package
18.0.0-dev.vnet-windows.4+incompatible
Repository: https://github.com/gravitational/teleport.git
Documentation: pkg.go.dev

# Packages

Package events contains event related types and logic required by the Teleport API.
Package wrappers provides protobuf wrappers for common teleport map and list types.

# Functions

BoolDefaultTrue returns true if v is not set (pointer is nil) otherwise returns real boolean value.
CombineLabels combines the passed in static and dynamic labels.
CopyRulesSlice copies input slice of Rules and returns the copy.
DeduplicateApps deduplicates apps by combination of app name and public address.
DeduplicateDatabases deduplicates databases by name.
DeduplicateKubeClusters deduplicates kube clusters by name.
DefaultAgentMeshTunnelStrategy sets default values for an agent mesh tunnel strategy.
DefaultAuthPreference returns the default authentication preferences.
DefaultClusterAuditConfig returns the default audit log configuration.
DefaultClusterNetworkingConfig returns the default cluster networking config.
DefaultNamespace returns the default namespace.
DefaultProxyPeeringTunnelStrategy sets default values for a proxy peering tunnel strategy.
DefaultSessionRecordingConfig returns the default session recording configuration.
DefaultStaticTokens is used to get the default static tokens (empty list) when nothing is specified in file configuration.
DefaultTunnelStrategy is the default tunnel strategy used when one is not specified.
DeviceFromResource converts a resource DeviceV1 to an API devicepb.Device.
DeviceToResource converts an API devicepb.Device to a resource DeviceV1 and assigns all default fields.
FriendlyName will return the friendly name for a resource if it has one.
GenerateSchedule generates schedule based on the time period, using even time periods between rotation phases.
GetExpiry returns the expiration, if one can be obtained, otherwise returns an empty time `time.Time{}`, which is equivalent to no expiry.
GetGitHubOrgFromNodeAddr parses the organization from the node address.
GetKind returns the kind, if one can be obtained, otherwise an empty string is returned.
GetName fetches the name of the supplied resource.
GetOrigin returns the value set for the [OriginLabel].
GetRevision returns the revision, if one can be obtained, otherwise an empty string is returned.
GetSortByFromString expects a string in format `<fieldName>:<asc|desc>` where index 0 is fieldName and index 1 is direction.
IsMaxFailedRecoveryAttempt determines if user reached their max failed attempts.
IsOpenSSHNodeSubKind returns whether the Node SubKind is from a server which accepts connections over the OpenSSH daemon (instead of a Teleport Node).
IsSystemResource checks to see if the given resource is considered part of the teleport system, as opposed to some user created resource or preset.
IsUnsupportedAuthorityErr returns whether an error is due to an unsupported CertAuthType.
IsValidLabelKey checks if the supplied string matches the label key regexp.
IsValidNamespace checks if the namespace provided is valid.
LabelsToV2 converts labels from interface to V2 spec.
LegacySecondFactorFromSecondFactors returns a suitable legacy second factor for the given list of second factors.
LegacyTo153Metadata converts a legacy [Metadata] object to an RFD153-style [headerv1.Metadata] block.
LegacyToResource153 converts a legacy [Resource] into a [Resource153].
LocalServiceMappings returns the subset of role mappings which happen to be true Teleport services (e.g.
MakeGitHubOrgServerDomain creates a special domain name used in server's host address to identify the GitHub organization.
MatchKinds takes an array of strings that represent a Kind and returns true if the resource's kind matches any item in the given array.
MatchLabels takes a map of labels and returns `true` if the resource has ALL of them.
MatchSearch goes through select field values from a resource and tries to match against the list of search values, ignoring case and order.
MaxDuration returns the maximum duration value.
Metadata153ToLegacy converts RFD153-style resource metadata to legacy metadata.
MustCreateProvisionToken returns a new valid provision token or panics, used in tests.
MustNewInstallerV1 creates a new installer resource from the provided script.
NewAccessRequest assembles an AccessRequest resource.
NewAccessRequestAllowedPromotions returns a new AccessRequestAllowedPromotions resource.
NewAccessRequestWithResources assembles an AccessRequest resource with requested resources.
NewAppServerForAWSOIDCIntegration creates a new AppServer that will be used to grant AWS App Access using the AWSOIDC credentials.
NewAppServerV3 creates a new app server instance.
NewAppServerV3FromApp creates a new app server from the provided app.
NewAppV3 creates a new app resource.
NewAuthPreference is a convenience method to create AuthPreferenceV2.
NewAuthPreferenceFromConfigFile is a convenience method to create AuthPreferenceV2 labeled as originating from config file.
NewBool returns Bool struct based on bool value.
NewBoolOption returns Bool struct based on bool value.
NewBoolP returns Bool pointer.
NewCertAuthority returns new cert authority.
NewClusterAlert creates a new cluster alert.
NewClusterAuditConfig is a convenience method to create ClusterAuditConfigV2.
NewClusterMaintenanceConfig creates a new maintenance config with no parameters set.
NewClusterName is a convenience wrapper to create a ClusterName resource.
NewClusterNetworkingConfigFromConfigFile is a convenience method to create ClusterNetworkingConfigV2 labeled as originating from config file.
NewConnectionDiagnosticV1 creates a new ConnectionDiagnosticV1 resource.
NewDatabaseServerV3 creates a new database server instance.
NewDatabaseServiceV1 creates a new DatabaseService instance.
NewDatabaseV3 creates a new database resource.
NewDuration converts the given time.Duration value to a duration.
NewDynamicWindowsDesktopV1 creates a new DynamicWindowsDesktopV1 resource.
NewNode is a convenience method to create an EICE Node.
NewGithubConnector creates a new Github connector from name and spec.
NewGitHubServer creates a new Git server for GitHub.
NewGitHubServerWithName creates a new Git server for GitHub with provided name.
NewHeadlessAuthentication creates a new headless authentication resource.
NewInstallerV1 returns a new installer resource.
NewInstance assembles a new instance resource.
NewIntegrationAWSOIDC returns a new `aws-oidc` subkind Integration.
NewIntegrationAzureOIDC returns a new `azure-oidc` subkind Integration.
NewIntegrationGitHub returns a new `github` subkind Integration.
NewKubernetesClusterV3 creates a new Kubernetes cluster resource.
NewKubernetesClusterV3FromLegacyCluster creates a new Kubernetes cluster resource from the legacy type.
NewKubernetesClusterV3WithoutSecrets creates a new copy of the provided cluster but without secrets/credentials.
NewKubernetesPodV1 creates a new kubernetes resource with kind "pod".
NewKubernetesResourceV1 creates a new kubernetes resource.
NewKubernetesServerV3 creates a new kube server instance.
NewKubernetesServerV3FromCluster creates a new kubernetes server from the provided clusters.
NewLicense is a convenience method to create LicenseV3.
NewLock is a convenience method to create a Lock resource.
NewMFADevice creates a new MFADevice with the given name.
NewNamespace returns new namespace.
NewNetworkRestrictions creates a new NetworkRestrictions with the given name.
NewNode is a convenience method to create a Server of Kind Node.
NewOIDCConnector returns a new OIDCConnector based off a name and OIDCConnectorSpecV3.
NewOktaAssignment creates a new Okta assignment object.
NewOktaImportRule returns a new OktaImportRule.
NewPluginData configures a new PluginData instance associated with the supplied resource name (currently, this must be the name of an access request).
NewPluginStaticCredentials creates a new PluginStaticCredentialsV1 resource.
NewPluginV1 creates a new PluginV1 resource.
NewProvisionToken returns a new provision token with the given roles.
NewProvisionTokenFromSpec returns a new provision token with the given spec.
NewRecoveryCodes creates a new RecoveryCodes with the given codes and created time.
NewRemoteCluster is a convenience way to create a RemoteCluster resource.
NewReverseTunnel returns new version of reverse tunnel.
NewRole constructs new standard V7 role.
NewRoleWithVersion constructs new standard role with the version specified.
NewRule creates a rule based on a resource name and a list of verbs.
NewSAMLConnector returns a new SAMLConnector based off a name and SAMLConnectorSpecV2.
NewSAMLIdPServiceProvider returns a new SAMLIdPServiceProvider based off a metadata object and SAMLIdPServiceProviderSpecV1.
NewServer creates an instance of Server.
NewServerInfo creates an instance of ServerInfo.
NewServerWithLabels is a convenience method to create ServerV2 with a specific map of labels.
NewSessionRecordingConfigFromConfigFile is a convenience method to create SessionRecordingConfigV2 labeled as originating from config file.
NewStaticTokens is a convenience wrapper to create a StaticTokens resource.
NewTeleportRoles returns a list of teleport roles from a slice of strings.
NewTraceDiagnosticConnection creates a new Connection Diagnostic Trace.
NewTrustedCluster is a convenience way to create a TrustedCluster resource.
NewTunnelConnection returns new connection from V2 spec.
NewUser creates new empty user.
NewUserGroup returns a new UserGroup.
NewUserToken creates an instance of UserToken.
NewUserTokenSecrets creates an instance of UserTokenSecrets.
NewWatchStatus returns a new WatchStatus resource.
NewWebSession returns new instance of the web session based on the V2 spec.
NewWebToken returns a new web token with the given expiration and spec.
NewWindowsDesktopServiceV3 creates a new WindowsDesktopServiceV3 resource.
NewWindowsDesktopV3 creates a new WindowsDesktopV3 resource.
OktaAssignmentStatusProtoToString will convert the Okta status known to protobuf into the internal notion of an Okta status.
OktaAssignmentStatusToProto will convert the internal notion of an Okta status into the Okta status message understood by protobuf.
ParseTeleportRoles takes a comma-separated list of roles and returns a slice of teleport roles, or an error if parsing failed.
ParseWeekday attempts to interpret a string as a time.Weekday.
ParseWeekdays attempts to parse a slice of strings representing week days.
ProcessNamespace returns the default namespace in case the namespace is empty.
ProtoResource153ToLegacy transforms an RFD 153 style resource implemented by a proto-generated struct into a legacy [Resource] type.
ProvisionTokensFromStatic converts static tokens to resource list.
ProvisionTokensToV1 converts provision tokens to V1 list.
RemoveCASecrets removes private (SSH, TLS, and JWT) keys from certificate authority.
Resource153ToLegacy transforms an RFD 153 style resource into a legacy [Resource] type.
Resource153ToResourceWithLabels wraps a [Resource153]-style resource in the legacy [Resource] and [ResourceWithLabels] interfaces.
Resource153ToUnifiedResource wraps an RFD153-style resource in a type that implements the legacy [ResourceWithLabels] interface and is suitable for use with the Teleport Unified Resources Cache.
ResourceDeviceEnrollStatusFromString converts a string representation of DeviceEnrollStatus suitable for resource fields to DeviceEnrollStatus.
ResourceDeviceEnrollStatusToString converts DeviceEnrollStatus to a string representation suitable for use in resource fields.
ResourceIDFromString parses a ResourceID from a string.
ResourceIDsFromString parses a list of resource IDs from a single string.
ResourceIDsFromStrings parses a list of ResourceIDs from a list of strings.
ResourceIDsToString marshals a list of ResourceIDs to a string.
ResourceIDToString marshals a ResourceID to a string.
ResourceOSTypeFromString converts a string representation of OSType suitable for resource fields to OSType.
ResourceOSTypeToString converts OSType to a string representation suitable for use in resource fields.
ServerInfoForServer returns a ServerInfo from a Server.
ServerInfoNameFromAWS gets the name of the ServerInfo that matches the node with the given AWS account ID and instance ID.
ServerInfoNameFromNodeName gets the name of the ServerInfo that matches the node with the given name.
SetRevision updates the revision if v supports the concept of revisions.
SortClusterAlerts applies the default cluster alert sorting, prioritizing elements by a combination of severity and creation time.
V2ToLabels converts concrete type to command label interface.
ValidateAssumeStartTime returns error if start time is in an invalid range.
ValidateDatabaseName returns an error if a given string is not a valid Database name.
ValidateGitHubOrganizationName returns an error if a given string is not a valid GitHub organization name.
ValidateJamfSpecV1 validates a [JamfSpecV1] instance.
ValidateKubeClusterName returns an error if a given string is not a valid KubeCluster name.
ValidateNamespaceDefault ensures that the namespace is the "default" namespace.
ValidateResourceName validates a resource name using a given regexp.
WithAlertCreated sets the alert's creation time.
WithAlertExpires sets the alert's expiry time.
WithAlertLabel constructs an alert with the specified label.
WithAlertSeverity sets the severity of an alert (defaults to MEDIUM).

# Constants

DEFAULT allows all requests to be viewed.
MY_REQUESTS will return only requests created by the requester.
NEEDS_REVIEW will return only requests that were not created by the requester and do not include a review made by the requester.
REVIEWED will return only requests that were not created by the requester and have a review submitted by the requester.
ActionRead grants read access (get, list).
ActionWrite allows to write (create, update, delete).
ADLabel is a resource metadata label name used to identify if resource is part of Active Directory.
AgentMesh requires agents to create a reverse tunnel to every proxy server.
AlertLicenseExpired is an internal label that indicates that the license has expired.
AlertLink is an internal label that indicates that an alert is a link.
AlertLinkText is a text that will be rendered by Web UI on the action button accompanying the alert.
