diff --git a/docs/pages/access-controls/getting-started.mdx b/docs/pages/access-controls/getting-started.mdx
index 41c19b7bc496a..169df79e66d99 100644
--- a/docs/pages/access-controls/getting-started.mdx
+++ b/docs/pages/access-controls/getting-started.mdx
@@ -122,7 +122,7 @@ Save this role as `interns.yaml`:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: interns
 spec:
diff --git a/docs/pages/access-controls/guides/dual-authz.mdx b/docs/pages/access-controls/guides/dual-authz.mdx
index cdf8cb008d300..39a1a78f364bc 100644
--- a/docs/pages/access-controls/guides/dual-authz.mdx
+++ b/docs/pages/access-controls/guides/dual-authz.mdx
@@ -80,7 +80,7 @@ spec:
 version: v2
 ---
 kind: role
-version: v5
+version: v4
 metadata:
   name: access-plugin
 spec:
@@ -162,7 +162,7 @@ Create `dbadmin`, `reviewer` and `devops` roles:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: reviewer
 spec:
@@ -171,7 +171,7 @@ spec:
       roles: ['dbadmin']
 ---
 kind: role
-version: v5
+version: v4
 metadata:
   name: devops
 spec:
@@ -183,7 +183,7 @@ spec:
           deny: 1
 ---
 kind: role
-version: v5
+version: v4
 metadata:
   name: dbadmin
 spec:
diff --git a/docs/pages/access-controls/guides/impersonation.mdx b/docs/pages/access-controls/guides/impersonation.mdx
index 38c4117fc9703..6fdacfb46e372 100644
--- a/docs/pages/access-controls/guides/impersonation.mdx
+++ b/docs/pages/access-controls/guides/impersonation.mdx
@@ -32,7 +32,7 @@ Save this file as `jenkins.yaml` to create the user and role:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: jenkins
 spec:
@@ -77,7 +77,7 @@ Save this role definition as `impersonator.yaml`:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: impersonator
 spec:
@@ -179,7 +179,7 @@ allowed the impersonation of any users or roles with the label
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: security-impersonator
 spec:
@@ -214,7 +214,7 @@ Create a user and a role `security-scanner` using the following template:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: security-scanner
   labels:
@@ -256,7 +256,7 @@ as the label on the role and/or user to impersonate:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: security-impersonator
 spec:
diff --git a/docs/pages/access-controls/guides/locking.mdx b/docs/pages/access-controls/guides/locking.mdx
index cf998c047d872..2d12b8dbe2bba 100644
--- a/docs/pages/access-controls/guides/locking.mdx
+++ b/docs/pages/access-controls/guides/locking.mdx
@@ -105,7 +105,7 @@ Create a role `locksmith`:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: locksmith
 spec:
@@ -231,7 +231,7 @@ It is also possible to configure the locking mode for a particular role:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
     name: example-role-with-strict-locking
 spec:
diff --git a/docs/pages/access-controls/guides/moderated-sessions.mdx b/docs/pages/access-controls/guides/moderated-sessions.mdx
index fee04919ef893..ef3f9447eb072 100644
--- a/docs/pages/access-controls/guides/moderated-sessions.mdx
+++ b/docs/pages/access-controls/guides/moderated-sessions.mdx
@@ -4,6 +4,10 @@ description: Moderated Sessions
 h1: Moderated Sessions
 ---
 
+<Details title="Version Requirements" min="8.3" opened>
+  Moderated Sessions require `version: v5` roles, which are only available in Teleport 8.3.0 and above.
+</Details>
+
 ## Introduction
 
 Moderated Sessions allows Teleport administrators to
@@ -54,6 +58,7 @@ When a user with this require policy starts a session, it will be pending
 until the policy is fulfilled. 
 
 ```yaml
+version: v5
 kind: role
 metadata:
   name: prod-access
@@ -86,6 +91,7 @@ The following allow policy attaches to the role `auditor` and allows one to join
 SSH and Kubernetes sessions started by a user with the role `prod-access` as a moderator or observer.
