hosted-databases/postgres-self-hosted.mdx#step-25-create-a-certificatekey-pair)
-- [MySQL/MariaDB](./enroll-self-hosted-databases/mysql-self-hosted.mdx#step-24-create-a-certificatekey-pair)
-- [MongoDB](./enroll-self-hosted-databases/mongodb-self-hosted.mdx#set-up-mutual-tls)
-- [CockroachDB](./enroll-self-hosted-databases/cockroachdb-self-hosted.mdx#set-up-mutual-tls)
-- [Redis](./enroll-self-hosted-databases/redis.mdx#step-45-set-up-mutual-tls)
-- [Redis Cluster](./enroll-self-hosted-databases/redis-cluster.mdx#step-46-set-up-mutual-tls)
+- [PostgreSQL](enrollment/self-hosted/postgres-self-hosted.mdx#step-25-create-a-certificatekey-pair)
+- [MySQL/MariaDB](enrollment/self-hosted/mysql-self-hosted.mdx#step-24-create-a-certificatekey-pair)
+- [MongoDB](enrollment/self-hosted/mongodb-self-hosted.mdx#set-up-mutual-tls)
+- [CockroachDB](enrollment/self-hosted/cockroachdb-self-hosted.mdx#set-up-mutual-tls)
+- [Redis](enrollment/self-hosted/redis.mdx#step-45-set-up-mutual-tls)
+- [Redis Cluster](enrollment/self-hosted/redis-cluster.mdx#step-46-set-up-mutual-tls)
After the new certificate is issued, update your database to make it take effect.
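Review bot: The six added links drop the leading `./` that the removed lines carried (`enrollment/self-hosted/postgres-self-hosted.mdx#...` where the old form was `./enroll-self-hosted-databases/...`). Keep the explicit `./` so the relative form matches what was there before, and confirm that the step-numbered anchors such as `#step-25-create-a-certificatekey-pair` and `#step-45-set-up-mutual-tls` still resolve in the moved guides, since these links are how readers reach the certificate and mutual TLS setup steps.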
diff --git a/docs/pages/enroll-resources/desktop-access/active-directory.mdx b/docs/pages/enroll-resources/desktop-access/active-directory.mdx
index dc1865448bf2d..d05d5dc2c0f76 100644
--- a/docs/pages/enroll-resources/desktop-access/active-directory.mdx
+++ b/docs/pages/enroll-resources/desktop-access/active-directory.mdx
@@ -1,5 +1,6 @@
---
-title: Configure access for Active Directory manually
+title: Configure Access for Active Directory Manually
+sidebar_label: Manual Registration
description: Explains how to manually connect Teleport to an Active Directory domain.
videoBanner: YvMqgcq0MTQ
tags:
diff --git a/docs/pages/enroll-resources/desktop-access/desktop-access.mdx b/docs/pages/enroll-resources/desktop-access/desktop-access.mdx
index 18794bdd9002e..a906b7c857cc5 100644
--- a/docs/pages/enroll-resources/desktop-access/desktop-access.mdx
+++ b/docs/pages/enroll-resources/desktop-access/desktop-access.mdx
@@ -1,6 +1,7 @@
---
title: Windows Desktops
description: Protect Windows Resources with Teleport's passwordless access and other features.
+sidebar_position: 7
template: doc-page
tags:
- zero-trust
@@ -103,4 +104,4 @@ Provide secure, passwordless access to Microsoft Windows desktops and servers, b
href: "./directory-sharing/"
},
]}
-/>
\ No newline at end of file
+/>
diff --git a/docs/pages/enroll-resources/desktop-access/dynamic-registration.mdx b/docs/pages/enroll-resources/desktop-access/dynamic-registration.mdx
index 18edd5cf96e63..2611133726a2b 100644
--- a/docs/pages/enroll-resources/desktop-access/dynamic-registration.mdx
+++ b/docs/pages/enroll-resources/desktop-access/dynamic-registration.mdx
@@ -1,5 +1,6 @@
---
title: Dynamic Windows Desktop Registration
+sidebar_label: Dynamic Registration
description: Register/unregister Windows desktops without restarting Teleport.
tags:
- conceptual
diff --git a/docs/pages/enroll-resources/desktop-access/getting-started.mdx b/docs/pages/enroll-resources/desktop-access/getting-started.mdx
index ecc19be1084d0..00b1243d97a9f 100644
--- a/docs/pages/enroll-resources/desktop-access/getting-started.mdx
+++ b/docs/pages/enroll-resources/desktop-access/getting-started.mdx
@@ -1,5 +1,6 @@
---
-title: Configure access for local Windows users
+title: Configure Access for Local Windows Users
+sidebar_label: Local Windows Users
description: Use Teleport to configure passwordless access for local Windows users.
videoBanner: 9DyKQbg4ORc
tags:
diff --git a/docs/pages/enroll-resources/desktop-access/introduction.mdx b/docs/pages/enroll-resources/desktop-access/introduction.mdx
index 8b8e7ced89ec1..e6e029b5118cf 100644
--- a/docs/pages/enroll-resources/desktop-access/introduction.mdx
+++ b/docs/pages/enroll-resources/desktop-access/introduction.mdx
@@ -1,5 +1,6 @@
---
title: Manage Access to Windows Resources
+sidebar_label: Introduction
description: Demonstrates how you can manage access to Windows desktops with Teleport.
videoBanner: n2h0GisWdss
tags:
diff --git a/docs/pages/enroll-resources/desktop-access/rbac.mdx b/docs/pages/enroll-resources/desktop-access/rbac.mdx
index b066dd41e71da..da66a0897acd9 100644
--- a/docs/pages/enroll-resources/desktop-access/rbac.mdx
+++ b/docs/pages/enroll-resources/desktop-access/rbac.mdx
@@ -1,5 +1,6 @@
---
title: Role-Based Access Control for Desktops
+sidebar_label: Access Controls
description: Role-based access control (RBAC) for desktops protected by Teleport.
tags:
- conceptual
diff --git a/docs/pages/enroll-resources/desktop-access/troubleshooting.mdx b/docs/pages/enroll-resources/desktop-access/troubleshooting.mdx
index fe7a691eb2875..aa80ebd40512c 100644
--- a/docs/pages/enroll-resources/desktop-access/troubleshooting.mdx
+++ b/docs/pages/enroll-resources/desktop-access/troubleshooting.mdx
@@ -1,5 +1,6 @@
---
title: Troubleshooting Desktop Access
+sidebar_label: Troubleshooting
description: Common issues and resolutions for Teleport's desktop access
tags:
- how-to
diff --git a/docs/pages/enroll-resources/enroll-resources.mdx b/docs/pages/enroll-resources/enroll-resources.mdx
index 69313c08751c8..5e95406729fa1 100644
--- a/docs/pages/enroll-resources/enroll-resources.mdx
+++ b/docs/pages/enroll-resources/enroll-resources.mdx
@@ -74,7 +74,7 @@ tagLists={
},
{
name: "more",
- href: "./application-access/guides/",
+ href: "./application-access/configuration/",
arrow: true,
}
]
@@ -95,17 +95,17 @@ tagLists={
[
{
name: "AWS",
- href: "./database-access/enroll-aws-databases/",
+ href: "./database-access/enrollment/aws/",
icon: "aws",
},
{
name: "Azure",
- href: "./database-access/enroll-azure-databases/",
+ href: "./database-access/enrollment/azure/",
icon: "azure",
},
{
name: "Google Cloud",
- href: "./database-access/enroll-google-cloud-databases/",
+ href: "./database-access/enrollment/google-cloud/",
icon: "googleCloud",
},
{
@@ -257,4 +257,4 @@ Secure the vibes with access controls and auditability for all Model Context Pro
]}
>
Automatically detect and enroll resources in your Teleport cluster with the Teleport Discovery Service.
-
\ No newline at end of file
+
diff --git a/docs/pages/enroll-resources/kubernetes-access/controls.mdx b/docs/pages/enroll-resources/kubernetes-access/controls.mdx
index fb44b17116ecf..88a92dab44e66 100644
--- a/docs/pages/enroll-resources/kubernetes-access/controls.mdx
+++ b/docs/pages/enroll-resources/kubernetes-access/controls.mdx
@@ -1,5 +1,6 @@
---
title: Teleport Kubernetes Access Controls
+sidebar_label: Access Controls Reference
description: How the Teleport Kubernetes Service applies RBAC to manage access to Kubernetes
tags:
- conceptual
diff --git a/docs/pages/enroll-resources/kubernetes-access/faq.mdx b/docs/pages/enroll-resources/kubernetes-access/faq.mdx
index 038e0a39fae13..ae71adaa88de1 100644
--- a/docs/pages/enroll-resources/kubernetes-access/faq.mdx
+++ b/docs/pages/enroll-resources/kubernetes-access/faq.mdx
@@ -1,5 +1,6 @@
---
title: Kubernetes Access FAQ
+sidebar_label: FAQ
description: Frequently asked questions about protecting Kubernetes clusters with Teleport.
tags:
- faq
diff --git a/docs/pages/enroll-resources/kubernetes-access/getting-started.mdx b/docs/pages/enroll-resources/kubernetes-access/getting-started.mdx
index 9f53f3da4c433..2db7a7980a543 100644
--- a/docs/pages/enroll-resources/kubernetes-access/getting-started.mdx
+++ b/docs/pages/enroll-resources/kubernetes-access/getting-started.mdx
@@ -1,5 +1,6 @@
---
-title: Enroll a Kubernetes Cluster
+title: Get Started with Enrolling a Kubernetes Cluster
+sidebar_label: Getting Started
description: Demonstrates how to enroll a Kubernetes cluster as a resource protected by Teleport.
videoBanner: 3AUGrOZ5me0
tags:
diff --git a/docs/pages/enroll-resources/kubernetes-access/health-checks.mdx b/docs/pages/enroll-resources/kubernetes-access/health-checks.mdx
index f5e0d36e66ed3..4b773df7598a3 100644
--- a/docs/pages/enroll-resources/kubernetes-access/health-checks.mdx
+++ b/docs/pages/enroll-resources/kubernetes-access/health-checks.mdx
@@ -1,6 +1,7 @@
---
title: Teleport Kubernetes Health Checks
sidebar_label: Health Checks
+sidebar_position: 6
description: How to configure Teleport Kubernetes health checks and view health.
tags:
- conceptual
diff --git a/docs/pages/enroll-resources/kubernetes-access/introduction.mdx b/docs/pages/enroll-resources/kubernetes-access/introduction.mdx
index 44eb92f229024..9e671fa2a08e0 100644
--- a/docs/pages/enroll-resources/kubernetes-access/introduction.mdx
+++ b/docs/pages/enroll-resources/kubernetes-access/introduction.mdx
@@ -1,5 +1,6 @@
---
title: Introduction to Enrolling Kubernetes Clusters
+sidebar_label: Introduction
description: Learn how Teleport can protect your Kubernetes clusters with RBAC, audit logging, and more.
tags:
- conceptual
diff --git a/docs/pages/enroll-resources/kubernetes-access/manage-access.mdx b/docs/pages/enroll-resources/kubernetes-access/manage-access.mdx
index 8f2d625a64734..2dc23551c167f 100644
--- a/docs/pages/enroll-resources/kubernetes-access/manage-access.mdx
+++ b/docs/pages/enroll-resources/kubernetes-access/manage-access.mdx
@@ -1,5 +1,6 @@
---
title: Setting Up Access Controls for Kubernetes
+sidebar_label: Access Controls Guide
description: How to configure Teleport roles to access clusters, groups, users, and resources in Kubernetes.
tags:
- how-to
diff --git a/docs/pages/enroll-resources/kubernetes-access/register-clusters/register-clusters.mdx b/docs/pages/enroll-resources/kubernetes-access/register-clusters/register-clusters.mdx
index 336ec4eb0521f..a3291eda9c260 100644
--- a/docs/pages/enroll-resources/kubernetes-access/register-clusters/register-clusters.mdx
+++ b/docs/pages/enroll-resources/kubernetes-access/register-clusters/register-clusters.mdx
@@ -1,5 +1,7 @@
---
title: Registering Kubernetes Clusters with Teleport
+sidebar_label: Registering Clusters
+sidebar_position: 3
description: How to manually add a Kubernetes cluster to Teleport after creating it.
template: "no-toc"
tags:
diff --git a/docs/pages/enroll-resources/kubernetes-access/troubleshooting.mdx b/docs/pages/enroll-resources/kubernetes-access/troubleshooting.mdx
index 824feebfb2ab6..74b8b33eb5933 100644
--- a/docs/pages/enroll-resources/kubernetes-access/troubleshooting.mdx
+++ b/docs/pages/enroll-resources/kubernetes-access/troubleshooting.mdx
@@ -1,5 +1,6 @@
---
title: Kubernetes Access Troubleshooting
+sidebar_label: Troubleshooting
description: Troubleshooting common issues with Kubernetes access
tags:
- how-to
@@ -410,4 +411,4 @@ Diagnose the Kubernetes cluster with `kubectl`.
```bash
kubectl cluster-info
kubectl get --raw /readyz
-```
\ No newline at end of file
+```
diff --git a/docs/pages/enroll-resources/mcp-access/dynamic-registration.mdx b/docs/pages/enroll-resources/mcp-access/dynamic-registration.mdx
index f49ff17d4452f..805f7b8cc65d5 100644
--- a/docs/pages/enroll-resources/mcp-access/dynamic-registration.mdx
+++ b/docs/pages/enroll-resources/mcp-access/dynamic-registration.mdx
@@ -1,5 +1,6 @@
---
title: Dynamic MCP Server Registration
+sidebar_label: Dynamic Server Registration
sidebar_position: 5
description: Register/unregister MCP servers without restarting Teleport.
tags:
diff --git a/docs/pages/enroll-resources/mcp-access/enrolling-mcp-servers/enrolling-mcp-servers.mdx b/docs/pages/enroll-resources/mcp-access/enrolling-mcp-servers/enrolling-mcp-servers.mdx
index e02a010ed2437..ea951bf378ba6 100644
--- a/docs/pages/enroll-resources/mcp-access/enrolling-mcp-servers/enrolling-mcp-servers.mdx
+++ b/docs/pages/enroll-resources/mcp-access/enrolling-mcp-servers/enrolling-mcp-servers.mdx
@@ -1,5 +1,6 @@
---
title: Protecting MCP Servers
+sidebar_label: Enrollment Guides
description: Provides guidance on enrolling various kinds of MCP servers with Teleport.
---
diff --git a/docs/pages/enroll-resources/mcp-access/getting-started.mdx b/docs/pages/enroll-resources/mcp-access/getting-started.mdx
index 857e157220d8c..eb27b96e1dc5d 100644
--- a/docs/pages/enroll-resources/mcp-access/getting-started.mdx
+++ b/docs/pages/enroll-resources/mcp-access/getting-started.mdx
@@ -1,5 +1,6 @@
---
title: MCP Access Getting Started Guide
+sidebar_label: Getting Started
sidebar_position: 1
description: Getting started with Teleport MCP access.
tags:
diff --git a/docs/pages/enroll-resources/mcp-access/integration-guides/integration-guides.mdx b/docs/pages/enroll-resources/mcp-access/integration-guides/integration-guides.mdx
index 6945c77adf103..d7c8ecaa3d4a2 100644
--- a/docs/pages/enroll-resources/mcp-access/integration-guides/integration-guides.mdx
+++ b/docs/pages/enroll-resources/mcp-access/integration-guides/integration-guides.mdx
@@ -1,5 +1,6 @@
---
title: MCP Server Integration Guides
+sidebar_label: Integration Guides
description: How to configure popular services and connect their MCP servers through Teleport.
sidebar_position: 6
tags:
@@ -11,4 +12,4 @@ tags:
Guides on how to configure popular services with the credentials and transports
required to run their MCP servers and connect them through Teleport.
-
\ No newline at end of file
+
diff --git a/docs/pages/enroll-resources/mcp-access/jwt.mdx b/docs/pages/enroll-resources/mcp-access/jwt.mdx
index 45664e53eaf6b..777d02056dc4f 100644
--- a/docs/pages/enroll-resources/mcp-access/jwt.mdx
+++ b/docs/pages/enroll-resources/mcp-access/jwt.mdx
@@ -1,5 +1,6 @@
---
-title: JWT Authentication to MCP Server
+title: JWT Authentication to MCP Servers
+sidebar_label: JWT Authentication
sidebar_position: 4
description: How to use Teleport JWT to authenticate your MCP servers
tags:
diff --git a/docs/pages/enroll-resources/mcp-access/rbac.mdx b/docs/pages/enroll-resources/mcp-access/rbac.mdx
index 0fb0700f631c8..e5b660a7c1b8c 100644
--- a/docs/pages/enroll-resources/mcp-access/rbac.mdx
+++ b/docs/pages/enroll-resources/mcp-access/rbac.mdx
@@ -1,5 +1,6 @@
---
title: MCP Access Controls
+sidebar_label: Access Controls
sidebar_position: 2
description: Role-based access control (RBAC) for Teleport MCP access.
tags:
diff --git a/docs/pages/enroll-resources/mcp-access/troubleshooting.mdx b/docs/pages/enroll-resources/mcp-access/troubleshooting.mdx
index 9227bc3905b4b..8f2ade4a59035 100644
--- a/docs/pages/enroll-resources/mcp-access/troubleshooting.mdx
+++ b/docs/pages/enroll-resources/mcp-access/troubleshooting.mdx
@@ -1,5 +1,6 @@
---
title: Troubleshooting MCP Access
+sidebar_label: Troubleshooting
sidebar_position: 7
description: Describes common issues and solutions for access to MCP servers protected by Teleport.
tags:
@@ -95,4 +96,4 @@ necessary permissions to execute the configured command.
## `tsh` path errors in your MCP clients
-(!docs/pages/includes/mcp-access/troubleshoot-tsh-binary-enoent.mdx!)
\ No newline at end of file
+(!docs/pages/includes/mcp-access/troubleshoot-tsh-binary-enoent.mdx!)
diff --git a/docs/pages/enroll-resources/server-access/getting-started.mdx b/docs/pages/enroll-resources/server-access/getting-started.mdx
index c7794da181060..289486a6c819e 100644
--- a/docs/pages/enroll-resources/server-access/getting-started.mdx
+++ b/docs/pages/enroll-resources/server-access/getting-started.mdx
@@ -1,5 +1,6 @@
---
title: Server Access Getting Started Guide
+sidebar_label: Getting Started
description: Getting started with Teleport server access.
videoBanner: LnaRP0xKWRI
tags:
diff --git a/docs/pages/enroll-resources/server-access/guides/encrypted-session-recordings/rotating-keys.mdx b/docs/pages/enroll-resources/server-access/guides/encrypted-session-recordings/rotating-keys.mdx
index e577484f42037..0c616a8eeb684 100644
--- a/docs/pages/enroll-resources/server-access/guides/encrypted-session-recordings/rotating-keys.mdx
+++ b/docs/pages/enroll-resources/server-access/guides/encrypted-session-recordings/rotating-keys.mdx
@@ -1,5 +1,6 @@
---
title: Rotating Session Recording Encryption Keys
+sidebar_label: Key Rotation (Automatic)
description: How to rotate automatically provisioned session recording encryption keys.
tags:
- session-recording
diff --git a/docs/pages/enroll-resources/server-access/guides/encrypted-session-recordings/rotating-manual-keys.mdx b/docs/pages/enroll-resources/server-access/guides/encrypted-session-recordings/rotating-manual-keys.mdx
index 4a9ca818dfac7..f4a7d4a517ca2 100644
--- a/docs/pages/enroll-resources/server-access/guides/encrypted-session-recordings/rotating-manual-keys.mdx
+++ b/docs/pages/enroll-resources/server-access/guides/encrypted-session-recordings/rotating-manual-keys.mdx
@@ -1,5 +1,6 @@
---
title: Rotating Manual Session Recording Encryption Keys
+sidebar_label: Key Rotation (Manual)
description: How to rotate private keys for encrypted session recordings while designating certain keys only for decryption.
tags:
- session-recording
diff --git a/docs/pages/enroll-resources/server-access/guides/guides.mdx b/docs/pages/enroll-resources/server-access/guides/guides.mdx
index 204b56c05bc06..0578cb863dafd 100644
--- a/docs/pages/enroll-resources/server-access/guides/guides.mdx
+++ b/docs/pages/enroll-resources/server-access/guides/guides.mdx
@@ -1,5 +1,6 @@
---
-title: Server Access Guides
+title: Server Access Configuration Guides
+sidebar_label: Configuration Guides
description: Teleport server access guides.
template: "no-toc"
tags:
@@ -7,14 +8,4 @@ tags:
- infrastructure-identity
---
-- [Using Teleport with PAM](ssh-pam.mdx): How to configure Teleport SSH with PAM (Pluggable Authentication Modules).
-- [Agentless OpenSSH Integration](../openssh/openssh-agentless.mdx): How to use Teleport in agentless mode on systems with OpenSSH and `sshd`.
-- [Agentless OpenSSH Integration (Manual Installation)](../openssh/openssh-manual-install.mdx): How to use Teleport in agentless mode
- on systems with OpenSSH and `sshd` that can't run `teleport`.
-- [BPF Session Recording](bpf-session-recording.mdx): How to use BPF to record SSH session commands, modified files and network connections.
-- [Visual Studio Code](../../../connect-your-client/third-party/vscode.mdx): How to remotely develop with Visual Studio Code and Teleport.
-- [JetBrains SFTP](../../../connect-your-client/third-party/jetbrains-sftp.mdx): How to use a JetBrains IDE to access SFTP with Teleport.
-- [Host User Creation](host-user-creation.mdx): How to configure Teleport to automatically create transient host users.
-- [Linux Auditing System](auditd.mdx): How to integrate Teleport with the Linux Auditing System (auditd).
-- [Using Teleport with Ansible](ansible.mdx): How to use Ansible with
- Teleport-issued SSH credentials.
+
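Review bot: After this hunk the page body is a single blank line: all nine guide links are removed and nothing replaces them. If a generated index or the sidebar is meant to take over, state that in the commit message; otherwise readers lose the in-page pointers to the PAM, BPF session recording, host user creation and auditd guides. The front matter `description: Teleport server access guides.` in the hunk above also no longer matches the new title `Server Access Configuration Guides`.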
diff --git a/docs/pages/enroll-resources/server-access/introduction.mdx b/docs/pages/enroll-resources/server-access/introduction.mdx
deleted file mode 100644
index db424266dd1fb..0000000000000
--- a/docs/pages/enroll-resources/server-access/introduction.mdx
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: Introduction to Enrolling Servers
-description: Teleport server access features and introduction.
-videoBanner: EsEvO5ndNDI
-tags:
- - conceptual
- - zero-trust
- - infrastructure-identity
----
-
-Teleport consolidates SSH access across all environments, decreases
-configuration complexity, supports industry best practices and compliance while
-giving complete visibility over all sessions and events.
-
-Teleport server access is designed for the following kinds of scenarios:
-
-- When up to a vast number of clusters must be managed using the command-line (`tsh`) or programmatically (through the Teleport API) and you want to simplify your stack, security, and configuration complexity.
-- When security team members must track and audit every user session.
-- When Teleport users require a complete, dedicated, and secure SSH option (Teleport Node running in SSH mode) and more than a certificate authority (Teleport Auth) with proxy (Teleport Proxy).
-- When resource and network security must be maximized: SSH certificates over secret keys, multi-factor authentication (MFA), Single Sign-On (SSO), and short-lived certificates.
-
-
-
-Teleport protects servers through the Teleport SSH Service, which is a Teleport
-agent service. For more information on agent services, read [Teleport Agent
-Architecture](../../reference/architecture/agents.mdx). You can also learn how to deploy a
-[pool of Teleport Agents](../agents/agents.mdx) to run multiple agent
-services.
-
-## Getting started
-
-- [Get started](getting-started.mdx): Get started using Teleport server access
- in 10 minutes. Server access for most common SSH use-cases.
-
-## Enrolling OpenSSH servers
-
-You can protect OpenSSH servers with Teleport, which makes it easier to protect
-legacy infrastructure, using an [agentless architecture](openssh/openssh-agentless.mdx).
-Read the [Teleport OpenSSH guides](openssh/openssh.mdx) to learn more.
-
-## Guides
-
-- [Using Teleport with PAM](./guides/ssh-pam.mdx): How to configure Teleport SSH with PAM (Pluggable Authentication Modules).
-- [Agentless OpenSSH Servers](./openssh/openssh-agentless.mdx): How to register OpenSSH servers before transitioning to the Teleport SSH Service.
-- [BPF Session Recording](./guides/bpf-session-recording.mdx): How to use BPF to record SSH session commands, modified files and network connections.
-- [Visual Studio Code](../../connect-your-client/third-party/vscode.mdx): How to remotely develop with Visual Studio Code and Teleport.
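Review bot: This deletion removes `server-access/introduction.mdx` outright, and the only inbound link updated in the visible part of the patch is the one in `installation/installation.mdx`. If a redirect from the old introduction path to `server-access/server-access.mdx` is not already part of this change, add one, and search for remaining links to `server-access/introduction.mdx` so that existing references and bookmarks do not break.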
diff --git a/docs/pages/enroll-resources/server-access/openssh/openssh.mdx b/docs/pages/enroll-resources/server-access/openssh/openssh.mdx
index e2426c27e0ee5..bcbd82d5397d3 100644
--- a/docs/pages/enroll-resources/server-access/openssh/openssh.mdx
+++ b/docs/pages/enroll-resources/server-access/openssh/openssh.mdx
@@ -1,5 +1,6 @@
---
-title: OpenSSH Guides
+title: Enrolling OpenSSH Servers with Teleport
+sidebar_label: OpenSSH Servers
description: Teleport Agentless OpenSSH integration guides.
template: "no-toc"
tags:
diff --git a/docs/pages/enroll-resources/server-access/rbac.mdx b/docs/pages/enroll-resources/server-access/rbac.mdx
index c8ed439832e36..1b074f2ec2ae8 100644
--- a/docs/pages/enroll-resources/server-access/rbac.mdx
+++ b/docs/pages/enroll-resources/server-access/rbac.mdx
@@ -1,5 +1,6 @@
---
title: Access Controls for Servers
+sidebar_label: Access Controls
description: Role-based access control (RBAC) for Teleport server access.
tags:
- conceptual
diff --git a/docs/pages/enroll-resources/server-access/server-access.mdx b/docs/pages/enroll-resources/server-access/server-access.mdx
index 69a13205998b2..2ef7b9ec605f3 100644
--- a/docs/pages/enroll-resources/server-access/server-access.mdx
+++ b/docs/pages/enroll-resources/server-access/server-access.mdx
@@ -96,7 +96,7 @@ Teleport protects servers through the Teleport SSH Service, which is a Teleport
title: "Ansible",
description: "Run Ansible playbooks with Teleport-issued SSH certificates.",
iconComponent: ansibleSvg,
- href: "./guides/ansible/"
+ href: "../../connect-your-client/third-party/ansible/"
},
]}
/>
diff --git a/docs/pages/enroll-resources/server-access/troubleshooting-server.mdx b/docs/pages/enroll-resources/server-access/troubleshooting-server.mdx
index e8898d4e9a681..9bc3c9d5263ac 100644
--- a/docs/pages/enroll-resources/server-access/troubleshooting-server.mdx
+++ b/docs/pages/enroll-resources/server-access/troubleshooting-server.mdx
@@ -1,5 +1,6 @@
---
title: Troubleshooting Server Access
+sidebar_label: Troubleshooting
description: Describes common issues and solutions for access to servers.
tags:
- how-to
diff --git a/docs/pages/identity-governance/integrations/okta/user-sync.mdx b/docs/pages/identity-governance/integrations/okta/user-sync.mdx
index 53daf3792aa0e..f79a8ebf8e2e3 100644
--- a/docs/pages/identity-governance/integrations/okta/user-sync.mdx
+++ b/docs/pages/identity-governance/integrations/okta/user-sync.mdx
@@ -47,7 +47,7 @@ group assignments in Okta and can make changes within Okta based on your
Teleport RBAC configuration. To limit the scope of the integration, ensure that:
- In the Teleport roles you have assigned to users, no role contains an
- [app_labels](../../../enroll-resources/application-access/controls.mdx) field
+ [app_labels](../../../enroll-resources/application-access/configuration/controls.mdx) field
with a wildcard value. Since Teleport uses this field to govern access to Okta
applications, wildcard values will grant Teleport users access to all Okta
applications.
diff --git a/docs/pages/includes/database-access/aws-troubleshooting-max-policy-size.mdx b/docs/pages/includes/database-access/aws-troubleshooting-max-policy-size.mdx
index 48fcec4d07645..d2b2deabdc0a8 100644
--- a/docs/pages/includes/database-access/aws-troubleshooting-max-policy-size.mdx
+++ b/docs/pages/includes/database-access/aws-troubleshooting-max-policy-size.mdx
@@ -207,7 +207,7 @@ the IAM identity of the host running the Database Service.
The `assume_role_arn` is not limited to the same AWS account so you can also
use this feature for [AWS Cross-Account
-Access](../../enroll-resources/database-access/enroll-aws-databases/aws-cross-account.mdx).
+Access](../../enroll-resources/database-access/enrollment/aws/aws-cross-account.mdx).
diff --git a/docs/pages/includes/database-access/rds-proxy.mdx b/docs/pages/includes/database-access/rds-proxy.mdx
index 94e24422a333e..4804e4d56c416 100644
--- a/docs/pages/includes/database-access/rds-proxy.mdx
+++ b/docs/pages/includes/database-access/rds-proxy.mdx
@@ -15,9 +15,9 @@
Teleport currently supports RDS Proxy instances with engine family
-[PostgreSQL](../../enroll-resources/database-access/enroll-aws-databases/rds-proxy/rds-proxy-postgres.mdx),
-[MariaDB/MySQL](../../enroll-resources/database-access/enroll-aws-databases/rds-proxy/rds-proxy-postgres.mdx) or
-[Microsoft SQL Server](../../enroll-resources/database-access/enroll-aws-databases/rds-proxy/rds-proxy-sqlserver.mdx).
+[PostgreSQL](../../enroll-resources/database-access/enrollment/aws/rds-proxy/rds-proxy-postgres.mdx),
+[MariaDB/MySQL](../../enroll-resources/database-access/enrollment/aws/rds-proxy/rds-proxy-postgres.mdx) or
+[Microsoft SQL Server](../../enroll-resources/database-access/enrollment/aws/rds-proxy/rds-proxy-sqlserver.mdx).
(!docs/pages/includes/database-access/auto-discovery-tip.mdx dbType="RDS Proxy" providerType="AWS"!)
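Review bot: The `[MariaDB/MySQL]` link points at `rds-proxy-postgres.mdx`, the same target as the `[PostgreSQL]` link, in both the removed and the added line. The path rewrite carries that over unchanged; since the line is being edited anyway, either point it at the MariaDB/MySQL RDS Proxy guide or confirm that the PostgreSQL page is the intended target.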
diff --git a/docs/pages/includes/discovery/database-service-troubleshooting.mdx b/docs/pages/includes/discovery/database-service-troubleshooting.mdx
index 8786e37d0de31..bb2f003d6d2a2 100644
--- a/docs/pages/includes/discovery/database-service-troubleshooting.mdx
+++ b/docs/pages/includes/discovery/database-service-troubleshooting.mdx
@@ -40,7 +40,7 @@ spec:
This section assumes you have already provisioned a database user and configured
Teleport RBAC for that database user by following a specific guide in
-[Enroll AWS Databases](../../enroll-resources/database-access/enroll-aws-databases/enroll-aws-databases.mdx).
+[Enroll AWS Databases](../../enroll-resources/database-access/enrollment/aws/aws.mdx).
If there are connection errors when you try to connect to a database, then
@@ -68,5 +68,5 @@ guide](../../enroll-resources/database-access/troubleshooting.mdx) for more
general troubleshooting steps.
Additionally, a guide specific to the type of database in
-[Enroll AWS Databases](../../enroll-resources/database-access/enroll-aws-databases/enroll-aws-databases.mdx).
+[Enroll AWS Databases](../../enroll-resources/database-access/enrollment/aws/aws.mdx).
may have more specific troubleshooting information.
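Review bot: The rewritten link line still ends in a period, `.../enrollment/aws/aws.mdx).`, although the sentence continues on the next line with `may have more specific troubleshooting information.` Drop the trailing period while touching this line, and consider rewording the sentence, which opens with `Additionally, a guide specific to the type of database in` and does not read as a complete clause.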
diff --git a/docs/pages/includes/helm-reference/zz_generated.teleport-kube-agent.mdx b/docs/pages/includes/helm-reference/zz_generated.teleport-kube-agent.mdx
index 0eccfc7c872eb..13d5b9286d747 100644
--- a/docs/pages/includes/helm-reference/zz_generated.teleport-kube-agent.mdx
+++ b/docs/pages/includes/helm-reference/zz_generated.teleport-kube-agent.mdx
@@ -228,7 +228,7 @@ appResources:
Once `appResources` is set, you can dynamically register application with
-`tsh` by following [the Dynamic App Registration guide](../../enroll-resources/application-access/guides/dynamic-registration.mdx).
+`tsh` by following [the Dynamic App Registration guide](../../enroll-resources/application-access/configuration/dynamic-registration.mdx).
## `clusterDomain`
@@ -251,7 +251,7 @@ to match your cluster domain if it is different from the default value `cluster.
`awsDatabases` configures AWS database auto-discovery.
- For AWS database auto-discovery to work, your Database Service pods will need to use a role which has appropriate IAM permissions as per the [database documentation](../../enroll-resources/database-access/enroll-aws-databases/rds/mysql-postgres-mariadb.mdx#step-36-create-iam-policies-for-teleport).
+ For AWS database auto-discovery to work, your Database Service pods will need to use a role which has appropriate IAM permissions as per the [database documentation](../../enroll-resources/database-access/enrollment/aws/rds/mysql-postgres-mariadb.mdx#step-36-create-iam-policies-for-teleport).
After configuring a role, you can use an `eks.amazonaws.com/role-arn` annotation with the `annotations.serviceAccount` value to associate it with the service account and grant permissions:
```yaml
@@ -296,7 +296,7 @@ annotations:
`azureDatabases` configures Azure database auto-discovery.
- For Azure database auto-discovery to work, your Database Service pods will need to have appropriate IAM permissions as per the [database documentation](../../enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx#step-25-configure-iam-permissions-for-teleport).
+ For Azure database auto-discovery to work, your Database Service pods will need to have appropriate IAM permissions as per the [database documentation](../../enroll-resources/database-access/enrollment/azure/azure-postgres-mysql.mdx#step-25-configure-iam-permissions-for-teleport).
After configuring a service principal with appropriate IAM permissions, you must pass credentials to the pods.
The easiest way is to use an Azure client secret.
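Review bot: The `zz_generated.` prefix in this file's name suggests it is generator output, so the three link edits in this file may be overwritten the next time the reference is regenerated. If that is the case, make the same path changes in the source the reference is generated from (not shown in this patch) and regenerate, instead of editing the output by hand.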
diff --git a/docs/pages/index.mdx b/docs/pages/index.mdx
index a22cab58ac799..c0c96d133ae14 100644
--- a/docs/pages/index.mdx
+++ b/docs/pages/index.mdx
@@ -127,7 +127,7 @@ import listBulletsSvg from "@site/src/components/Icon/teleport-svg/list-bullets.
{
title: 'VNet: Build without VPNs',
description: 'Secure app & SSH access with no VPNs or proxies',
- href: './enroll-resources/application-access/guides/vnet/'
+ href: './enroll-resources/application-access/vnet/'
},
{
title: 'Secure MCP (Protect the Vibes)',
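Review bot: The VNet card now links to `./enroll-resources/application-access/vnet/`, directly under `application-access/`, while the other `application-access/guides/` paths rewritten in this patch moved to `application-access/configuration/` (for example `configuration/dynamic-registration.mdx`). Confirm that the VNet guide really sits at the top level and not under `configuration/`, and check the new `href` in a local build so the card does not ship with a dead link.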
@@ -417,7 +417,7 @@ import listBulletsSvg from "@site/src/components/Icon/teleport-svg/list-bullets.
},
{
title: 'Snowflake',
- href: './enroll-resources/database-access/enroll-managed-databases/snowflake/',
+ href: './enroll-resources/database-access/enrollment/managed/snowflake/',
iconColor: '#29B5E81A',
iconComponent: snowflakeSvg,
},
diff --git a/docs/pages/installation/amazon-ecs.mdx b/docs/pages/installation/amazon-ecs.mdx
index d0822c5ae4b75..8e0a819641b28 100644
--- a/docs/pages/installation/amazon-ecs.mdx
+++ b/docs/pages/installation/amazon-ecs.mdx
@@ -245,4 +245,4 @@ Navigate to the [Amazon ECS console](https://console.aws.amazon.com/ecs/v2/clust
## Next steps
Use this guide as a starting point for implementing Auto Discovery for AWS resources:
- [EKS clusters](../enroll-resources/auto-discovery/kubernetes/aws.mdx)
-- [AWS databases](../enroll-resources/database-access/enroll-aws-databases/enroll-aws-databases.mdx)
+- [AWS databases](../enroll-resources/database-access/enrollment/aws/aws.mdx)
diff --git a/docs/pages/installation/installation.mdx b/docs/pages/installation/installation.mdx
index e44778e5110a3..28547d56ffbda 100644
--- a/docs/pages/installation/installation.mdx
+++ b/docs/pages/installation/installation.mdx
@@ -93,7 +93,7 @@ If you wish to uninstall Teleport at any time, see our documentation on [Uninsta
Now that you know how to install Teleport, you can enable access to all of your
infrastructure. Get started with enrolling resources in your Teleport cluster:
-- [SSH servers](../enroll-resources/server-access/introduction.mdx)
+- [SSH servers](../enroll-resources/server-access/server-access.mdx)
- [Kubernetes clusters](../enroll-resources/kubernetes-access/introduction.mdx)
- [Databases](../enroll-resources/database-access/database-access.mdx)
- [Applications](../enroll-resources/application-access/application-access.mdx)
diff --git a/docs/pages/reference/access-controls/roles.mdx b/docs/pages/reference/access-controls/roles.mdx
index 49cbd280ad4ff..057955db3b0d3 100644
--- a/docs/pages/reference/access-controls/roles.mdx
+++ b/docs/pages/reference/access-controls/roles.mdx
@@ -756,7 +756,7 @@ Labels for resources enrolled with Teleport:
|Role Field|Teleport Resource|
|---|---|
-|`app_labels`|[Applications](../../enroll-resources/application-access/controls.mdx)|
+|`app_labels`|[Applications](../../enroll-resources/application-access/configuration/controls.mdx)|
|`cluster_labels`|[Trusted Clusters](../../zero-trust-access/management/admin/trustedclusters.mdx)|
|`db_labels`|[Databases](../../enroll-resources/database-access/rbac.mdx)|
|`db_service_labels`|[Database Service](../../enroll-resources/database-access/database-access.mdx) instances|
diff --git a/docs/pages/reference/architecture/agents.mdx b/docs/pages/reference/architecture/agents.mdx
index 8f295a48a718d..53ce0dc342eb1 100644
--- a/docs/pages/reference/architecture/agents.mdx
+++ b/docs/pages/reference/architecture/agents.mdx
@@ -177,7 +177,7 @@ To learn more about the mechanism an agent uses to authenticate to an
infrastructure resource, read the guide to enrolling that resource in your
Teleport cluster:
-- [Applications](../../enroll-resources/application-access/guides/guides.mdx)
+- [Applications](../../enroll-resources/application-access/application-access.mdx)
- [Cloud provider APIs](../../enroll-resources/application-access/cloud-apis/cloud-apis.mdx)
- [Databases](../../enroll-resources/database-access/guides/guides.mdx)
- [Kubernetes clusters](../../enroll-resources/kubernetes-access/register-clusters/register-clusters.mdx)
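Review bot: the unchanged `Databases` item directly below the edited line still targets `../../enroll-resources/database-access/guides/guides.mdx`, while the `Applications` item no longer uses a `guides/guides.mdx` index and other hunks in this patch move database pages under `database-access/enrollment/`. Please confirm the database guides index survives the restructure, or point this item at the section landing page as well so the list stays consistent.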
diff --git a/docs/pages/reference/architecture/kubernetes-applications-architecture.mdx b/docs/pages/reference/architecture/kubernetes-applications-architecture.mdx
index 50f9cbb4cf378..833a717ed390f 100644
--- a/docs/pages/reference/architecture/kubernetes-applications-architecture.mdx
+++ b/docs/pages/reference/architecture/kubernetes-applications-architecture.mdx
@@ -23,12 +23,12 @@ The Discovery Service running in a Kubernetes cluster will periodically list ser
according to the matchers specified in `kubernetes` field of the service config. You can filter services based on
types, namespaces and service labels. Services running in the `kube-system` and `kube-public` namespaces are
automatically ignored. All services by default currently
-are considered of an "app" type, but it can be changed for a service by Kubernetes annotation [`teleport.dev/discovery-type`](../../enroll-resources/auto-discovery/reference/kubernetes-application-discovery.mdx).
+are considered of an "app" type, but it can be changed for a service by Kubernetes annotation [`teleport.dev/discovery-type`](../../enroll-resources/auto-discovery/kubernetes-applications/reference.mdx).
If type of a service doesn't equal the one specified in the matcher, service is ignored.
By default name of the created Teleport app will consist of Kubernetes service name, namespace and
Kubernetes cluster name: `$SERVICE_NAME-$NAMESPACE-$KUBE_CLUSTER_NAME`. That name can be changed by Kubernetes annotation
-[`teleport.dev/name`](../../enroll-resources/auto-discovery/reference/kubernetes-application-discovery.mdx).
+[`teleport.dev/name`](../../enroll-resources/auto-discovery/kubernetes-applications/reference.mdx).
Every port that is exposed by the service is considered separately, so one Kubernetes service can result in creation of multiple Teleport app resources,
if more than one port is exposed on the service. In that case port name will be added to the app name.
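Review bot: both replaced links in this hunk (`teleport.dev/discovery-type` and `teleport.dev/name`) resolve to the same `kubernetes-applications/reference.mdx` page with no fragment, so the reader lands at the top of the reference and has to search for the annotation. If the reference page has a heading per annotation, consider adding the matching fragment to each link while the paths are being touched.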
@@ -43,7 +43,7 @@ values `http`/`https` it will be used in the URI.
- Teleport will perform HTTP request to the port to see if it serves HTTP/HTTPS requests
- if exposed port's name is `http` or it has numeric value 80 or 8080, `http` will be used.
-Otherwise, this port is ignored. But if annotation [`teleport.dev/protocol`](../../enroll-resources/auto-discovery/reference/kubernetes-application-discovery.mdx) is used on the service and its value is
+Otherwise, this port is ignored. But if annotation [`teleport.dev/protocol`](../../enroll-resources/auto-discovery/kubernetes-applications/reference.mdx) is used on the service and its value is
"tcp", then this port will be exposed as a TCP app.
### Creating Teleport apps and proxying requests to them
diff --git a/docs/pages/reference/helm-reference/teleport-kube-agent.mdx b/docs/pages/reference/helm-reference/teleport-kube-agent.mdx
index a29896d6fc218..405e13314b484 100644
--- a/docs/pages/reference/helm-reference/teleport-kube-agent.mdx
+++ b/docs/pages/reference/helm-reference/teleport-kube-agent.mdx
@@ -28,7 +28,7 @@ The `teleport-kube-agent` chart can run any or all of three Teleport services:
| Teleport service | Name for `roles` and `tctl tokens add` | Purpose |
|---------------------------------------------------------------------------|----------------------------------------|----------------------------------------------------------------------------------------------|
| [`kubernetes_service`](../../enroll-resources/kubernetes-access/introduction.mdx) | `kube` | Uses Teleport to handle authentication
with and proxy access to a Kubernetes cluster |
-| [`application_service`](../../enroll-resources/application-access/guides/guides.mdx) | `app` | Uses Teleport to handle authentication
with and proxy access to web-based applications |
+| [`application_service`](../../enroll-resources/application-access/application-access.mdx) | `app` | Uses Teleport to handle authentication
with and proxy access to web-based applications |
| [`database_service`](../../enroll-resources/database-access/guides/guides.mdx) | `db` | Uses Teleport to handle authentication
with and proxy access to databases |
| [`discovery_service`](../../enroll-resources/auto-discovery/auto-discovery.mdx) | `discovery` | Uses Teleport to discover new resources
and dynamically add them to the cluster |
| [`jamf_service`](../../identity-governance/device-trust/jamf-integration.mdx) | `jamf` | Uses Teleport to integrate with Jamf Pro
and sync devices with Device Trust inventory |
diff --git a/docs/pages/reference/infrastructure-as-code/teleport-resources/vnet-config.mdx b/docs/pages/reference/infrastructure-as-code/teleport-resources/vnet-config.mdx
index e63c0d69424b7..5d56f0576d0ce 100644
--- a/docs/pages/reference/infrastructure-as-code/teleport-resources/vnet-config.mdx
+++ b/docs/pages/reference/infrastructure-as-code/teleport-resources/vnet-config.mdx
@@ -7,7 +7,7 @@ description: Provides a comprehensive list of fields for the Teleport VNet confi
The VNet config resource contains cluster-specific options VNet should use when
setting up connections to resources from this cluster.
-See [VNet](../../../enroll-resources/application-access/guides/vnet.mdx) for more details.
+See [VNet](../../../enroll-resources/application-access/vnet.mdx) for more details.
```yaml
kind: vnet_config
diff --git a/docs/pages/zero-trust-access/api/rbac.mdx b/docs/pages/zero-trust-access/api/rbac.mdx
index cccd252cd2a3a..537343423d10c 100644
--- a/docs/pages/zero-trust-access/api/rbac.mdx
+++ b/docs/pages/zero-trust-access/api/rbac.mdx
@@ -964,7 +964,7 @@ resources:
- [Databases](../../enroll-resources/database-access/rbac.mdx)
- [Kubernetes clusters](../../enroll-resources/kubernetes-access/controls.mdx)
- [Windows Desktops](../../enroll-resources/desktop-access/rbac.mdx)
-- [Applications](../../enroll-resources/application-access/controls.mdx)
+- [Applications](../../enroll-resources/application-access/configuration/controls.mdx)
For general guidance, read our [Access Controls
Reference](../../reference/access-controls/roles.mdx).
diff --git a/docs/pages/zero-trust-access/deploy-a-cluster/helm-deployments/ibm.mdx b/docs/pages/zero-trust-access/deploy-a-cluster/helm-deployments/ibm.mdx
index 6d9dee076d531..90f000e10fbc6 100644
--- a/docs/pages/zero-trust-access/deploy-a-cluster/helm-deployments/ibm.mdx
+++ b/docs/pages/zero-trust-access/deploy-a-cluster/helm-deployments/ibm.mdx
@@ -313,7 +313,7 @@ In this step you will create a new user and access the web UI:
## Next Steps
As next steps you can:
-- enroll [servers](../../../enroll-resources/server-access/introduction.mdx),
+- enroll [servers](../../../enroll-resources/server-access/server-access.mdx),
[Kubernetes clusters](../../../enroll-resources/kubernetes-access/introduction.mdx),
[databases](../../../enroll-resources/database-access/getting-started.mdx),
[applications](../../../enroll-resources/application-access/getting-started.mdx),
diff --git a/docs/pages/zero-trust-access/rbac-get-started/role-demo.mdx b/docs/pages/zero-trust-access/rbac-get-started/role-demo.mdx
index 6e66ba5e865b0..004d59485a95d 100644
--- a/docs/pages/zero-trust-access/rbac-get-started/role-demo.mdx
+++ b/docs/pages/zero-trust-access/rbac-get-started/role-demo.mdx
@@ -315,7 +315,7 @@ your RBAC for each kind of resource:
- [Databases](../../enroll-resources/database-access/rbac.mdx)
- [Kubernetes clusters](../../enroll-resources/kubernetes-access/controls.mdx)
- [Remote desktops](../../enroll-resources/desktop-access/rbac.mdx)
-- [Web applications](../../enroll-resources/application-access/controls.mdx)
+- [Web applications](../../enroll-resources/application-access/configuration/controls.mdx)
### Reference guide
diff --git a/docs/pages/zero-trust-access/zero-trust-access.mdx b/docs/pages/zero-trust-access/zero-trust-access.mdx
index e8a38ce9689e3..c6b30972302d0 100644
--- a/docs/pages/zero-trust-access/zero-trust-access.mdx
+++ b/docs/pages/zero-trust-access/zero-trust-access.mdx
@@ -65,7 +65,7 @@ import mcpAndAiSvg from "@site/src/components/Icon/teleport-svg/mcp-and-ai.svg";
{
title: "VNet: Build without VPNs",
description: "Connect to internal, non-browser TCP and SSH resources without VPNs. Use familiar tools and workflows while eliminating exposure to public internet.",
- href: "../enroll-resources/application-access/guides/vnet/",
+ href: "../enroll-resources/application-access/vnet/",
tags: [
{
name: "Teleport VNet demo",
@@ -173,7 +173,7 @@ import mcpAndAiSvg from "@site/src/components/Icon/teleport-svg/mcp-and-ai.svg";
{
title: "VNet: Build without VPNs",
description: "Secure app and SSH access with no VPNs or proxies",
- href: "../enroll-resources/application-access/guides/vnet/",
+ href: "../enroll-resources/application-access/vnet/",
},
{
title: "Secure MCP",
diff --git a/examples/chart/teleport-kube-agent/values.yaml b/examples/chart/teleport-kube-agent/values.yaml
index 3b6635e9ce676..4a1eccda6d7e5 100644
--- a/examples/chart/teleport-kube-agent/values.yaml
+++ b/examples/chart/teleport-kube-agent/values.yaml
@@ -179,7 +179,7 @@ apps: []
#
#
# Once `appResources` is set, you can dynamically register application with
-# `tsh` by following [the Dynamic App Registration guide](../../enroll-resources/application-access/guides/dynamic-registration.mdx).
+# `tsh` by following [the Dynamic App Registration guide](../../enroll-resources/application-access/configuration/dynamic-registration.mdx).
#
appResources: []
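Review bot: the relative link in the changed comment, `../../enroll-resources/application-access/configuration/dynamic-registration.mdx`, does not resolve from `examples/chart/teleport-kube-agent/`. It only makes sense relative to a docs page two levels below `docs/pages`. A docs link check may not cover `values.yaml`, so please verify the new path by hand against the rendered chart reference page.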
@@ -199,7 +199,7 @@ clusterDomain: "cluster.local"
# awsDatabases(list) -- configures AWS database auto-discovery.
#
#
-# For AWS database auto-discovery to work, your Database Service pods will need to use a role which has appropriate IAM permissions as per the [database documentation](../../enroll-resources/database-access/enroll-aws-databases/rds/mysql-postgres-mariadb.mdx#step-36-create-iam-policies-for-teleport).
+# For AWS database auto-discovery to work, your Database Service pods will need to use a role which has appropriate IAM permissions as per the [database documentation](../../enroll-resources/database-access/enrollment/aws/rds/mysql-postgres-mariadb.mdx#step-36-create-iam-policies-for-teleport).
# After configuring a role, you can use an `eks.amazonaws.com/role-arn` annotation with the `annotations.serviceAccount` value to associate it with the service account and grant permissions:
#
# ```yaml
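Review bot: the `#step-36-create-iam-policies-for-teleport` fragment on the changed line is carried over unchanged, and it encodes a step number taken from a heading on the target page. Path moves are usually caught by link checks, but fragments often are not, so please confirm the heading in `enrollment/aws/rds/mysql-postgres-mariadb.mdx` still produces this anchor.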
@@ -239,7 +239,7 @@ awsDatabases: []
# azureDatabases(list) -- configures Azure database auto-discovery.
#
-# For Azure database auto-discovery to work, your Database Service pods will need to have appropriate IAM permissions as per the [database documentation](../../enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx#step-25-configure-iam-permissions-for-teleport).
+# For Azure database auto-discovery to work, your Database Service pods will need to have appropriate IAM permissions as per the [database documentation](../../enroll-resources/database-access/enrollment/azure/azure-postgres-mysql.mdx#step-25-configure-iam-permissions-for-teleport).
#
# After configuring a service principal with appropriate IAM permissions, you must pass credentials to the pods.
# The easiest way is to use an Azure client secret.
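Review bot: the changed comment line exists in two places. The same sentence, with the same new path and `#step-25-configure-iam-permissions-for-teleport` fragment, is added without the `#` prefix earlier in this patch. If that page is generated from the `values.yaml` comments, regenerate it from this file rather than editing both copies by hand, so the two cannot drift.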