Teleport
Discovery Service AWS IAM Reference
- Version 17.x
- Version 16.x
- Version 15.x
- Version 14.x
- Older Versions
The Teleport Discovery Service requires AWS IAM permissions to discover AWS resources. These permissions must be attached to an AWS IAM identity that the Discovery Service instance can use.
Each section below describes the IAM permissions used to discover a specific type of AWS resource.
EC2
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EC2Discovery",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ssm:DescribeInstanceInformation",
"ssm:GetCommandInvocation",
"ssm:ListCommandInvocations",
"ssm:SendCommand"
],
"Resource": "*"
}
]
}
| Statement | Purpose |
|---|---|
EC2Discovery | Discover EC2 instances. |
EKS
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EKSDiscovery",
"Effect": "Allow",
"Action": [
"eks:DescribeCluster",
"eks:ListClusters"
],
"Resource": "*"
},
{
"Sid": "EKSManageAccess",
"Effect": "Allow",
"Action": [
"eks:AssociateAccessPolicy",
"eks:CreateAccessEntry",
"eks:DeleteAccessEntry",
"eks:DescribeAccessEntry",
"eks:TagResource",
"eks:UpdateAccessEntry"
],
"Resource": "*"
}
]
}
| Statement | Purpose |
|---|---|
EKSDiscovery | Discover EKS clusters and fetch additional details about them. |
EKSManageAccess | Automatically set up Teleport access for discovered EKS clusters. |
You can use a list of ARNs and narrow the scope of the permissions to specific regions or EKS clusters instead of using a wildcard. The resource ARN has the following format:
arn:{Partition}:eks:{Region}:{Account}:cluster/{ClusterName}
The permissions in the EKSManageAccess statement are optional because the
Discovery Service will discover EKS clusters even when it cannot ensure that the
Teleport Kubernetes Service has access to the clusters it discovers.
If you omit any of the EKSManageAccess permissions, then it is your
responsibility to ensure that the Teleport Kubernetes Service can access each
EKS cluster.
Databases
DocumentDB
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DocumentDBDiscovery",
"Effect": "Allow",
"Action": "rds:DescribeDBClusters",
"Resource": "*"
}
]
}
| Statement | Purpose |
|---|---|
DocumentDBDiscovery | Discover Amazon DocumentDB Clusters. |
DynamoDB
Database discovery is not available for DynamoDB.
To register a DynamoDB database with your Teleport cluster, you must
configure the database manually via static config or dynamic db resource.
See the database access reference for more information.
ElastiCache for Redis
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ElastiCacheDiscovery",
"Effect": "Allow",
"Action": "elasticache:DescribeReplicationGroups",
"Resource": "*"
},
{
"Sid": "ElastiCacheFetchMetadata",
"Effect": "Allow",
"Action": [
"elasticache:DescribeCacheClusters",
"elasticache:DescribeCacheSubnetGroups",
"elasticache:ListTagsForResource"
],
"Resource": "*"
}
]
}
| Statement | Purpose |
|---|---|
ElastiCacheDiscovery | Discover ElastiCache replication groups. |
ElastiCacheFetchMetadata | Import AWS tags and additional metadata for each database as Teleport database labels. |
Keyspaces
Database discovery is not available for Keyspaces.
To register a Keyspaces database with your Teleport cluster, you must
configure the database manually via static config or dynamic db resource.
See the database access reference for more information.
MemoryDB
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "MemoryDBDiscovery",
"Effect": "Allow",
"Action": "memorydb:DescribeClusters",
"Resource": "*"
},
{
"Sid": "MemoryDBFetchMetadata",
"Effect": "Allow",
"Action": [
"memorydb:DescribeSubnetGroups",
"memorydb:ListTags"
],
"Resource": "*"
}
]
}
| Statement | Purpose |
|---|---|
MemoryDBDiscovery | Discover MemoryDB databases. |
MemoryDBFetchMetadata | Import AWS tags and additional metadata for each database as Teleport database labels. |
OpenSearch
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "OpenSearchDiscovery",
"Effect": "Allow",
"Action": [
"es:DescribeDomains",
"es:ListDomainNames"
],
"Resource": "*"
},
{
"Sid": "OpenSearchFetchMetadata",
"Effect": "Allow",
"Action": "es:ListTags",
"Resource": "*"
}
]
}
| Statement | Purpose |
|---|---|
OpenSearchDiscovery | Discover OpenSearch domains. |
OpenSearchFetchMetadata | Import each discovered domain's AWS tags as Teleport database labels. |
RDS
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RDSDiscovery",
"Effect": "Allow",
"Action": [
"rds:DescribeDBClusters",
"rds:DescribeDBInstances"
],
"Resource": "*"
}
]
}
| Statement | Purpose |
|---|---|
RDSDiscovery | Discover RDS instances and Aurora clusters. |
When configured to discover RDS databases, the Teleport Discovery Service
will attempt to discover both RDS instances and Aurora clusters.
The rds:DescribeDBInstances permission is used to find RDS instances, but it
is also used to find additional information about discovered Aurora clusters, so
you should include this permission even if you only have Aurora clusters to
discover.
If you don't want Aurora cluster discovery, then you can omit the
rds:DescribeDBClusters permission.
RDS Proxy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RDSProxyDiscovery",
"Effect": "Allow",
"Action": "rds:DescribeDBProxies",
"Resource": "*"
},
{
"Sid": "RDSProxyFetchMetadata",
"Effect": "Allow",
"Action": [
"rds:DescribeDBProxyEndpoints",
"rds:ListTagsForResource"
],
"Resource": "*"
}
]
}
| Statement | Purpose |
|---|---|
RDSProxyDiscovery | Discover RDS Proxies and register each proxy's default endpoint as a Teleport database. |
RDSProxyFetchMetadata | Fetch metadata for discovered proxies to import AWS resource tags as Teleport database labels and register custom endpoints as Teleport databases. |
Redshift
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RedshiftDiscovery",
"Effect": "Allow",
"Action": "redshift:DescribeClusters",
"Resource": "*"
}
]
}
| Statement | Purpose |
|---|---|
RedshiftDiscovery | Discover Amazon Redshift Clusters. |
Redshift Serverless
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RedshiftServerlessDiscovery",
"Effect": "Allow",
"Action": "redshift-serverless:ListWorkgroups",
"Resource": "*"
},
{
"Sid": "RedshiftServerlessFetchMetadata",
"Effect": "Allow",
"Action": [
"redshift-serverless:ListEndpointAccess",
"redshift-serverless:ListTagsForResource"
],
"Resource": "*"
}
]
}
| Statement | Purpose |
|---|---|
RedshiftServerlessDiscovery | Discover Redshift Serverless Workgroups. |
RedshiftServerlessFetchMetadata | Fetch metadata for discovered workgroups to import AWS tags as Teleport database labels and register any VPC endpoints as Teleport databases. |