Fork me on GitHub

Database Access with Self-Hosted CockroachDB


CockroachDB support is available starting from Teleport 8.0.

This guide will help you to:

  1. Install Teleport and connect it to a CockroachDB cluster.
  2. Configure mutual TLS authentication between Teleport and your CockroachDB cluster.
  3. Connect to your CockroachDB cluster via Teleport.


  • Teleport version 8.0.7 or higher.
  • CockroachDB cluster. Start a single or a multi-node local cluster in Docker if you don't have one.

Step 1/3. Install and configure Teleport

Setup Teleport Auth and Proxy services

Download the latest version of Teleport for your platform from our downloads page and follow the installation instructions.

Teleport requires a valid TLS certificate to operate and can fetch one automatically using Let's Encrypt ACME protocol. We will assume that you have configured DNS records for and * to point to the Teleport node.

Generate Teleport config with ACME enabled:

$ teleport configure --acme [email protected] -o file
Web Proxy Port

Teleport uses TLS-ALPN-01 ACME challenge to validate certificate requests which only works on port 443. As such, in order to use ACME for certificate management, web proxy needs to be accessible on port 443.

Start Teleport Auth and Proxy services:

$ sudo teleport start

Setup Teleport Database service

Database agent requires a valid auth token to connect to the cluster. Generate one by running the following command against your Teleport auth server and save it in /tmp/token on the node which will be running the database agent:

$ tctl tokens add --type=db

Start Teleport Database service:

teleport db start \ --token=/tmp/token \ \ --name=roach \ --protocol=cockroachdb \ \ --labels=env=dev

The --auth-server flag must point to the Teleport cluster's proxy endpoint because database service always connects back to the cluster over a reverse tunnel.


You can start Database service using configuration file instead of CLI flags. See YAML reference.

Create Teleport user

Create a local Teleport user with the built-in access role:

$ tctl users add --roles=access alice

The access role allows users to see all connected database servers, but database names and accounts are restricted to the user's db_names and db_users traits. Normally, these traits come from the identity provider. For the local user you've just created you can update them manually to allow it to connect to any database as any database user.

First, export the user resource:

$ tctl get users/alice > alice.yaml

Update the resource to include the following traits:

  - "*"
  - "*"

The db_names property only has effect on PostgreSQL and MongoDB database engines.

Update the user:

$ tctl create alice.yaml -f

For more detailed information about database access controls and how to restricted access see RBAC documentation.

Step 2/3. Configure CockroachDB

Create CockroachDB user

Teleport uses mutual TLS authentication with CockroachDB.

Client certificate authentication is available to all CockroachDB users. If you don't have one, connect to your Cockroach cluster and create it:


The WITH PASSWORD NULL clause prevents the user from using password auth and mandates client certificate auth.

Make sure to assign the user proper permissions within the database cluster. Refer to Create User in Cockroach docs for more information.

Setup mutual TLS

To setup mutual TLS authentication, you need to make sure that:

  • Teleport trusts certificates presented by CockroachDB nodes.
  • CockroachDB trusts client certificates signed by Teleport.

Generate the secrets by running the following tctl command against your Teleport cluster:

tctl auth sign \ --format=cockroachdb \ \ --out=/path/to/cockroach/certs/dir/ \ --ttl=2190h

The command will produce 3 files: ca.crt with Teleport's certificate authority and node.crt / node.key with the node's certificate and key. Do not rename them as this is how CockroachDB expects them to be named. See Node key and certificates for details.

Generate the secrets for each cluster node and make sure to use the hostname Teleport will be using to connect to the nodes in the --host flag.


You can specify multiple comma-separated addresses e.g. --host=roach,node-1,

Restart your CockroachDB nodes passing them the directory with generated secrets via --certs-dir flag:

cockroach start \ --certs-dir=/path/to/cockroachdb/certs/dir/ \ # other flags...

Step 3/3. Connect

Log into your Teleport cluster, your CockroachDB cluster should appear in the list of available databases:

tsh login --user=alice
tsh db ls

Name Description Labels

----- ------------------- -------

roach Example CockroachDB env=dev

Fetch short-lived client certificate for it using tsh db login command:

tsh db login roach

You can be logged into multiple databases simultaneously.

You can optionally specify the database name and the user to use by default when connecting to the database server:

tsh db login --db-user=alice roach

Now connect to the database:

tsh db connect roach

Either cockroach or psql command-line client should be available in PATH in order to be able to connect.

To log out of the database and remove credentials:

tsh db logout roach

Next steps

Have a suggestion or can’t find something?