mirror of
https://github.com/gravitational/teleport
synced 2024-10-22 10:13:21 +00:00
Update tctl docs to include new global flags and remote functionality. (#6771)
This commit is contained in:
parent
9c60d1c21a
commit
896d0054b3
|
@ -532,9 +532,7 @@ registered devices using [`tsh mfa ls`](cli-docs.mdx#tsh-mfa-ls).
|
|||
|
||||
## tctl
|
||||
|
||||
`tctl` is an admin CLI tool used to administer a Teleport cluster. It connects
|
||||
to an Auth Server, meaning that it must be run on the same host with the role
|
||||
`auth` . If you run `tctl` on a non- `auth` node it will show an error.
|
||||
`tctl` is a CLI tool used to administer a Teleport cluster.
|
||||
|
||||
`tctl` allows a cluster administrator to manage all resources in a cluster
|
||||
including nodes, users, tokens, and certificates.
|
||||
|
@ -542,12 +540,30 @@ including nodes, users, tokens, and certificates.
|
|||
`tctl` can also be used to modify the dynamic configuration of the cluster, like
|
||||
creating new user roles or connecting trusted clusters.
|
||||
|
||||
By default, `tctl` connects to a local Auth server, meaning it will fail if you
|
||||
attempt to run `tctl` on a non-`auth` host.
|
||||
|
||||
`tctl` can also connect to a remote Auth server if the `--identity` and
|
||||
`--auth-server` flags are used. An identity file for use with `--identity`
|
||||
can be exported with `tctl auth sign` or `tsh login --out=<output-path>`.
|
||||
|
||||
<Admonition type="note">
|
||||
Note that when a `tctl` command is run locally on an Auth server, the audit logs will
|
||||
show that it was performed by the Auth server itself. To properly audit admin actions
|
||||
at scale, it is important to limit direct ssh access to the Auth server with
|
||||
[Access Controls](./access-controls/introduction.mdx) and ensure that admins use `tctl`
|
||||
remotely with the `--identity` flag instead.
|
||||
</Admonition>
|
||||
|
||||
### tctl Global Flags
|
||||
|
||||
| Name | Default Value(s) | Allowed Value(s) | Description |
|
||||
| - | - | - | - |
|
||||
| `-d, --debug` | none | none | Enable verbose logging to stderr |
|
||||
| `-c, --config` | `/etc/teleport.yaml` | **string** filepath | Path to a configuration file |
|
||||
| `--auth-server` | none | `host:port` | Attempts to connect to specific auth/proxy address(es) instead of local auth [127.0.0.1:3025] |
|
||||
| `-i, --identity` | none | **string** filepath | Path to an identity file. Must be provided to make remote connections to auth. An identity file can be exported with 'tctl auth sign' |
|
||||
| `--insecure` | none | none | When specifying a proxy address in --auth-server, do not verify its TLS certificate. Danger: any data you send can be intercepted or modified by an attacker |
|
||||
|
||||
### tctl help
|
||||
|
||||
|
|
|
@ -119,9 +119,10 @@ func Run(commands []CLICommand) {
|
|||
app.Flag("config-string",
|
||||
"Base64 encoded configuration string").Hidden().Envar(defaults.ConfigEnvar).StringVar(&ccf.ConfigString)
|
||||
app.Flag("auth-server",
|
||||
fmt.Sprintf("Address of the auth server or the proxy [%v]. Can be supplied multiple times", defaults.AuthConnectAddr().Addr)).
|
||||
fmt.Sprintf("Attempts to connect to specific auth/proxy address(es) instead of local auth [%v]", defaults.AuthConnectAddr().Addr)).
|
||||
StringsVar(&ccf.AuthServerAddr)
|
||||
app.Flag("identity", "Path to the identity file exported with 'tctl auth sign'").
|
||||
app.Flag("identity",
|
||||
"Path to an identity file. Must be provided to make remote connections to auth. An identity file can be exported with 'tctl auth sign'").
|
||||
Short('i').
|
||||
StringVar(&ccf.IdentityFilePath)
|
||||
app.Flag("insecure", "When specifying a proxy address in --auth-server, do not verify its TLS certificate. Danger: any data you send can be intercepted or modified by an attacker.").
|
||||
|
|
Loading…
Reference in a new issue