AlertOnLogin is an internal label that indicates an alert should be displayed to users on login.
AlertPermitAll is an internal label that indicates that an alert is suitable for display to all users.
AlertSupersedes is an internal label used to indicate when one alert supersedes another.
AlertVerbPermit is an internal label that permits a user to view the alert if they hold a specific resource permission verb (e.g.
Allow is the set of conditions that allow access.
ApplicationProtocolHTTP is the HTTP (Web) apps protocol.
ApplicationProtocolTCP is the TCP apps protocol.
These represent the possible values for the kind field in session trackers.
AppTunnel is a tunnel where the application proxy dials back to the proxy.
AWSAccountIDLabel is used to identify nodes by AWS account ID found via automatic discovery, to avoid re-running installation commands on the node.
AWSAgentlessInstallerDocument is the name of the default AWS document that will be called when executing the SSM command.
AWSIC_CREDENTIALS_SOURCE_OIDC indicates that the Identity Center plugin will draw its credentials from a configured Teleport OIDC integration and authenticate with OIDC.
AWSIC_CREDENTIALS_SOURCE_SYSTEM indicates that the Identity Center plugin will rely on system-provided credentials.
AWSIC_CREDENTIALS_SOURCE_UNKNOWN is used when the credentials source is not specified.
DONE denotes that the group and group members import operation was completed.
FAILED denotes that the group and group members import met with an error.
UNSPECIFIED denotes that a status is unknown.
AWSInstallerDocument is the name of the default AWS document that will be called when executing the SSM command.
AWSInstanceIDLabel is used to identify nodes by EC2 instance ID found via automatic discovery, to avoid re-running installation commands on the node.
AWSInstanceRegion is used to identify the region an EC2 instance is running in.
AWSMatcherDocumentDB is the AWS matcher type for DocumentDB databases.
AWSMatcherEC2 is the AWS matcher type for EC2 instances.
AWSMatcherEKS is the AWS matcher type for AWS Kubernetes.
AWSMatcherElastiCache is the AWS matcher type for ElastiCache databases.
AWSMatcherMemoryDB is the AWS matcher type for MemoryDB databases.
AWSMatcherOpenSearch is the AWS matcher type for OpenSearch databases.
AWSMatcherRDS is the AWS matcher type for RDS databases.
AWSMatcherRDSProxy is the AWS matcher type for RDS Proxy databases.
AWSMatcherRedshift is the AWS matcher type for Redshift databases.
AWSMatcherRedshiftServerless is the AWS matcher type for Redshift Serverless databases.
AWSOIDCAgentLabel is a label that indicates that the service was deployed into ECS/Fargate using the AWS OIDC Integration.
AzureDatabaseNameOverrideLabel is the label key containing the database name override for discovered Azure databases.
AzureInviteTokenName is the name of the default token to use when templating the script to be executed on Azure.
AzureKubeClusterNameOverrideLabel is the label key containing the kubernetes cluster name override for discovered Azure kube clusters.
AzureMatcherKubernetes is the Azure matcher type for Azure Kubernetes.
AzureMatcherMySQL is the Azure matcher type for Azure MySQL databases.
AzureMatcherPostgres is the Azure matcher type for Azure Postgres databases.
AzureMatcherRedis is the Azure matcher type for Azure Cache for Redis databases.
AzureMatcherSQLServer is the Azure matcher type for SQL Server databases.
AzureMatcherVM is the Azure matcher type for Azure VMs.
BotGenerationLabel is a label used to record the certificate generation counter.
BotLabel is a label used to identify a resource used by a certificate renewal bot.
EXTENSION represents a cert extension that may or may not be honored by the server.
SSH is used when extending an ssh certificate.
CloudAWS identifies that a resource was discovered in AWS.
CloudAzure identifies that a resource was discovered in Azure.
CloudGCP identifies that a resource was discovered in GCP.
CloudHostnameTag is the name of the tag in a cloud instance used to override a node's hostname.
CloudLabel is used to identify the cloud where the resource was discovered.
FIPS_DISABLED explicitly disables FIPS support for AWS S3/Dynamo.
FIPS_ENABLED explicitly enables FIPS support for AWS S3/Dynamo.
FIPS_UNSET allows setting FIPS state for AWS S3/Dynamo using configuration files or environment variables.
ClusterLabel is a label that identifies the current cluster when creating resources on another system.
CONNECTIVITY is for network connectivity checks.
DATABASE_DB_NAME is used when checking whether the Database has the requested Database Name.
DATABASE_DB_USER is used when checking whether the Database has the requested Database User.
KUBE_PRINCIPAL is used when checking if the Kube Cluster has at least one user principal.
NODE_PRINCIPAL is used when checking if the Node has the requested principal.
RBAC_DATABASE is for RBAC checks to database access (db_labels).
RBAC_DATABASE_LOGIN is for RBAC checks to database login (db_name and db_user).
RBAC_KUBE is for RBAC checks to the kubernetes cluster.
RBAC_NODE is for RBAC checks for the node.
RBAC_PRINCIPAL is used when checking if the principal is allowed per RBAC rules.
UNKNOWN_ERROR is used when we don't know the error.
ConnectMyComputerNodeOwnerLabel is a label used to control access to the node managed by Teleport Connect as part of Connect My Computer.
DB_USER_MODE_BEST_EFFORT_DROP allows user creation and tries to drop user at session end.
DB_USER_MODE_KEEP allows user creation and disables users at session end.
DB_USER_MODE_OFF disables user creation.
Deprecated: Do not use.
HOST_USER_MODE_INSECURE_DROP enables host user creation without a home directory and deletes users at session end.
HOST_USER_MODE_KEEP enables host user creation and leaves users behind at session end.
HOST_USER_MODE_OFF disables host user creation.
CredPurposeOKTAAPITokenWithSCIMOnlyIntegration is used when okta integration was enabled without app groups sync.
DatabaseAdminDefaultDatabaseLabel is used to identify the database that the admin user logs into by default.
DatabaseAdminLabel is used to identify database admin user for auto-discovered databases.
DatabaseCA is a certificate authority used as a server CA in database access.
DatabaseClientCA is a certificate authority used as a client CA in database access.
DatabaseProtocolClickHouse is the ClickHouse database native write protocol.
DatabaseProtocolClickHouseHTTP is the ClickHouse database HTTP protocol.
DatabaseProtocolCockroachDB is the CockroachDB database protocol.
DatabaseProtocolMongoDB is the MongoDB database protocol.
DatabaseProtocolMySQL is the MySQL database protocol.
DatabaseProtocolPostgreSQL is the PostgreSQL database protocol.
These represent the possible values for the kind field in session trackers.
INSECURE accepts any certificate provided by server.
VERIFY_CA works the same as VERIFY_FULL, but it skips the hostname check.
VERIFY_FULL performs full certificate validation.
DatabaseTunnel is a tunnel where a database proxy dials back to the proxy.
DatabaseTypeAWSKeyspaces is AWS-hosted Keyspaces database (Cassandra).
DatabaseTypeAzure is Azure-hosted database.
DatabaseTypeCassandra is AWS-hosted Keyspace database.
DatabaseTypeCloudSQL is GCP-hosted Cloud SQL database.
DatabaseTypeDocumentDB is the database type for AWS-hosted DocumentDB.
DatabaseTypeDynamoDB is a DynamoDB database.
DatabaseTypeElastiCache is AWS-hosted ElastiCache database.
DatabaseTypeMemoryDB is AWS-hosted MemoryDB database.
DatabaseTypeMongoAtlas.
DatabaseTypeOpenSearch is AWS-hosted OpenSearch instance.
DatabaseTypeRDS is AWS-hosted RDS or Aurora database.
DatabaseTypeRDSProxy is an AWS-hosted RDS Proxy.
DatabaseTypeRedshift is AWS Redshift database.
DatabaseTypeRedshiftServerless is AWS Redshift Serverless database.
DatabaseTypeSelfHosted is the self-hosted type of database.
DatabaseTypeSpanner is a GCP Spanner instance.
DatadogCredentialAPIKey indicates that the credential is used as a Datadog API key.
DatadogCredentialApplicationKey indicates that the credential is used as a Datadog Application key.
DatadogCredentialLabel is used by Datadog-managed PluginStaticCredentials to indicate credential type.
DefaultAPIGroup is a default group of permissions API, lets us add different permission types.
DefaultInstallerScriptName is the name of the by default populated, EC2 installer script.
DefaultInstallerScriptNameAgentless is the name of the by default populated, EC2 installer script when agentless mode is enabled for a matcher.
DefaultReleaseServerAddr is the default release service URL.
Deny is the set of conditions that prevent access.
DiagnosticMessageFailed is the message used when the Connection failed.
DiagnosticMessageSuccess is the message used when the Connection was successful.
DiscoveredNameLabel is a resource metadata label name used to identify the discovered name of a resource, i.e.
DiscoveredResourceAgentlessNode identifies a discovered agentless SSH node.
DiscoveredResourceApp identifies a discovered Kubernetes App.
DiscoveredResourceDatabase identifies a discovered database.
DiscoveredResourceEICENode identifies a discovered AWS EC2 Instance using the EICE access method.
DiscoveredResourceKubernetes identifies a discovered kubernetes cluster.
DiscoveredResourceNode identifies a discovered SSH node.
DiscoveryAppIgnore specifies if a Kubernetes service should be ignored by discovery service.
DiscoveryAppInsecureSkipVerify specifies the TLS verification enforcement for a discovered app created from Kubernetes service.
DiscoveryAppNameLabel explicitly specifies the name of an app created from Kubernetes service.
DiscoveryAppRewriteLabel specifies rewrite rules for a discovered app created from Kubernetes service.
DiscoveryLabelAccountID is the label key containing AWS account ID.
DiscoveryLabelAWSArn is an internal label that contains AWS Arn of the resource.
DiscoveryLabelAzureReplicationRole is the replication role of an Azure DB Flexible server, e.g.
DiscoveryLabelAzureResourceGroup is the label key for the Azure resource group name.
DiscoveryLabelAzureSourceServer is the source server for replica Azure DB Flexible servers.
DiscoveryLabelAzureSubscriptionID is the label key for Azure subscription ID.
DiscoveryLabelEndpointType is the label key containing the endpoint type.
DiscoveryLabelEngine is the label key containing database engine name.
DiscoveryLabelEngineVersion is the label key containing database engine version.
DiscoveryLabelGCPLocation is the label key for GCP location.
DiscoveryLabelGCPProjectID is the label key for GCP project ID.
DiscoveryLabelLDAPPrefix is the prefix used when applying any custom labels per the discovery LDAP attribute labels configuration.
DiscoveryLabelNamespace is the label key for namespace name.
DiscoveryLabelRegion identifies a discovered cloud resource's region.
DiscoveryLabelStatus is the label key containing the database status, e.g.
DiscoveryLabelVPCID is the label key containing the VPC ID.
DiscoveryLabelWindowsComputerName is the name of an LDAP object.
DiscoveryLabelWindowsDNSHostName is the DNS hostname of an LDAP object.
DiscoveryLabelWindowsDomain is an Active Directory domain name.
DiscoveryLabelWindowsIsDomainController is whether an LDAP object is a domain controller.
DiscoveryLabelWindowsOS is the operating system of an LDAP object.
DiscoveryLabelWindowsOSVersion is the operating system version of an LDAP object.
DiscoveryLabelWindowsOU is an LDAP object's OU.
DiscoveryLabelWorkgroup is the label key for workgroup name.
DiscoveryPortLabel specifies preferred port for a discovered app created from Kubernetes service.
DiscoveryProtocolLabel specifies protocol for a discovered app created from Kubernetes service.
DiscoveryTypeLabel specifies type of discovered service that should be created from Kubernetes service.
EnterpriseReleaseEndpoint is the endpoint of Teleport Enterprise releases on the release server.
EntraDisplayNameLabel is the label for the display name of the object in the Entra ID directory.
ENTRAID_CREDENTIALS_SOURCE_OIDC indicates that the plugin will authenticate with Azure/Entra ID using OIDC.
ENTRAID_CREDENTIALS_SOURCE_SYSTEM_CREDENTIALS means the plugin will rely on system-provided credentials for authentication with Azure Entra ID, especially for clusters with no internet access.
ENTRAID_CREDENTIALS_SOURCE_UNKNOWN is used when the credentials source is not specified.
EntraSAMAccountNameLabel is the label for user's on-premises sAMAccountName.
EntraTenantIDLabel is the label for the Entra tenant ID.
EntraUniqueIDLabel is the label for the unique identifier of the object in the Entra ID directory.
EntraUPNLabel is the label for the user principal name in Entra ID.
EventOrderAscending is an ascending event order.
EventOrderDescending is a descending event order.
GCPInviteTokenName is the name of the default token to use when templating the script to be executed on GCP.
GCPKubeClusterNameOverrideLabel is the label key containing the kubernetes cluster name override for discovered GCP kube clusters.
GCPMatcherCompute is the GCP matcher for GCP VMs.
GCPMatcherKubernetes is the GCP matcher type for GCP kubernetes.
GitHubOrgLabel is the label for GitHub organization.
GitHubOrgServerDomain is the sub domain used in the hostname of a types.Server to indicate the GitHub organization of a Git server.
These represent the possible values for the kind field in session trackers.
authentication approved.
authentication denied.
authentication pending.
HomeEnvVar specifies the home location for tsh configuration and data.
