Teleport
Database Access AWS IAM Reference
- Version 16.x
- Version 15.x
- Version 14.x
- Version 13.x
- Older Versions
Auto-discovery
With the appropriate IAM permissions, Teleport automatically discovers and configures IAM policies for Amazon RDS and Redshift. Teleport also requires permission to update database configurations, for example, to enable IAM authentication on RDS databases.
For Amazon ElastiCache and MemoryDB, Teleport requires permission to automatically discover the Redis clusters. Teleport also requires permission to automatically discover and modify any Teleport-managed ElastiCache or MemoryDB users and permission to manage the passwords in AWS Secrets Manager.
You can generate and manage the permissions with the teleport db configure bootstrap
command. For example, the following command would generate and print the IAM
policies:
teleport db configure bootstrap --manual
Or if you prefer, you can manage the IAM permissions yourself. Examples of policies for each discovery type are shown below.
Aurora/RDS
Use this policy if you're connecting to RDS instances and your Teleport Database Service instance runs as an IAM user (for example, uses an AWS credentials file).
Replace {account-id} with your AWS Account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances",
"rds:ModifyDBInstance"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:GetUserPolicy",
"iam:PutUserPolicy",
"iam:DeleteUserPolicy"
],
"Resource": "arn:aws:iam::{account-id}:user/sample-user"
}
]
}
Use this policy if you're connecting to RDS instances and your Teleport Database Service runs as an IAM role (for example, on an EC2 instance with an attached IAM role).
Replace {account-id} with your AWS Account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances",
"rds:ModifyDBInstance"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:GetRolePolicy",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy"
],
"Resource": "arn:aws:iam::{account-id}:role/sample-role"
}
]
}
Use this policy if you're connecting to Aurora clusters and your Teleport Database Service runs as an IAM user (for example, uses an AWS credentials file).
Replace {account-id} with your AWS Account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds:DescribeDBClusters",
"rds:ModifyDBCluster"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:GetUserPolicy",
"iam:PutUserPolicy",
"iam:DeleteUserPolicy"
],
"Resource": "arn:aws:iam::{account-id}:user/sample-user"
}
]
}
Use this policy if you're connecting to Aurora clusters and your Teleport Database Service runs as an IAM role (for example, on an EC2 instance with an attached IAM role).
Replace {account-id} with your AWS Account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds:DescribeDBClusters",
"rds:ModifyDBCluster"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:GetRolePolicy",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy"
],
"Resource": "arn:aws:iam::{account-id}:role/sample-role"
}
]
}
Teleport uses rds:ModifyDBInstance and rds:ModifyDBCluster to
automatically enable IAM
authentication
on the RDS instance and the Aurora cluster, respectively. You can omit these
permissions if IAM authentication is already enabled.
RDS Proxy
Use this policy if you're connecting to RDS Proxy instances and your Teleport Database Service instance runs as an IAM user (for example, uses an AWS credentials file).
Replace {account-id} with your AWS Account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds:DescribeDBProxies",
"rds:DescribeDBProxyEndpoints",
"rds:ListTagsForResource",
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:GetUserPolicy",
"iam:PutUserPolicy",
"iam:DeleteUserPolicy"
],
"Resource": "arn:aws:iam::{account-id}:user/sample-user"
}
]
}
Use this policy if you're connecting to RDS Proxy instances and your Teleport Database Service runs as an IAM role (for example, on an EC2 instance with an attached IAM role).
Replace {account-id} with your AWS Account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds:DescribeDBProxies",
"rds:DescribeDBProxyEndpoints",
"rds:ListTagsForResource",
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:GetRolePolicy",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy"
],
"Resource": "arn:aws:iam::{account-id}:role/sample-role"
}
]
}
Redshift
Use this permission boundary if your Teleport Database Service runs as an IAM user (for example, it uses an AWS credentials file).
Replace {account-id} with your AWS Account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"redshift:DescribeClusters",
"redshift:GetClusterCredentials"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:GetUserPolicy",
"iam:PutUserPolicy",
"iam:DeleteUserPolicy"
],
"Resource": "arn:aws:iam::{account-id}:user/sample-user"
}
]
}
Use this permission boundary if your Teleport Database Service instance runs as an IAM role (for example, on an EC2 instance with an attached IAM role).
Replace {account-id} with your AWS Account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"redshift:DescribeClusters",
"redshift:GetClusterCredentials",
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:GetRolePolicy",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy"
],
"Resource": "arn:aws:iam::{account-id}:role/sample-role"
}
]
}
ElastiCache/MemoryDB
In addition to database discovery, Teleport requires permissions to modify user passwords, and save passwords in AWS Secrets Manager, if any ElastiCache or MemoryDB users are tagged to be managed by Teleport.
Use this policy if you are connecting to ElastiCache clusters.
Replace {account-id} with your AWS Account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:ListTagsForResource",
"elasticache:DescribeReplicationGroups",
"elasticache:DescribeCacheClusters",
"elasticache:DescribeCacheSubnetGroups",
"elasticache:DescribeUsers",
"elasticache:ModifyUser"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"secretsmanager:DescribeSecret",
"secretsmanager:CreateSecret",
"secretsmanager:UpdateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
"secretsmanager:TagResource"
],
"Resource": [
"arn:aws:secretsmanager:*:{account-id}:secret:teleport/*"
]
}
]
}
Use this policy if you are connecting to MemoryDB clusters.
