Simplifying Zero Trust Security for AWS with Teleport
Jan 23
Virtual
Register Now
Teleport logoTry For Free
Fork me on GitHub

Teleport

Database Access with Amazon Keyspaces (Apache Cassandra)

Teleport can provide secure access to Amazon Keyspaces (Apache Cassandra) via the Teleport Database Service. This allows for fine-grained access control through Teleport's RBAC.

In this guide, you will:

  1. Configure your Amazon Keyspaces (Apache Cassandra) database with IAM authentication.
  2. Add the database to your Teleport cluster.
  3. Connect to the database via Teleport.

How it works

The Teleport Database Service uses IAM authentication to communicate with Amazon Keyspaces. When a user connects to the database via Teleport, the Teleport Database Service obtains AWS credentials and authenticates to AWS as an IAM principal with permissions to access the database.

Prerequisites

  • A running Teleport cluster version 16.4.12 or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

  • The tctl admin tool and tsh client tool.

    Visit Installation for instructions on downloading tctl and tsh.

  • AWS Account with Amazon Keyspaces database and permissions to create and attach IAM policies
  • The cqlsh Cassandra client installed and added to your system's PATH environment variable.
  • A host, e.g., an Amazon EC2 instance, where you will run the Teleport Database Service.
  • To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. For example:
    tsh login --proxy=teleport.example.com --user=[email protected]
    tctl status

    Cluster teleport.example.com

    Version 16.4.12

    CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678

    If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

Step 1/5. Set up the Teleport Database Service

The Database Service requires a valid join token to join your Teleport cluster. Run the following tctl command and save the token output in /tmp/token on the server that will run the Database Service:

tctl tokens add --type=db --format=text
abcd123-insecure-do-not-use-this

For users with a lot of infrastructure in AWS, or who might create or recreate many instances, consider alternative methods for joining new EC2 instances running Teleport:

Install Teleport on your Linux server:

  1. Assign edition to one of the following, depending on your Teleport edition:

    EditionValue
    Teleport Enterprise Cloudcloud
    Teleport Enterprise (Self-Hosted)enterprise
    Teleport Community Editionoss
  2. Get the version of Teleport to install. If you have automatic agent updates enabled in your cluster, query the latest Teleport version that is compatible with the updater:

    TELEPORT_DOMAIN=example.teleport.com
    TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/default/version | sed 's/v//')"

    Otherwise, get the version of your Teleport cluster:

    TELEPORT_DOMAIN=example.teleport.com
    TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/ping | jq -r '.server_version')"
  3. Install Teleport on your Linux server:

    curl https://cdn.teleport.dev/install-v16.4.12.sh | bash -s ${TELEPORT_VERSION} edition

    The installation script detects the package manager on your Linux server and uses it to install Teleport binaries. To customize your installation, learn about the Teleport package repositories in the installation guide.

Create a configuration for the Teleport Database Service, pointing the --proxy flag to the address of your Teleport Proxy Service:

sudo teleport db configure create \ -o file \ --token=/tmp/token \ --proxy=teleport.example.com:443 \ --name=keyspaces \ --protocol=cassandra \ --aws-account-id=12345678912 \ --aws-region=us-east-1 \ --labels=env=dev

Create a configuration for the Teleport Database Service, pointing the --proxy flag to the address of your Teleport Proxy Service:

sudo teleport db configure create \ -o file \ --token=/tmp/token \ --proxy=mytenant.teleport.sh:443 \ --name=keyspaces \ --protocol=cassandra \ --aws-account-id=12345678912 \ --aws-region=us-east-1 \ --labels=env=dev

Grant the Teleport Database Service access to credentials that it can use to authenticate to AWS.

  • If you are running the Teleport Database Service on an EC2 instance, you may use the EC2 Instance Metadata Service method
  • If you are running the Teleport Database Service in Kubernetes, you can use IAM Roles for Service Accounts (IRSA)
  • Otherwise, you must use environment variables

Teleport will detect when it is running on an EC2 instance and use the Instance Metadata Service to fetch credentials.

The EC2 instance should be configured to use an EC2 instance profile. For more information, see: Using Instance Profiles.

Refer to IAM Roles for Service Accounts (IRSA) to set up an OIDC provider in AWS and configure an AWS IAM role that allows the pod's service account to assume the role.