HostCA identifies the key as a host certificate authority.
HostedPluginLabel defines the name for the hosted plugin label.
IAMInviteTokenName is the name of the default Teleport IAM token to use when templating the script to be executed.
IAM_POLICY_STATUS_FAILED represents a state where an error occurred while checking for IAM policy status, e.g. no AWS credentials provider found or the policy was misconfigured.
IAM_POLICY_STATUS_PENDING represents a state where iam policy status is pending to be checked.
IAM_POLICY_STATUS_SUCCESS represents a state where IAM policy was configured correctly.
IAM_POLICY_STATUS_UNSPECIFIED represents a zero value where nothing has been attempted yet.
InstallMethodAWSOIDCDeployServiceEnvVar is the env var used to detect if the agent was installed using the DeployService action of the AWS OIDC integration.
INSTALL_PARAM_ENROLL_MODE_EICE uses EC2 Instance Connect Endpoint to access the node and DiscoveryService handles the heartbeat.
INSTALL_PARAM_ENROLL_MODE_SCRIPT runs a script on the target host.
INSTALL_PARAM_ENROLL_MODE_UNSPECIFIED uses the EICE mode for EC2 Matchers with an Integration and SCRIPT mode otherwise.
IntegrationAWSOIDCAudience is the client id used to generate the JWT.
IntegrationAWSOIDCAudienceAWSIdentityCenter is an audience name for the Teleport AWS Identity Center plugin.
IntegrationAWSOIDCAudienceUnspecified denotes an empty audience value.
IntegrationAWSOIDCSubject identifies the system that is going to use the token as the Teleport Proxy.
IntegrationAWSOIDCSubject identifies the system that is going to use the token as the Teleport Auth service.
IntegrationLabel is a resource metadata label name used to identify the integration name that created the resource.
IntegrationSubKindAWSOIDC is an integration with AWS that uses OpenID Connect as an Identity Provider.
IntegrationSubKindAzureOIDC is an integration with Azure that uses OpenID Connect as an Identity Provider.
IntegrationSubKindGitHub is an integration with GitHub.
InternalResourceIDLabel is a label used to store an ID to correlate between two resources. A practical example of this is to create a correlation between a Node Provision Token and the Node that used that token to join the cluster.
JamfOnMissingDelete is the textual representation for the DELETE on_missing action.
JamfOnMissingNOOP is the textual representation for the NOOP on_missing action.
JoinMethodAzure indicates that the node will join with the Azure join method.
JoinMethodBitbucket indicates that the node will join using the Bitbucket join method.
JoinMethodCircleCI indicates that the node will join with the CircleCI join method.
JoinMethodEC2 indicates that the node will join with the EC2 join method.
JoinMethodGCP indicates that the node will join with the GCP join method.
JoinMethodGitHub indicates that the node will join with the GitHub join method.
JoinMethodGitLab indicates that the node will join with the GitLab join method.
JoinMethodIAM indicates that the node will join with the IAM join method.
JoinMethodKubernetes indicates that the node will join with the Kubernetes join method.
JoinMethodOracle indicates that the node will join using the Oracle join method.
JoinMethodSpacelift indicates the node will join with the SpaceLift join method.
JoinMethodTerraformCloud indicates that the node will join using the Terraform join method.
JoinMethodToken is the default join method, nodes join the cluster by presenting a secret token.
JoinMethodTPM indicates that the node will join with the TPM join method.
JWTClaimsRewriteNone includes neither traits nor roles in the JWT token.
JWTClaimsRewriteRoles includes only the roles in the JWT token.
JWTClaimsRewriteRolesAndTraits includes both roles and traits in the JWT token.
JWTClaimsRewriteTraits includes only the traits in the JWT token.
JWTSigner identifies type of certificate authority as JWT signer.
"app_server", KindAppServer.
"db_server", KindDatabaseServer.
"db_service", KindDatabaseService.
"kube_server", KindKubeServer.
"node", KindNode.
"windows_desktop_service", KindWindowsDesktopService.
KindAccessGraph is the RBAC kind for access graph.
KindAccessGraphSecretAuthorizedKey is an authorized key entry found in a Teleport SSH node type.
KindAccessGraphSecretPrivateKey is a private key entry found in a managed device.
KindAccessGraphSettings is a resource which holds cluster-wide configuration for dynamic access graph settings.
KindAccessList is an AccessList resource.
KindAccessListMember is an AccessListMember resource.
KindAccessListReview is an AccessListReview resource.
KindAccessMonitoringRule is an access monitoring rule resource.
KindAccessPluginData is a resource directive that applies only to plugin data associated with access requests.
KindAccessRequest is an AccessRequest resource.
KindApp is a web app resource.
KindAppOrSAMLIdPServiceProvider represent an App Server resource or a SAML IdP Service Provider (SAML Application) resource.
KindAppServer is an application server resource.
KindAppSession represents an application specific web session.
KindAuditQuery is an AuditQuery resource.
KindAuthConnector allows access to OIDC and SAML connectors.
KindAuthServer is auth server resource.
KindAutoUpdateAgentRollout is the resource that controls and tracks agent rollouts.
KindAutoUpdateConfig is the resource with autoupdate configuration.
KindAutoUpdateVersion is the resource with autoupdate versions.
KindBilling represents access to cloud billing features.
KindBot is a Machine ID bot resource.
KindBotInstance is an instance of a Machine ID bot.
KindCertAuthority is a certificate authority resource.
KindClusterAlert is a resource that conveys a cluster-level alert message.
KindClusterAuditConfig is the resource that holds cluster audit configuration.
KindClusterAuthPreference is the type of authentication for this cluster.
KindClusterConfig is the resource that holds cluster level configuration.
KindClusterMaintenanceConfig determines maintenance times for the cluster.
KindClusterName is a type of configuration resource that contains the cluster name.
KindClusterNetworkingConfig is the resource that holds cluster networking configuration.
KindConnectionDiagnostic is a resource that tracks the result of testing a connection.
KindConnectors is a shortcut for all authentication connectors.
KindContact is a resource that holds contact information for Teleport Enterprise customers.
KindCrownJewel is a crown jewel resource.
KindDatabase is a database resource.
KindDatabaseCertificate is a resource to control db CA cert generation.
KindDatabaseObject is a database object resource.
KindDatabaseObjectImportRule is a database object import rule resource.
KindDatabaseServer is a database proxy server resource.
KindDatabaseService is a database service resource.
KindDevice represents a registered or trusted device.
KindDiscoveryConfig is a DiscoveryConfig resource.
KindDownload represents Teleport binaries downloads.
KindDynamicWindowsDesktop is a dynamic Windows desktop host.
KindEvent is structured audit logging event.
KindExternalAuditStorage is the resource kind for External Audit Storage configuration.
KindGithub is Github connector resource.
KindGithubConnector is Github OAuth2 connector resource.
KindGithubRequest is Github auth request resource.
KindGitServer represents a Git server that can proxy git commands.
KindGlobalNotification is a global notification resource.
KindHeadlessAuthentication is a headless authentication resource.
KindHostCert is a host certificate.
KindIdentity is local on disk identity resource.
KindIdentityCenter is an umbrella kind, representing all KindIdentityCenter* resource kinds in RBAC checks.
KindIdentityCenterAccount describes an Identity-Center managed AWS Account.
KindIdentityCenterAccountAssignment describes an AWS Account and Permission Set pair that can be requested by a Teleport User.
KindIdentityCenterPermissionSet describes an AWS Identity Center Permission Set.
KindIdentityCenterPermissionSet describes an AWS Principal Assignment, representing a collection of Account Assignments assigned to a Teleport User or AccessList.
KindInstaller is a resource that holds a node installer script used to install teleport on discovered nodes.
KindInstance represents a teleport instance independent of any specific service.
KindIntegration is a connection to a 3rd party system API.
KindJWT is a JWT token signer.
KindKubeCertificateSigningRequest is a Certificate Signing Request resource type.
KindKubeClusterRole is a Kubernetes ClusterRole resource type.
KindKubeClusterRoleBinding is a Kubernetes Cluster Role Binding resource type.
KindKubeConfigMap is a Kubernetes Configmap resource type.
KindKubeCronjob is a Kubernetes Cronjob resource type.
KindKubeDaemonSet is a Kubernetes Daemonset resource type.
KindKubeDeployment is a Kubernetes Deployment resource type.
KindKubeIngress is a Kubernetes Ingress resource type.
KindKubeJob is a Kubernetes job resource type.
KindKubeNamespace is a Kubernetes namespace resource type.
KindKubeNode is a Kubernetes Node resource type.
KindKubePersistentVolume is a Kubernetes Persistent Volume resource type.
KindKubePersistentVolumeClaim is a Kubernetes Persistent Volume Claim resource type.
KindKubePod is a Kubernetes Pod resource type.
KindKubeReplicaSet is a Kubernetes Replicaset resource type.
KindKubernetesCluster is a Kubernetes cluster.
KindKubeRole is a Kubernetes Role resource type.
KindKubeRoleBinding is a Kubernetes Role Binding resource type.
KindKubeSecret is a Kubernetes Secret resource type.
KindKubeServer is a Kubernetes server resource.
KindKubeService is a Kubernetes Service resource type.
KindKubeServiceAccount is a Kubernetes Service Account resource type.
KindKubeStatefulset is a Kubernetes Statefulset resource type.
KindKubeWaitingContainer is a Kubernetes ephemeral container that is waiting to be created until moderated session conditions are met.
KindLicense is a license resource.
KindLock is a lock resource.
KindLoginRule is a login rule resource.
KindMFADevice is an MFA device for a user.
KindNamespace is a namespace.
KindNetworkRestrictions are restrictions for SSH sessions.
KindNode is node resource.
KindNotification is a notification resource.
KindOIDC is OIDC connector resource.
KindOIDCConnector is an OIDC connector resource.
KindOIDCRequest is OIDC auth request resource.
KindOktaAssignment is a set of actions to apply to Okta.
KindOktaImportRule is a rule for importing Okta objects.
KindPlugin represents a plugin instance.
KindPluginData is a PluginData resource.
KindPluginStaticCredentials represents plugin static credentials.
KindProvisioningPrincipalState is a resource that tracks provisioning of a user or access list in a downstream SCIM server.
KindProxy is proxy resource.
KindRecoveryCodes is a resource that holds users recovery codes.
KindRemoteCluster represents remote cluster connected via reverse tunnel to proxy.
KindReverseTunnel is a reverse tunnel connection.
KindRole is a role resource.
KindSAML is SAML connector resource.
KindSAMLConnector is a SAML connector resource.
KindSAMLIdPServiceProvider is a SAML service provider for the built in Teleport IdP.
KindSAMLIdPSession represents a SAML IdP session.
KindSAMLRequest is SAML auth request resource.
KindSecurityReport is a SecurityReport resource.
KindSecurityReportCostLimiter const limiter.
KindSecurityReportState is a SecurityReportState resource.
KindSemaphore is the resource that provides distributed semaphore functionality.
KindServerInfo contains info that should be applied to joining Nodes.
KindSession is a recorded SSH session.
KindSessionRecordingConfig is the resource for session recording configuration.
KindSessionTracker is a resource that tracks a live session.
KindSnowflakeSession represents a Snowflake specific web session.
KindSPIFFEFederation is a SPIFFE federation resource.
KindSSHSession represents an active SSH session in early versions of Teleport prior to the introduction of moderated sessions.
KindStableUNIXUser is the RBAC-only kind to refer to interactions with stable UNIX users.
KindState is local on disk process state.
KindStaticHostUser is a host user to be created on matching SSH nodes.
KindStaticTokens is a type of configuration resource that contains static tokens.
KindToken is a provisioning token resource.
KindTrustedCluster is a resource that contains trusted cluster configuration.
KindTunnelConnection specifies connection of a reverse tunnel to proxy.
KindUIConfig is a resource that holds configuration for the UI served by the proxy service.
KindUnifiedResource is a meta Kind that is used for the unified resource search present on the webUI and Connect.
KindUniqueNotificationIdentifier is a resource which tracks a unique identifier for a notification and is used to prevent duplicate notifications in certain cases.
KindUsageEvent is an external cluster usage event.
KindUser is a user resource.
KindUserGroup is an externally sourced user group.
KindUserLastSeenNotification is a resource which stores the timestamp of a user's last seen notification.
KindUserLoginState is a UserLoginState resource.
KindUserNotificationState is a resource which tracks whether a user has clicked on or dismissed a notification.
KindUserTask is a task representing an issue with some other resource.
KindUserToken is a user token used for various user related actions.
KindUserTokenSecrets is user token secrets.
KindVnetConfig is a resource which holds cluster-wide configuration for VNet.
KindWatchStatus is a kind for WatchStatus resource which contains information about a successful Watch request.
KindWebSession is a web session resource.
KindWebToken is a web token resource.
KindWindowsDesktop is a Windows desktop host.
KindWindowsDesktopService is a Windows desktop service resource.
KindWorkloadIdentity is the WorkloadIdentity resource.
KindWorkloadIdentityX509Revocation is the WorkloadIdentityX509Revocation resource.
KubernetesClusterLabel indicates name of the kubernetes cluster for auto-discovered services inside kubernetes.
KubernetesMatchersApp is app matcher type for Kubernetes services.
These represent the possible values for the kind field in session trackers.
