diff --git a/docs/pages/admin-guides/access-controls/access-monitoring.mdx b/docs/pages/admin-guides/access-controls/access-monitoring.mdx
index 25797cf3e89d3..caee698e66ad5 100644
--- a/docs/pages/admin-guides/access-controls/access-monitoring.mdx
+++ b/docs/pages/admin-guides/access-controls/access-monitoring.mdx
@@ -177,6 +177,8 @@ spec:
- use
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
## Query Editor
The Query Editor in Teleport Access Monitoring provides users with an interface to interactively query audit logs and generate reports.
diff --git a/docs/pages/admin-guides/access-controls/access-request-plugins/datadog-hosted.mdx b/docs/pages/admin-guides/access-controls/access-request-plugins/datadog-hosted.mdx
index 419937a61cc83..75a9e235712a0 100644
--- a/docs/pages/admin-guides/access-controls/access-request-plugins/datadog-hosted.mdx
+++ b/docs/pages/admin-guides/access-controls/access-request-plugins/datadog-hosted.mdx
@@ -59,8 +59,8 @@ For the purpose of this guide, we will define an `editor-requester` role, which
can request the built-in `editor` role, and an `editor-reviewer` role that can
review requests for the `editor` role.
-In the Teleport WebUI navigate to **Management -> Access -> Roles**. Then select
-**Create New Role** and create the desired roles.
+In the Teleport WebUI navigate to **Access -> Roles**. Then select **Create New
+Role** and create the desired roles.
```yaml
@@ -248,6 +248,8 @@ spec:
deny: 1
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
### Trigger an auto-approval
To trigger an auto-approval, login to Teleport as the current on-call user in Datadog,
diff --git a/docs/pages/admin-guides/access-controls/access-request-plugins/opsgenie.mdx b/docs/pages/admin-guides/access-controls/access-request-plugins/opsgenie.mdx
index 01e97b95c59f1..fde992c224485 100644
--- a/docs/pages/admin-guides/access-controls/access-request-plugins/opsgenie.mdx
+++ b/docs/pages/admin-guides/access-controls/access-request-plugins/opsgenie.mdx
@@ -56,9 +56,8 @@ API.
### Create a requester role
-To create a user first navigate to Management -> Access -> Roles
-
-Then select 'Create New Role' and create the requester role.
+To create a user, first navigate to **Access -> Roles**. Then select **Create
+New Role** and create the requester role.
```
kind: role
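Review bot: the rewritten sentence still opens with "To create a user" although the step creates the requester role, so it should read "To create the requester role, navigate to **Access -> Roles**. Then select **Create New Role** ...". Since this patch introduces `docs/pages/includes/create-role-using-web.mdx` for exactly this instruction, consider referencing the include here instead of restating the Web UI path, so the wording stays in one place if the menu changes again.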
diff --git a/docs/pages/admin-guides/access-controls/access-request-plugins/servicenow.mdx b/docs/pages/admin-guides/access-controls/access-request-plugins/servicenow.mdx
index 2d5921f0cf289..87dd4a2e3c970 100644
--- a/docs/pages/admin-guides/access-controls/access-request-plugins/servicenow.mdx
+++ b/docs/pages/admin-guides/access-controls/access-request-plugins/servicenow.mdx
@@ -58,6 +58,8 @@ spec:
- YOUR_SERVICENOW_ROTA_ID_HERE
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
To retrieve the ServiceNow rotation ID, navigate to the group record
of the ServiceNow group the rotation belongs to and right click on
header, then click 'Select copy sys_id' to copy the ID.
diff --git a/docs/pages/admin-guides/access-controls/access-request-plugins/ssh-approval-pagerduty.mdx b/docs/pages/admin-guides/access-controls/access-request-plugins/ssh-approval-pagerduty.mdx
index 7d0b3538c3915..cce71a316cf7d 100644
--- a/docs/pages/admin-guides/access-controls/access-request-plugins/ssh-approval-pagerduty.mdx
+++ b/docs/pages/admin-guides/access-controls/access-request-plugins/ssh-approval-pagerduty.mdx
@@ -135,6 +135,8 @@ role 'editor-reviewer' has been created
role 'editor-requester' has been created
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
### `demo-role-requester`
Create a file called `demo-role-requester.yaml` with the following content:
diff --git a/docs/pages/admin-guides/access-controls/access-requests/oss-role-requests.mdx b/docs/pages/admin-guides/access-controls/access-requests/oss-role-requests.mdx
index cd364ddc76544..851cd0d8d913a 100644
--- a/docs/pages/admin-guides/access-controls/access-requests/oss-role-requests.mdx
+++ b/docs/pages/admin-guides/access-controls/access-requests/oss-role-requests.mdx
@@ -43,6 +43,8 @@ Define this role in the file `contractor-role.yaml` and create it with `tctl`:
$ tctl create contractor-role.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
Use `tctl` to assign this role to a user (`alice` in this example):
```code
diff --git a/docs/pages/admin-guides/access-controls/device-trust/enforcing-device-trust.mdx b/docs/pages/admin-guides/access-controls/device-trust/enforcing-device-trust.mdx
index 619731b02ce44..6f7199e86587f 100644
--- a/docs/pages/admin-guides/access-controls/device-trust/enforcing-device-trust.mdx
+++ b/docs/pages/admin-guides/access-controls/device-trust/enforcing-device-trust.mdx
@@ -86,6 +86,8 @@ Update the role:
$ tctl create -f device-enforcement.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
## Cluster-wide trusted device enforcement
Cluster-wide configuration enforces trusted device access at the cluster level.
diff --git a/docs/pages/admin-guides/access-controls/getting-started.mdx b/docs/pages/admin-guides/access-controls/getting-started.mdx
index 0bc74d3710db5..90dc640d84c4c 100644
--- a/docs/pages/admin-guides/access-controls/getting-started.mdx
+++ b/docs/pages/admin-guides/access-controls/getting-started.mdx
@@ -244,6 +244,8 @@ $ tctl create -f /tmp/interns.yaml
$ tctl get roles --format text
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
## Next steps
- [Mapping SSO and local users traits with role templates](./guides/role-templates.mdx)
diff --git a/docs/pages/admin-guides/access-controls/guides/dual-authz.mdx b/docs/pages/admin-guides/access-controls/guides/dual-authz.mdx
index 9968c1b657e29..3270908a2e6fa 100644
--- a/docs/pages/admin-guides/access-controls/guides/dual-authz.mdx
+++ b/docs/pages/admin-guides/access-controls/guides/dual-authz.mdx
@@ -156,6 +156,8 @@ spec:
'type': 'db'
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
The commands below create the local users Bob, Alice, and Ivan.
```code
diff --git a/docs/pages/admin-guides/access-controls/guides/impersonation.mdx b/docs/pages/admin-guides/access-controls/guides/impersonation.mdx
index 8916069032136..84c9bd157c3c5 100644
--- a/docs/pages/admin-guides/access-controls/guides/impersonation.mdx
+++ b/docs/pages/admin-guides/access-controls/guides/impersonation.mdx
@@ -60,6 +60,8 @@ Create the resources:
$ tctl create -f jenkins.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
## Step 2/3: Create an impersonator role
Next, we will create a role called `impersonator`. Users with this role will be permitted to
diff --git a/docs/pages/admin-guides/access-controls/guides/locking.mdx b/docs/pages/admin-guides/access-controls/guides/locking.mdx
index 69567f86022f3..07a809454303c 100644
--- a/docs/pages/admin-guides/access-controls/guides/locking.mdx
+++ b/docs/pages/admin-guides/access-controls/guides/locking.mdx
@@ -118,6 +118,8 @@ $ tctl create -f locksmith.yaml
# role 'locksmith' has been created
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
(!docs/pages/includes/add-role-to-user.mdx role="locksmith"!)
diff --git a/docs/pages/admin-guides/access-controls/guides/role-templates.mdx b/docs/pages/admin-guides/access-controls/guides/role-templates.mdx
index b7b00a0081a24..507e6877289e7 100644
--- a/docs/pages/admin-guides/access-controls/guides/role-templates.mdx
+++ b/docs/pages/admin-guides/access-controls/guides/role-templates.mdx
@@ -78,6 +78,8 @@ $ tctl users add alice --roles=alice
$ tctl users add bob --roles=bob
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
Having one role per user is not going to scale well. Because the roles
are so similar, we can assign variables to each user, and use just one role template
for both Alice and Bob.
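Review bot: the include lands directly under `tctl users add alice --roles=alice` / `tctl users add bob --roles=bob`, so the "You can also create and edit roles using the Web UI" sentence follows user creation rather than the role creation it refers to. Move it to just after the `tctl create` command that creates the per-user roles earlier in this section.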
diff --git a/docs/pages/admin-guides/access-controls/idps/saml-grafana.mdx b/docs/pages/admin-guides/access-controls/idps/saml-grafana.mdx
index e290040c39c26..284b5e7a8a0df 100644
--- a/docs/pages/admin-guides/access-controls/idps/saml-grafana.mdx
+++ b/docs/pages/admin-guides/access-controls/idps/saml-grafana.mdx
@@ -45,6 +45,8 @@ $ tctl create sp-manager.yaml
role 'saml-idp-service-provider-manager' has been created
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
(!docs/pages/includes/add-role-to-user.mdx role="saml_idp_service_provider" !)
## Step 2/3. Configure Grafana to recognize Teleport's identity provider
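Review bot: the trailing context line `(!docs/pages/includes/add-role-to-user.mdx role="saml_idp_service_provider" !)` names a role that does not match the one created two lines above (`role 'saml-idp-service-provider-manager' has been created`). This predates the patch, but since the hunk touches this spot, fix the `role=` argument to the role actually created so the reader assigns the right one.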
diff --git a/docs/pages/admin-guides/access-controls/idps/saml-guide.mdx b/docs/pages/admin-guides/access-controls/idps/saml-guide.mdx
index 5d1c924c0912c..3f4a0c0fba149 100644
--- a/docs/pages/admin-guides/access-controls/idps/saml-guide.mdx
+++ b/docs/pages/admin-guides/access-controls/idps/saml-guide.mdx
@@ -220,6 +220,8 @@ $ tctl create sp-manager.yaml
role 'saml-idp-service-provider-manager' has been created
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
Next, add the role to your user.
(!docs/pages/includes/add-role-to-user.mdx role="sp-manager"!)
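Review bot: the trailing context `(!docs/pages/includes/add-role-to-user.mdx role="sp-manager"!)` uses the file name, while the command output above reports `role 'saml-idp-service-provider-manager' has been created`. Pre-existing, but worth correcting in the same change so "add the role to your user" refers to the role that exists.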
diff --git a/docs/pages/admin-guides/access-controls/login-rules/guide.mdx b/docs/pages/admin-guides/access-controls/login-rules/guide.mdx
index 9ddcc3203a72e..8514f99f224e7 100644
--- a/docs/pages/admin-guides/access-controls/login-rules/guide.mdx
+++ b/docs/pages/admin-guides/access-controls/login-rules/guide.mdx
@@ -45,6 +45,8 @@ $ tctl create loginrule-manager.yaml
role 'loginrule-manager' has been created
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
(!docs/pages/includes/add-role-to-user.mdx role="loginrule-manager" !)
## Step 2/5. Draft your Login Rule resource
diff --git a/docs/pages/admin-guides/access-controls/sso/azuread.mdx b/docs/pages/admin-guides/access-controls/sso/azuread.mdx
index 52dd8cc7701c5..d69ef9a44c4e5 100644
--- a/docs/pages/admin-guides/access-controls/sso/azuread.mdx
+++ b/docs/pages/admin-guides/access-controls/sso/azuread.mdx
@@ -214,6 +214,8 @@ Create the role:
$ tctl create dev.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
(!docs/pages/includes/enterprise/samlauthentication.mdx!)
## Token encryption (Optional)
diff --git a/docs/pages/admin-guides/access-controls/sso/gitlab.mdx b/docs/pages/admin-guides/access-controls/sso/gitlab.mdx
index b404383ba2650..8b38b92275904 100644
--- a/docs/pages/admin-guides/access-controls/sso/gitlab.mdx
+++ b/docs/pages/admin-guides/access-controls/sso/gitlab.mdx
@@ -190,6 +190,8 @@ $ tctl create -f admin.yaml
$ tctl create -f dev.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
## Enable default OIDC authentication
(!docs/pages/includes/enterprise/oidcauthentication.mdx!)
diff --git a/docs/pages/admin-guides/access-controls/sso/okta.mdx b/docs/pages/admin-guides/access-controls/sso/okta.mdx
index 969f77e67c21c..1776739a6916f 100644
--- a/docs/pages/admin-guides/access-controls/sso/okta.mdx
+++ b/docs/pages/admin-guides/access-controls/sso/okta.mdx
@@ -307,6 +307,8 @@ $ tctl create dev.yaml
We don't need to repeat this process for the "editor" role because this is a
preset role that is available by default in all Teleport clusters.
+(!docs/pages/includes/create-role-using-web.mdx!)
+
## Testing
The Web UI now contains a new "Okta" button at the login screen. To
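Review bot: the include is anchored after the paragraph "We don't need to repeat this process for the "editor" role because this is a preset role ...", so the Web UI sentence reads as advice about the preset `editor` role. Move the include directly under the `tctl create dev.yaml` block at the top of the hunk, where the `dev` role is created.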
diff --git a/docs/pages/admin-guides/access-controls/sso/one-login.mdx b/docs/pages/admin-guides/access-controls/sso/one-login.mdx
index c60eb5a9c969f..0c351ca7fec21 100644
--- a/docs/pages/admin-guides/access-controls/sso/one-login.mdx
+++ b/docs/pages/admin-guides/access-controls/sso/one-login.mdx
@@ -157,6 +157,8 @@ Create the role:
$ tctl create -f dev.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
## Troubleshooting
(!docs/pages/includes/sso/loginerrortroubleshooting.mdx!)
diff --git a/docs/pages/admin-guides/api/automatically-register-agents.mdx b/docs/pages/admin-guides/api/automatically-register-agents.mdx
index 5cad251d7a1d6..affd1b57306bb 100644
--- a/docs/pages/admin-guides/api/automatically-register-agents.mdx
+++ b/docs/pages/admin-guides/api/automatically-register-agents.mdx
@@ -121,6 +121,8 @@ role 'register-apps' has been created
user "register-apps" has been created
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
### Enable impersonation of the client application
As with all Teleport users, the Teleport Auth Service authenticates the
diff --git a/docs/pages/admin-guides/api/rbac.mdx b/docs/pages/admin-guides/api/rbac.mdx
index f292d19a1b63e..aa9ecc217749a 100644
--- a/docs/pages/admin-guides/api/rbac.mdx
+++ b/docs/pages/admin-guides/api/rbac.mdx
@@ -142,6 +142,8 @@ role.rbac.authorization.k8s.io/pod-reader created
rolebinding.rbac.authorization.k8s.io/read-pods created
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
Next, define a cluster role and cluster role binding that allow users in the
`ops` group to read, create, and execute commands on pods in all namespaces. Add
the following to a file called `pod-ops.yaml`:
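Review bot: the include is inserted after Kubernetes RBAC output (`role.rbac.authorization.k8s.io/pod-reader created`, `rolebinding.rbac.authorization.k8s.io/read-pods created`), not after a Teleport role. The Web UI's **Access -> Roles** page manages Teleport roles and cannot create a Kubernetes `Role` or `RoleBinding`, so the note is misleading here. Drop this include, or move it to the step in this page that creates a Teleport role with `tctl`.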
diff --git a/docs/pages/admin-guides/management/admin/trustedclusters.mdx b/docs/pages/admin-guides/management/admin/trustedclusters.mdx
index ae6bbe6428094..4a7246d427649 100644
--- a/docs/pages/admin-guides/management/admin/trustedclusters.mdx
+++ b/docs/pages/admin-guides/management/admin/trustedclusters.mdx
@@ -231,6 +231,8 @@ your Teleport username:
$ tctl create visitor.yaml
```
+ (!docs/pages/includes/create-role-using-web.mdx!)
+
You now have a `visitor` role on your leaf cluster. The `visitor` role allows
users with the `visitor` login to access nodes in the leaf cluster. In the next step,
you must add the `visitor` login to your user so you can satisfy the conditions of
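Review bot: the added line ` (!docs/pages/includes/create-role-using-web.mdx!)` carries a leading space while the surrounding prose (`You now have a `visitor` role ...`) is flush left, and every other non-list insertion in this patch has no leading space. Remove the space so the include is not rendered as indented content.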
diff --git a/docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx b/docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx
index 33403e6980227..59faf4fc1ec60 100644
--- a/docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx
+++ b/docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx
@@ -361,6 +361,8 @@ In this step, you will define a Teleport role that confers access to the
$ tctl create aws-ro-access.yaml
```
+ (!docs/pages/includes/create-role-using-web.mdx!)
+
1. (!docs/pages/includes/add-role-to-user.mdx role="aws-ro-access"!)
## Step 3/4. Set up the Teleport Application Service
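Review bot: inside the numbered list (the next item is `1. (!docs/pages/includes/add-role-to-user.mdx role="aws-ro-access"!)`), the include line is indented by a single space, which is not enough to keep it inside the preceding list item; continuation paragraphs of a `1.` item need to align with the item text (three spaces). Check the rendered page to confirm the paragraph stays in the item and the numbering does not restart. The same single-space pattern appears in the desktop-access getting-started, kubernetes-access getting-started and `includes/kubernetes-access/rbac.mdx` hunks.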
diff --git a/docs/pages/enroll-resources/application-access/cloud-apis/google-cloud.mdx b/docs/pages/enroll-resources/application-access/cloud-apis/google-cloud.mdx
index a48c6d1a8ac04..a714f5eae5cc3 100644
--- a/docs/pages/enroll-resources/application-access/cloud-apis/google-cloud.mdx
+++ b/docs/pages/enroll-resources/application-access/cloud-apis/google-cloud.mdx
@@ -347,6 +347,8 @@ Create the role:
$ tctl create -f google-cloud-cli-access.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
@@ -392,6 +394,8 @@ Create the role:
$ tctl create -f google-cloud-cli-access
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
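Review bot: the context line `$ tctl create -f google-cloud-cli-access` in this second hunk is missing the `.yaml` extension that the first hunk's `$ tctl create -f google-cloud-cli-access.yaml` has. Pre-existing, but it sits in the lines this patch touches, so add the extension while here.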
diff --git a/docs/pages/enroll-resources/application-access/guides/connecting-apps.mdx b/docs/pages/enroll-resources/application-access/guides/connecting-apps.mdx
index 816ae2484d96c..b2e3c36542073 100644
--- a/docs/pages/enroll-resources/application-access/guides/connecting-apps.mdx
+++ b/docs/pages/enroll-resources/application-access/guides/connecting-apps.mdx
@@ -164,6 +164,8 @@ Teleport, you must configure these yourself:
$ tctl users add --roles=demo-app-access appuser
```
+ (!docs/pages/includes/create-role-using-web.mdx!)
+
When `appuser` attempts to access the application you enrolled earlier
through the Teleport Web UI, the the Teleport Proxy Service forwards the
request with a Teleport-signed JSON web token to the Teleport Application
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-dynamodb.mdx b/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-dynamodb.mdx
index 47ad31d16b284..834dc81c6cabc 100644
--- a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-dynamodb.mdx
+++ b/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-dynamodb.mdx
@@ -134,6 +134,8 @@ Create the new role:
$ tctl create -f aws-dynamodb-access.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
(!docs/pages/includes/add-role-to-user.mdx role="aws-dynamodb-access"!)
## Step 3/4. Install the Teleport Database Service
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-opensearch.mdx b/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-opensearch.mdx
index bc4a2f57b5bce..8d3318185d4b9 100644
--- a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-opensearch.mdx
+++ b/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-opensearch.mdx
@@ -155,6 +155,8 @@ Create the new role:
$ tctl create -f aws-opensearch-access.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
(!docs/pages/includes/add-role-to-user.mdx role="aws-opensearch-access"!)
## Step 3/4. Install the Teleport Database Service
diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/redshift-serverless.mdx b/docs/pages/enroll-resources/database-access/enroll-aws-databases/redshift-serverless.mdx
index 7b01cb3a2a959..dedbc16930a82 100644
--- a/docs/pages/enroll-resources/database-access/enroll-aws-databases/redshift-serverless.mdx
+++ b/docs/pages/enroll-resources/database-access/enroll-aws-databases/redshift-serverless.mdx
@@ -206,6 +206,8 @@ $ tctl create -f redshift-role.yaml
role 'redshift-serverless-access' has been created
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
(!docs/pages/includes/add-role-to-user.mdx role="redshift-serverless-access"!)
## Step 5/5. Connect
diff --git a/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx b/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx
index e18afa60ca7e9..391ec95c7118d 100644
--- a/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx
+++ b/docs/pages/enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx
@@ -363,6 +363,8 @@ $ tctl create -f azure-database-role.yaml
role 'azure-database-role.yaml' has been created
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
(\!docs/pages/includes/add-role-to-user.mdx role="azure-database-access" \!)
### Start Teleport Database Service
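Review bot: the context output `role 'azure-database-role.yaml' has been created` echoes the file name rather than a role name, and the following include assigns `role="azure-database-access"`. `tctl` prints the role's `metadata.name`, so the sample output should show the role name that the include references. Pre-existing, but adjacent to this insertion.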
diff --git a/docs/pages/enroll-resources/database-access/getting-started.mdx b/docs/pages/enroll-resources/database-access/getting-started.mdx
index 29f96ad18ab2f..5ae67f17ac3b6 100644
--- a/docs/pages/enroll-resources/database-access/getting-started.mdx
+++ b/docs/pages/enroll-resources/database-access/getting-started.mdx
@@ -173,6 +173,8 @@ spec:
EOF
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
Create the Teleport user assigned the `db` role we've just created:
diff --git a/docs/pages/enroll-resources/desktop-access/directory-sharing.mdx b/docs/pages/enroll-resources/desktop-access/directory-sharing.mdx
index c64fa889b4e90..39a422d1e7f29 100644
--- a/docs/pages/enroll-resources/desktop-access/directory-sharing.mdx
+++ b/docs/pages/enroll-resources/desktop-access/directory-sharing.mdx
@@ -170,6 +170,8 @@ Create the role:
$ tctl create -f role.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
(!docs/pages/includes/add-role-to-user.mdx role="no-sharing"!)
## Next steps
diff --git a/docs/pages/enroll-resources/desktop-access/getting-started.mdx b/docs/pages/enroll-resources/desktop-access/getting-started.mdx
index ce4eb8e951a52..bfb85d92eab05 100644
--- a/docs/pages/enroll-resources/desktop-access/getting-started.mdx
+++ b/docs/pages/enroll-resources/desktop-access/getting-started.mdx
@@ -243,6 +243,8 @@ To configure a role for desktop access:
$ tctl create -f windows-desktop-admins.yaml
```
+ (!docs/pages/includes/create-role-using-web.mdx!)
+
1. (\!docs/pages/includes/add-role-to-user.mdx role="windows-desktop-admins" \!)
## Step 4/4. Connect
diff --git a/docs/pages/enroll-resources/kubernetes-access/getting-started.mdx b/docs/pages/enroll-resources/kubernetes-access/getting-started.mdx
index e7ced2de49bd4..978a3de3030ae 100644
--- a/docs/pages/enroll-resources/kubernetes-access/getting-started.mdx
+++ b/docs/pages/enroll-resources/kubernetes-access/getting-started.mdx
@@ -70,13 +70,15 @@ impersonates the `viewers` group when proxying requests from the user.
- viewers
deny: {}
```
-
+
1. Apply your changes:
```code
$ tctl create -f kube-access.yaml
```
+ (!docs/pages/includes/create-role-using-web.mdx!)
+
1. (!docs/pages/includes/add-role-to-user.mdx role="kube-access"!)
While you have authorized the `kube-access` role to access Kubernetes clusters
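Review bot: the `-`/`+` pair of empty lines near the top of the hunk is a whitespace-only change with no visible content, which usually means trailing whitespace was added or removed; confirm it removes rather than adds trailing whitespace, or drop it from the patch. The include below it also uses the single-space indent discussed for the aws-console hunk and should align with the `1.` list item text.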
diff --git a/docs/pages/enroll-resources/kubernetes-access/manage-access.mdx b/docs/pages/enroll-resources/kubernetes-access/manage-access.mdx
index b2a6dd54ff496..66ea146672798 100644
--- a/docs/pages/enroll-resources/kubernetes-access/manage-access.mdx
+++ b/docs/pages/enroll-resources/kubernetes-access/manage-access.mdx
@@ -357,6 +357,8 @@ following command:
$ tctl create kube-access.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
(!docs/pages/includes/add-role-to-user.mdx role="kube-access"!)
## Step 3/3. Access resources
diff --git a/docs/pages/enroll-resources/kubernetes-access/register-clusters/dynamic-registration.mdx b/docs/pages/enroll-resources/kubernetes-access/register-clusters/dynamic-registration.mdx
index 20389f079716c..d59a1a0d0a8ab 100644
--- a/docs/pages/enroll-resources/kubernetes-access/register-clusters/dynamic-registration.mdx
+++ b/docs/pages/enroll-resources/kubernetes-access/register-clusters/dynamic-registration.mdx
@@ -202,6 +202,8 @@ Create the role:
$ tctl create -f kube-manager.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
(!docs/pages/includes/add-role-to-user.mdx role="kube-manager"!)
## Step 3/3. Manage dynamic Kubernetes cluster resources
diff --git a/docs/pages/enroll-resources/machine-id/access-guides/ansible.mdx b/docs/pages/enroll-resources/machine-id/access-guides/ansible.mdx
index ef4010154def9..bd7fbdaecce80 100644
--- a/docs/pages/enroll-resources/machine-id/access-guides/ansible.mdx
+++ b/docs/pages/enroll-resources/machine-id/access-guides/ansible.mdx
@@ -74,6 +74,8 @@ least privilege and reduces damage that exfiltrated credentials can do.
Use `tctl create -f ./role.yaml` to create the role.
+(!docs/pages/includes/create-role-using-web.mdx!)
+
Now, use `tctl bots update` to add the role to the Bot. Replace `example`
with the name of the Bot you created in the deployment guide and `example-role`
with the name of the role you just created:
diff --git a/docs/pages/enroll-resources/machine-id/access-guides/applications.mdx b/docs/pages/enroll-resources/machine-id/access-guides/applications.mdx
index 736038a990814..c6099283f51de 100644
--- a/docs/pages/enroll-resources/machine-id/access-guides/applications.mdx
+++ b/docs/pages/enroll-resources/machine-id/access-guides/applications.mdx
@@ -48,6 +48,8 @@ will need access to.
Use `tctl create -f ./role.yaml` to create the role.
+(!docs/pages/includes/create-role-using-web.mdx!)
+
Now, use `tctl bots update` to add the role to the Bot. Replace `example`
with the name of the Bot you created in the deployment guide and `example-role`
with the name of the role you just created:
diff --git a/docs/pages/enroll-resources/machine-id/access-guides/databases.mdx b/docs/pages/enroll-resources/machine-id/access-guides/databases.mdx
index 60f8d463c1ee5..5926d3a8a70b6 100644
--- a/docs/pages/enroll-resources/machine-id/access-guides/databases.mdx
+++ b/docs/pages/enroll-resources/machine-id/access-guides/databases.mdx
@@ -66,6 +66,8 @@ Replace:
Use `tctl create -f ./role.yaml` to create the role.
+(!docs/pages/includes/create-role-using-web.mdx!)
+
Now, use `tctl bots update` to add the role to the Bot. Replace `example`
with the name of the Bot you created in the deployment guide and `example-role`
with the name of the role you just created:
diff --git a/docs/pages/enroll-resources/machine-id/access-guides/kubernetes.mdx b/docs/pages/enroll-resources/machine-id/access-guides/kubernetes.mdx
index 3283fc5cf03e3..6c8f8eb08b7d7 100644
--- a/docs/pages/enroll-resources/machine-id/access-guides/kubernetes.mdx
+++ b/docs/pages/enroll-resources/machine-id/access-guides/kubernetes.mdx
@@ -101,6 +101,8 @@ Adjust the `allow` field for your environment:
Use `tctl create -f ./role.yaml` to create the role.
+(!docs/pages/includes/create-role-using-web.mdx!)
+
Now, use `tctl bots update` to add the role to the Bot. Replace `example`
with the name of the Bot you created in the deployment guide and `example-role`
with the name of the role you just created:
diff --git a/docs/pages/enroll-resources/machine-id/access-guides/ssh.mdx b/docs/pages/enroll-resources/machine-id/access-guides/ssh.mdx
index 39a0aaaa043c0..482920ca5bd51 100644
--- a/docs/pages/enroll-resources/machine-id/access-guides/ssh.mdx
+++ b/docs/pages/enroll-resources/machine-id/access-guides/ssh.mdx
@@ -57,6 +57,8 @@ of least privilege and limits the damage that exfiltrated credentials can do.
Use `tctl create -f ./role.yaml` to create the role.
+(!docs/pages/includes/create-role-using-web.mdx!)
+
Now, use `tctl bots update` to add the role to the Bot. Replace `example`
with the name of the Bot you created in the deployment guide and `example-role`
with the name of the role you just created:
diff --git a/docs/pages/enroll-resources/machine-id/access-guides/tctl.mdx b/docs/pages/enroll-resources/machine-id/access-guides/tctl.mdx
index 8e7dcde67668b..bc1e55c29aa36 100644
--- a/docs/pages/enroll-resources/machine-id/access-guides/tctl.mdx
+++ b/docs/pages/enroll-resources/machine-id/access-guides/tctl.mdx
@@ -56,6 +56,8 @@ Replace `example-role` with a descriptive name related to your use case.
Use `tctl create -f ./role.yaml` to create the role.
+(!docs/pages/includes/create-role-using-web.mdx!)
+
Now, use `tctl bots update` to add the role to the Bot. Replace `example`
with the name of the Bot you created in the deployment guide and `example-role`
with the name of the role you just created:
diff --git a/docs/pages/enroll-resources/machine-id/troubleshooting.mdx b/docs/pages/enroll-resources/machine-id/troubleshooting.mdx
index 8a38be2f3e2ad..1ed68ea946133 100644
--- a/docs/pages/enroll-resources/machine-id/troubleshooting.mdx
+++ b/docs/pages/enroll-resources/machine-id/troubleshooting.mdx
@@ -283,6 +283,8 @@ $ tctl edit role/machine-id-db
Edit the role, then save and close the file to apply your changes.
+(!docs/pages/includes/create-role-using-web.mdx!)
+
By default, outputs (like `/opt/machine-id`) are granted all roles provided
to the bot via `tctl bots add --roles=...`, but it's possible to grant only a
diff --git a/docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx b/docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx
index a5016534d6937..ef6a00aecce44 100644
--- a/docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx
+++ b/docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx
@@ -169,6 +169,8 @@ $ tctl create -f auto-users.yaml
# role 'auto-users' has been created
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
#### Create a Teleport user
1. Run the following command to create a Teleport user with the `auto-users`
diff --git a/docs/pages/enroll-resources/server-access/openssh/openssh-manual-install.mdx b/docs/pages/enroll-resources/server-access/openssh/openssh-manual-install.mdx
index 0f91c395dcd32..b14d557283e14 100644
--- a/docs/pages/enroll-resources/server-access/openssh/openssh-manual-install.mdx
+++ b/docs/pages/enroll-resources/server-access/openssh/openssh-manual-install.mdx
@@ -186,6 +186,8 @@ $ tctl create host-certifier.yaml
# role 'host-certifier' has been created
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
(!docs/pages/includes/add-role-to-user.mdx role="host-certifier"!)
You will now have the required permissions to export a host key for your `sshd`
diff --git a/docs/pages/enroll-resources/workload-identity/aws-oidc-federation.mdx b/docs/pages/enroll-resources/workload-identity/aws-oidc-federation.mdx
index d02f0f3c4274a..1de4e1ac9669c 100644
--- a/docs/pages/enroll-resources/workload-identity/aws-oidc-federation.mdx
+++ b/docs/pages/enroll-resources/workload-identity/aws-oidc-federation.mdx
@@ -341,6 +341,8 @@ Apply this role to your Teleport cluster using `tctl`:
$ tctl create -f role.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
You now need to assign this role to the bot:
```code
diff --git a/docs/pages/enroll-resources/workload-identity/aws-roles-anywhere.mdx b/docs/pages/enroll-resources/workload-identity/aws-roles-anywhere.mdx
index c2d21eff2db1a..73098a1f0a197 100644
--- a/docs/pages/enroll-resources/workload-identity/aws-roles-anywhere.mdx
+++ b/docs/pages/enroll-resources/workload-identity/aws-roles-anywhere.mdx
@@ -207,6 +207,8 @@ Apply this role to your Teleport cluster using `tctl`:
$ tctl create -f role.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
If you intend this SPIFFE ID to be issued by a human, you now need to assign
this role to their user:
diff --git a/docs/pages/enroll-resources/workload-identity/azure-federated-credentials.mdx b/docs/pages/enroll-resources/workload-identity/azure-federated-credentials.mdx
index 93fbb0d39c25d..7a6f886b61db7 100644
--- a/docs/pages/enroll-resources/workload-identity/azure-federated-credentials.mdx
+++ b/docs/pages/enroll-resources/workload-identity/azure-federated-credentials.mdx
@@ -198,6 +198,8 @@ Apply this role to your Teleport cluster using `tctl`:
$ tctl create -f role.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
You now need to assign this role to the bot:
```code
diff --git a/docs/pages/enroll-resources/workload-identity/gcp-workload-identity-federation-jwt.mdx b/docs/pages/enroll-resources/workload-identity/gcp-workload-identity-federation-jwt.mdx
index 60531fffdcd15..bc653f4aa5e4d 100644
--- a/docs/pages/enroll-resources/workload-identity/gcp-workload-identity-federation-jwt.mdx
+++ b/docs/pages/enroll-resources/workload-identity/gcp-workload-identity-federation-jwt.mdx
@@ -261,6 +261,8 @@ Apply this role to your Teleport cluster using `tctl`:
$ tctl create -f role.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
You now need to assign this role to the bot:
```code
diff --git a/docs/pages/enroll-resources/workload-identity/getting-started.mdx b/docs/pages/enroll-resources/workload-identity/getting-started.mdx
index 0879468fd1bf2..6acdfc9bf1bc2 100644
--- a/docs/pages/enroll-resources/workload-identity/getting-started.mdx
+++ b/docs/pages/enroll-resources/workload-identity/getting-started.mdx
@@ -54,6 +54,8 @@ Replace:
Use `tctl create -f ./spiffe-issuer-role.yaml` to create the role.
+(!docs/pages/includes/create-role-using-web.mdx!)
+
Now, use `tctl bots update` to add the role to the Bot. Replace `example-bot`
with the name of the Bot you created in the deployment guide and `spiffe-issuer`
with the name of the role you just created:
diff --git a/docs/pages/includes/application-access/aws-database-role-mapping.mdx b/docs/pages/includes/application-access/aws-database-role-mapping.mdx
index ca068baf866af..9a76801efd262 100644
--- a/docs/pages/includes/application-access/aws-database-role-mapping.mdx
+++ b/docs/pages/includes/application-access/aws-database-role-mapping.mdx
@@ -92,5 +92,7 @@ Create the new role:
$ tctl create -f {{ role }}.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
(!docs/pages/includes/add-role-to-user.mdx role="{{ role }}"!)
diff --git a/docs/pages/includes/application-access/azure-teleport-role.mdx b/docs/pages/includes/application-access/azure-teleport-role.mdx
index dd57dfd0c8cf8..a81c475924d71 100644
--- a/docs/pages/includes/application-access/azure-teleport-role.mdx
+++ b/docs/pages/includes/application-access/azure-teleport-role.mdx
@@ -67,6 +67,8 @@ Create the role:
$ tctl create -f azure-cli-access.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
@@ -104,6 +106,8 @@ Create the role:
$ tctl create -f azure-cli-access.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
@@ -139,6 +143,8 @@ Create the role:
$ tctl create -f azure-cli-access.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
diff --git a/docs/pages/includes/create-role-using-web.mdx b/docs/pages/includes/create-role-using-web.mdx
new file mode 100644
index 0000000000000..8550ff3397d2a
--- /dev/null
+++ b/docs/pages/includes/create-role-using-web.mdx
@@ -0,0 +1,4 @@
+
+ You can also create and edit roles using the Web UI. Go to **Access ->
+ Roles** and click **Create New Role** or pick an existing role to edit.
+
\ No newline at end of file
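Review bot: The new partial starts with an empty line, indents both prose lines with a leading space, and has no trailing newline (`\ No newline at end of file`). Since several includers already indent the directive to sit inside a numbered list item (kubernetes-access/rbac.mdx, upgrading/automatic-agent-updates.mdx), the partial's own leading whitespace is redundant and risks rendering as a code block or breaking the list in Markdown; strip the leading blank line and the leading spaces, and end the file with a newline. As a documentation point, the note could also say that creating or editing a role in the Web UI is subject to the same RBAC check on the `role` resource as `tctl create`, so readers do not assume the Web UI path sidesteps that permission.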
diff --git a/docs/pages/includes/kubernetes-access/rbac.mdx b/docs/pages/includes/kubernetes-access/rbac.mdx
index c06eb92583a44..f60f541996982 100644
--- a/docs/pages/includes/kubernetes-access/rbac.mdx
+++ b/docs/pages/includes/kubernetes-access/rbac.mdx
@@ -57,6 +57,8 @@ must allow access as at least one Kubernetes user or group.
$ tctl create -f kube-access.yaml
```
+ (!docs/pages/includes/create-role-using-web.mdx!)
+
1. (!docs/pages/includes/add-role-to-user.mdx role="kube-access"!)
1. Configure the `viewers` group in your Kubernetes cluster to have the built-in
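Review bot: The include is indented by one space to keep it inside the preceding list item, but the partial it pulls in begins with a blank line and its own leading-space indentation, so the rendered nesting depends on how the MDX include processor merges that whitespace. Please verify in a docs preview that the step list is not broken between the `tctl create -f kube-access.yaml` block and the `1. (!docs/pages/includes/add-role-to-user.mdx role="kube-access"!)` item.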
diff --git a/docs/pages/includes/plugins/editor-request-rbac.mdx b/docs/pages/includes/plugins/editor-request-rbac.mdx
index e89ea5fab2451..9833d3c219be2 100644
--- a/docs/pages/includes/plugins/editor-request-rbac.mdx
+++ b/docs/pages/includes/plugins/editor-request-rbac.mdx
@@ -35,6 +35,8 @@ role 'editor-reviewer' has been created
role 'editor-requester' has been created
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
Allow yourself to review requests by users with the `editor-requester` role by
assigning yourself the `editor-reviewer` role.
diff --git a/docs/pages/includes/plugins/event-handler-role-user.mdx b/docs/pages/includes/plugins/event-handler-role-user.mdx
index f295af8560b79..8552015c3fecc 100644
--- a/docs/pages/includes/plugins/event-handler-role-user.mdx
+++ b/docs/pages/includes/plugins/event-handler-role-user.mdx
@@ -30,3 +30,4 @@ $ tctl create -f teleport-event-handler-role.yaml
# role 'teleport-event-handler' has been created
```
+(!docs/pages/includes/create-role-using-web.mdx!)
\ No newline at end of file
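Review bot: The include is appended directly after the closing fence with no separating blank line, and the file still ends without a trailing newline (`\ No newline at end of file`). Add a blank line before `(!docs/pages/includes/create-role-using-web.mdx!)`, matching the rbac.mdx hunks, and terminate the file with a newline.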
diff --git a/docs/pages/includes/plugins/rbac-impersonate-event-handler.mdx b/docs/pages/includes/plugins/rbac-impersonate-event-handler.mdx
index 20b96f678fb17..1418258c66633 100644
--- a/docs/pages/includes/plugins/rbac-impersonate-event-handler.mdx
+++ b/docs/pages/includes/plugins/rbac-impersonate-event-handler.mdx
@@ -32,6 +32,8 @@ Next, create the role:
$ tctl create teleport-event-handler-impersonator.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
Add this role to the user that generates signed credentials for the Event
Handler:
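Review bot: The context line `$ tctl create teleport-event-handler-impersonator.yaml` omits `-f`, unlike every other `tctl create -f ...` snippet this PR touches. With `tctl`, `-f` (`--force`) overwrites an existing resource, so without it the command fails if the `teleport-event-handler-impersonator` role already exists; worth aligning the snippet while this file is being edited.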
diff --git a/docs/pages/includes/plugins/rbac-impersonate.mdx b/docs/pages/includes/plugins/rbac-impersonate.mdx
index 1456837350be7..c1cf00bcca4d9 100644
--- a/docs/pages/includes/plugins/rbac-impersonate.mdx
+++ b/docs/pages/includes/plugins/rbac-impersonate.mdx
@@ -31,6 +31,8 @@ Create the `access-plugin-impersonator` role:
$ tctl create -f access-plugin-impersonator.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
If you are providing identity files to the plugin with Machine ID, assign the
`access-plugin` role to the Machine ID bot user. Otherwise, assign this role to
the user you plan to use to generate credentials for the `access-plugin` role
diff --git a/docs/pages/includes/plugins/rbac-update.mdx b/docs/pages/includes/plugins/rbac-update.mdx
index 4cfac0379ee92..eb4eac6c0a0d7 100644
--- a/docs/pages/includes/plugins/rbac-update.mdx
+++ b/docs/pages/includes/plugins/rbac-update.mdx
@@ -33,6 +33,8 @@ Create the user and role:
$ tctl create -f access-plugin.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
As with all Teleport users, the Teleport Auth Service authenticates the
`access-plugin` user by issuing short-lived TLS credentials. In this case, we
will need to request the credentials manually by *impersonating* the
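Review bot: This step is "Create the user and role:" and `access-plugin.yaml` creates both the `access-plugin` user and its role, but the inserted partial only says roles can be created in the Web UI. A reader may take it as a full substitute for the `tctl create -f access-plugin.yaml` command and skip creating the user. Either add a sentence here that the user still has to be created with `tctl`, or only include the partial after steps that create a role alone.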
diff --git a/docs/pages/includes/plugins/rbac-with-friendly-name.mdx b/docs/pages/includes/plugins/rbac-with-friendly-name.mdx
index f7fc43c266427..301e9b87fc36e 100644
--- a/docs/pages/includes/plugins/rbac-with-friendly-name.mdx
+++ b/docs/pages/includes/plugins/rbac-with-friendly-name.mdx
@@ -73,3 +73,5 @@ Create the user and role:
```code
$ tctl create -f access-plugin.yaml
```
+
+(!docs/pages/includes/create-role-using-web.mdx!)
\ No newline at end of file
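Review bot: As in rbac-update.mdx, the preceding step creates both a user and a role from `access-plugin.yaml`, so the Web UI note covers only half of what `tctl create -f access-plugin.yaml` does; clarify that the user is still created with `tctl`. The file also ends without a trailing newline (`\ No newline at end of file`).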
diff --git a/docs/pages/includes/plugins/rbac.mdx b/docs/pages/includes/plugins/rbac.mdx
index 1a8e5a2236fbb..d1a5a4dad5f6c 100644
--- a/docs/pages/includes/plugins/rbac.mdx
+++ b/docs/pages/includes/plugins/rbac.mdx
@@ -32,3 +32,5 @@ Create the user and role:
```code
$ tctl create -f access-plugin.yaml
```
+
+(!docs/pages/includes/create-role-using-web.mdx!)
\ No newline at end of file
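Review bot: Same concern as the other two "Create the user and role:" includes in this PR: the partial mentions roles only, while `access-plugin.yaml` also creates the `access-plugin` user, so say that the user still requires `tctl create`. Add a trailing newline to the file as well (`\ No newline at end of file`).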
diff --git a/docs/pages/includes/server-access/custom-installer.mdx b/docs/pages/includes/server-access/custom-installer.mdx
index 4d046e5c5bc12..174a12de3942e 100644
--- a/docs/pages/includes/server-access/custom-installer.mdx
+++ b/docs/pages/includes/server-access/custom-installer.mdx
@@ -21,6 +21,8 @@ $ tctl create -f installer-manager.yaml
# role 'installer-manager' has been created
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
The preset `editor` role has the required permissions by default.
To customize the default installer script, execute the following command on
diff --git a/docs/pages/reference/agent-services/database-access-reference/cli.mdx b/docs/pages/reference/agent-services/database-access-reference/cli.mdx
index 9a3b50c81fd06..89e379a3c8690 100644
--- a/docs/pages/reference/agent-services/database-access-reference/cli.mdx
+++ b/docs/pages/reference/agent-services/database-access-reference/cli.mdx
@@ -228,6 +228,8 @@ Create the role:
$ tctl create -f db-impersonator.yaml
```
+(!docs/pages/includes/create-role-using-web.mdx!)
+
Open your Teleport user's dynamic configuration resource in your editor so you
can add the `db-impersonator` role:
diff --git a/docs/pages/upgrading/automatic-agent-updates.mdx b/docs/pages/upgrading/automatic-agent-updates.mdx
index f6c8a27c6f78a..e219243c1e1e6 100644
--- a/docs/pages/upgrading/automatic-agent-updates.mdx
+++ b/docs/pages/upgrading/automatic-agent-updates.mdx
@@ -81,6 +81,8 @@ Teleport cluster that agents use to determine when to check for upgrades.
$ tctl create cmc-editor.yaml
```
+ (!docs/pages/includes/create-role-using-web.mdx!)
+
1. Add the role to your Teleport user:
(!docs/pages/includes/add-role-to-user.mdx role="cmc-editor"!)
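Review bot: Two points on this hunk. The context line `$ tctl create cmc-editor.yaml` has no `-f`, unlike the other `tctl create -f ...` snippets in the PR; without `-f` (`--force`) the command errors if the `cmc-editor` role already exists, so consider aligning it. Second, the include is indented by one space to stay inside the list step, and the partial itself starts with a blank line and space-indented text, so confirm in a preview that the list continues correctly into `1. Add the role to your Teleport user:`.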