gravitational · webvictim · Apr 22, 2022 · Apr 21, 2022 · Apr 22, 2022 · Apr 22, 2022
diff --git a/docs/pages/setup/reference/cli.mdx b/docs/pages/setup/reference/cli.mdx
@@ -187,7 +187,7 @@ $ tsh ssh [<flags>] <[user@]host> [<command>...]
 `<[user@]host> [<command>...]`
 
 - `user` The login identity to use on the remote host. If `[user]` is not specified the user defaults to `$USER` or can be set with `--user`. If the flag `--user` and positional argument `[user]` are specified the arg `[user]` takes precedence.
-- `host` A `nodename` of a cluster node or a
+- `host` The `nodename` of a cluster Node or a label specification like `env=aws` to run on all matching hosts.
 - `command` The command to execute on a remote host.
 
 #### Flags
@@ -219,6 +219,8 @@ $ tsh ssh --proxy proxy.example.com --user teleport -d root@grav-00
 # `tsh ssh` takes the same arguments as OpenSSH client:
 $ tsh ssh -o ForwardAgent=yes root@grav-00
 $ tsh ssh -o AddKeysToAgent=yes root@grav-00
+# Run `hostname` on all nodes with the `env: aws` label
+$ tsh ssh root@env=aws hostname
 ```
 
 ### tsh config
@@ -684,7 +686,7 @@ can be exported with `tctl auth sign` or `tsh login --out=<output-path>`.
 
   Note that when a `tctl` command is run locally on an Auth Service, the audit
   logs will show that it was performed by the Auth Service itself.
-  
+
   To properly audit admin actions at scale, it is important to limit direct SSH
   access to the Auth Service with
   [Access Controls](../../access-controls/introduction.mdx) and ensure that