 
 ```yaml
+version: v5
 kind: role
 metadata:
   name: auditor
diff --git a/docs/pages/access-controls/guides/per-session-mfa.mdx b/docs/pages/access-controls/guides/per-session-mfa.mdx
index ba345130986ed..e8be4d5063547 100644
--- a/docs/pages/access-controls/guides/per-session-mfa.mdx
+++ b/docs/pages/access-controls/guides/per-session-mfa.mdx
@@ -87,7 +87,7 @@ Olga defines two Teleport roles: `access-dev` and `access-prod`:
 ```yaml
 # access-dev.yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: access-dev
 spec:
@@ -100,7 +100,7 @@ spec:
 ---
 # access-prod.yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: access-prod
 spec:
diff --git a/docs/pages/access-controls/guides/role-templates.mdx b/docs/pages/access-controls/guides/role-templates.mdx
index 855808ef949e6..90c63b98b9492 100644
--- a/docs/pages/access-controls/guides/role-templates.mdx
+++ b/docs/pages/access-controls/guides/role-templates.mdx
@@ -36,7 +36,7 @@ We can create two roles, one for each user in file `roles.yaml`:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: alice
 spec:
@@ -49,7 +49,7 @@ spec:
       '*': '*'
 ---
 kind: role
-version: v5
+version: v4
 metadata:
   name: bob
 spec:
@@ -78,7 +78,7 @@ Let's create a role template `devs.yaml`:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: devs
 spec:
@@ -173,7 +173,7 @@ to be set by identity provider. Save this role as `sso-users.yaml`:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: sso-users
 spec:
@@ -255,7 +255,7 @@ Let's see how these variables are used with role template `interpolation`:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: interpolation
 spec:
@@ -288,7 +288,7 @@ behave as the following role:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: interpolation
 spec:
diff --git a/docs/pages/access-controls/reference.mdx b/docs/pages/access-controls/reference.mdx
index 3411ea7370aba..5baa3c5fa8528 100644
--- a/docs/pages/access-controls/reference.mdx
+++ b/docs/pages/access-controls/reference.mdx
@@ -41,9 +41,15 @@ $ tctl get roles
 
 A role definition looks like this:
 
+<Details title="Role Versioning" min="8.3" opened>
+  The role example below uses `version: v4` for compatability reasons. Note that
+  the `join_sessions` and `require_session_join` fields are only supported on `version: v5` roles,
+  which are otherwise identical to `version: v4`.
+</Details>
+
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: example
 spec:
@@ -230,12 +236,18 @@ that are more appropriately scoped.
 
 ### Role versions
 
-There are currently two supported role versions: `v3` and `v5`. `v5` roles are
-completely backwards-compatible with `v3`, the only difference lies in the
-default allow labels which will be applied to the role if they are not
+There are currently three supported role versions: `v3`, `v4` and `v5`. `v4` roles are
+completely backwards-compatible with `v3`. The only difference lies in the
+default allow labels, which will be applied to the role if they are not
 explicitly set.
 
-Label              | `v3` Default   | `v5` Default
+`v5` roles are also backwards compatible with `v4`. They add
+the `join_sessions` and `require_session_join` fields related to [Moderated Sessions](./guides/moderated-sessions.mdx).
+
+Upon upgrading to Telport 8.3.0 or later, new roles will be created with `version: v5` and old roles
+will be migrated as they are edited but not automatically.
+
+Label              | `v3` Default   | `v4` Default
 ------------------ | -------------- | ---------------
 `node_labels`       | `[{"*": "*"}]` if the role has any logins, else `[]` | `[]`
 `app_labels`        | `[{"*": "*"}]` | `[]`
@@ -263,7 +275,7 @@ Access to any other nodes will be denied:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: example-role
 spec:
@@ -293,7 +305,7 @@ Below are a few examples for more complex filtering using various regexes.
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: example-role
 spec:
@@ -370,7 +382,7 @@ downgrade they will become invalid.
