Teleport

Database Access with Self-Hosted MySQL/MariaDB

OpenSource
Enterprise
Cloud

Improve

This guide will help you to:

Install Teleport 13.0.3.
Set up Teleport to access your MySQL or MariaDB database.
Connect to your databases through Teleport.

Teleport Database Access MySQL Self-Hosted

Prerequisites

A running Teleport cluster. For details on how to set this up, see one of our Getting Started guides.
The tctl admin tool and tsh client tool version >= 13.0.3.
```
tctl version
Teleport v13.0.3 go1.20
tsh version
Teleport v13.0.3 go1.20
```
See Installation for details.

A running Teleport Enterprise cluster. For details on how to set this up, see our Enterprise Getting Started guide.
The Enterprise tctl admin tool and tsh client tool version >= 13.0.3, which you can download by visiting your Teleport account.
```
tctl version
Teleport Enterprise v13.0.3 go1.20
tsh version
Teleport v13.0.3 go1.20
```

Cloud is not available for Teleport v.
Please use the latest version of Teleport Enterprise documentation.

A self-hosted MySQL or MariaDB instance.
A host, e.g., an Amazon EC2 instance, where you will run the Teleport Database Service.
Make sure you can connect to Teleport. Log in to your cluster using tsh, then use tctl remotely:
```
tsh login --proxy=teleport.example.com [email protected]
tctl status
Cluster  teleport.example.com
Version  13.0.3
CA pin   sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
```
You can run subsequent tctl commands in this guide on your local machine.
For full privileges, you can also run tctl commands on your Auth Service host.

Step 1/4. Create the Teleport Database Token

The Database Service requires a valid auth token to connect to the cluster. Generate one by running the following command against your Teleport Auth Service and save it in /tmp/token on the node that will run the Database Service:

tctl tokens add --type=db

Step 2/4. Create a certificate/key pair

Teleport uses mutual TLS authentication with self-hosted databases. These databases must be configured with Teleport's certificate authority to be able to verify client certificates. They also need a certificate/key pair that Teleport can verify.

From your local workstation, create the secrets:

Export Teleport's certificate authority and generate certificate/key pair
for host db.example.com with a 3-month validity period.
tctl auth sign --format=db --host=db.example.com --out=server --ttl=2190h

TTL

We recommend using a shorter TTL, but keep mind that you'll need to update the database server certificate before it expires to not lose the ability to connect. Pick the TTL value that best fits your use-case.

The command will create 3 files: server.cas, server.crt and server.key which you'll need to enable mutual TLS on your MySQL server. Copy these files to the environment running MySQL

Step 3/4. Configure MySQL/MariaDB

To configure MySQL to accept TLS connections, add the following to your MySQL configuration file, mysql.cnf:

[mysqld]
require_secure_transport=ON
ssl-ca=/path/to/server.cas
ssl-cert=/path/to/server.crt
ssl-key=/path/to/server.key

To configure MariaDB to accept TLS connections, add the following to your MariaDB configuration file, mysql.cnf:

[mariadb]
require_secure_transport=ON
ssl-ca=/path/to/server.cas
ssl-cert=/path/to/server.crt
ssl-key=/path/to/server.key

Additionally, your MySQL/MariaDB database user accounts must be configured to require a valid client certificate.

Create a new user:

CREATE USER 'alice'@'%' REQUIRE SUBJECT '/CN=alice';

By default, the created user may not have access to anything and won't be able to connect, so let's grant it some permissions:

GRANT ALL ON `%`.* TO 'alice'@'%';

Warning

This is an example command that grants database-wide permissions to a user. In a production environment you should follow the principle of least privilege

Because Teleport uses certificates to authenticate database users, the user must not have a password set. Note that removing an existing user's password may break existing integrations. Consider using a new Database user specifically for Teleport access.

Update the existing user to require a valid certificate:

ALTER USER 'alice'@'%' REQUIRE SUBJECT '/CN=alice';

Remove the password from the user:

SET PASSWORD FOR 'alice'@'%' = PASSWORD("");

See Configuring MySQL to Use Encrypted Connections in the MySQL documentation or Enabling TLS on MariaDB Server in the MariaDB documentation for more details.

