gravitational
diff --git a/‎integration/tctl_terraform_env_test.go
+2-2 b/‎integration/tctl_terraform_env_test.go
+2-2
diff --git a/‎tool/tctl/common/access_request_command.go
+21-10 b/‎tool/tctl/common/access_request_command.go
+21-10
diff --git a/‎tool/tctl/common/accessmonitoring/command.go
+12-4 b/‎tool/tctl/common/accessmonitoring/command.go
+12-4
diff --git a/‎tool/tctl/common/acl_command.go
+17-7 b/‎tool/tctl/common/acl_command.go
+17-7
diff --git a/‎tool/tctl/common/admin_action_test.go
+5-2 b/‎tool/tctl/common/admin_action_test.go
+5-2
diff --git a/‎tool/tctl/common/alert_command.go
+15-5 b/‎tool/tctl/common/alert_command.go
+15-5
diff --git a/‎tool/tctl/common/app_command.go
+13-3 b/‎tool/tctl/common/app_command.go
+13-3
@@ -105,7 +105,7 @@ func TestTCTLTerraformCommand_ProxyJoin(t *testing.T) {
 	tctlCommand := common.TerraformCommand{}
 
 	app := kingpin.New("test", "test")
-	tctlCommand.Initialize(app, tctlCfg)
+	tctlCommand.Initialize(app, nil, tctlCfg)
 	_, err = app.Parse([]string{"terraform", "env"})
 	require.NoError(t, err)
 	// Create io buffer writer
@@ -179,7 +179,7 @@ func TestTCTLTerraformCommand_AuthJoin(t *testing.T) {
 	tctlCommand := common.TerraformCommand{}
 
 	app := kingpin.New("test", "test")
-	tctlCommand.Initialize(app, tctlCfg)
+	tctlCommand.Initialize(app, nil, tctlCfg)
 	_, err = app.Parse([]string{"terraform", "env"})
 	require.NoError(t, err)
 	// Create io buffer writer
 
@@ -39,6 +39,8 @@ import (
 	"github.com/gravitational/teleport/lib/service/servicecfg"
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/tlsca"
+	commonclient "github.com/gravitational/teleport/tool/tctl/common/client"
+	tctlcfg "github.com/gravitational/teleport/tool/tctl/common/config"
 )
 
 // AccessRequestCommand implements `tctl users` set of commands
@@ -76,7 +78,7 @@ type AccessRequestCommand struct {
 }
 
 // Initialize allows AccessRequestCommand to plug itself into the CLI parser
-func (c *AccessRequestCommand) Initialize(app *kingpin.Application, config *servicecfg.Config) {
+func (c *AccessRequestCommand) Initialize(app *kingpin.Application, _ *tctlcfg.GlobalCLIFlags, config *servicecfg.Config) {
 	c.config = config
 	requests := app.Command("requests", "Manage access requests.").Alias("request")
 
@@ -125,27 +127,36 @@ func (c *AccessRequestCommand) Initialize(app *kingpin.Application, config *serv
 }
 
 // TryRun takes the CLI command as an argument (like "access-request list") and executes it.
-func (c *AccessRequestCommand) TryRun(ctx context.Context, cmd string, client *authclient.Client) (match bool, err error) {
+func (c *AccessRequestCommand) TryRun(ctx context.Context, cmd string, clientFunc commonclient.InitFunc) (match bool, err error) {
+	var commandFunc func(ctx context.Context, client *authclient.Client) error
 	switch cmd {
 	case c.requestList.FullCommand():
-		err = c.List(ctx, client)
+		commandFunc = c.List
 	case c.requestGet.FullCommand():
-		err = c.Get(ctx, client)
+		commandFunc = c.Get
 	case c.requestApprove.FullCommand():
-		err = c.Approve(ctx, client)
+		commandFunc = c.Approve
 	case c.requestDeny.FullCommand():
-		err = c.Deny(ctx, client)
+		commandFunc = c.Deny
 	case c.requestCreate.FullCommand():
-		err = c.Create(ctx, client)
+		commandFunc = c.Create
 	case c.requestDelete.FullCommand():
-		err = c.Delete(ctx, client)
+		commandFunc = c.Delete
 	case c.requestCaps.FullCommand():
-		err = c.Caps(ctx, client)
+		commandFunc = c.Caps
 	case c.requestReview.FullCommand():
-		err = c.Review(ctx, client)
+		commandFunc = c.Review
 	default:
 		return false, nil
 	}
+
+	client, closeFn, err := clientFunc(ctx)
+	if err != nil {
+		return false, trace.Wrap(err)
+	}
+	err = commandFunc(ctx, client)
+	closeFn(ctx)
+
 	return true, trace.Wrap(err)
 }
 
 
@@ -35,6 +35,8 @@ import (
 	"github.com/gravitational/teleport/lib/auth/authclient"
 	"github.com/gravitational/teleport/lib/service/servicecfg"
 	"github.com/gravitational/teleport/lib/utils"
+	commonclient "github.com/gravitational/teleport/tool/tctl/common/client"
+	tctlcfg "github.com/gravitational/teleport/tool/tctl/common/config"
 )
 