KubeTunnel is a tunnel where the kubernetes service dials back to the proxy.
KubeVerbCreate is the Kubernetes verb for "create".
KubeVerbDelete is the Kubernetes verb for "delete".
KubeVerbDeleteCollection is the Kubernetes verb for "deletecollection".
KubeVerbExec is the Kubernetes verb for "pod/exec".
KubeVerbGet is the Kubernetes verb for "get".
KubeVerbList is the Kubernetes verb for "list".
KubeVerbPatch is the Kubernetes verb for "patch".
KubeVerbPortForward is the Kubernetes verb for "pod/portforward".
KubeVerbUpdate is the Kubernetes verb for "update".
KubeVerbWatch is the Kubernetes verb for "watch".
MetaNameAccessGraphSettings is the exact name of the singleton resource holding access graph settings.
MetaNameAutoUpdateAgentRollout is the name of the autoupdate agent rollout resource.
MetaNameAutoUpdateConfig is the name of a configuration resource for autoupdate config.
MetaNameAutoUpdateVersion is the name of a resource for autoupdate version.
MetaNameClusterAuditConfig is the exact name of the singleton resource holding cluster audit configuration.
MetaNameClusterAuthPreference is the type of authentication for this cluster.
MetaNameClusterMaintenanceConfig is the only allowed metadata.name value for the maintenance window singleton resource.
MetaNameClusterName is the name of a configuration resource for cluster name.
MetaNameClusterNetworkingConfig is the exact name of the singleton resource holding cluster networking configuration.
MetaNameExternalAuditStorageCluster is the exact name of the singleton resource holding External Audit Storage cluster configuration.
MetaNameExternalAuditStorageDraft is the exact name of the singleton resource holding External Audit Storage draft configuration.
MetaNameNetworkRestrictions is the exact name of the singleton resource for network restrictions.
MetaNameSessionRecordingConfig is the exact name of the singleton resource for session recording configuration.
MetaNameSessionTracker is the prefix of resources used to track live sessions.
MetaNameStaticTokens is the name of a configuration resource for static tokens.
MetaNameUIConfig is the exact name of the singleton resource holding proxy service UI configuration.
MetaNameWatchStatus is the name of a watch status resource.
MFA device is known to be configured using TOTP as the weakest form of MFA.
MFA device is known to be not configured.
Unable to tell whether the MFA device has been configured.
MFA device is known to be configured using WebAuthn as the weakest form of MFA.
NameLabelDiscovery is used to identify virtual machines by GCP VM name found via automatic discovery, to avoid re-running installation commands on the node.
NodeTunnel is a tunnel where the node connects to the proxy (dial back).
NotificationAccessListReviewDue0dSubKind is the subkind for a notification for an access list review due today.
NotificationAccessListReviewDue14dSubKind is the subkind for a notification for an access list review due in less than 14 days.
NotificationAccessListReviewDue3dSubKind is the subkind for a notification for an access list review due in less than 3 days.
NotificationAccessListReviewDue7dSubKind is the subkind for a notification for an access list review due in less than 7 days.
NotificationAccessListReviewOverdue3dSubKind is the subkind for a notification for an access list review overdue by 3 days.
NotificationAccessListReviewOverdue7dSubKind is the subkind for a notification for an access list review overdue by 7 days.
NotificationAccessRequestApprovedSubKind is the subkind for a notification for a user's access request being approved.
NotificationAccessRequestDeniedSubKind is the subkind for a notification for a user's access request being denied.
NotificationAccessRequestPendingSubKind is the subkind for a notification for an access request pending review.
NotificationAccessRequestPromotedSubKind is the subkind for a notification for a user's access request being promoted to an access list.
NotificationClickedLabel is the label which contains whether the notification has been clicked on by the user.
NotificationDefaultInformationalSubKind is the default subkind for an informational notification.
NotificationDefaultWarningSubKind is the default subkind for a warning notification.
NotificationIdentifierPrefixAccessListDueReminder0d is the prefix for unique notification identifiers for 0d (today) access list review reminders.
NotificationIdentifierPrefixAccessListDueReminder14d is the prefix for unique notification identifiers for 14d access list review reminders.
NotificationIdentifierPrefixAccessListDueReminder3d is the prefix for unique notification identifiers for 3d access list review reminders.
NotificationIdentifierPrefixAccessListDueReminder7d is the prefix for unique notification identifiers for 7d access list review reminders.
NotificationIdentifierPrefixAccessListDueReminder30d is the prefix for unique notification identifiers for 3d overdue access list review reminders.
NotificationIdentifierPrefixAccessListDueReminder30d is the prefix for unique notification identifiers for 7d overdue access list review reminders.
NotificationScope is the label which contains the scope of the notification, either "user" or "global".
NotificationTextContentLabel is the label which contains the text content of a user-created notification.
NotificationTitleLabel is the label which contains the title of the notification.
NotificationUserCreatedInformationalSubKind is the subkind for a user-created informational notification.
NotificationUserCreatedWarningSubKind is the subkind for a user-created warning notification.
OIDCIdPCA (OpenID Connect Identity Provider Certificate Authority) identifies the certificate authority that will be used by the OIDC Identity Provider.
OktaAppDescriptionLabel is the individual app description label.
OktaAppIDLabel is the label for the Okta application ID on appserver objects.
OktaAppNameLabel is the individual app name label.
FAILED indicates the action was not applied successfully.
PENDING indicates the action has not yet been applied.
PROCESSSING indicates that the assignment is being applied.
SUCCESSFUL indicates the action was applied successfully.
UNKNOWN indicates the status is not set.
APPLICATION indicates the target is an application.
GROUP indicates the target is a group.
UNKNOWN indicates the target is unknown.
OktaCA identifies the certificate authority that will be used by the integration with Okta.
OktaCredPurposeAuth indicates that the credential is intended for authenticating with the Okta REST API.
OktaCredPurposeLabel is used by Okta-managed PluginStaticCredentials to indicate their purpose.
OktaCredPurposeSCIMToken indicates that the credential is to be used for authenticating SCIM requests from the upstream organization.
OktaGroupDescriptionLabel is the individual group description label.
OktaGroupNameLabel is the individual group name label.
OktaOrgURLLabel is the label used by Okta-managed resources to indicate the upstream Okta organization that they come from.
OKTA_PLUGIN_SYNC_STATUS_CODE_ERROR indicates that the service is currently in an error state.
OKTA_PLUGIN_SYNC_STATUS_CODE_SUCCESS indicates that the service is running without error.
OKTA_PLUGIN_SYNC_STATUS_CODE_UNSPECIFIED is the status code zero value, indicating that the service has not yet reported a status code.
OktaRoleNameLabel is the human readable name for a role sourced from Okta.
OktaTunnel is a tunnel where the Okta service dials back to the proxy.
OktaUserSyncSourceSamlOrg indicates users are synchronized from the Okta organization (legacy).
OktaUserSyncSourceSamlApp indicates users are synchronized from Okta SAML app for the connector assignments.
OktaUserSyncSourceUnknown indicates the user sync source is not set.
OnSessionLeaveTerminate is a moderated sessions policy constant that pauses a session once the require policy is no longer fulfilled.
OnSessionLeaveTerminate is a moderated sessions policy constant that terminates a session once the require policy is no longer fulfilled.
OpDelete is returned for Delete events.
OpenSSHCA is a certificate authority used when connecting to agentless nodes.
OpGet is used for tracking, not present in the event stream.
OpInit is returned by the system whenever the system is initialized, init operation is always sent as a first event over the channel, so the client can verify that watch has been established.
OpInvalid is returned for invalid operations.
OpPut is returned for Put events.
OpUnreliable is used to indicate the event stream has become unreliable for maintaining an up-to-date view of the data.
OriginCloud is an origin value indicating that the resource was imported from a cloud provider.
OriginConfigFile is an origin value indicating that the resource is derived from static configuration.
OriginDefaults is an origin value indicating that the resource was constructed as a default value.
OriginDiscoveryKubernetes indicates that the resource was imported from kubernetes cluster by discovery service.
OriginDynamic is an origin value indicating that the resource was committed as dynamic configuration.
OriginEntraID indicates that the resource was imported from the Entra ID directory.
OriginIntegrationAWSOIDC is an origin value indicating that the resource was created from the AWS OIDC Integration.
OriginKubernetes is an origin value indicating that the resource was created from the Kubernetes Operator.
OriginLabel is a resource metadata label name used to identify a source that the resource originates from.
OriginOkta is an origin value indicating that the resource was created from the Okta service.
PackageNameEnt is the teleport package name for the Enterprise version.
PackageNameEntFIPS is the teleport package name for the Enterprise with FIPS enabled version.
PackageNameOSS is the teleport package name for the OSS version.
Password is known to be configured.
Password is known to be not configured.
Unable to tell whether the password has been configured.
PluginGenerationLabel is the label for the current generation of the plugin.
OTHER_ERROR indicates that an otherwise-unspecified error has been encountered.
RUNNING means the plugin reports running successfully.
SLACK_NOT_IN_CHANNEL is a Slack-specific status code that indicates that the bot has not been invited to a channel that it is configured to post in.
UNAUTHORIZED indicates that plugin is not able to authenticate to the 3rd party API.
UNKNOWN is the default value when the plugin has not reported its status yet.
PluginSubkindAccess represents access request plugins collectively.
PluginSubkindAccessGraph represents access graph plugins collectively.
PluginSubkindMDM represents MDM plugins collectively.
PluginSubkindProvisioning represents plugins that create and manage Teleport users and/or other resources from an external source.
PluginSubkindUnknown is returned when no plugin subkind matches.
PluginTypeAWSIdentityCenter indicates AWS Identity Center plugin.
PluginTypeDatadog indicates the Datadog Incident Management plugin.
PluginTypeDiscord indicates the Discord access plugin.
PluginTypeEmail indicates an Email Access Request plugin.
PluginTypeEntraID indicates the Entra ID sync plugin.
PluginTypeGitlab indicates the Gitlab access plugin.
PluginTypeJamf is the Jamf MDM plugin.
PluginTypeJira is the Jira access plugin.
PluginTypeMattermost is the Mattermost access plugin.
PluginTypeMSTeams indicates a Microsoft Teams integration.
PluginTypeNetIQ indicates a NetIQ integration.
PluginTypeOkta is the Okta plugin.
PluginTypeOpenAI is the OpenAI plugin.
PluginTypeOpsgenie is the Opsgenie access request plugin.
PluginTypePagerDuty is the PagerDuty access plugin.
PluginTypeSCIM indicates a generic SCIM integration.
PluginTypeServiceNow is the Servicenow access request plugin.
PluginTypeSlack is the Slack access request plugin.
PluginTypeUnknown is returned when no plugin type matches.
PresetResource are resources that will be created if they don't exist.
AWS_KMS is a private key backed by AWS KMS.
GCP_KMS is a private key backed by GCP KMS.
PKCS11 is a private key backed by a PKCS11 device such as HSM.
RAW is a plaintext private key.
ProjectIDLabel is used to identify the project ID for a virtual machine in GCP.
ProjectIDLabelDiscovery is used to identify virtual machines by GCP project id found via automatic discovery, to avoid re-running installation commands on the node.
ProxyGroupGenerationLabel is the internal-use label for proxy heartbeats that's used by reverse tunnel agents to know which proxies in each proxy group they should attempt to be connected to.
ProxyGroupIDLabel is the internal-use label for proxy heartbeats that's used by reverse tunnel agents to keep track of multiple independent sets of proxies in proxy peering mode.
Multiplex is the proxy listener mode indicating the proxy should use multiplex mode where all proxy services are multiplexed on a single proxy port.
Separate is the proxy listener mode indicating that proxies are running in separate listener mode where Teleport Proxy services use different listeners.
ProxyPeering requires agents to create a reverse tunnel to a configured number of proxy servers and enables proxy to proxy communication.
ProxyTunnel is a tunnel where a proxy connects to the proxy (trusted cluster).
RecordAtNode is the default.
RecordAtNodeSync enables the nodes to stream sessions in sync mode to the auth server.
RecordAtProxy enables the recording proxy which intercepts and records all sessions.
RecordAtProxySync enables the recording proxy which intercepts and records all sessions, streams the records synchronously.
RecordOff is used to disable session recording completely.
RegionLabel is used to identify virtual machines by region found via automatic discovery, to avoid re-running installation commands on the node.
ReleaseServerEnvVar is the environment variable used to overwrite the default release server address.
ReqAnnotationApproveSchedulesLabel is the request annotation key at which schedules are stored for access plugins.
ReqAnnotationNotifySchedulesLabel is the request annotation key at which notify schedules are stored for access plugins.
ReqAnnotationTeamsLabel is the request annotation key at which teams are stored for access plugins.
RequestReasonModeRequired indicates optional mode.
RequestReasonModeRequired indicates required mode.
APPROVED variant indicates that a request has been accepted by an administrating party.
DENIED variant indicates that a request has been rejected by an administrating party.
NONE variant exists to allow RequestState to be explicitly omitted in certain circumstances (e.g.
PENDING variant is the default for newly created requests.
PROMOTED variant indicates that a request has been promoted to an access list.
RequestStrategyAlways indicates that client implementations should automatically generate wildcard requests on login, but that reasons are not required.
RequestStrategyOptional is the default request strategy, indicating that no special actions/requirements exist.
