Merge branch 'branch/v15' into bot/backport-41866-branch/v15

docs/pages/access-controls/idps/saml-gcp-workforce-identity-federation.mdx

@@ -27,6 +27,8 @@ SAML IdP, so users can sign in into GCP web console by authenticating with Telep
 Reference](./saml-reference.mdx) before proceeding.
 - User with permission to create service provider resource. The preset `editor` role has this permission.
 - Access to GCP IAM API, with permission to create workforce identity pool, pool provider and an IAM policy.
+At a minimum, both the "IAM Workforce Pool Admin" and "Organization Viewer" [GCP roles](https://cloud.google.com/iam/docs/configuring-workforce-identity-federation#required-roles)
+are required (assigned at the GCP organization level) to configure GCP Workforce Identity Federation.
 
 
 Teleport Web UI offers both the guided and manual configuration flow for GCP Workforce Identity
@@ -47,15 +49,15 @@ Now follow the steps listed below.
 ## Step 1/3. Configure workforce pool
 As a first step, provide the following information to the script generator.
 
-![Test the IdP](../../../img/access-controls/saml-idp/gcp-workforce/generate-script.png)
+![Test the IdP](../../../img/access-controls/saml-idp/gcp-workforce/generate-command.png)
 - **Organization ID:** Organization ID of GCP account. The ID is required to create a workforce pool.
-- **Pool Name:** Name of the workforce pool to be created. Name should follow [GCP resource naming
+- **Workforce pool name:** Name of the workforce pool to be created. Name should follow [GCP resource naming
 convention](https://cloud.google.com/compute/docs/naming-resources#resource-name-format).
-- **Pool Provider Name:** Name of the workforce pool provider to be created. Pool provider name
-will also be used as SAML service provider name in the next step. Name should follow
+- **App name - Workforce pool provider name:** SAML app name. The name
+will also be used as a workforce pool provider name in the GCP. Name should follow
 [GCP resource naming convention](https://cloud.google.com/compute/docs/naming-resources#resource-name-format).
 
-Click on **Generate Script** button. Teleport Web UI will now show you a copyable bash script.
+Click on the **Generate Command** button. The Teleport Web UI will now show you a copyable bash script.
 
 Open GCP [Cloud Shell](https://shell.cloud.google.com/?show=terminal) and inside the Cloud Shell terminal,
 paste the bash script you copied above.

docs/pages/auto-discovery/databases.mdx

@@ -26,15 +26,7 @@ discover AWS-hosted databases automatically.
 
 ## Step 1/4. Generate a join token
 
-The Discovery Service requires a valid join token to connect to the cluster.
-
-Generate a join token by running the following command against your Teleport
-Auth Service and save it in `/tmp/token` on the host that will run the
-Discovery Service.
-
-```code
-$ tctl tokens add --type=discovery
-```
+(!docs/pages/includes/tctl-token.mdx serviceName="Discovery" tokenType="discovery" tokenFile="/tmp/token" !)
 
 (!docs/pages/includes/database-access/alternative-methods-join.mdx!)
 

docs/pages/database-access/enroll-aws-databases/aws-cassandra-keyspaces.mdx

@@ -30,7 +30,7 @@ description: How to configure Teleport database access with Amazon Keyspaces (Ap
 
 ## Step 1/5. Set up the Teleport Database Service
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 (!docs/pages/includes/database-access/alternative-methods-join.mdx!)
 

docs/pages/database-access/enroll-aws-databases/aws-dynamodb.mdx

@@ -155,7 +155,7 @@ the correct STS endpoint.
 
 (!docs/pages/includes/database-access/alternative-methods-join.mdx!)
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 ### Install and start Teleport
 

docs/pages/database-access/enroll-aws-databases/aws-opensearch.mdx

@@ -190,7 +190,7 @@ Teleport:
 
 </Details>
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 Use the token provided by the output of this command in the next step.
 

docs/pages/database-access/enroll-aws-databases/postgres-redshift.mdx

@@ -42,7 +42,7 @@ automatically enroll all AWS databases in your infrastructure.
 
 ## Step 2/6. Create a Database Service configuration
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 (!docs/pages/includes/database-access/alternative-methods-join.mdx!)
 

docs/pages/database-access/enroll-aws-databases/redis-aws.mdx

@@ -58,7 +58,7 @@ databases in your infrastructure.
 
 ## Step 2/6. Create a Database Service configuration
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 (!docs/pages/includes/database-access/alternative-methods-join.mdx!)
 

docs/pages/database-access/enroll-aws-databases/redshift-serverless.mdx

@@ -134,7 +134,7 @@ role 'redshift-serverless-access' has been created
 
 ## Step 3/4. Install and start the Teleport Database Service
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 (!docs/pages/includes/database-access/alternative-methods-join.mdx!)
 

docs/pages/database-access/enroll-aws-databases/sql-server-ad.mdx

@@ -205,7 +205,7 @@ KVNO Principal
 
 ## Step 4/7. Set up the Teleport Database Service
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 (!docs/pages/includes/install-linux.mdx!)
 

docs/pages/database-access/enroll-azure-databases/azure-postgres-mysql.mdx

@@ -37,7 +37,7 @@ database.
 
