Fork me on GitHub


AWS Redshift Automatic User Provisioning

  • Available for:
  • OpenSource
  • Team
  • Cloud
  • Enterprise

Teleport can automatically create users in your database, removing the need for creating individual user accounts in advance or using the same set of shared database accounts for all users.


  • Teleport cluster v14.1.3 or higher with a configured AWS Redshift database.
  • Ability to connect to and create user accounts in the target database.
Supported services

Automatic user provisioning is not compatible with Redshift Serverless.

Step 1/3. Configure database admin

Teleport uses the same authentication mechanism (IAM authentication) when connecting as an admin user as for regular user connections.

The admin user must have privileges within the database to create users and grant them privileges. The admin user must also have privileges to monitor user processes and role assignments:

GRANT ROLE "sys:superuser" TO "teleport-admin";

Users created by Teleport will be assigned the teleport-auto-user role in the database, which will be created automatically if it doesn't exist.

Next, enable the database admin on the Teleport database configuration:

  enabled: "yes"
  - name: "example"
    protocol: "postgres"
    uri: ""
      name: "teleport-admin"
kind: db
version: v3
  name: example
  protocol: "postgres"
  uri: ""
    name: "teleport-admin"
Auto-discovered databases

For auto-discovered cloud databases, the name of the admin user is taken from the label.

Step 2/3. Configure Teleport role

To specify the database roles a user should be assigned within the database, use the db_roles role option:

kind: role
version: v7
  name: auto-db-users
    # create_db_user_mode enables automatic user provisioning for matching databases
    create_db_user_mode: keep
      "*": "*"
    - "*"
    # db_roles is a list of roles the database user will be assigned
    - reader
    - "{{internal.db_roles}}"
    - "{{external.db_roles}}"

With automatic user provisioning, users always connect to the database with their Teleport username so the db_users role field is ignored for roles that have database user provisioning enabled.

The available provisioning modes are:

  • off: Disables user provisioning.

  • keep: Enables user provisioning and disables users at session end. The user will be stripped of all roles and the user account will be locked.

  • best_effort_drop: Enables user provisioning and tries to drop user at session end. If the drop fails, fallback to disabling them (same as keep mode).

Users created within the database will:

  • Have the same name as Teleport username.
  • Be assigned the teleport-auto-user role.
  • Be assigned all roles from the Teleport user's role set that match the database. The role names must be valid and exist in the database.

Note that in case of a name conflict where a user with the same name already exists in the database and is not managed by Teleport (i.e. not assigned the teleport-auto-user role), the connection will be aborted.

Step 3/3. Connect to the database

Now, log into your Teleport cluster and connect to the database:

tsh login
tsh db connect --db-name <database> example
Database Username

When connecting to a database with user provisioning enabled, the Database Service expects your Teleport username will be used as the database username .

If using a GUI database client like pgAdmin, make sure to use your Teleport username as the database username. tsh db connect will default to your Teleport username automatically when connecting to a database with user provisioning enabled.

Next steps