Teleport

Database Access CLI Reference

teleport db start

Starts Teleport Database Service agent.

teleport db start \
  --token=/path/to/token \
  --auth-server=proxy.example.com:3080 \
  --name=example \
  --protocol=postgres \
  --uri=postgres.example.com:5432

| Flag | Description |
| --- | --- |
| -d/--debug | Enable verbose logging to stderr. |
| --pid-file | Full path to the PID file. By default no PID file will be created. |
| --auth-server | Address of the Teleport proxy server. |
| --token | Invitation token to register with an auth server. |
| --ca-pin | CA pin to validate the auth server. |
| -c/--config | Path to a configuration file (default /etc/teleport.yaml). |
| --labels | Comma-separated list of labels for this node, for example env=dev,app=web. |
| --fips | Start Teleport in FedRAMP/FIPS 140-2 mode. |
| --name | Name of the proxied database. |
| --description | Description of the proxied database. |
| --protocol | Proxied database protocol. Supported protocols are postgres and mysql. |
| --uri | Address the proxied database is reachable at. |
| --ca-cert | Database CA certificate path. |
| --aws-region | (Only for RDS, Aurora or Redshift) AWS region the RDS, Aurora or Redshift database instance is running in. |
| --aws-redshift-cluster-id | (Only for Redshift) Redshift database cluster identifier. |
| --gcp-project-id | (Only for Cloud SQL) GCP Cloud SQL project identifier. |
| --gcp-instance-id | (Only for Cloud SQL) GCP Cloud SQL instance identifier. |

tctl auth sign

When invoked with a --format=db (or --format=mongodb for MongoDB) flag, produces a CA certificate, a client certificate and a private key file used for configuring Database Access with self-hosted database instances.

tctl auth sign --format=db --host=db.example.com --out=db --ttl=2190h

| Flag | Description |
| --- | --- |
| --format | When given the value db, produces secrets in a database-compatible format. Use mongodb when generating MongoDB secrets. |
| --host | Server name to encode in the certificate. Must match the hostname Teleport will be connecting to the database at. |
| --out | Name prefix for output files. |
| --ttl | Certificate validity period. |

TTL
We recommend using a shorter TTL, but keep in mind that you'll need to update the database server certificate before it expires to avoid losing the ability to connect, so pick the TTL value that best fits your use case.
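
The --host and --ttl requirements above can be checked on the database host before they cause an outage. The script below is an added example, not part of Teleport or its documentation: check_db_cert is a hypothetical helper, it needs the openssl CLI, and the db.crt file name is an assumption about what --out=db produces.

```shell
#!/bin/sh
# Added example, not Teleport tooling. Assumption: `tctl auth sign --format=db
# --out=db` wrote the certificate to db.crt ("db" prefix plus a .crt suffix).

# check_db_cert CERT HOST [MIN_DAYS]
#   0 = certificate names HOST and stays valid for at least MIN_DAYS (default 30)
#   1 = expired, or expires within MIN_DAYS: re-issue it with tctl auth sign
#   2 = file is missing or is not a PEM certificate
#   3 = certificate does not name HOST (the --host value did not match)
check_db_cert() {
  cert=$1
  host=$2
  min_days=${3:-30}

  openssl x509 -in "$cert" -noout 2>/dev/null || {
    echo "ERROR: $cert is not a readable PEM certificate" >&2
    return 2
  }

  # -checkhost exits 0 either way, so the verdict is read from its output.
  openssl x509 -in "$cert" -noout -checkhost "$host" |
    grep -q "does match certificate" || {
    echo "ERROR: $cert does not name $host" >&2
    return 3
  }

  # -checkend N exits non-zero when the certificate expires within N seconds.
  openssl x509 -in "$cert" -noout -checkend $(( min_days * 86400 )) >/dev/null || {
    echo "WARN: $cert expires within $min_days days" \
         "($(openssl x509 -in "$cert" -noout -enddate))" >&2
    return 1
  }

  echo "OK: $cert names $host, $(openssl x509 -in "$cert" -noout -enddate)"
}

# Typical use from cron or a monitoring probe, after sourcing this file:
#   check_db_cert db.crt db.example.com 30
```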

tctl db ls

Administrative command to list all databases registered with the cluster.

tctl db ls
tctl db ls --format=yaml

| Flag | Description |
| --- | --- |
| --format | Output format, one of text, yaml or json. Defaults to text. |

tsh db ls

Lists available databases and their connection information.

tsh db ls

Displays only the databases a user has access to (see RBAC).

tsh db login

Retrieves database credentials.

tsh db login example
tsh db login --db-user=postgres --db-name=postgres example

| Flag | Description |
| --- | --- |
| --db-user | Optionally, set default database account name to connect as. |
| --db-name | Optionally, set default database name to connect to. |

tsh db logout

Removes database credentials.

tsh db logout example
tsh db logout

tsh db connect

Connect to a database using its CLI client.

Short syntax when only logged into a single database.

tsh db connect

Specify database service to connect to explicitly.

tsh db connect example

Provide database user and name to connect to.

tsh db connect --db-user=alice --db-name=db example
Note
Respective database CLI clients (psql, mysql or mongo) should be available in PATH.

| Flag | Description |
| --- | --- |
| --db-user | Optionally, set database user name to connect as. |
| --db-name | Optionally, set database name to connect to. |

tsh db env

Outputs environment variables for a particular database.

tsh db env
tsh db env example
eval $(tsh db env)

tsh db config

Prints database connection information. Useful when configuring GUI clients.

tsh db config
tsh db config example
tsh db config --format=cmd example

| Flag | Description |
| --- | --- |
| --format | Output format: text is the default; cmd prints the native database client connect command. |