RequestStrategyReason indicates that client implementations should automatically generate wildcard requests on login, and users should be prompted for a reason.
HARDWARE_KEY_PIN means login sessions must use a hardware private key that requires pin to be used.
HARDWARE_KEY_TOUCH means login sessions must use a hardware private key that requires touch to be used.
HARDWARE_KEY_TOUCH_AND_PIN means login sessions must use a hardware private key that requires touch and pin to be used.
OFF means additional MFA enforcement is not enabled.
SESSION means MFA is required to begin server sessions.
SESSION_AND_HARDWARE_KEY means MFA is required to begin server sessions, and login sessions must use a private key backed by a hardware key.
RequireMFATypeHardwareKeyPINString is the string representation of RequireMFATypeHardwareKeyPIN.
RequireMFATypeHardwareKeyString is the string representation of RequireMFATypeHardwareKey.
RequireMFATypeHardwareKeyTouchAndPINString is the string representation of RequireMFATypeHardwareKeyTouchAndPIN.
RequireMFATypeHardwareKeyTouchString is the string representation of RequireMFATypeHardwareKeyTouch.
ResourceGroupLabel is used to identify virtual machines by resource-group found via automatic discovery, to avoid re-running installation commands on the node.
ResourceKind refers to a resource field named "kind".
ResourceMetadataName refers to a resource metadata field named "name".
ResourceSpecAddr refers to a resource spec field named "address".
ResourceSpecDescription refers to a resource spec field named "description".
ResourceSpecHostname refers to a resource spec field named "hostname".
ResourceSpecPublicAddr refers to a resource field named "address".
ResourceSpecType refers to a resource field named "type".
RoleAccessGraphPlugin is a role for Access Graph plugins to access Teleport's internal API and access graph.
RoleAdmin is admin role.
RoleApp is a role for an app proxy in the cluster.
RoleAuth is for teleport auth server (authority, authentication and authorization).
RoleBot is a role for a bot.
RoleDatabase is a role for a database proxy in the cluster.
RoleDiscovery is a role for discovery nodes in the cluster.
RoleInstance is a role implicitly held by teleport servers (i.e.
RoleKube is a role for a kubernetes service.
RoleMDM is the role for MDM services in the cluster.
RoleNode is a role for SSH node in the cluster.
RoleNop is used for actions that are already using external authz mechanisms e.g.
RoleOkta is a role for Okta nodes in the cluster.
RoleProvisionToken is a role for nodes authenticated using provisioning tokens.
RoleProxy is a role for SSH proxy in the cluster.
RoleRemoteProxy is a role for remote SSH proxy in the cluster.
RoleSignup is for first time signing up users.
RoleTrustedCluster is a role needed for tokens used to add trusted clusters.
RoleWindowsDesktop is a role for a Windows desktop service.
RotationModeAuto is set to go through all phases by the schedule.
RotationModeManual is a manual rotation mode when all phases are set by the operator.
RotationPhaseInit is a phase of the rotation when a new certificate authority is issued but not used. It is necessary for remote trusted clusters to fetch the new certificate authority, otherwise the new clients will reject it.
RotationPhaseRollback means that rotation is rolling back to the old certificate authority.
RotationPhaseStandby is the initial phase of the rotation; it means no operations have started.
RotationPhaseUpdateClients is a phase of the rotation when client credentials will have to be updated and reloaded but servers will use and respond with old credentials because clients have no idea about new credentials at first.
RotationPhaseUpdateServers is a phase of the rotation when servers will have to reload and should start serving TLS and SSH certificates signed by new CA.
RotationStateInProgress means that rotation is in progress.
RotationStateStandby is the initial status of the rotation: nothing is being rotated.
MostRecent routes to the most recently heartbeated node if duplicates are present.
UnambiguousMatch only routes to distinct nodes.
SAMLAuthnContextPublicKeyX509ClassRef is a Public Key X.509 reference authentication standard.
SAMLBasicNameFormat is an attribute name format that specifies a simple string value.
SAMLBearerMethod is a subject confirmation method, which tells the service provider that the user in the context of authentication (the bearer of SAML assertion) lays claim to the SAML assertion value.
SAMLEduPersonAffiliationFriendlyName is used to reference groups associated with a user as defined in OID-info db - http://www.oid-info.com/cgi-bin/display?oid=urn%3Aoid%3A1.3.6.1.4.1.5923.1.1.1.1&a=display.
SAMLEduPersonAffiliationName is a URN value of EduPersonAffiliationFriendlyName.
SAMLEmailAddressNameIDFormat is a Name ID format of email address type as specified in IETF RFC 2822 [RFC 2822] Section 3.4.1.
SAMLEntityNameIDFormat is a Name ID format for SAML IdP Entity ID value.
NO re-authentication should not be forced for existing SAML sessions.
UNSPECIFIED is treated as the default value for the context; NO for login, YES for MFA checks.
YES re-authentication should be forced for existing SAML sessions.
SAMLIDPCA identifies the certificate authority that will be used by the SAML identity provider.
SAMLKerberosPrincipalNameNameNameIDFormat is a Name ID format of Kerberos Principal Name whose syntax is "name[/instance]@REALM".
SAMLPersistentNameIDFormat is a Name ID format whose value is to be treated as a persistent user identifier by the service provider.
SAMLStringType is a string value type.
SAMLSubjectIDName is a general purpose subject identifier as defined in SAML Subject Identifier Attributes - http://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/csprd03/saml-subject-id-attr-v1.0-csprd03.pdf.
SAMLTransientNameIDFormat is a Name ID format whose value is to be treated as a temporary value by the service provider.
SAMLUIDFriendlyName is a user friendly name with a userid format as defined in OID-info db - http://www.oid-info.com/cgi-bin/display?oid=urn%3Aoid%3A0.9.2342.19200300.100.1.1&a=display.
SAMLUIDName is a URN value of UIDFriendlyName.
SAMLUnspecifiedNameFormat is an attribute name format for names that do not fall into the Basic or URI category.
SAMLUnspecifiedNameIDFormat is a Name ID format of unknown type and it is up to the service provider to interpret the format of the value.
SAMLURINameFormat is an attribute name format that follows the convention for URI references [RFC 2396].
SAMLWindowsDomainQualifiedNameNameIDFormat is a Name ID format of Windows Domain Qualified Name whose syntax is "DomainName\UserName".
SAMLX509SubjectNameNameIDFormat is a Name ID format of the X.509 certificate subject name which is used in XML Signature Recommendation (XMLSig).
SCIMBaseURLLabel defines a label indicating the base URL for interacting with a plugin via SCIM.
SECOND_FACTOR_TYPE_OTP is OTP second factor.
SECOND_FACTOR_TYPE_SSO is SSO second factor.
SECOND_FACTOR_TYPE_WEBAUTHN is WebAuthn second factor.
SemaphoreKindAccessListReminderLimiter is the semaphore kind used by the periodic check which creates access list reminder notifications.
SemaphoreKindAccessMonitoringLimiter is the semaphore kind used by the Access Monitoring feature during handling user queries.
SemaphoreKindConnection is the semaphore kind used by the Concurrent Session Control feature to limit concurrent connections (corresponds to the `max_connections` role option).
SemaphoreKindHostUserModification is the semaphore kind used to limit the number of operations that can occur on a unix user to one at a time.
SemaphoreKindKubernetesConnection is the semaphore kind used by the Concurrent Session Control feature to limit concurrent connections for Kubernetes (corresponds to the `max_kubernetes_connections` role option).
SemaphoreKindUploadCompleter is the semaphore kind used by the auth server's upload completer to protect access to the shared session recordings backend.
Pending variant represents a session that is waiting on participants to fulfill the criteria to start the session.
Running variant represents a session that has had its criteria for starting fulfilled at least once and has transitioned to a RUNNING state.
Terminated variant represents a session that is no longer running and due for removal.
SIGNATURE_ALGORITHM_SUITE_BALANCED_V1 aims to strike a balance between security, compatibility, and performance.
SIGNATURE_ALGORITHM_SUITE_FIPS_V1 is tailored for FIPS compliance.
SIGNATURE_ALGORITHM_SUITE_HSM_V1 is tailored for clusters using an HSM or KMS service to back CA private material.
SIGNATURE_ALGORITHM_SUITE_LEGACY is the original algorithm suite used in Teleport; it almost exclusively uses 2048-bit RSA.
SIGNATURE_ALGORITHM_SUITE_UNSPECIFIED represents an unspecified signature algorithm suite.
SPIFFECA identifies the certificate authority that will be used by the SPIFFE Workload Identity provider functionality.
SSHDConfigPath is the path to the sshd config file to modify when using the agentless installer.
SSHSessionKind is the kind used for session tracking with the session_tracker resource used in Teleport 9+.
SubKindCloudInfo is a ServerInfo that was created by the Discovery service to match with a single discovered instance.
SubKindGitHub specifies the GitHub subkind of a Git server.
SubKindOpenSSHEICENode is a registered OpenSSH (agentless) node that doesn't require trust in Teleport CA.
SubKindOpenSSHNode is a registered OpenSSH (agentless) node.
SubKindTeleportNode is a Teleport node.
SubscriptionIDLabel is used to identify virtual machines by Azure subscription ID found via automatic discovery, to avoid re-running installation commands on the node.
SystemResource are resources that will be automatically created and overwritten on startup.
TeleportAzureMSIEndpoint is a special URL intercepted by TSH local proxy, serving Azure credentials.
TeleportDowngradedLabel identifies resources that have been automatically downgraded before being returned to clients on older versions that do not support one or more features enabled in that resource.
TeleportDropGroup is a default group that users of the teleport automated user provisioning system get added to when provisioned in INSECURE_DROP mode.
TeleportDynamicLabelPrefix is the prefix used by labels that can change over time and should not be used as part of a role's deny rules.
TeleportHiddenLabelPrefix is the prefix used by all user specified hidden labels.
TeleportInternalDiscoveryConfigName is the label used to store the name of the discovery config whose matchers originated the resource.
TeleportInternalDiscoveryGroupName is the label used to store the name of the discovery group that the discovered resource is owned by.
TeleportInternalDiscoveryIntegrationName is the label used to store the name of the integration whose credentials were used to discover the resource.
TeleportInternalLabelPrefix is the prefix used by all Teleport internal labels.
TeleportInternalResourceType indicates the type of internal Teleport resource a resource is.
TeleportKeepGroup is a default group that users of the teleport automated user provisioning system get added to when provisioned in KEEP mode.
TeleportNamespace is used as the namespace prefix for labels defined by Teleport which can carry metadata such as cloud AWS account or instance.
TeleportResourceRevision marks a teleport-managed resource with a revision number to aid future migrations.
TeleportStaticGroup is a default group that static host users get added to.
True holds "true" string value.
Trusted device not required.
Trusted device required by either cluster mode or user roles.
Device requirement not determined.
These represent the possible values for the kind field in session trackers.
UnstableProxyPeerQUICLabel is the internal-use label for proxy heartbeats that's used to signal that the proxy supports receiving proxy peering connections over QUIC.
UpgraderKindKubeController is a short name used to identify the kube-controller-based external upgrader variant.
UpgraderKindSystemdUnit is a short name used to identify the systemd-unit-based external upgrader variant.
UpgraderKindTeleportUpdate is a short name used to identify the teleport-update external upgrader variant.
UserCA identifies the key as a user certificate authority.
USER_TOKEN_RECOVER_MFA is a request to recover a MFA.
USER_TOKEN_RECOVER_PASSWORD is a request to recover password.
USER_TOKEN_RENEWAL_BOT is a request to generate certificates for a bot user.
Default value that implies token usage was not set.
UserTypeLocal identifies a user that was created in Teleport itself and has no connection to an external identity.
UserTypeSSO identifies a user that was created from an SSO provider.
V1 is the first version of resources.
V2 is the second version of resources.
V3 is the third version of resources.
V4 is the fourth version of resources.
V5 is the fifth version of resources.
V6 is the sixth version of resources.
V7 is the seventh version of resources.
VerbCreate is used to create an object.
VerbCreateEnrollToken allows the creation of device enrollment tokens.
VerbDelete is used to remove an object.
VerbEnroll allows enrollment of trusted devices.
VerbList is used to list all objects.
VerbRead is used to read a single object.
VerbReadNoSecrets is used to read a single object without secrets.
VerbRotate is used to rotate certificate authorities used only internally.
VerbUpdate is used to update an object.
VerbUse allows the usage of an Integration.
VMIDLabel is used to identify virtual machines by ID found via automatic discovery, to avoid re-running installation commands on the node.
Wildcard is a special wildcard character matching everything.
These represent the possible values for the kind field in session trackers.
WindowsDesktopTunnel is a tunnel where the Windows desktop service dials back to the proxy.
ZoneLabelDiscovery is used to identify virtual machines by GCP zone found via automatic discovery, to avoid re-running installation commands on the node.

# Variables

AllPluginTypes is a list of all plugins known to Teleport.
AWSDatabaseNameOverrideLabels are the label keys that Teleport supports to override the database name of discovered AWS databases.
AWSKubeClusterNameOverrideLabels are the label keys that Teleport supports to override the kubernetes cluster name of discovered AWS kube clusters.
BackSortedLabelPrefixes are label names that we want to always be at the end of the sorted labels list to reduce visual clutter.
CertAuthTypes lists all certificate authority types.