Replace {account-id} with your AWS Account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"memorydb:ListTags",
"memorydb:DescribeClusters",
"memorydb:DescribeSubnetGroups",
"memorydb:DescribeUsers",
"memorydb:UpdateUser"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"secretsmanager:DescribeSecret",
"secretsmanager:CreateSecret",
"secretsmanager:UpdateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
"secretsmanager:TagResource"
],
"Resource": [
"arn:aws:secretsmanager:*:{account-id}:secret:teleport/*"
]
}
]
}
Manual registration
If you prefer to register RDS, Redshift, ElastiCache or MemoryDB databases
manually using a static configuration or
tctl and manage IAM yourself, example
IAM policies with the required permissions are shown below.
RDS, Aurora, or RDS Proxy policy
To connect to an RDS database, the Database Service instance's IAM identity
needs to have rds-db:connect permissions for it:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": [
// Use db-XXX as a resource identifier for RDS instances.
"arn:aws:rds-db:us-east-2:1234567890:dbuser:db-ABCDEFGHIJKL01234/*",
// Use cluster-XXX as a resource identifier for Aurora clusters.
"arn:aws:rds-db:us-east-2:1234567890:dbuser:cluster-ABCDEFGHIJKL01234/*"
// Use prx-XXX as a resource identifier for RDS proxies.
"arn:aws:rds-db:us-east-2:1234567890:dbuser:prx-ABCDEFGHIJKL01234/*"
]
}
]
}
The resource ARN in the policy has the following format:
arn:aws:rds-db:<region>:<account-id>:dbuser:<resource-id>/<db-user>
| Parameter | Description |
|---|---|
region | AWS region where the database cluster is deployed. |
account-id | AWS account ID the database cluster is deployed under. |
resource-id | Database AWS resource identifier: db-XXX for RDS instances, cluster-XXX for Aurora clusters, "prx-XXX` for RDS Proxy. Can be found under Configuration section in the RDS control panel. |
db-user | Database user to associate with IAM authentication. Can be a wildcard. |
See Creating and using an IAM policy for IAM database access for more information.
Redshift policy
Teleport uses temporary credentials generated by AWS to authenticate with Redshift databases.
In order to authorize Teleport to generate temporary IAM tokens, create an IAM
role with the GetClusterCredentials permission:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "redshift:GetClusterCredentials",
"Resource": [
"arn:aws:redshift:*:1234567890:dbuser:*/*",
"arn:aws:redshift:*:1234567890:dbname:*/*",
"arn:aws:redshift:*:1234567890:dbgroup:*/*"
]
}
]
}
The resource ARN string has the following format:
arn:aws:redshift:<region>:<account-id>:<resource>:<cluster-id>/<name>
Parameters:
| Parameter | Description |
|---|---|
region | AWS region where your Redshift cluster is deployed, or a wildcard. |
account-id | ID of the AWS account where the Redshift cluster is deployed. |
resource | One of dbuser, dbname or dbgroup to restrict access to database accounts, names or groups respectively. |
cluster-id | Redshift cluster identifier, or a wildcard. |
name | Name of a particular database account, name or group (depending on the resource), or a wildcard. |
See Create an IAM role or user with permissions to call GetClusterCredentials for more information.
ElastiCache/MemoryDB policy
If any ElastiCache or MemoryDB users are tagged to be managed by Teleport, below are the IAM permissions required for managing the ElastiCache or MemoryDB users. Otherwise, no additional IAM permissions are required.
Use this policy for managing ElastiCache users.
Replace {account-id} with your AWS Account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:ListTagsForResource",
"elasticache:DescribeReplicationGroups",
"elasticache:DescribeUsers",
"elasticache:ModifyUser"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"secretsmanager:DescribeSecret",
"secretsmanager:CreateSecret",
"secretsmanager:UpdateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
"secretsmanager:TagResource"
],
"Resource": [
"arn:aws:secretsmanager:*:{account-id}:secret:teleport/*"
]
}
]
}
Use this policy for managing MemoryDB users.
Replace {account-id} with your AWS Account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"memorydb:ListTags",
"memorydb:DescribeClusters",
"memorydb:DescribeUsers",
"memorydb:UpdateUser"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"secretsmanager:DescribeSecret",
"secretsmanager:CreateSecret",
"secretsmanager:UpdateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
"secretsmanager:TagResource"
],
"Resource": [
"arn:aws:secretsmanager:*:{account-id}:secret:teleport/*"
]
}
]
}
If any custom key prefix or KMS key ID is used in the static configuration, add the following to the IAM policy.
Replace {account-id}, {my-prefix} and {my-kms-id} accordingly:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:DescribeSecret",
"secretsmanager:CreateSecret",
"secretsmanager:UpdateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
"secretsmanager:TagResource"
],
"Resource": [
"arn:aws:secretsmanager:*:{account-id}:secret:{my-prefix}/*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:*:{account-id}:key/{my-kms-id}",
]
}
]
}