Fork me on GitHub

Teleport

Database Access AWS IAM Reference

Improve

Auto-discovery

With the appropriate IAM permissions, Teleport automatically discovers and configures IAM policies for Amazon RDS and Redshift. Teleport also requires permission to update database configurations, for example, to enable IAM authentication on RDS databases.

For Amazon ElastiCache and MemoryDB, Teleport requires permission to automatically discover the Redis clusters. Teleport also requires permission to automatically discover and modify any Teleport-managed ElastiCache or MemoryDB users and permission to manage the passwords in AWS Secrets Manager.

You can generate and manage the permissions with the teleport db configure bootstrap command. For example, the following command would generate and print the IAM policies:

teleport db configure bootstrap --manual

Or if you prefer, you can manage the IAM permissions yourself. Examples of policies for each discovery type are shown below.

Aurora/RDS

Use this policy if you're connecting to RDS instances and your Teleport database agent runs as an IAM user (for example, uses an AWS credentials file).

Replace {account-id} with your AWS Account ID:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances",
                "rds:ModifyDBInstance"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:PutUserPolicy",
                "iam:DeleteUserPolicy"
            ],
            "Resource": "arn:aws:iam::{account-id}:user/sample-user"
        }
    ]
}

Use this policy if you're connecting to RDS instances and your Teleport Database Service runs as an IAM role (for example, on an EC2 instance with an attached IAM role).

Replace {account-id} with your AWS Account ID:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances",
                "rds:ModifyDBInstance"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRolePolicy",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": "arn:aws:iam::{account-id}:role/sample-role"
        }
    ]
}

Use this policy if you're connecting to Aurora clusters and your Teleport Database Service runs as an IAM user (for example, uses an AWS credentials file).

Replace {account-id} with your AWS Account ID:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBClusters",
                "rds:ModifyDBCluster"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:PutUserPolicy",
                "iam:DeleteUserPolicy"
            ],
            "Resource": "arn:aws:iam::{account-id}:user/sample-user"
        }
    ]
}

Use this policy if you're connecting to Aurora clusters and your Teleport Database Service runs as an IAM role (for example, on an EC2 instance with an attached IAM role).

Replace {account-id} with your AWS Account ID:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBClusters",
                "rds:ModifyDBCluster"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRolePolicy",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": "arn:aws:iam::{account-id}:role/sample-role"
        }
    ]
}

Redshift

Use this permission boundary if your Teleport Database Service runs as an IAM user (for example, it uses an AWS credentials file).

Replace {account-id} with your AWS Account ID:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "redshift:DescribeClusters",
                "redshift:GetClusterCredentials"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:PutUserPolicy",
                "iam:DeleteUserPolicy"
            ],
            "Resource": "arn:aws:iam::{account-id}:user/sample-user"
        }
    ]
}

Use this permission boundary if your Teleport database agent runs as an IAM role (for example, on an EC2 instance with an attached IAM role).

Replace {account-id} with your AWS Account ID:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "redshift:DescribeClusters",
                "redshift:GetClusterCredentials",
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRolePolicy",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": "arn:aws:iam::{account-id}:role/sample-role"
        }
    ]
}

ElastiCache/MemoryDB

In addition to database discovery, Teleport requires permissions to modify user passwords, and save passwords in AWS Secrets Manager, if any ElastiCache or MemoryDB users are tagged to be managed by Teleport.

Use this policy if you are connecting to ElastiCache clusters.

Replace {account-id} with your AWS Account ID:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticache:ListTagsForResource",
                "elasticache:DescribeReplicationGroups",
                "elasticache:DescribeCacheClusters",
                "elasticache:DescribeCacheSubnetGroups",
                "elasticache:DescribeUsers",
                "elasticache:ModifyUser"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:CreateSecret",
                "secretsmanager:UpdateSecret",
                "secretsmanager:DeleteSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:PutSecretValue",
                "secretsmanager:TagResource"
            ],
            "Resource": [
                "arn:aws:secretsmanager:*:{account-id}:secret:teleport/*"
            ]
        }
    ]
}

Use this policy if you are connecting to MemoryDB clusters.

Replace {account-id} with your AWS Account ID:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "memorydb:ListTags",
                "memorydb:DescribeClusters",
                "memorydb:DescribeSubnetGroups",
                "memorydb:DescribeUsers",
                "memorydb:UpdateUser"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:CreateSecret",
                "secretsmanager:UpdateSecret",
                "secretsmanager:DeleteSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:PutSecretValue",
                "secretsmanager:TagResource"
            ],
            "Resource": [
                "arn:aws:secretsmanager:*:{account-id}:secret:teleport/*"
            ]
        }
    ]
}

Manual registration

If you prefer to register RDS, Redshift, ElastiCache or MemoryDB databases manually using a static configuration or tctl and manage IAM yourself, example IAM policies with the required permissions are shown below.