ErrDuplicateAttributeName is returned when attribute mapping declares two or more attributes with the same name.
ErrMissingEntityDescriptorAndACSURL is returned when both entity descriptor and ACS URL are empty.
ErrMissingEntityDescriptorAndEntityID is returned when both entity descriptor and entity ID are empty.
ErrPassswordlessLoginBySSOUser is issued if an SSO user tries to log in using passwordless.
ErrPasswordlessDisabledBySettings is issued if a passwordless challenge is requested but passwordless is disabled by cluster settings.
ErrPasswordlessRequiresWebauthn is issued if a passwordless challenge is requested but WebAuthn isn't enabled.
JamfOnMissingActions is a slice of all textual on_missing representations, excluding the empty string.
KubernetesClusterWideResourceKinds is the list of supported Kubernetes cluster resource kinds that are not namespaced.
KubernetesResourcesKinds lists the supported Kubernetes resource kinds.
KubernetesVerbs lists the supported Kubernetes verbs.
LabelMatcherKinds is the complete list of resource kinds that support label matchers.
OriginValues lists all possible origin values.
PackageNameKinds is the list of valid teleport package names.
RequestableResourceKinds lists all Teleport resource kinds users can request access to.
RequireAWSIAMRolesAsUsersMatchers is a list of the AWS databases that require AWS IAM roles as database users.
RotatePhases lists all supported rotation phases.
SessionRecordingModes lists all possible session recording modes.
SupportedAWSDatabaseMatchers is a list of the AWS databases currently supported by the Teleport discovery service.
SupportedAWSMatchers is a list of AWS services currently supported by the Teleport discovery service.
SupportedAzureMatchers is a list of Azure services currently supported by the Teleport discovery service.
SupportedGCPMatchers is a list of GCP services currently supported by the Teleport discovery service.
SupportedKubernetesMatchers is a list of Kubernetes matchers supported by Teleport discovery service.
WebSessionSubKinds lists subkinds of web session resources.

# Structs

AccessCapabilities is a summary of capabilities that a user is granted via their dynamic access privileges which may not be calculable by directly examining the user's own static roles.
AccessCapabilitiesRequest encodes parameters for the GetAccessCapabilities method.
AccessGraphAWSSync is a configuration for AWS Access Graph service poll service.
AccessGraphAzureSync is a configuration for Azure Access Graph service poll service.
AccessGraphSync is a configuration for Access Graph service.
AccessRequestAllowedPromotion describes an allowed promotion to an Access List.
AccessRequestAllowedPromotions describes a valid promotion from an access request to an access list.
AccessRequestConditions is a matcher for allow/deny restrictions on access-requests.
AccessRequestConditionsReason defines settings for the reason for the access provided by the user.
AccessRequestFilter encodes filter params for Access Requests.
AccessRequestSpec is the specification for AccessRequest.
AccessRequestUpdate encompasses the parameters of a SetAccessRequestState call.
AccessRequest represents an Access Request resource specification.
AccessReview is a review to be applied to an Access Request.
AccessReviewConditions is a matcher for allow/deny restrictions on access reviews.
AccessReviewSubmission encodes the necessary parameters for submitting a new access review.
AccessReviewThreshold describes a filter used to match access reviews, as well as approval/denial counts which trigger state-transitions.
AcquireSemaphoreRequest holds semaphore lease acquisition parameters.
AD contains Active Directory specific database configuration.
AddressCondition represents a set of addresses.
AgentMeshTunnelStrategy requires reverse tunnels to dial every proxy.
AgentUpgradeSchedule is the canonical representation of upcoming agent upgrade windows as generated by the AgentUpgradeWindow config object.
AgentUpgradeWindow is the config object used to determine upcoming agent upgrade windows.
AlertAcknowledgement marks a cluster alert as having been "acknowledged".
AppAWS contains additional options for AWS applications.
AppIdentityCenter encapsulates information about an AWS Identity Center account application.
AppServerOrSAMLIdPServiceProviderV1 holds either an AppServerV3 or a SAMLIdPServiceProviderV1 resource (never both).
AppServerSpecV3 is the app access server spec.
AppServerV3 represents a single proxied web app.
AppSpecV3 is the AppV3 resource spec.
AppV3 represents an app resource.
AppV3List represents a list of app resources.
Asset represents a release asset.
AssumeRole provides a role ARN and ExternalID to assume an AWS role when interacting with AWS resources.
AsymmetricKeyPair is a combination of a public certificate and private key that can be used for encryption and signing.
AttributeMapping maps a SAML attribute statement to teleport roles.
AuthPreferenceSpecV2 is the actual data we care about for AuthPreference.
AuthPreferenceV2 implements the AuthPreference interface.
AWS contains AWS metadata about the database.
AWSICGroupImportStatus defines Identity Center group and group members import status.
AWSICProvisioningSpec holds provisioning-specific Identity Center settings.
AWSICResourceFilter is an entry in the AWS IC plugin settings' allow-list of resources to import.
UserSyncFilter is a map of key-value pairs used to filter users based on their metadata labels.
AWSInfo contains attributes to match to an EC2 instance.
AWSMatcher matches AWS EC2 instances and AWS Databases.
AWSOIDCIntegrationSpecV1 contains the spec properties for the AWS OIDC SubKind Integration.
AWSSSM provides options to use when executing SSM documents.
Azure contains Azure specific database metadata.
AzureInstallerParams is the set of Azure-specific installation parameters.
AzureMatcher matches Azure resources.
AzureOIDCIntegrationSpecV1 contains the spec properties for the Azure OIDC SubKind Integration.
AzureRedis contains Azure Cache for Redis specific database metadata.
BoolOption is a wrapper around bool that can take multiple values: true, false and non-set (when pointer is nil), and can marshal itself to the protobuf equivalent BoolValue.
BoolValue is a wrapper around bool, used in cases where a bool value can have a different default value when missing.
CAKeySet is the set of CA keys.
CertAuthID - id of certificate authority (its type and domain name).
CertAuthoritySpecV2 is a host or user certificate authority that can check and, if it has a private key stored as well, sign it too.
CertAuthorityV2 is version 2 resource spec for Cert Authority.
CertExtension represents a key/value for a certificate extension.
ClaimMapping maps a claim to teleport roles.
CloudMetadata contains info about the cloud instance a server is running on, if any.
ClusterAlert is a cluster-level alert message.
ClusterAlertSpec is a cluster alert specification.
ClusterAuditConfigSpecV2 is the actual data we care about for ClusterAuditConfig.
ClusterAuditConfigV2 represents audit log settings in the cluster.
ClusterMaintenanceConfigSpecV1 encodes the parameters of the upgrade window config object.
ClusterMaintenanceConfigV1 is a config singleton used to configure infrequent cluster maintenance operations.
ClusterNameSpecV2 is the actual data we care about for ClusterName.
ClusterNameV2 implements the ClusterName interface.
ClusterNetworkingConfigSpecV2 is the actual data we care about for ClusterNetworkingConfig.
ClusterNetworkingConfigV2 contains cluster-wide networking configuration.
CommandLabelV2 is a label that has a value as a result of the output generated by running command, e.g.
ConnectionDiagnosticSpecV1 is the ConnectionDiagnostic Spec.
ConnectionDiagnosticTrace describes a trace of a connection diagnostic.
ConnectionDiagnosticV1 is the result of testing a connection.
ConnectorRef holds information about OIDC connector.
CORSPolicy defines the CORS policy for AppSpecV3.
CreatedBy holds information about the person or agent who created the user.
CreateSAMLIdPSessionRequest contains the parameters needed to request creating a SAML IdP session.
CreateSnowflakeSessionRequest contains the parameters needed to request creating a Snowflake web session.
CreateUserParams represents the user creation parameters as called during SSO login flow.
DatabaseAdminUser contains information about privileged database user used for automatic user provisioning.
DatabasePermission specifies the database object permission for the user.
DatabaseResourceMatcher is a set of properties that is used to match on resources.
DatabaseServerSpecV3 is the database server spec.
DatabaseServerV3 represents a database access server.
DatabaseServiceSpecV1 is the DatabaseService Spec.
DatabaseServiceV1 is the representation of a DatabaseService (agent) process.
DatabaseSpecV3 is the database spec.
DatabaseStatusV3 contains runtime information about the database.
DatabaseTLS contains TLS configuration options.
DatabaseV3 represents a single proxied database.
DatabaseV3List represents a list of databases.
DeleteAppSessionRequest are the parameters used to request removal of an application web session.
DeleteSAMLIdPSessionRequest are the parameters used to request removal of a SAML IdP session.
DeleteSnowflakeSessionRequest are the parameters used to request removal of a Snowflake web session.
DeleteWebSessionRequest describes a request to delete a web session.
DeleteWebTokenRequest describes a request to delete a web token.
DeviceCollectedData is the resource representation of teleport.devicetrust.v1.DeviceCollectedData.
DeviceCredential is the resource representation of teleport.devicetrust.v1.DeviceCredential.
DeviceProfile is the resource representation of teleport.devicetrust.v1.DeviceProfile.
DeviceSource is the resource representation of teleport.devicetrust.v1.DeviceSource.
DeviceSpec is a device specification.
DeviceTrust holds settings related to trusted device verification.
DeviceV1 is the resource representation of teleport.devicetrust.v1.Device.
Web-focused view of teleport.devicetrust.v1.DeviceWebToken.
Defines a set of discord channel IDs.
DocumentDB contains AWS DocumentDB specific metadata.
DynamicWindowsDesktopSpecV1 is the dynamic windows host spec.
DynamicWindowsDesktopV1 represents a dynamic windows host for desktop access.
ElastiCache contains AWS ElastiCache Redis specific metadata.
EnrichedResource is a [ResourceWithLabels] wrapped with additional user-specific information.
EntitlementInfo is the state and limits of a particular entitlement. Example for feature X: { Enabled: true, Limit: 0 } => unlimited access to feature X; { Enabled: true, Limit: >0 } => limited access to feature X; { Enabled: false, Limit: >=0 } => no access to feature X.
Event represents an event that happened in the backend.
ExternalIdentity is an OpenID Connect/SAML or Github identity that is linked to a particular user and connector and lets the user log in using external credentials, e.g.
GCPCloudSQL contains parameters specific to GCP Cloud SQL databases.
GCPMatcher matches GCP resources.
GenerateAppTokenRequest are the parameters used to generate an application token.
GenerateSnowflakeJWT are the parameters used to generate a Snowflake JWT.
GetAppSessionRequest contains the parameters to request an application web session.
GetClusterAlertsRequest matches cluster alerts.
GetSAMLIdPSessionRequest contains the parameters to request a SAML IdP session.
GetSnowflakeSessionRequest contains the parameters to request a Snowflake web session.
GetWebSessionRequest describes a request to query a web session.
GetWebTokenRequest describes a request to query a web token.
GithubAuthRequest is the request to start Github OAuth2 flow.
GithubClaims represents Github user information obtained during OAuth2 flow.
GithubConnectorSpecV3 is a Github connector specification.
GithubConnectorV3 represents a Github connector.
GithubConnectorV3List is a list of Github connectors.
GitHubIntegrationSpecV1 contains the specific fields to handle the GitHub integration subkind.
GitHubPermission defines GitHub integration related permissions.
GitHubServerMetadata contains info about GitHub proxies where each server represents a GitHub organization.
GithubTokenInfo stores diagnostic info about Github OAuth2 token obtained during SSO flow.
HardwareKey holds settings related to hardware key support.
Header represents a single http header passed over to the proxied application.
HeadlessAuthentication holds data for an ongoing headless authentication attempt.
HeadlessAuthenticationFilter encodes filter params for headless authentications.
IdentityCenterAccountAssignment captures an AWS Identity Center account assignment (account + permission set) pair.
IdentityCenterPermissionSet defines a permission set that is available on an IdentityCenter account app.
IdPOptions specify options related to access Teleport IdPs.
IdPSAMLOptions specifies options related to accessing the Teleport SAML IdP.
ImpersonateConditions specifies whether users are allowed to issue certificates for other users or groups.
InstallParams sets join method to use on discovered nodes.
InstallerSpecV1 is the specification for an Installer.
InstallerV1 represents an installer script resource.
InstallerV1List represents a list of installer resources.
InstanceControlLogEntry represents an entry in a given instance's control log.
InstanceFilter matches instance resources.
InstanceV1 represents the state of a running teleport instance independent of the specific services that instance exposes.
IntegrationSpecV1 contains properties of all the supported integrations.
IntegrationV1 represents a connection between Teleport and some other 3rd party system.
JamfInventoryEntry is an inventory sync entry for [JamfSpecV1].
JamfSpecV1 is the base configuration for the Jamf MDM service.
JWTKeyPair is a PEM encoded keypair used for signing JWT tokens.
KubeAWS contains the AWS information about the cluster.
KubeAzure contains the Azure information about the cluster.
KubeGCP contains the GCP information about the cluster.
KubernetesCluster is a named kubernetes API endpoint handled by a Server.
KubernetesClusterSpecV3 is a specification for a Kubernetes cluster.
KubernetesClusterV3 represents a named kubernetes API endpoint.
KubernetesClusterV3List represents a list of kubernetes clusters.
KubernetesMatcher matches Kubernetes services.
KubernetesResource is the Kubernetes resource identifier.