 Role for restricted access to session recordings:
 
 ```yaml
-version: v5
+version: v4
 kind: role
 metadata:
   name: only-own-sessions
@@ -387,7 +399,7 @@ spec:
 Role for restricted access to active sessions:
 
 ```yaml
-version: v5
+version: v4
 kind: role
 metadata:
   name: only-own-ssh-sessions
diff --git a/docs/pages/api/architecture.mdx b/docs/pages/api/architecture.mdx
index 2363531aac0d1..11a3bb3306d95 100644
--- a/docs/pages/api/architecture.mdx
+++ b/docs/pages/api/architecture.mdx
@@ -36,7 +36,7 @@ spec:
   deny:
     node_labels:
       '*': '*'
-version: v5
+version: v4
 EOF
 # Create role
 tctl create -f api-role.yaml
diff --git a/docs/pages/application-access/controls.mdx b/docs/pages/application-access/controls.mdx
index b94f9ab26ff2c..c4956e432ddcf 100644
--- a/docs/pages/application-access/controls.mdx
+++ b/docs/pages/application-access/controls.mdx
@@ -41,7 +41,7 @@ For example, this role will grant access to all applications from the group
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: dev
 spec:
diff --git a/docs/pages/application-access/guides/aws-console.mdx b/docs/pages/application-access/guides/aws-console.mdx
index f6efd76959ecf..0f991c29dd6f9 100644
--- a/docs/pages/application-access/guides/aws-console.mdx
+++ b/docs/pages/application-access/guides/aws-console.mdx
@@ -142,7 +142,7 @@ role ARNs this particular role permits its users to assume:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: aws-console-access
 spec:
diff --git a/docs/pages/database-access/guides/mysql-self-hosted.mdx b/docs/pages/database-access/guides/mysql-self-hosted.mdx
index 9646c7bab41e5..046ea01b2580e 100644
--- a/docs/pages/database-access/guides/mysql-self-hosted.mdx
+++ b/docs/pages/database-access/guides/mysql-self-hosted.mdx
@@ -74,7 +74,7 @@ database account:
 ```bash
 tctl --config=/path/to/teleport-db-role.yaml create <<EOF
 kind: role
-version: v5
+version: v4
 metadata:
   name: db
 spec:
diff --git a/docs/pages/database-access/guides/postgres-self-hosted.mdx b/docs/pages/database-access/guides/postgres-self-hosted.mdx
index 162873d4190aa..fbebbc5d5a069 100644
--- a/docs/pages/database-access/guides/postgres-self-hosted.mdx
+++ b/docs/pages/database-access/guides/postgres-self-hosted.mdx
@@ -70,7 +70,7 @@ database account:
 ```bash
 tctl --config=/path/to/teleport.yaml create <<EOF
 kind: role
-version: v5
+version: v4
 metadata:
   name: db
 spec:
diff --git a/docs/pages/database-access/rbac.mdx b/docs/pages/database-access/rbac.mdx
index ab9f96be220bd..f342a6183af56 100644
--- a/docs/pages/database-access/rbac.mdx
+++ b/docs/pages/database-access/rbac.mdx
@@ -23,7 +23,7 @@ database access:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: developer
 spec:
@@ -55,7 +55,7 @@ production database except for the internal "postgres" database/user:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: developer
 spec:
diff --git a/docs/pages/desktop-access/getting-started.mdx b/docs/pages/desktop-access/getting-started.mdx
index d17b50d4f3054..5c150de399cf3 100644
--- a/docs/pages/desktop-access/getting-started.mdx
+++ b/docs/pages/desktop-access/getting-started.mdx
@@ -313,7 +313,7 @@ For example, you can create a role that gives its users access to all Windows de
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: windows-desktop-admins
 spec:
diff --git a/docs/pages/desktop-access/reference.mdx b/docs/pages/desktop-access/reference.mdx
index 0895d773881de..90729d4fabae5 100644
--- a/docs/pages/desktop-access/reference.mdx
+++ b/docs/pages/desktop-access/reference.mdx
@@ -60,7 +60,7 @@ desktop access:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: developer
 spec:
diff --git a/docs/pages/enterprise/sso.mdx b/docs/pages/enterprise/sso.mdx
index d8f377e82f489..f7aa73e0dbb29 100644
--- a/docs/pages/enterprise/sso.mdx
+++ b/docs/pages/enterprise/sso.mdx
@@ -126,7 +126,7 @@ connect to Teleport nodes. To support this:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: sso_user
 spec:
@@ -166,7 +166,7 @@ Here's how this looks in a Teleport role:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: sso_user
 spec:
diff --git a/docs/pages/enterprise/sso/azuread.mdx b/docs/pages/enterprise/sso/azuread.mdx
index f1cf22b60985f..e19ee756b8383 100644
--- a/docs/pages/enterprise/sso/azuread.mdx
+++ b/docs/pages/enterprise/sso/azuread.mdx
@@ -146,7 +146,7 @@ obtain admin access to Teleport.
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: dev
 spec:
diff --git a/docs/pages/enterprise/sso/gitlab.mdx b/docs/pages/enterprise/sso/gitlab.mdx
index 9ffd4523b7463..4eb3b77dc3d8b 100644
--- a/docs/pages/enterprise/sso/gitlab.mdx
+++ b/docs/pages/enterprise/sso/gitlab.mdx
@@ -110,7 +110,7 @@ root and is capable of administrating the cluster and non-privileged dev.
