Teleport
AWS Redshift Automatic User Provisioning
- Version 15.x
- Version 14.x
- Version 13.x
- Version 12.x
- Older Versions
- Available for:
- OpenSource
- Team
- Cloud
- Enterprise
Teleport can automatically create users in your database, removing the need for creating individual user accounts in advance or using the same set of shared database accounts for all users.
Prerequisites
- Teleport cluster v14.1.3 or higher with a configured AWS Redshift database.
- Ability to connect to and create user accounts in the target database.
Automatic user provisioning is not compatible with Redshift Serverless.
Step 1/3. Configure database admin
Teleport uses the same authentication mechanism (IAM authentication) when connecting as an admin user as for regular user connections.
The admin user must have privileges within the database to create users and grant them privileges. The admin user must also have privileges to monitor user processes and role assignments:
CREATE USER "teleport-admin" WITH PASSWORD DISABLE;
GRANT ROLE "sys:superuser" TO "teleport-admin";
Users created by Teleport will be assigned the teleport-auto-user role in the
database, which will be created automatically if it doesn't exist.
Next, enable the database admin on the Teleport database configuration:
db_service:
enabled: "yes"
databases:
- name: "example"
protocol: "postgres"
uri: "redshift-cluster-1.abcdefghijklm.us-east-1.redshift.amazonaws.com:5439"
admin_user:
name: "teleport-admin"
kind: db
version: v3
metadata:
name: example
spec:
protocol: "postgres"
uri: "redshift-cluster-1.abcdefghijklm.us-east-1.redshift.amazonaws.com:5439"
admin_user:
name: "teleport-admin"
For auto-discovered cloud databases, the name of the admin user is taken from
the teleport.dev/db-admin label.
Step 2/3. Configure Teleport role
To specify the database roles a user should be assigned within the database,
use the db_roles role option:
kind: role
version: v7
metadata:
name: auto-db-users
spec:
options:
# create_db_user_mode enables automatic user provisioning for matching databases
create_db_user_mode: keep
allow:
db_labels:
"*": "*"
db_names:
- "*"
# db_roles is a list of roles the database user will be assigned
db_roles:
- reader
- "{{internal.db_roles}}"
- "{{external.db_roles}}"
With automatic user provisioning, users always connect to the database with
their Teleport username so the db_users role field is ignored for roles
that have database user provisioning enabled.
The available provisioning modes are:
-
off: Disables user provisioning. -
keep: Enables user provisioning and disables users at session end. The user will be stripped of all roles and the user account will be locked. -
best_effort_drop: Enables user provisioning and tries to drop user at session end. If the drop fails, fallback to disabling them (same askeepmode).
Users created within the database will:
- Have the same name as Teleport username.
- Be assigned the
teleport-auto-userrole. - Be assigned all roles from the Teleport user's role set that match the database. The role names must be valid and exist in the database.
Note that in case of a name conflict where a user with the same name already
exists in the database and is not managed by Teleport (i.e. not assigned the
teleport-auto-user role), the connection will be aborted.
Step 3/3. Connect to the database
Now, log into your Teleport cluster and connect to the database:
tsh login --proxy=teleport.example.comtsh db connect --db-name <database> example
When connecting to a database with user provisioning enabled, the Database Service expects your Teleport username will be used as the database username .
If using a GUI database client like pgAdmin, make sure to use your Teleport
username as the database username. tsh db connect will default to your
Teleport username automatically when connecting to a database with user
provisioning enabled.
Next steps
- Connect using your GUI database client.
- Learn about role templating.
- Read automatic user provisioning RFD.