 // Command implements `tctl audit` group of commands.
@@ -44,7 +46,7 @@ type Command struct {
 }
 
 // Initialize allows to implement Command interface.
-func (c *Command) Initialize(app *kingpin.Application, cfg *servicecfg.Config) {
+func (c *Command) Initialize(app *kingpin.Application, _ *tctlcfg.GlobalCLIFlags, cfg *servicecfg.Config) {
 	c.innerCmdMap = map[string]runFunc{}
 
 	auditCmd := app.Command("audit", "Audit command.")
@@ -114,13 +116,19 @@ func (c *Command) initAuditReportsCommands(auditCmd *kingpin.CmdClause, cfg *ser
 
 type runFunc func(context.Context, *authclient.Client) error
 
-func (c *Command) TryRun(ctx context.Context, selectedCommand string, authClient *authclient.Client) (match bool, err error) {
-	handler, ok := c.innerCmdMap[selectedCommand]
+func (c *Command) TryRun(ctx context.Context, cmd string, clientFunc commonclient.InitFunc) (match bool, err error) {
+	handler, ok := c.innerCmdMap[cmd]
 	if !ok {
 		return false, nil
 	}
 
-	switch err := trail.FromGRPC(handler(ctx, authClient)); {
+	client, closeFn, err := clientFunc(ctx)
+	if err != nil {
+		return false, trace.Wrap(err)
+	}
+	defer closeFn(ctx)
+
+	switch err := trail.FromGRPC(handler(ctx, client)); {
 	case trace.IsNotImplemented(err):
 		return true, trace.AccessDenied("Access Monitoring requires a Teleport Enterprise Auth Server.")
 	default:
 
@@ -35,6 +35,8 @@ import (
 	"github.com/gravitational/teleport/lib/auth/authclient"
 	"github.com/gravitational/teleport/lib/service/servicecfg"
 	"github.com/gravitational/teleport/lib/utils"
+	commonclient "github.com/gravitational/teleport/tool/tctl/common/client"
+	tctlcfg "github.com/gravitational/teleport/tool/tctl/common/config"
 )
 
 // ACLCommand implements the `tctl acl` family of commands.
@@ -64,7 +66,7 @@ const (
 )
 
 // Initialize allows ACLCommand to plug itself into the CLI parser
-func (c *ACLCommand) Initialize(app *kingpin.Application, _ *servicecfg.Config) {
+func (c *ACLCommand) Initialize(app *kingpin.Application, _ *tctlcfg.GlobalCLIFlags, _ *servicecfg.Config) {
 	acl := app.Command("acl", "Manage access lists.").Alias("access-lists")
 
 	c.ls = acl.Command("ls", "List cluster access lists.")
@@ -93,21 +95,29 @@ func (c *ACLCommand) Initialize(app *kingpin.Application, _ *servicecfg.Config)
 }
 
 // TryRun takes the CLI command as an argument (like "acl ls") and executes it.
-func (c *ACLCommand) TryRun(ctx context.Context, cmd string, client *authclient.Client) (match bool, err error) {
+func (c *ACLCommand) TryRun(ctx context.Context, cmd string, clientFunc commonclient.InitFunc) (match bool, err error) {
+	var commandFunc func(ctx context.Context, client *authclient.Client) error
 	switch cmd {
 	case c.ls.FullCommand():
-		err = c.List(ctx, client)
+		commandFunc = c.List
 	case c.get.FullCommand():
-		err = c.Get(ctx, client)
+		commandFunc = c.Get
 	case c.usersAdd.FullCommand():
-		err = c.UsersAdd(ctx, client)
+		commandFunc = c.UsersAdd
 	case c.usersRemove.FullCommand():
-		err = c.UsersRemove(ctx, client)
+		commandFunc = c.UsersRemove
 	case c.usersList.FullCommand():
-		err = c.UsersList(ctx, client)
+		commandFunc = c.UsersList
 	default:
 		return false, nil
 	}
+	client, closeFn, err := clientFunc(ctx)
+	if err != nil {
+		return false, trace.Wrap(err)
+	}
+	err = commandFunc(ctx, client)
+	closeFn(ctx)
+
 	return true, trace.Wrap(err)
 }
 
 
@@ -58,6 +58,7 @@ import (
 	"github.com/gravitational/teleport/lib/utils"
 	"github.com/gravitational/teleport/lib/utils/hostid"
 	tctl "github.com/gravitational/teleport/tool/tctl/common"
+	tctlcfg "github.com/gravitational/teleport/tool/tctl/common/config"
 	testserver "github.com/gravitational/teleport/tool/teleport/testenv"
 	tsh "github.com/gravitational/teleport/tool/tsh/common"
 )
@@ -1156,13 +1157,15 @@ func runTestCase(t *testing.T, ctx context.Context, client *authclient.Client, t
 
 	app := utils.InitCLIParser("tctl", tctl.GlobalHelpString)
 	cfg := servicecfg.MakeDefaultConfig()
-	tc.cliCommand.Initialize(app, cfg)
+	tc.cliCommand.Initialize(app, &tctlcfg.GlobalCLIFlags{}, cfg)
 
 	args := strings.Split(tc.command, " ")
 	commandName, err := app.Parse(args)
 	require.NoError(t, err)
 