Create a Teleport user

Tip

To modify an existing user to provide access to the Database Service, see Database Access Access Controls

Create a local Teleport user with the built-in access role:

tctl users add \  --roles=access \  --db-users=\* \  --db-names=\* \  alice

Flag	Description
`--roles`	List of roles to assign to the user. The builtin `access` role allows them to connect to any database server registered with Teleport.
`--db-users`	List of database usernames the user will be allowed to use when connecting to the databases. A wildcard allows any user.
`--db-names`	List of logical databases (aka schemas) the user will be allowed to connect to within a database server. A wildcard allows any database.

Warning

Database names are only enforced for PostgreSQL and MongoDB databases.

For more detailed information about database access controls and how to restrict access see RBAC documentation.

Configure and Start the Database Service

Install and configure Teleport where you will run the Teleport Database Service:

Use the appropriate commands for your environment to install your package.

Teleport Edition

Download Teleport's PGP public key
sudo curl https://apt.releases.teleport.dev/gpg \-o /usr/share/keyrings/teleport-archive-keyring.asc
Source variables about OS version
source /etc/os-release
Add the Teleport APT repository for v13. You'll need to update this
file for each major release of Teleport.
echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} stable/v13" \| sudo tee /etc/apt/sources.list.d/teleport.list > /dev/null
sudo apt-get update
sudo apt-get install teleport

Source variables about OS version
source /etc/os-release
Add the Teleport YUM repository for v13. You'll need to update this
file for each major release of Teleport.
sudo yum-config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/v13/teleport.repo")"
sudo yum install teleport
Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
echo "Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path

Source variables about OS version
source /etc/os-release
Add the Teleport YUM repository for v13. You'll need to update this
file for each major release of Teleport.
Use the dnf config manager plugin to add the teleport RPM repo
sudo dnf config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/v13/teleport.repo")"
Install teleport
sudo dnf install teleport
Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
echo "Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path

In the example commands below, update $SYSTEM_ARCH with the appropriate value (amd64, arm64, or arm). All example commands using this variable will update after one is filled out.

curl https://get.gravitational.com/teleport-v13.0.3-linux-$SYSTEM_ARCH-bin.tar.gz.sha256
<checksum> <filename>
curl -O https://cdn.teleport.dev/teleport-v13.0.3-linux-$SYSTEM_ARCH-bin.tar.gz
shasum -a 256 teleport-v13.0.3-linux-$SYSTEM_ARCH-bin.tar.gz
Verify that the checksums match
tar -xvf teleport-v13.0.3-linux-$SYSTEM_ARCH-bin.tar.gz
cd teleport
sudo ./install

Download Teleport's PGP public key
sudo curl https://apt.releases.teleport.dev/gpg \-o /usr/share/keyrings/teleport-archive-keyring.asc
Source variables about OS version
source /etc/os-release
Add the Teleport APT repository for v13. You'll need to update this
file for each major release of Teleport.
echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} stable/v13" \| sudo tee /etc/apt/sources.list.d/teleport.list > /dev/null
sudo apt-get update
sudo apt-get install teleport-ent

For FedRAMP/FIPS-compliant installations, install the teleport-ent-fips package instead:

sudo apt-get install teleport-ent-fips

Source variables about OS version
source /etc/os-release
Add the Teleport YUM repository for v13. You'll need to update this
file for each major release of Teleport.
sudo yum-config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/v13/teleport.repo")"
sudo yum install teleport-ent
Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
echo "Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path

For FedRAMP/FIPS-compliant installations, install the teleport-ent-fips package instead:

sudo yum install teleport-ent-fips

Source variables about OS version
source /etc/os-release
Add the Teleport YUM repository for v13. You'll need to update this
file for each major release of Teleport.
Use the dnf config manager plugin to add the teleport RPM repo
sudo dnf config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/v13/teleport.repo")"
Install teleport
sudo dnf install teleport-ent
Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
echo "Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path

For FedRAMP/FIPS-compliant installations, install the teleport-ent-fips package instead:

sudo dnf install teleport-ent-fips

In the example commands below, update $SYSTEM_ARCH with the appropriate value (amd64, arm64, or arm). All example commands using this variable will update after one is filled out.

curl https://get.gravitational.com/teleport-ent-v13.0.3-linux-$SYSTEM_ARCH-bin.tar.gz.sha256
<checksum> <filename>
curl -O https://cdn.teleport.dev/teleport-ent-v13.0.3-linux-$SYSTEM_ARCH-bin.tar.gz
shasum -a 256 teleport-ent-v13.0.3-linux-$SYSTEM_ARCH-bin.tar.gz
Verify that the checksums match
tar -xvf teleport-ent-v13.0.3-linux-$SYSTEM_ARCH-bin.tar.gz
cd teleport-ent
sudo ./install

