Fork me on GitHub
Teleport

Database Access AWS IAM Reference

Improve

Auto-discovery

With the appropriate IAM permissions, Teleport automatically discovers and configures IAM policies for Amazon RDS and Redshift.

Teleport also requires permission to update database configurations, for example, to enable IAM authentication on RDS databases.

You can generate and manage the permissions with the teleport db configure bootstrap command. For example, the following command would generate and print the IAM policies:

teleport db configure bootstrap --manual

Or if you prefer, you manage the IAM permissions yourself. Examples of policies for each discovery type are shown below.

Aurora/RDS

Use this policy if you're connecting to RDS instances and your Teleport database agent runs as an IAM user (for example, uses an AWS credentials file).

Replace {account-id} with your AWS Account ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances",
                "rds:ModifyDBInstance"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:PutUserPolicy",
                "iam:DeleteUserPolicy"
            ],
            "Resource": "arn:aws:iam::{account-id}:user/sample-user"
        }
    ]
}

Use this policy if you're connecting to RDS instances and your Teleport database agent runs as an IAM role (for example, on an EC2 instance with an attached IAM role).

Replace {account-id} with your AWS Account ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances",
                "rds:ModifyDBInstance"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRolePolicy",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": "arn:aws:iam::{account-id}:role/sample-role"
        }
    ]
}

Use this policy if you're connecting to Aurora clusters and your Teleport database agent runs as an IAM user (for example, uses an AWS credentials file).

Replace {account-id} with your AWS Account ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBClusters",
                "rds:ModifyDBCluster"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:PutUserPolicy",
                "iam:DeleteUserPolicy"
            ],
            "Resource": "arn:aws:iam::{account-id}:user/sample-user"
        }
    ]
}

Use this policy if you're connecting to Aurora clusters and your Teleport database agent runs as an IAM role (for example, on an EC2 instance with an attached IAM role).

Replace {account-id} with your AWS Account ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBClusters",
                "rds:ModifyDBCluster"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRolePolicy",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": "arn:aws:iam::{account-id}:role/sample-role"
        }
    ]
}

Redshift

Use this permission boundary if your Teleport database agent runs as an IAM user (for example, it uses an AWS credentials file).

Replace {account-id} with your AWS Account ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "redshift:DescribeClusters",
                "redshift:GetClusterCredentials"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:PutUserPolicy",
                "iam:DeleteUserPolicy"
            ],
            "Resource": "arn:aws:iam::{account-id}:user/sample-user"
        }
    ]
}

Use this permission boundary if your Teleport database agent runs as an IAM role (for example, on an EC2 instance with an attached IAM role).

Replace {account-id} with your AWS Account ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "redshift:DescribeClusters",
                "redshift:GetClusterCredentials",
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRolePolicy",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": "arn:aws:iam::{account-id}:role/sample-role"
        }
    ]
}

Manual registration

If you prefer to register RDS or Redshift databases manually using a static configuration or tctl and manage IAM yourself, example IAM policies with the required permissions are shown below.

RDS or Aurora policy

To connect to an RDS database, the database agent's IAM identity needs to have rds-db:connect permissions for it:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
             "rds-db:connect"
         ],
         "Resource": [
             // Use db-XXX as a resource identifier for RDS databases.
             "arn:aws:rds-db:us-east-2:1234567890:dbuser:db-ABCDEFGHIJKL01234/*",
             // Use cluster-XXX as a resource identifier for Aurora clusters.
             "arn:aws:rds-db:us-east-2:1234567890:dbuser:cluster-ABCDEFGHIJKL01234/*"
         ]
      }
   ]
}

The resource ARN in the policy has the following format:

arn:aws:rds-db:<region>:<account-id>:dbuser:<resource-id>/<db-user>
ParameterDescription
regionAWS region where the database cluster is deployed.
account-idAWS account ID the database cluster is deployed under.
resource-idDatabase AWS resource identifier: db-XXX for RDS, cluster-XXX for Aurora. Can be found under Configuration section in the RDS control panel.
db-userDatabase user to associate with IAM authentication. Can be a wildcard.

See Creating and using an IAM policy for IAM database access for more information.

Redshift policy

Teleport uses temporary credentials generated by AWS to authenticate with Redshift databases.

In order to authorize Teleport to generate temporary IAM tokens, create an IAM role with the GetClusterCredentials permission:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "redshift:GetClusterCredentials",
            "Resource": [
                "arn:aws:redshift:*:1234567890:dbuser:*/*",
                "arn:aws:redshift:*:1234567890:dbname:*/*",
                "arn:aws:redshift:*:1234567890:dbgroup:*/*"
            ]
        }
    ]
}

The resource ARN string has the following format:

arn:aws:redshift:<region>:<account-id>:<resource>:<cluster-id>/<name>

Parameters:

ParameterDescription
regionAWS region where your Redshift cluster is deployed, or a wildcard.
account-idID of the AWS account where the Redshift cluster is deployed.
resourceOne of dbuser, dbname or dbgroup to restrict access to database accounts, names or groups respectively.
cluster-idRedshift cluster identifier, or a wildcard.
nameName of a particular database account, name or group (depending on the resource), or a wildcard.

See Create an IAM role or user with permissions to call GetClusterCredentials for more information.