Teleport's built-in AWS client reads credentials from the following environment variables:

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • AWS_DEFAULT_REGION

When you start the Teleport Database Service, the service reads environment variables from a file at the path /etc/default/teleport. Obtain these credentials from your organization. Ensure that /etc/default/teleport has the following content, replacing the values of each variable:

AWS_ACCESS_KEY_ID=00000000000000000000
AWS_SECRET_ACCESS_KEY=0000000000000000000000000000000000000000
AWS_DEFAULT_REGION=<YOUR_REGION>

Teleport's AWS client loads credentials from different sources in the following order:

  • Environment Variables
  • Shared credentials file
  • Shared configuration file (Teleport always enables shared configuration)
  • EC2 Instance Metadata (credentials only)

While you can provide AWS credentials via a shared credentials file or shared configuration file, you will need to run the Teleport Database Service with the AWS_PROFILE environment variable assigned to the name of your profile of choice.

If you have a specific use case that the instructions above do not account for, consult the documentation for the AWS SDK for Go for a detailed description of credential loading behavior.

Configure the Teleport Database Service to start automatically when the host boots up by creating a systemd service for it. The instructions depend on how you installed the Teleport Database Service.

On the host where you will run the Teleport Database Service, enable and start Teleport:

sudo systemctl enable teleport
sudo systemctl start teleport

On the host where you will run the Teleport Database Service, create a systemd service configuration for Teleport, enable the Teleport service, and start Teleport:

sudo teleport install systemd -o /etc/systemd/system/teleport.service
sudo systemctl enable teleport
sudo systemctl start teleport

You can check the status of the Teleport Database Service with systemctl status teleport and view its logs with journalctl -fu teleport.

Step 2/5. Create a Teleport user

Tip

To modify an existing user to provide access to the Database Service, see Database Access Controls

Create a local Teleport user with the built-in access role:

tctl users add \ --roles=access \ --db-users="*" \ --db-names="*" \ alice

Create a local Teleport user with the built-in access and requester roles:

tctl users add \ --roles=access,requester \ --db-users="*" \ --db-names="*" \ alice
FlagDescription
--rolesList of roles to assign to the user. The builtin access role allows them to connect to any database server registered with Teleport.
--db-usersList of database usernames the user will be allowed to use when connecting to the databases. A wildcard allows any user.
--db-namesList of logical databases (aka schemas) the user will be allowed to connect to within a database server. A wildcard allows any database.
Warning

Database names are only enforced for PostgreSQL, MongoDB, and Cloud Spanner databases.

For more detailed information about database access controls and how to restrict access see RBAC documentation.

Step 3/5. Create an Amazon Keyspaces role

Create an AWS IAM Role that will be used as your Keyspaces user. Go to the IAM -> Access Management -> Roles. Press Create Role.

AWS provides the AmazonKeyspacesReadOnlyAccess and AmazonKeyspacesFullAccess IAM policies that you can incorporate into your Keyspaces user's role. You can choose AmazonKeyspacesReadOnlyAccess for read-only access to Amazon Keyspaces or AmazonKeyspacesFullAccess for full access.

Tip

The AmazonKeyspacesReadOnlyAccess and AmazonKeyspacesReadOnlyAccess policies may provide too much or not enough access for your intentions. Validate that these meet your expectations if you plan on using them. You can also create your own custom Amazon Keyspaces Permissions Policies: Amazon Keyspaces identity-based policy examples.

Enter a role name and press "Create role".

Step 4/5. Give Teleport permissions to assume roles

Next, attach the following policy to the IAM role or IAM user the Teleport Database Service instance is using, which allows the Database Service to assume the IAM roles:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    }
  ]
}
Tip

You can make the policy more strict by providing specific IAM role resource ARNs in the "Resource" field instead of using a wildcard.

Step 5/5. Connect

Once the Database Service has joined the cluster, log in to see the available databases:

tsh login --proxy=teleport.example.com --user=alice
tsh db ls

Name Description Allowed Users Labels Connect

--------- ----------- ------------- ------- -------

keyspaces [*] env=dev

tsh login --proxy=mytenant.teleport.sh --user=alice
tsh db ls

Name Description Allowed Users Labels Connect

--------- ----------- ------------- ------- -------

keyspaces [*] env=dev

To connect to a particular database instance using the KeyspacesReader AWS IAM Keyspaces role as a database user:

tsh db connect --db-user=KeyspacesReader keyspaces

Connected to Amazon Keyspaces at localhost:55084

[cqlsh 6.0.0 | Cassandra 3.11.2 | CQL spec 3.4.4 | Native protocol v4]

Use HELP for help.

KeyspacesReader@cqlsh>

To log out of the database and remove credentials:

Remove credentials for a particular database instance.

tsh db logout keyspaces

Remove credentials for all database instances.

tsh db logout

Further reading

Next steps

  • Take a look at the YAML configuration reference.