 ## Step 1/5. Install the Teleport Database Service
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 Install Teleport on the host where you will run the Teleport Database Service:
 

docs/pages/database-access/enroll-google-cloud-databases/mysql-cloudsql.mdx

@@ -122,7 +122,7 @@ Cloud documentation for more info.
 
 ### Create a join token
 
-(!docs/pages/includes/database-access/token.mdx tokenFile="/tmp/token" !)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token" !)
 
 ### (Optional) Download the Cloud SQL CA certificate
 

docs/pages/database-access/enroll-google-cloud-databases/postgres-cloudsql.mdx

@@ -78,7 +78,7 @@ in Google Cloud documentation for more info.
 
 ### Create a join token
 
-(!docs/pages/includes/database-access/token.mdx tokenFile="/tmp/token"!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 ### (Optional) Download the Cloud SQL CA certificate
 

docs/pages/database-access/enroll-google-cloud-databases/spanner.mdx

@@ -110,7 +110,7 @@ Select the "Service Account Token Creator" role and save the change:
 
 ## Step 4/8. Configure the Teleport Database Service
 
-(!docs/pages/includes/database-access/token.mdx tokenFile="/tmp/token" !)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token" !)
 
 Provide the following information and then generate a configuration file for the
 Teleport Database Service:

docs/pages/database-access/enroll-managed-databases/mongodb-atlas.mdx

@@ -36,7 +36,7 @@ forwards user traffic to MongoDB Atlas.
 
 ## Step 1/4. Set up the Teleport Database Service
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 Install Teleport on the host where you will run the Teleport Database Service:
 

docs/pages/database-access/enroll-managed-databases/snowflake.mdx

@@ -39,7 +39,7 @@ forwards the user's requests to Snowflake as Teleport-authenticated messages.
 
 ## Step 1/5. Set up the Teleport Database Service
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 Install and configure Teleport where you will run the Teleport Database Service:
 

docs/pages/database-access/enroll-self-hosted-databases/cassandra-self-hosted.mdx

@@ -31,7 +31,7 @@ description: How to configure Teleport database access with Cassandra and Scylla
 
 ## Step 1/5. Set up the Teleport Database Service
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 Install and configure Teleport where you will run the Teleport Database Service:
 

docs/pages/database-access/enroll-self-hosted-databases/clickhouse-self-hosted.mdx

@@ -58,7 +58,7 @@ choose:
 
 ## Step 1/5. Create a Teleport token and user
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 (!docs/pages/includes/database-access/create-user.mdx!)
 

docs/pages/database-access/enroll-self-hosted-databases/cockroachdb-self-hosted.mdx

@@ -37,7 +37,7 @@ description: How to configure Teleport database access with self-hosted Cockroac
 
 ## Step 1/4. Set up the Teleport Database Service
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 Install and configure Teleport where you will run the Teleport Database Service:
 

docs/pages/database-access/enroll-self-hosted-databases/elastic.mdx

@@ -26,7 +26,7 @@ description: How to configure Teleport database access with Elasticsearch.
 
 ## Step 1/5. Set up the Teleport Database Service
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 Install and configure Teleport where you will run the Teleport Database Service:
 

docs/pages/database-access/enroll-self-hosted-databases/mongodb-self-hosted.mdx

@@ -44,7 +44,7 @@ videoBanner: 6lgVObxoLkc
 
 ### Set up the Teleport Database service
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 Install and configure Teleport where you will run the Teleport Database Service:
 

docs/pages/database-access/enroll-self-hosted-databases/mysql-self-hosted.mdx

@@ -32,7 +32,7 @@ description: How to configure Teleport database access with self-hosted MySQL/Ma
 
 ## Step 1/4. Create the Teleport Database Token
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 ## Step 2/4. Create a certificate/key pair
 

docs/pages/database-access/enroll-self-hosted-databases/oracle-self-hosted.mdx

@@ -30,7 +30,7 @@ description: How to configure Teleport database access with Oracle.
 
