Scaling Privileged Access for Modern Infrastructure: Real-World Insights
Apr 25
Register Today
Teleport logoTry For Free
Fork me on GitHub


Dynamic Database Registration

Dynamic database registration allows Teleport administrators to register new databases (or update/unregister existing ones) without having to update the static configuration and restart Teleport Database Service instances.

Dynamic registration also enables administrators to deploy multiple Database Service instances for high availability by configuring Database Service replicas to watch for the same database resources.

To enable dynamic registration, include a resources section in your Teleport Database Service configuration with a list of resource label selectors you'd like this service to monitor for registering:

  enabled: "yes"
  - labels:
      "*": "*"

You can use a wildcard selector to register all dynamic app resources in the cluster on the Database Service or provide a specific set of labels for a subset:

- labels:
    "env": "prod"
    "engine": "postgres"
- labels:
    "env": "test"
    "engine": "mysql"

Next define a database resource:

kind: db
version: v3
  name: example
  description: "Example database"
    env: prod
    engine: postgres
  protocol: "postgres"
  uri: "localhost:5432"

The user creating the dynamic registration needs to have a role with access to the database labels and the db resource. In this example role the user can only create and maintain databases labeled env: prod and engine: postgres.

kind: role
  name: dynamicregexample
      engine: postgres
      env: prod
    - resources:
      - db
      - list
      - create
      - read
      - update
      - delete
version: v5

See the full database resource spec reference.

To create a database resource, run:

tctl create database.yaml
  • To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. tctl is supported on macOS and Linux machines. For example:
    tsh login --user=[email protected]
    tctl status


    Version 15.2.2

    CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678

    If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

After the resource has been created, it will appear among the list of available databases (in tsh db ls or UI) as long as at least one Database Service instance picks it up according to its label selectors.

To update an existing database resource, run:

tctl create -f database.yaml

If the updated resource's labels no longer match a particular database, it will unregister and stop proxying it.

To delete a database resource, run:

tctl rm db/example

Aside from tctl, dynamic resources can also be added by:

See Using Dynamic Resources to learn more about managing Teleport's dynamic resources in general.