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: admin
 spec:
@@ -129,7 +129,7 @@ The developer role:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: dev
 spec:
diff --git a/docs/pages/enterprise/sso/okta.mdx b/docs/pages/enterprise/sso/okta.mdx
index f5d374e9ea70a..5d7e46979a73f 100644
--- a/docs/pages/enterprise/sso/okta.mdx
+++ b/docs/pages/enterprise/sso/okta.mdx
@@ -124,7 +124,7 @@ and just have the username prefix.
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: dev
 spec:
diff --git a/docs/pages/enterprise/sso/one-login.mdx b/docs/pages/enterprise/sso/one-login.mdx
index a0222e3709c3a..9a0228ad71445 100644
--- a/docs/pages/enterprise/sso/one-login.mdx
+++ b/docs/pages/enterprise/sso/one-login.mdx
@@ -133,7 +133,7 @@ obtain admin access to Teleport.
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: dev
 spec:
diff --git a/docs/pages/enterprise/workflow/index.mdx b/docs/pages/enterprise/workflow/index.mdx
index a36d3bf73c42b..921641b56a42d 100644
--- a/docs/pages/enterprise/workflow/index.mdx
+++ b/docs/pages/enterprise/workflow/index.mdx
@@ -24,7 +24,7 @@ This role allows the contractor to request the role DBA.
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: contractor
 spec:
@@ -43,7 +43,7 @@ This role allows the contractor to request the role DBA.
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: dba
 spec:
@@ -62,7 +62,7 @@ This role allows the admin to approve the contractor's request.
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: admin
 spec:
@@ -131,7 +131,7 @@ the permission of the `dba`.
 # Example role that explicitly denies a contractor from requesting the admin
 # role.
 kind: role
-version: v5
+version: v4
 metadata:
 name: contractor
 spec:
diff --git a/docs/pages/enterprise/workflow/ssh-approval-jira-cloud.mdx b/docs/pages/enterprise/workflow/ssh-approval-jira-cloud.mdx
index fe5ce015141c2..5746e57f9aaf8 100644
--- a/docs/pages/enterprise/workflow/ssh-approval-jira-cloud.mdx
+++ b/docs/pages/enterprise/workflow/ssh-approval-jira-cloud.mdx
@@ -46,7 +46,7 @@ spec:
     # teleport currently refuses to issue certs for a user with 0 logins,
     # this restriction may be lifted in future versions.
     logins: ['access-plugin-jira']
-version: v5
+version: v4
 EOF
 
 # ...
diff --git a/docs/pages/enterprise/workflow/ssh-approval-jira-server.mdx b/docs/pages/enterprise/workflow/ssh-approval-jira-server.mdx
index 1357bd2971e90..0dc557bf5fbd7 100644
--- a/docs/pages/enterprise/workflow/ssh-approval-jira-server.mdx
+++ b/docs/pages/enterprise/workflow/ssh-approval-jira-server.mdx
@@ -64,7 +64,7 @@ spec:
     # teleport currently refuses to issue certs for a user with 0 logins,
     # this restriction may be lifted in future versions.
     logins: ['access-plugin-jira']
-version: v5
+version: v4
 EOF
 
 # ...
diff --git a/docs/pages/enterprise/workflow/ssh-approval-mattermost.mdx b/docs/pages/enterprise/workflow/ssh-approval-mattermost.mdx
index cc2ceff979154..90e52ca5d9fa8 100644
--- a/docs/pages/enterprise/workflow/ssh-approval-mattermost.mdx
+++ b/docs/pages/enterprise/workflow/ssh-approval-mattermost.mdx
@@ -88,7 +88,7 @@ spec:
     # teleport currently refuses to issue certs for a user with 0 logins,
     # this restriction may be lifted in future versions.
     logins: ['access-plugin-mattermost']
-version: v5
+version: v4
 EOF
 
