Fork me on GitHub
Teleport

Database Access AWS IAM Reference

Improve

Teleport automatically discovers and configures IAM for RDS and Aurora access given proper IAM permissions as described in the RDS guide.

If you prefer to register RDS databases manually using static configuration or tctl and manage IAM yourself, example IAM policies you'd need to create are shown below.

RDS or Aurora policy

To connect to an RDS database, the database agent's IAM identity needs to have rds-db:connect permissions for it:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
             "rds-db:connect"
         ],
         "Resource": [
             // Use db-XXX as a resource identifier for RDS databases.
             "arn:aws:rds-db:us-east-2:1234567890:dbuser:db-ABCDEFGHIJKL01234/*",
             // Use cluster-XXX as a resource identifier for Aurora clusters.
             "arn:aws:rds-db:us-east-2:1234567890:dbuser:cluster-ABCDEFGHIJKL01234/*"
         ]
      }
   ]
}

The resource ARN in the policy has the following format:

arn:aws:rds-db:<region>:<account-id>:dbuser:<resource-id>/<db-user>
ParameterDescription
regionAWS region where the database cluster is deployed.
account-idAWS account ID the database cluster is deployed under.
resource-idDatabase AWS resource identifier: db-XXX for RDS, cluster-XXX for Aurora. Can be found under Configuration section in the RDS control panel.
db-userDatabase user to associate with IAM authentication. Can be a wildcard.

See Creating and using an IAM policy for IAM database access for more information.

Have a suggestion or can’t find something?
IMPROVE THE DOCS