KubernetesResourceSpecV1 is the Kubernetes resource spec.
KubernetesResourceV1 represents a Kubernetes resource.
KubernetesServerSpecV3 is the Kubernetes server spec.
KubernetesServerV3 represents a Kubernetes server.
LabelMatchers holds the role label matchers and label expression that are used to match resource labels of a specific resource kind and condition (allow/deny).
LicenseSpecV3 is the actual data we care about for LicenseV3.
LicenseV3 represents License resource version V3.
ListDynamicWindowsDesktopsResponse is a response type to ListDynamicWindowsDesktops.
ListResourcesResponse describes a non proto response to ListResources.
ListWindowsDesktopServicesRequest is a request type to ListWindowsDesktopServices.
ListWindowsDesktopServicesResponse is a response type to ListWindowsDesktopServices.
ListWindowsDesktopsRequest is a request type to ListWindowsDesktops.
ListWindowsDesktopsResponse is a response type to ListWindowsDesktops.
LocalAuthSecrets holds sensitive data used to authenticate a local user.
LockSpecV2 is a Lock specification.
LockTarget lists the attributes of interactions to be disabled.
LockV2 represents a lock.
LoginStatus is a login status of the user.
MailgunSpec holds Mailgun-specific settings.
MaxAge allows the max_age parameter to be nullable to preserve backwards compatibility.
MemoryDB contains AWS MemoryDB specific metadata.
MessageWithHeader is a message with a resource header.
Metadata is resource metadata.
MFADevice is a multi-factor authentication device, such as a security key or an OTP app.
MongoAtlas contains Atlas metadata about the database.
MySQLOptions are additional MySQL database options.
Namespace represents namespace resource specification.
NamespaceSpec is a namespace specification.
NetworkRestrictions specifies a list of addresses to restrict (block).
OIDCAuthRequest is a request to authenticate with an OIDC provider; the state about the request is managed by the Auth Service.
OIDCConnectorMFASettings contains OIDC MFA settings.
OIDCConnectorSpecV3 is an OIDC connector specification.
OIDCConnectorV3 represents an OIDC connector.
OIDCConnectorV3List is a list of OIDC connectors.
OIDCIdentity is a redefinition of oidc.Identity with additional methods, required for serialization to/from protobuf.
OktaAssignmentSpecV1 is an Okta assignment specification.
OktaAssignmentTargetV1 is a target of an Okta assignment.
OktaAssignmentV1 is a representation of an action or set of actions taken by Teleport to assign Okta users to applications or groups.
OktaImportRuleMappingV1 is a list of matches that map match rules to labels.
OktaImportRuleMatchV1 is a match rule for a mapping.
OktaImportRuleSpecV1 is an Okta import rule specification.
OktaImportRuleV1 is a representation of labeling rules for importing of Okta objects.
OktaOptions specify options related to the Okta service.
OpenSearch contains AWS OpenSearch specific metadata.
OracleOptions contains information about privileged database user used for database audit.
Participant stores information about a participant in the session.
PluginAWSICSettings holds the settings for an AWS Identity Center integration.
PluginAWSICStatusV1 defines AWS Identity Center plugin sub-process status.
PluginCredentialsV1 represents "live" credentials that are used by the plugin to authenticate to the 3rd party API.
PluginDatadogAccessSettings defines the settings for a Datadog Incident Management plugin.
PluginDataEntry wraps a mapping of arbitrary string values used by plugins to store per-resource information.
PluginDataFilter encodes filter params for plugin data.
PluginData stores a collection of values associated with a specific resource.
PluginDataUpdateParams encodes parameters for updating a PluginData field.
PluginData stores a collection of values associated with a specific resource.
Defines settings for the discord plugin.
PluginEmailSettings holds the settings for an Email Access Request plugin.
AccessGraphSettings controls settings for syncing access graph specific data.
PluginEntraIDAppSSOSettings is a container for a single Entra ID enterprise application's cached SSO settings.
PluginEntraIDSettings defines settings for the Entra ID sync plugin.
PluginEntraIDStatusV1 is the status details for the Entra ID plugin.
Defines settings for syncing users and access lists from Entra ID.
PluginGitlabStatusV1 is the status details for the Gitlab plugin.
PluginIdSecretCredential can be OAuth2-like client_id and client_secret or username and password.
Defines settings for Jamf plugin.
PluginList represents a list of plugin resources.
Defines settings for the Mattermost plugin.
PluginMSTeamsSettings defines the settings for a Microsoft Teams integration plugin.
PluginNetIQSettings defines the settings for a NetIQ integration plugin.
PluginNetIQStatusV1 is the status details for the NetIQ plugin.
PluginOktaCredentialsInfo contains information about the Okta credentials.
Defines settings for the Okta plugin.
PluginOktaStatusDetailsAccessListsSync are details related to the current status of the Okta integration w/r/t access list sync.
PluginOktaStatusDetailsAppGroupSync are details related to the current status of the Okta integration w/r/t application and group sync.
PluginOktaStatusDetailsSCIM are details related to the current status of the Okta integration w/r/t SCIM.
PluginOktaStatusDetailsSSO are details related to the current status of the Okta integration w/r/t SSO.
PluginOktaStatusDetailsUsersSync are details related to the current status of the Okta integration w/r/t users sync.
PluginOktaStatusV1 contains the details for the running Okta plugin.
Defines settings for syncing users and access lists from Okta.
Defines settings for the OpenAI plugin.
PluginSCIMSettings defines the settings for a SCIM integration plugin.
PluginServiceNowSettings are the settings for the ServiceNow plugin.
PluginStaticCredentialsBasicAuth represents username and password credentials for a plugin.
PluginStaticCredentialsOAuthClientSecret represents an OAuth client ID and secret.
PluginStaticCredentialsRef is a reference to plugin static credentials by labels.
PluginStaticCredentialsSpecV1 is the specification for the static credentials object.
PluginStaticCredentialsSSHCertAuthorities contains the active SSH CAs used for the integration or plugin.
PluginStaticCredentialsV1 is a representation of static credentials for plugins.
PluginStatus is the user-facing status for the plugin instance.
Plugin describes a single instance of a Teleport Plugin.
PortRange describes a port range for TCP apps.
PromotedAccessList is a minimal access list representation used for promoting Access Requests to access lists.
ProvisionTokenSpecV2 is a specification for V2 token.
ProvisionTokenSpecV2Azure contains the Azure-specific part of the ProvisionTokenSpecV2.
Rule is a set of properties the Azure-issued token might have to be allowed to use this ProvisionToken.
Rule is a set of properties the Bitbucket-issued token might have to be allowed to use this ProvisionToken.
ProvisionTokenSpecV2CircleCI contains the CircleCI-specific part of the ProvisionTokenSpecV2.
ProvisionTokenSpecV2GCP contains the GCP-specific part of the ProvisionTokenSpecV2.
Rule is a set of properties the GCP-issued token might have to be allowed to use this ProvisionToken.
ProvisionTokenSpecV2Github contains the GitHub-specific part of the ProvisionTokenSpecV2.
Rule includes fields mapped from `lib/githubactions.IDToken`. Not all fields should be included, only ones that we expect to be useful when trying to create rules around which workflows should be allowed to authenticate against a cluster.
ProvisionTokenSpecV2GitLab contains the GitLab-specific part of the ProvisionTokenSpecV2.
ProvisionTokenSpecV2Kubernetes contains the Kubernetes-specific part of the ProvisionTokenSpecV2.
Rule is a set of properties the Kubernetes-issued token might have to be allowed to use this ProvisionToken.
ProvisionTokenSpecV2Oracle contains Oracle-specific parts of the ProvisionTokenSpecV2.
Rule is a set of properties the Oracle instance might have to be allowed to use this ProvisionToken.
ProvisionTokenSpecV2Spacelift contains the Spacelift-specific part of the ProvisionTokenSpecV2.
ProvisionTokenSpecV2Terraform contains Terraform-specific parts of the ProvisionTokenSpecV2.
Rule is a set of properties the Terraform-issued token might have to be allowed to use this ProvisionToken.
ProvisionTokenSpecV2TPM contains the TPM-specific part of the ProvisionTokenSpecV2.
ProvisionTokenV1 is a provisioning token V1.
ProvisionTokenV2 specifies provisioning token.
ProvisionTokenV2List is a list of provisioning tokens.
ProxyPeeringTunnelStrategy requires reverse tunnels to dial a fixed number of proxies.
RDPLicenseKey is a struct for retrieving licenses from the backend cache, used only internally.
RDS contains AWS RDS specific database metadata.
RDSProxy contains AWS RDS Proxy specific database metadata.
RecoveryAttempt represents an unsuccessful attempt at recovering a user's account.
RecoveryCode describes a recovery code.
RecoveryCodesSpecV1 is the recovery codes spec.
RecoveryCodes holds a user's recovery code information.
Redshift contains AWS Redshift specific database metadata.
RedshiftServerless contains AWS Redshift Serverless specific metadata.
RegisterUsingTokenRequest is a request to register with the Auth Service using an authentication token.
Release corresponds to a Teleport Enterprise release.
RemoteClusterStatusV3 represents status of the remote cluster.
RemoteClusterV3 represents remote cluster resource specification.
RequestKubernetesResource is the Kubernetes resource identifier used in access request settings.
ResourceDetails includes details about the resource.
ResourceHeader is a shared resource header used in cases when only type and name is known.
ResourceID is a unique identifier for a teleport resource.
ResourcesInNamespaceRequest is a request relating to a named resource in the given namespace.
ResourceMatcherAWS contains AWS specific settings for resource matcher.
ResourceRequest is a request relating to a named resource.
ResourcesInNamespaceRequest is a request relating to resources in the given namespace.
ResourcesWithSecretsRequest is a request relating to resources with secrets.
ResourceWithSecretsRequest is a request relating to a named resource with secrets.
ReverseTunnelSpecV2 is a specification for V2 reverse tunnel.
ReverseTunnelV2 is version 2 of the resource spec of the reverse tunnel.
Rewrite is a list of rewriting rules to apply to requests and responses.
RoleConditions is a set of conditions that must all match to be allowed or denied access.
RoleFilter matches role resources.
RoleMapping provides mapping of remote roles to local roles for trusted clusters.
RoleOptions is a set of role options.
RoleSpecV6 is role specification for RoleV6.
RoleV6 represents role resource specification.
Rotation is a status of the rotation of the certificate authority.
RotationSchedule is a rotation schedule setting time switches for different phases.
Rule represents an allow or deny rule that is executed to check if a user or service has access to a resource.
SAMLAttribute contains an attribute name and associated values.
SAMLAttributeMapping represents SAML service provider requested attribute name, format and its values.
SAMLAttributeValues contains a type, value, and an associated name ID block.
SAMLAuthRequest is a request to authenticate with a SAML provider; the state of the request is managed by the Auth Service.
SAMLConnectorMFASettings contains SAML MFA settings.
SAMLConnectorSpecV2 is a SAML connector specification.
SAMLConnectorV2 represents a SAML connector.
SAMLConnectorV2List is a list of SAML connectors.
SAMLIdPServiceProviderSpecV1 is the SAMLIdPServiceProviderV1 resource spec.
SAMLIdPServiceProviderV1 is the representation of a SAML IdP service provider.
SAMLNameID is a more restrictive identifier for an object in SAML.
SAMLSessionData contains data for a SAML session.
ScheduledAgentUpgradeWindow is a derived value representing a single upgrade window.
SecretStore contains secret store configurations.
SemaphoreFilter encodes semaphore filtering params.
SemaphoreLease represents lease acquired for semaphore.
SemaphoreLeaseRef identifies an existing lease.
SemaphoreSpecV3 contains the data about lease.
SemaphoreV3 implements Semaphore interface.
ServerInfoSpecV1 contains fields used to match Nodes to this ServerInfo.
ServerInfoV1 contains info that should be applied to joining Nodes.
ServerSpecV2 is a specification for V2 Server.
ServerV2 represents a Node, App, Database, Proxy or Auth Service instance in a Teleport cluster.
SessionJoinPolicy defines a policy that allows a user to join sessions.
SessionRecordingConfigSpecV2 is the actual data we care about for SessionRecordingConfig.
SessionRecordingConfigV2 contains session recording configuration.
SessionRequirePolicy is a requirement policy that needs to be fulfilled to grant access.
SessionTrackerFilter are filters to apply when searching for session trackers.
SessionTrackerPolicySet is a set of RBAC policies held by the session tracker that contain additional metadata from the originating role.
SessionTrackerSpecV1 is the specification for a live session.
SessionTrackerV1 represents a live session resource.
SignatureAlgorithmSuiteParams is a set of parameters used to determine if a configured signature algorithm suite is valid, or to set a default signature algorithm suite.
Site represents a cluster of Teleport nodes that collectively trust the same certificate authority (CA) and have a common name.
SMTPSpec holds generic SMTP service-specific settings.
SortBy defines a sort criterion.
SPIFFERoleCondition sets out which SPIFFE identities this role is allowed or denied to generate.
SSHKeyPair is an SSH CA key pair.
SSHLocalPortForwarding configures access controls for local SSH port forwarding.
SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.
SSHRemotePortForwarding configures access controls for remote SSH port forwarding.
SSOClientRedirectSettings contains settings to define which additional client redirect URLs should be allowed for non-browser SSO logins.