 # Run this to create the user and role in Teleport.
diff --git a/docs/pages/enterprise/workflow/ssh-approval-pagerduty.mdx b/docs/pages/enterprise/workflow/ssh-approval-pagerduty.mdx
index 824a7ca7913c6..b57a13713229d 100644
--- a/docs/pages/enterprise/workflow/ssh-approval-pagerduty.mdx
+++ b/docs/pages/enterprise/workflow/ssh-approval-pagerduty.mdx
@@ -51,7 +51,7 @@ spec:
     # teleport currently refuses to issue certs for a user with 0 logins,
     # this restriction may be lifted in future versions.
     logins: ['access-plugin-pagerduty']
-version: v5
+version: v4
 EOF
 
 # Run this to create the user and role in Teleport.
diff --git a/docs/pages/enterprise/workflow/ssh-approval-slack.mdx b/docs/pages/enterprise/workflow/ssh-approval-slack.mdx
index 14e3e90e21fb3..9953f6d2bb1de 100644
--- a/docs/pages/enterprise/workflow/ssh-approval-slack.mdx
+++ b/docs/pages/enterprise/workflow/ssh-approval-slack.mdx
@@ -50,7 +50,7 @@ The Teleport Cloud requires authenticating with a role that has [`impersonation`
 Login in with `tsh` with a user that has this role or has a role with these allows.
 ```
 kind: role
-version: v5
+version: v4
 metadata:
   name: plugin-admin
 spec:
@@ -83,7 +83,7 @@ spec:
 version: v2
 ---
 kind: role
-version: v5
+version: v4
 metadata:
   name: access-plugin
 spec:
diff --git a/docs/pages/getting-started/docker-compose.mdx b/docs/pages/getting-started/docker-compose.mdx
index 029de21319b56..0451cdec5fd9c 100644
--- a/docs/pages/getting-started/docker-compose.mdx
+++ b/docs/pages/getting-started/docker-compose.mdx
@@ -172,7 +172,7 @@ Teleport's user and role for used for bot access:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: bot
 spec:
diff --git a/docs/pages/kubernetes-access/controls.mdx b/docs/pages/kubernetes-access/controls.mdx
index e54f38de256d3..7a882f78f9960 100644
--- a/docs/pages/kubernetes-access/controls.mdx
+++ b/docs/pages/kubernetes-access/controls.mdx
@@ -105,7 +105,7 @@ be substituted to the users' group list in the role definition.
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: group-member
 spec:
@@ -229,7 +229,7 @@ Limit access to cluster based on the label:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: group-member
 spec:
diff --git a/docs/pages/kubernetes-access/getting-started/cluster.mdx b/docs/pages/kubernetes-access/getting-started/cluster.mdx
index 2f81a5786db39..5ec9a8a527f53 100644
--- a/docs/pages/kubernetes-access/getting-started/cluster.mdx
+++ b/docs/pages/kubernetes-access/getting-started/cluster.mdx
@@ -166,7 +166,7 @@ Save this role as `member.yaml`:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: member
 spec:
diff --git a/docs/pages/kubernetes-access/guides/cicd.mdx b/docs/pages/kubernetes-access/guides/cicd.mdx
index 9c3e70e41a2a7..ed538d375c138 100644
--- a/docs/pages/kubernetes-access/guides/cicd.mdx
+++ b/docs/pages/kubernetes-access/guides/cicd.mdx
@@ -14,7 +14,7 @@ to create credentials.