-	match, err := tc.cliCommand.TryRun(ctx, commandName, client)
+	match, err := tc.cliCommand.TryRun(ctx, commandName, func(context.Context) (*authclient.Client, func(context.Context), error) {
+		return client, func(context.Context) {}, nil
+	})
 	require.True(t, match)
 	return err
 }
 
@@ -37,6 +37,8 @@ import (
 	"github.com/gravitational/teleport/lib/auth/authclient"
 	libclient "github.com/gravitational/teleport/lib/client"
 	"github.com/gravitational/teleport/lib/service/servicecfg"
+	commonclient "github.com/gravitational/teleport/tool/tctl/common/client"
+	tctlcfg "github.com/gravitational/teleport/tool/tctl/common/config"
 )
 
 // AlertCommand implements the `tctl alerts` family of commands.
@@ -62,7 +64,7 @@ type AlertCommand struct {
 }
 
 // Initialize allows AlertCommand to plug itself into the CLI parser
-func (c *AlertCommand) Initialize(app *kingpin.Application, config *servicecfg.Config) {
+func (c *AlertCommand) Initialize(app *kingpin.Application, _ *tctlcfg.GlobalCLIFlags, config *servicecfg.Config) {
 	c.config = config
 	alert := app.Command("alerts", "Manage cluster alerts.").Alias("alert")
 
@@ -93,17 +95,25 @@ func (c *AlertCommand) Initialize(app *kingpin.Application, config *servicecfg.C
 }
 
 // TryRun takes the CLI command as an argument (like "alerts ls") and executes it.
-func (c *AlertCommand) TryRun(ctx context.Context, cmd string, client *authclient.Client) (match bool, err error) {
+func (c *AlertCommand) TryRun(ctx context.Context, cmd string, clientFunc commonclient.InitFunc) (match bool, err error) {
+	var commandFunc func(ctx context.Context, client *authclient.Client) error
 	switch cmd {
 	case c.alertList.FullCommand():
-		err = c.List(ctx, client)
+		commandFunc = c.List
 	case c.alertCreate.FullCommand():
-		err = c.Create(ctx, client)
+		commandFunc = c.Create
 	case c.alertAck.FullCommand():
-		err = c.Ack(ctx, client)
+		commandFunc = c.Ack
 	default:
 		return false, nil
 	}
+	client, closeFn, err := clientFunc(ctx)
+	if err != nil {
+		return false, trace.Wrap(err)
+	}
+	err = commandFunc(ctx, client)
+	closeFn(ctx)
+
 	return true, trace.Wrap(err)
 }
 
 
@@ -34,6 +34,8 @@ import (
 	libclient "github.com/gravitational/teleport/lib/client"
 	"github.com/gravitational/teleport/lib/service/servicecfg"
 	"github.com/gravitational/teleport/lib/utils"
+	commonclient "github.com/gravitational/teleport/tool/tctl/common/client"
+	tctlcfg "github.com/gravitational/teleport/tool/tctl/common/config"
 )
 
 // AppsCommand implements "tctl apps" group of commands.
@@ -55,7 +57,7 @@ type AppsCommand struct {
 }
 
 // Initialize allows AppsCommand to plug itself into the CLI parser
-func (c *AppsCommand) Initialize(app *kingpin.Application, config *servicecfg.Config) {
+func (c *AppsCommand) Initialize(app *kingpin.Application, _ *tctlcfg.GlobalCLIFlags, config *servicecfg.Config) {
 	c.config = config
 
 	apps := app.Command("apps", "Operate on applications registered with the cluster.")
@@ -68,13 +70,21 @@ func (c *AppsCommand) Initialize(app *kingpin.Application, config *servicecfg.Co
 }
 
 // TryRun attempts to run subcommands like "apps ls".
-func (c *AppsCommand) TryRun(ctx context.Context, cmd string, client *authclient.Client) (match bool, err error) {
+func (c *AppsCommand) TryRun(ctx context.Context, cmd string, clientFunc commonclient.InitFunc) (match bool, err error) {
+	var commandFunc func(ctx context.Context, client *authclient.Client) error
 	switch cmd {
 	case c.appsList.FullCommand():
-		err = c.ListApps(ctx, client)
+		commandFunc = c.ListApps
 	default:
 		return false, nil
 	}
+	client, closeFn, err := clientFunc(ctx)
+	if err != nil {
+		return false, trace.Wrap(err)
+	}
+	err = commandFunc(ctx, client)
+	closeFn(ctx)
+
 	return true, trace.Wrap(err)
 }