 ## Step 1/6. Create a Teleport token and user
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 <Admonition type="tip">
 

docs/pages/database-access/enroll-self-hosted-databases/postgres-self-hosted.mdx

@@ -33,7 +33,7 @@ description: How to configure Teleport database access with self-hosted PostgreS
 
 ## Step 1/5. Create a Teleport token and user
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 ### Create a Teleport user
 

docs/pages/database-access/enroll-self-hosted-databases/redis-cluster.mdx

@@ -44,7 +44,7 @@ If you want to configure Redis Standalone, please read [Database Access with Red
 
 ## Step 1/6. Set up the Teleport Database Service
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 Install and configure Teleport where you will run the Teleport Database Service:
 

docs/pages/database-access/enroll-self-hosted-databases/redis.mdx

@@ -44,7 +44,7 @@ If you want to configure Redis Cluster, please read [Database Access with Redis
 
 ## Step 1/5. Set up the Teleport Database Service
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 Install and configure Teleport where you will run the Teleport Database Service:
 

docs/pages/database-access/enroll-self-hosted-databases/sql-server-ad-pkinit.mdx

@@ -208,7 +208,7 @@ from there, you can copy and use it on your database configuration.
 
 ## Step 4/7. Set up the Teleport Database Service
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 Install Teleport on the host where you will run the Teleport Database Service:
 

docs/pages/database-access/enroll-self-hosted-databases/vitess.mdx

@@ -37,7 +37,7 @@ description: How to configure Teleport database access for Vitess (MySQL protoco
 
 ## Step 1/4. Create the Teleport Database Token
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 ## Step 2/4. Create a certificate/key pair
 

docs/pages/database-access/getting-started.mdx

@@ -87,7 +87,7 @@ See the [Automatic User Provisioning](./rbac.mdx) guide for how to configure Tel
 
 ## Step 2/5. Configure the Teleport Database Service
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 (!docs/pages/includes/database-access/alternative-methods-join.mdx!)
 

docs/pages/includes/database-access/rds-proxy.mdx

@@ -40,7 +40,7 @@ automatically enroll all AWS databases in your infrastructure.
 
 ## Step 2/7. Create a Teleport Database Service configuration
 
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
 
 (!docs/pages/includes/database-access/alternative-methods-join.mdx!)
 

docs/pages/includes/tctl-token.mdx

@@ -0,0 +1,8 @@
+The {{ serviceName }} Service requires a valid join token to join your Teleport cluster.
+Run the following `tctl` command and save the token output in `{{ tokenFile }}`
+on the server that will run the {{ serviceName }} Service:
+
+```code
+$ tctl tokens add --type={{ tokenType }} --format=text
+(=presets.tokens.first=)
+```

docs/pages/machine-id/troubleshooting.mdx

@@ -38,7 +38,7 @@ backend, and embeds a copy of the counter in the certificate.
 
 If the counter embedded in your bot certificate doesn't match the counter
 stored in Teleport's Auth Server, the renewal will fail and the bot user will
-be automatically [locked](../access-controls/guides/locking.mdx). 
+be automatically [locked](../access-controls/guides/locking.mdx).
 
 Renewable certificates are exclusively stored in the bot's internal data
 directory, by default `/var/lib/teleport/bot`. It's possible to trigger this by
@@ -52,7 +52,7 @@ with old certificates and trigger a lock.
 ### Resolution
 
 Before unlocking the bot, try to determine if either of the two scenarios
-described above apply. If the certificates were stolen, there may be 
+described above apply. If the certificates were stolen, there may be
 underlying security concerns that need to be addressed.
 
 Otherwise, first ensure only one bot instance is using the internal data
@@ -218,8 +218,8 @@ However, the database exists and can be seen by regular users via `tsh`:
 
 ```code
 $ tsh db ls
-Name       Description Allowed Users Labels  Connect 
----------- ----------- ------------- ------- ------- 
+Name       Description Allowed Users Labels  Connect
+---------- ----------- ------------- ------- -------
 example                [alice]       env=dev
 ```
 
@@ -292,3 +292,31 @@ flag:
 $ tctl bots rm example
 $ tctl bots add example --roles=foo,bar,machine-id-db
 ```
+
+## Destination kubernetes_secret: `identity-output` must be a directory in exec plugin mode
+
+By default, when outputting a Kubernetes identity, `tbot` outputs make use of a Kubernetes exec
+plugin to always provide the latest version of the credentials.
+
+When outputting a Kubernetes identity to a Kubernetes secret, however, it is important to disable
+the use of the `exec` plugin by adding `disable_exec_plugin: true` to the output. This means that
+a static `kubeconfig` file with embedded short-lived credentials is written instead:
+
+```yaml
+outputs:
+  - type: kubernetes
+    # Specify the name of the Kubernetes cluster you wish the credentials to
+    # grant access to.
+    kubernetes_cluster: example-k8s-cluster
+    # Required when outputting a Kubernetes identity to a Kubernetes secret.
+    disable_exec_plugin: true
+    destination:
+      type: kubernetes_secret
+      # For this guide, identity-output is used as the secret name.
+      # You may wish to customize this. Multiple outputs cannot share the same
+      # destination.
+      name: identity-output
+```
+
+Failure to add the `disable_exec_plugin` flag will result in a warning being displayed:
+`Destination kubernetes_secret: identity-output must be a directory in exec plugin mode`.