SSODiagnosticInfo is a single SSO diagnostic info entry.
SSOMFADevice contains details of an SSO MFA method.
SSOWarnings conveys a user-facing main message along with auxiliary warnings.
StableUNIXUserConfig contains the cluster-wide configuration for stable UNIX users.
StaticTokensSpecV2 is the actual data we care about for StaticTokensSpecV2.
StaticTokensV2 implements the StaticTokens interface.
SystemClockMeasurement represents the measurement state of the systems clock difference.
TeamMapping represents a single team membership mapping.
TeamRolesMapping represents a single team membership mapping.
ThresholdIndexSet encodes a list of threshold indexes.
ThresholdIndexSets is a list of threshold index sets.
TLSKeyPair is a TLS key pair.
TokenRule is a rule that a joining node must match in order to use the associated token.
TOTPDevice holds the TOTP-specific fields of MFADevice.
TPMPCR is the resource representation of teleport.devicetrust.v1.TPMPCR.
TPMPlatformAttestation is the resource representation of teleport.devicetrust.v1.TPMPlatformAttestation.
TPMPlatformParameters is the resource representation of teleport.devicetrust.v1.TPMPlatformParameters.
TPMQuote is the resource representation of teleport.devicetrust.v1.TPMQuote.
TraitMapping maps a trait to teleport roles.
TrustedClusterSpecV2 is a Trusted Cluster specification.
TrustedClusterV2 represents a Trusted Cluster.
TrustedClusterV2List is a list of trusted clusters.
TunnelConnectionSpecV2 is a specification for V2 tunnel connection.
TunnelConnectionV2 is version 2 of the resource spec of the tunnel connection.
TunnelStrategyV1 defines possible tunnel strategy types.
U2F defines settings for U2F device.
U2FDevice holds the U2F-specific fields of MFADevice.
UIConfigSpecV1 is the specification for a UIConfig.
UIConfigV1 represents the configuration for the web UI served by the proxy service.
UserFilter matches user resources.
UserGroupSpecV1 is the specification of a user group.
UserGroupV1 is a representation of an externally sourced user group.
UserRef holds references to user.
UserSpecV2 is a specification for V2 user.
UserStatusV2 is a dynamic state of UserV2.
UserV2 is version 2 resource spec of the user.
Watch sets up watch on the event.
WatchKind specifies the resource kind to watch. When adding fields to this struct, make sure to review/update the WatchKind.Contains method.
WatchStatusSpecV1 contains resource kinds confirmed by WatchEvents to be included in the event stream.
WatchStatusV1 is intended to be attached to OpInit events and contain information about a successful WatchEvents call.
Webauthn defines user-visible settings for server-side Web Authentication support.
WebauthnDevice holds Webauthn-specific fields of MFADevice.
WebauthnLocalAuth holds settings necessary for local webauthn use.
WebSessionFilter encodes cache watch parameters for filtering web sessions.
WebSessionSpecV2 is a specification for web session.
WebSessionV2 represents an application or UI web session.
WebTokenSpecV3 is a unique time-limited token bound to a user's web session.
WebTokenV3 describes a web token.
WhereExpr is a tree-like structure representing a `where` (sub-)expression.
WhereExpr2 is a pair of `where` (sub-)expressions.
WindowsDesktopFilter are filters to apply when searching for windows desktops.
WindowsDesktopServiceSpecV3 is the windows desktop service spec.
WindowsDesktopServiceV3 represents a windows desktop access service.
WindowsDesktopSpecV3 is the Windows host spec.
WindowsDesktopV3 represents a Windows host for desktop access.

# Interfaces

AccessRequest is a request for temporarily granted roles.
Application represents a web, TCP or cloud console application.
AppServer represents a single proxied web app.
AppServerOrSAMLIdPServiceProvider describes methods shared between an AppServer and a SAMLIdpServiceProvider resource.
AuthPreference defines the authentication preferences for a specific cluster.
CertAuthority is a host or user certificate authority that can check and, if it also has a private key stored, sign it too.
ClonableResource153 adds a restriction on [Resource153] such that implementors must have a CloneResource() method.
ClusterAuditConfig defines cluster-wide audit log configuration.
ClusterMaintenanceConfig represents a singleton config object used to schedule maintenance windows.
ClusterName defines the name of the cluster.
ClusterNetworkingConfig defines cluster networking configuration.
CommandLabel is a label that has a value as a result of the output generated by running command, e.g.
ConnectionDiagnostic represents a Connection Diagnostic.
Database represents a single database proxied by a database server.
DatabaseServer represents a database access server.
DatabaseService represents a DatabaseService (agent).
DiscoveredEKSCluster represents a server discovered by EKS discovery fetchers.
DynamicWindowsDesktop represents a Windows desktop host that is automatically discovered by Windows Desktop Service.
Events returns new events interface.
GithubConnector defines an interface for a Github OAuth2 connector.
Installer is an installer script resource.
Instance describes the configuration/status of a unique teleport server identity.
Integration specifies a connection configuration between Teleport and a 3rd party system.
KeepAliver keeps object alive.
KubeCluster represents a kubernetes cluster.
KubeServer represents a single Kubernetes server.
License defines teleport License Information.
Lock configures locking out of a particular access vector.
Matcher is an interface for cloud resource matchers.
NetworkRestrictions defines network restrictions applied to SSH session.
OIDCConnector specifies configuration for Open ID Connect compatible external identity provider, e.g.
OktaAssignment is a representation of an action or set of actions taken by Teleport to assign Okta users to applications or groups.
OktaAssignmentTarget is a target for an Okta assignment.
OktaImportRule specifies a rule for importing and labeling Okta applications and groups.
OktaImportRuleMapping is a list of matches that map match rules to labels.
OktaImportRuleMatch creates a new Okta import rule match.
Plugin represents a plugin instance.
PluginCredentials are the credentials embedded in Plugin.
PluginData is used by plugins to store per-resource state.
PluginStaticCredentials are static credentials for plugins.
PluginStatus is the plugin status.
ProtoResource153 is a Resource153 implemented by a protobuf-generated struct.
ProvisionToken is a provisioning token.
ProxiedService is a service that is connected to a proxy.
RemoteCluster represents a remote cluster that has connected via reverse tunnel to this cluster.
Resource represents common properties for all resources.
Resource153 is a resource that follows RFD 153.
Resource153Unwrapper returns a legacy [Resource] type from a wrapped RFD 153 style resource.
ResourceMetadata is the smallest interface that defines a Teleport resource.
ResourceWithLabels is a common interface for resources that have labels.
ResourceWithOrigin provides information on the origin of the resource (defaults, config-file, dynamic).
ResourceWithSecrets includes additional properties which must be provided by resources which *may* contain secrets.
ReverseTunnel is SSH reverse tunnel established between a local Proxy and a remote Proxy.
Role contains a set of permissions or settings.
SAMLConnector specifies configuration for SAML 2.0 identity providers.
SAMLIdPServiceProvider specifies configuration for service providers for Teleport's built in SAML IdP.
Semaphore represents distributed semaphore concept.
Semaphores provides ability to control how many shared resources of some kind are acquired at the same time, used to implement concurrent sessions control in a distributed environment.
Server represents a Node, Proxy or Auth server in a Teleport cluster.
ServerInfo represents info that should be applied to joining Nodes.
SessionRecordingConfig defines session recording configuration.
SessionTracker is a resource which tracks an active session.
StaticTokens define a list of static []ProvisionToken used to provision a node.
TrustedCluster holds information needed for a cluster that cannot be directly accessed (it may be behind a firewall without any open ports) to join a parent cluster.
TunnelConnection is SSH reverse tunnel connection established to reverse tunnel proxy.
TunnelStrategy defines methods to be implemented by any TunnelStrategy.
UIConfig defines configuration for the web UI served by the proxy service.
UnifiedResource represents the combined set of interfaces that a resource must implement to be used with the Teleport Unified Resource Cache.
User represents teleport embedded user or external user.
UserGroup specifies an externally sourced group.
UserToken represents a temporary token used for various user-related actions, i.e., change password.
UserTokenSecrets contains user token secrets.
Watcher returns watcher.
WatchStatus contains information about a successful Watch request.
WebSession stores the key and value used to authenticate with SSH nodes on behalf of a user.
WebSessionInterface defines interface to regular web sessions.
WebSessionsGetter provides access to web sessions.
WebToken is a time-limited unique token bound to a user's session.
WebTokenInterface defines interface for managing web tokens.
WebTokensGetter provides access to web tokens.
WindowsDesktop represents a Windows desktop host.
WindowsDesktopService represents a Windows desktop service instance.

# Type aliases

AccessRequests is a list of AccessRequest resources.
AlertOption is a functional option for alert construction.
AlertSeverity represents how problematic/urgent an alert is, and is used to assist in sorting alerts for display.
Apps is a list of app resources.
AppServers represents a list of app servers.
AppServersOrSAMLIdPServiceProviders is a list of AppServers and SAMLIdPServiceProviders.
AssertionInfo is an alias for saml2.AssertionInfo with additional methods, required for serialization to/from protobuf.
AWSICCredentialsSource indicates where the AWS Identity Center plugin will draw its AWS credentials from.
AWSICGroupImportStatus defines Identity Center group and group members import status codes.
Bool is a wrapper around boolean values.
SigningAlgType is unused.
CertAuthType specifies certificate authority type.
CertExtensionMode specifies the type of extension to use in the cert.
CertExtensionType represents the certificate type the extension is for.
FIPSEndpointState represents an AWS FIPS endpoint state.
StatusType describes whether this was a success or a failure.
TraceType is an identification of the checkpoint.
CreateDatabaseUserMode determines whether database user creation should be disabled or if users should be cleaned up or kept after sessions end.
CreateHostUserMode determines whether host user creation should be disabled or if host users should be cleaned up or kept after sessions end.
DatabasePermissions is a list of DatabasePermission objects.
Databases is a list of database resources.
DatabaseServers represents a list of database servers.
DatabaseTLSMode represents the level of TLS verification performed by DB agent when connecting to a database.
Duration is a wrapper around duration to set up custom marshal/unmarshal.
DynamicWindowsDesktops represents a list of Windows desktops.
EnrichedResources is a wrapper of []*EnrichedResource.
EntraIDCredentialsSource defines the credentials source for Entra ID.
EventOrder is an ordering of events, either ascending or descending.
FeatureSource defines where the list of features enabled by the license is.
HeadlessAuthenticationState is a headless authentication state.
IAMPolicyStatus represents states that describe if an AWS database has its IAM policy properly configured or not.
InstallParamEnrollMode is the mode used to enroll the node into the cluster.
InstanceMetadataType is the type of cloud instance metadata client.
Integrations is a list of Integration resources.
JoinMethod is the method used for new nodes to join the cluster.
The type of a KeepAlive.
KubeClusters represents a list of kube clusters.
KubeResources represents a list of Kubernetes resources.
KubeServers represents a list of kube servers.
Labels is a wrapper around map that can marshal and unmarshal itself from scalar and list values.
MFADeviceKind indicates what is known about existence of user's MFA device.
OIDCClaims is a redefinition of jose.Claims with additional methods, required for serialization to/from protobuf.
OktaAssignments is a list of OktaAssignment resources.
OktaAssignmentStatus represents the status of an Okta assignment.
OktaAssignmentTargetType is the type of Okta object that an assignment is targeting.
OktaPluginSyncStatusCode indicates the possible states of an Okta synchronization service.
OpType specifies operation type.
PasswordState indicates what is known about existence of user's password.
PluginSubkind represents the type of the plugin, e.g., access request, MDM etc.
PluginType represents the type of the plugin.
PortRanges is a list of port ranges.
PrivateKeyType is the storage type of a private key.
ProxyListenerMode represents the cluster proxy listener mode.
RequestReasonMode can be either "required" or "optional".
RequestState represents the state of a request for escalated privilege.
RequestStrategy is an indicator of how access requests should be handled for holders of a given role.
RequireMFAType is a type of MFA requirement enforced outside of login, such as per-session MFA or per-request PIV touch.
ResourcesWithLabels is a list of labeled resources.
ResourcesWithLabelsMap is like ResourcesWithLabels, but a map from resource name to its value.
RoleConditionType specifies if it's an allow rule (true) or deny rule (false).
RoleMap is a list of mappings.
RoutingStrategy determines the strategy used to route to nodes.
SAMLForceAuthn specifies whether existing SAML sessions should be accepted or re-authentication should be forced.
SAMLIdPServiceProviders is a list of SAML IdP service provider resources.
SecondFactorType is a type of second factor.
Servers represents a list of servers.
SessionKind is a type of session.
SessionParticipantMode is the mode that determines what you can do when you join a session.
SessionState represents the state of a session.
SignatureAlgorithmSuite represents the suite of cryptographic signature algorithms used in the cluster.
SortedNamespaces sorts namespaces.
SortedTrustedCluster sorts clusters by name.
SystemRole identifies the role of an SSH connection.
SystemRoles is a TeleportRole list.
TraitMappingSet is a set of trait mappings.
TrustedDeviceRequirement indicates whether access may be hindered by the lack of a trusted device.
TunnelType is the type of tunnel.
UserGroups is a list of UserGroup resources.
UserTokenUsage contains additional information about the intended usage of a user token.
UserType is the user's type, which indicates where it was created.
WindowsDesktops represents a list of Windows desktops.