For FedRAMP/FIPS-compliant installations of Teleport Enterprise, package URLs will be slightly different:

curl https://get.gravitational.com/teleport-ent-v13.0.3-linux-$SYSTEM_ARCH-fips-bin.tar.gz.sha256
<checksum> <filename>
curl -O https://cdn.teleport.dev/teleport-ent-v13.0.3-linux-$SYSTEM_ARCH-fips-bin.tar.gz
shasum -a 256 teleport-ent-v13.0.3-linux-$SYSTEM_ARCH-fips-bin.tar.gz
Verify that the checksums match
tar -xvf teleport-ent-v13.0.3-linux-$SYSTEM_ARCH-fips-bin.tar.gz
cd teleport-ent
sudo ./install

Cloud is not available for Teleport v.
Please use the latest version of Teleport Enterprise documentation.

On the host where you will run the Teleport Database Service, start Teleport with the appropriate configuration.

Note that a single Teleport process can run multiple different services, for example multiple Database Service agents as well as the SSH Service or Application Service. The step below will overwrite an existing configuration file, so if you're running multiple services add --output=stdout to print the config in your terminal, and manually adjust /etc/teleport.yaml.

Generate a configuration file at /etc/teleport.yaml for the Database Service:

teleport db configure create \   -o file \   --token=/tmp/token \   --proxy=teleport.example.com:443 \   --name=example-mysql \   --protocol=mysql \   --uri=mysql.example.com:3306 \   --labels=env=dev

Configure the Database Service to start automatically when the host boots up by creating a systemd service for it. The instructions depend on how you installed the Database Service.

On the host where you will run , start Teleport:

sudo systemctl enable teleport
sudo systemctl start teleport

On the host where you will run , create a systemd service configuration for Teleport, enable the Teleport service, and start Teleport:

sudo teleport install systemd -o /etc/systemd/system/teleport.service
sudo systemctl enable teleport
sudo systemctl start teleport

You can start the Teleport Database Service without configuration file using a CLI command:

teleport db start \   --token=/tmp/token \   --auth-server=teleport.example.com:443 \   --name=example-mysql  \   --protocol=mysql \   --uri=mysql.example.com:3306 \   --labels=env=dev

Note that the --auth-server flag must point to the Teleport cluster's Proxy Service endpoint because the Database Service always connects back to the cluster over a reverse tunnel.

Note

The --auth-server flag must point to the Teleport cluster's Proxy Service endpoint because the Database Service always connects back to the cluster over a reverse tunnel.

Teleport provides Helm charts for installing the Teleport Database Service in Kubernetes Clusters.

To allow Helm to install charts that are hosted in the Teleport Helm repository, use helm repo add:

helm repo add teleport https://charts.releases.teleport.dev

To update the cache of charts from the remote repository, run helm repo update:

helm repo update

Install the Teleport Kube Agent into your Kubernetes Cluster with the Teleport Database Service configuration.

JOIN_TOKEN=$(cat /tmp/token)
helm install teleport-kube-agent teleport/teleport-kube-agent \  --create-namespace \  --namespace teleport-agent \  --set roles=db \  --set proxyAddr=teleport.example.com:443 \  --set authToken=${JOIN_TOKEN?} \  --set "databases[0].name=example-mysql" \  --set "databases[0].uri=mysql.example.com:3306" \  --set "databases[0].protocol=mysql" \  --set "labels.env=dev" \  --version 13.0.3

Tip

A single Teleport process can run multiple services, for example multiple Database Service instances as well as other services such the SSH Service or Application Service.

Step 4/4. Connect

Once the Database Service has joined the cluster, log in to see the available databases:

tsh login --proxy=teleport.example.com --user=testuser
tsh db ls
Name          Description   Labels
------------- ------------- --------
example-mysql Example MySQL env=dev

Note that you will only be able to see databases your role has access to. See the RBAC guide for more details.

To retrieve credentials for a database and connect to it:

tsh db connect example-mysql

You can optionally specify the database name and the user to use by default when connecting to the database instance:

tsh db connect --db-user=root --db-name=mysql example-mysql

Note

The mysql or mariadb command-line client should be available in PATH in order to be able to connect. mariadb is a default command-line client for MySQL and MariaDB.

To log out of the database and remove credentials:

Remove credentials for a particular database instance.
tsh db logout example-mysql
Remove credentials for all database instances.
tsh db logout

Have a suggestion or can’t find something?

IMPROVE THE DOCS