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: robot
 spec:
diff --git a/docs/pages/kubernetes-access/guides/migration.mdx b/docs/pages/kubernetes-access/guides/migration.mdx
index a0d41459e167f..09e2ce77fb6c7 100644
--- a/docs/pages/kubernetes-access/guides/migration.mdx
+++ b/docs/pages/kubernetes-access/guides/migration.mdx
@@ -343,7 +343,7 @@ First, set the set of Kubernetes labels a user can access on their roles:
 ```yaml
 # role-admin.yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: admin
 spec:
diff --git a/docs/pages/server-access/guides/restricted-session.mdx b/docs/pages/server-access/guides/restricted-session.mdx
index 54d3764499889..7cc616d682f6a 100644
--- a/docs/pages/server-access/guides/restricted-session.mdx
+++ b/docs/pages/server-access/guides/restricted-session.mdx
@@ -88,7 +88,7 @@ Create a file `netpolicy.yaml`:
 
 ```yaml
 kind: network_restrictions
-version: v5
+version: v4
 metadata:
   name: network-restrictions
 spec:
diff --git a/docs/pages/setup/admin/trustedclusters.mdx b/docs/pages/setup/admin/trustedclusters.mdx
index 7b9efe7868dc9..3f4434dddc6ec 100644
--- a/docs/pages/setup/admin/trustedclusters.mdx
+++ b/docs/pages/setup/admin/trustedclusters.mdx
@@ -238,7 +238,7 @@ First, we need to create a special role for root users on "leaf":
 # Save this into root-user-role.yaml on the leaf cluster and execute:
 # tctl create root-user-role.yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: local-admin
 spec:
diff --git a/docs/pages/setup/guides/ec2-tags.mdx b/docs/pages/setup/guides/ec2-tags.mdx
index f3228ceb2ac0e..6d2272139c86e 100644
--- a/docs/pages/setup/guides/ec2-tags.mdx
+++ b/docs/pages/setup/guides/ec2-tags.mdx
@@ -107,7 +107,7 @@ Now you have a label on the instance which you can use inside a Teleport role. H
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: test-tag-role
 spec:
diff --git a/docs/pages/setup/guides/fluentd.mdx b/docs/pages/setup/guides/fluentd.mdx
index 83e6847a7f59d..0a4e8e04f101c 100644
--- a/docs/pages/setup/guides/fluentd.mdx
+++ b/docs/pages/setup/guides/fluentd.mdx
@@ -116,7 +116,7 @@ spec:
     rules:
       - resources: ['event']
         verbs: ['list','read']
-version: v5
+version: v4
 ```
 
 Use `tctl` to create the role and the user:
@@ -150,7 +150,7 @@ Create the following file with role: `teleport-event-handler-impersonator.yaml`:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: teleport-event-handler-impersonator
 spec:
diff --git a/docs/pages/setup/guides/terraform-provider.mdx b/docs/pages/setup/guides/terraform-provider.mdx
index 33a5dd4441784..b8017cb2a65eb 100644
--- a/docs/pages/setup/guides/terraform-provider.mdx
+++ b/docs/pages/setup/guides/terraform-provider.mdx
@@ -64,7 +64,7 @@ spec:
     rules:
       - resources: ['user', 'role', 'token', 'trusted_cluster', 'github', 'oidc', 'saml']
         verbs: ['list','create','read','update','delete']
-version: v5
+version: v4
 ---
 kind: user
 metadata:
@@ -93,7 +93,7 @@ Create the following file with role: `terraform-impersonator.yaml`:
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: terraform-impersonator
 spec:
diff --git a/docs/pages/setup/reference/resources.mdx b/docs/pages/setup/reference/resources.mdx
index bdda5c4b2aa16..ede3d8a6bdd3a 100644
--- a/docs/pages/setup/reference/resources.mdx
+++ b/docs/pages/setup/reference/resources.mdx
@@ -166,7 +166,7 @@ Roles govern access to databases, SSH servers, kubernetes clusters, and web apps
 ```yaml
 ---
 kind: role
-version: v5
+version: v4
 metadata:
   name: example
 spec:
diff --git a/docs/pages/setup/security/reduce-blast-radius.mdx b/docs/pages/setup/security/reduce-blast-radius.mdx
index 5e95a598488f6..7cfc5ec21717e 100644
--- a/docs/pages/setup/security/reduce-blast-radius.mdx
+++ b/docs/pages/setup/security/reduce-blast-radius.mdx
@@ -112,7 +112,7 @@ You can enable some users to review other users' role escalation requests by app
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: reviewer
 spec:
@@ -128,7 +128,7 @@ You can require a user to request access from reviewers by applying a dynamic re
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: reviewee
 spec:
@@ -152,7 +152,7 @@ As an illustration, we have assigned user `myuser` to the `user` role, which we
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: user
 spec:
@@ -201,7 +201,7 @@ Analysts sometimes need write access to your organization's database in order to
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: analyst
 spec:
@@ -229,7 +229,7 @@ First, define a role with privileged but limited access. In the following exampl
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: editor
 spec:
@@ -243,7 +243,7 @@ Next, we define the general `user` role. Users with this role can review other u
 
 ```yaml
 kind: role
-version: v5
+version: v4
 metadata:
   name: user
 spec:
@@ -273,4 +273,4 @@ Two `user`s can grant elevated privileges to another `user` temporarily without
 ### Background reading
 - [Authentication connectors](../reference/authentication.mdx)
 - [Proxy Service](../../architecture/proxy.mdx)
-- [Auth Service](../../architecture/authentication.mdx)
\ No newline at end of file
+- [Auth Service](../../architecture/authentication.mdx)
