Fork me on GitHub

Database Access FAQ


Database Access FAQ

Which database protocols does Teleport Database Access support?

Teleport Database Access currently supports PostgreSQL, MySQL, and MongoDB protocols.

For PostgreSQL and MySQL, both self-hosted and cloud-hosted versions such as AWS RDS, Aurora (except for Serverless version which doesn't support IAM auth), Redshift, and GCP Cloud SQL are supported. See available guides for all supported configurations.

Which PostgreSQL protocol features are not supported?

The following PostgreSQL protocol features aren't currently supported:

  • Canceling requests in progress. Cancel requests issued by the PostgreSQL clients connected to Teleport proxy won't be passed to the database server.
  • Any of the authentication methods except for client certificate authentication and IAM authentication for cloud databases.

Can database clients use public address different from web public address?

Teleport administrators can set postgres_public_addr and mysql_public_addr proxy configuration fields to public addresses over which respective database clients should connect. See Proxy Configuration for more details.

This is useful when Teleport web proxy UI is running behind an L7 load balancer (e.g. ALB in AWS) in which case PostgreSQL/MySQL proxy need to be exposed on a plain TCP load balancer (e.g. NLB in AWS).

Do you support X database client?

Teleport relies on client certificates for authentication so any database client that supports this method of authentication and uses modern TLS (1.2+) should work.

Standard command-line clients such as psql, mysql, or mongo are supported, there are also instructions for configuring select graphical clients.

When will you support X database?

We plan to support more databases in the future based on customer demand.

See if the database you're interested in has already been requested among Github issues or open a new issue to register your interest.

Can I provide a custom CA certificate?

Yes, you can pass custom CA certificate by using configuration file (look at ca_cert_file).

Can I provide a custom DNS name for Teleport generated CA?

Yes, use server_name under tls section in configuration file. Please look on our reference configuration file for more details.

Can I disable CA verification when connecting to database?

Yes, although is not recommended. Certificate verification prevents from man in the middle attack and makes sure that you are connected to the database that you intended to. Teleport also allows to provide a custom CA certificate or custom DNS name which is more secure. If none of the above options don't work for you and you still want to disable the CA check you can use mode under tls option in the Teleport configuration file. For more details please refer to the reference configuration file.

Have a suggestion or can’t find something?