RDS or Aurora policy

To connect to an RDS database, the database agent's IAM identity needs to have rds-db:connect permissions for it:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
             "rds-db:connect"
         ],
         "Resource": [
             // Use db-XXX as a resource identifier for RDS databases.
             "arn:aws:rds-db:us-east-2:1234567890:dbuser:db-ABCDEFGHIJKL01234/*",
             // Use cluster-XXX as a resource identifier for Aurora clusters.
             "arn:aws:rds-db:us-east-2:1234567890:dbuser:cluster-ABCDEFGHIJKL01234/*"
         ]
      }
   ]
}

The resource ARN in the policy has the following format:

arn:aws:rds-db:<region>:<account-id>:dbuser:<resource-id>/<db-user>
ParameterDescription
regionAWS region where the database cluster is deployed.
account-idAWS account ID the database cluster is deployed under.
resource-idDatabase AWS resource identifier: db-XXX for RDS, cluster-XXX for Aurora. Can be found under Configuration section in the RDS control panel.
db-userDatabase user to associate with IAM authentication. Can be a wildcard.

See Creating and using an IAM policy for IAM database access for more information.

Redshift policy

Teleport uses temporary credentials generated by AWS to authenticate with Redshift databases.

In order to authorize Teleport to generate temporary IAM tokens, create an IAM role with the GetClusterCredentials permission:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "redshift:GetClusterCredentials",
            "Resource": [
                "arn:aws:redshift:*:1234567890:dbuser:*/*",
                "arn:aws:redshift:*:1234567890:dbname:*/*",
                "arn:aws:redshift:*:1234567890:dbgroup:*/*"
            ]
        }
    ]
}

The resource ARN string has the following format:

arn:aws:redshift:<region>:<account-id>:<resource>:<cluster-id>/<name>

Parameters:

ParameterDescription
regionAWS region where your Redshift cluster is deployed, or a wildcard.
account-idID of the AWS account where the Redshift cluster is deployed.
resourceOne of dbuser, dbname or dbgroup to restrict access to database accounts, names or groups respectively.
cluster-idRedshift cluster identifier, or a wildcard.
nameName of a particular database account, name or group (depending on the resource), or a wildcard.

See Create an IAM role or user with permissions to call GetClusterCredentials for more information.

ElastiCache/MemoryDB policy

If any ElastiCache or MemoryDB users are tagged to be managed by Teleport, below are the IAM permissions required for managing the ElastiCache or MemoryDB users. Otherwise, no additional IAM permissions are required.

Use this policy for managing ElastiCache users.

Replace {account-id} with your AWS Account ID:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticache:ListTagsForResource",
                "elasticache:DescribeReplicationGroups",
                "elasticache:DescribeUsers",
                "elasticache:ModifyUser"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:CreateSecret",
                "secretsmanager:UpdateSecret",
                "secretsmanager:DeleteSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:PutSecretValue",
                "secretsmanager:TagResource"
            ],
            "Resource": [
                "arn:aws:secretsmanager:*:{account-id}:secret:teleport/*"
            ]
        }
    ]
}

Use this policy for managing MemoryDB users.

Replace {account-id} with your AWS Account ID:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "memorydb:ListTags",
              "memorydb:DescribeClusters",
              "memorydb:DescribeUsers",
              "memorydb:UpdateUser"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:CreateSecret",
                "secretsmanager:UpdateSecret",
                "secretsmanager:DeleteSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:PutSecretValue",
                "secretsmanager:TagResource"
            ],
            "Resource": [
                "arn:aws:secretsmanager:*:{account-id}:secret:teleport/*"
            ]
        }
    ]
}

If any custom key prefix or KMS key ID is used in the static configuration, add the following to the IAM policy.

Replace {account-id}, {my-prefix} and {my-kms-id} accordingly:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:CreateSecret",
                "secretsmanager:UpdateSecret",
                "secretsmanager:DeleteSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:PutSecretValue",
                "secretsmanager:TagResource"
            ],
            "Resource": [
                "arn:aws:secretsmanager:*:{account-id}:secret:{my-prefix}/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:*:{account-id}:key/{my-kms-id}",
            ]
        }
    ]
}