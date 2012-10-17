Database Access AWS IAM Reference
The Teleport Database Service requires IAM permissions for various tasks depending on the database type and setup, such as discovering endpoints and metadata of the database servers, generating IAM authentication tokens, and assuming IAM roles.
You can generate IAM permissions with the
teleport db configure aws print-iam
command. For example, the following command would generate and print the IAM
policies:
teleport db configure aws print-iam --types rds,redshift --role teleport-db-service-role
To learn more about IAM permissions for a specific type of database, refer to the related section below.
DocumentDB
Assign aws-account-id to your AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DocumentDBConnectAsIAMRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::aws-account-id:role/documentdb-user-role"
]
},
{
"Sid": "DocumentDBCheckDomainURL",
"Effect": "Allow",
"Action": "rds:DescribeDBClusters",
"Resource": "*"
}
]
}
|Statement
|Purpose
DocumentDBConnectAsIAMRole
|Assume an IAM role to connect to a DocumentDB cluster with IAM authentication.
DocumentDBCheckDomainURL
|Validate a domain's URL if it was auto-discovered by the Discovery Service.
IAM role as a DocumentDB database user
The Teleport Database Service assumes a IAM role when connecting to a DocumentDB cluster with IAM authentication.
Refer to Authentication using IAM Identity for more information about DocumentDB IAM authentication.
To allow IAM Role
teleport-db-service-role to assume IAM Role
documentdb-user-role, the following is
generally required:
1. Configure Trust Relationships on documentdb-user-role
teleport-db-service-role or its AWS account should be set as
Principal in
documentdb-user-role's trust
policy.
- Role as principal
- Account as principal
- Cross-account with external-id
Assign aws-account-id to your AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::aws-account-id:role/teleport-db-service-role"
},
"Action": "sts:AssumeRole"
}
]
}
Assign aws-account-id to your AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::aws-account-id:root"
},
"Action": "sts:AssumeRole"
}
]
}
Assign external-aws-account-id to an external AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::external-aws-account-id:role/teleport-db-service-role"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "example-external-id"
}
}
}
]
}
2. Configure Permissions Policies on teleport-db-service-role
teleport-db-service-role requires
sts:AssumeRole permissions, for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::aws-account-id:role/documentdb-user-role"
}
]
}
Note that this policy can be omitted when
teleport-db-service-role and
documentdb-user-role are in the same
AWS account and
teleport-db-service-role's full ARN is configured as Principal in
documentdb-user-role's
trust policy.
3. Configure Permissions Boundary on teleport-db-service-role
If
teleport-db-service-role does not have an attached
Permissions boundary
then you can skip this step.
Otherwise, the boundary policy attached to
teleport-db-service-role must include
sts:AssumeRole permissions, for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "*"
}
]
}
DynamoDB
Assign aws-account-id to your AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DynamoDBConnectAsIAMRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::aws-account-id:role/dynamodb-user-role"
]
},
{
"Sid": "DynamoDBSessionTagging",
"Effect": "Allow",
"Action": "sts:TagSession",
"Resource": [
"*"
]
}
]
}
|Statement
|Purpose
DynamoDBConnectAsIAMRole
|Assume an IAM role to forward requests to DynamoDB.
DynamoDBSessionTagging
|Tag assumed role sessions if tags are specified in the Teleport database configuration under
aws.session_tags.
The session tagging permissions are only required if you have configured tags
under the
aws.session_tags section of your Teleport database configuration.
IAM role as a DynamoDB database user
The Teleport Database Service assumes a user-specified IAM role when forwarding requests to DynamoDB on their behalf. DynamoDB-related IAM permissions must be attached to that IAM role.
Refer to Actions, resources, and condition keys for Amazon DynamoDB for more information about DynamoDB permissions.
To allow IAM Role
teleport-db-service-role to assume IAM Role
dynamodb-user-role, the following is
generally required:
1. Configure Trust Relationships on dynamodb-user-role
teleport-db-service-role or its AWS account should be set as
Principal in
dynamodb-user-role's trust
policy.
- Role as principal
- Account as principal
- Cross-account with external-id
Assign aws-account-id to your AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::aws-account-id:role/teleport-db-service-role"
},
"Action": "sts:AssumeRole"
}
]
}
Assign aws-account-id to your AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::aws-account-id:root"
},
"Action": "sts:AssumeRole"
}
]
}
Assign external-aws-account-id to an external AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::external-aws-account-id:role/teleport-db-service-role"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "example-external-id"
}
}
}
]
}
2. Configure Permissions Policies on teleport-db-service-role
teleport-db-service-role requires
sts:AssumeRole permissions, for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::aws-account-id:role/dynamodb-user-role"
}
]
}
Note that this policy can be omitted when
teleport-db-service-role and
dynamodb-user-role are in the same
AWS account and
teleport-db-service-role's full ARN is configured as Principal in
dynamodb-user-role's
trust policy.
3. Configure Permissions Boundary on teleport-db-service-role
If
teleport-db-service-role does not have an attached
Permissions boundary
then you can skip this step.
Otherwise, the boundary policy attached to
teleport-db-service-role must include
sts:AssumeRole permissions, for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "*"
}
]
}
ElastiCache for Redis and Valkey
ElastiCache supports IAM authentication for Redis and Valkey engine version 7.0 or above. This is the recommended way to configure Teleport access to ElastiCache.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ElastiCacheFetchMetadata",
"Effect": "Allow",
"Action": "elasticache:DescribeReplicationGroups",
"Resource": "*"
},
{
"Sid": "ElastiCacheDescribeUsers",
"Effect": "Allow",
"Action": "elasticache:DescribeUsers",
"Resource": "*"
},
{
"Sid": "ElastiCacheConnect",
"Effect": "Allow",
"Action": "elasticache:Connect",
"Resource": "*"
}
]
}
|Statement
|Purpose
ElastiCacheFetchMetadata
|Automatically import AWS tags as database labels or find missing information such as the database's AWS region.
ElastiCacheDescribeUsers
|Determine whether a user is compatible with IAM authentication.
ElastiCacheConnect
|Connect using IAM authentication.
You can reduce the scope of the
ElastiCacheConnect statement by updating it to
only allow specific ElastiCache clusters and IAM users. The resource ARN you can
specify has the following formats:
arn:aws:elasticache:{Region}:{AccountID}:replicationgroup:{ReplicationGroup}arn:aws:elasticache:{Region}:{AccountID}:user:{UserName}
See Authenticating with IAM for ElastiCache for more information.
ElastiCache managed users
The recommended way to configure Teleport access to ElastiCache is to use IAM auth, which is supported for Redis engine version 7.0 and up. Using managed users with passwords stored in AWS Secrets Manager is a legacy method for configuring Teleport access to ElastiCache.
If any ElastiCache users are tagged to be managed by Teleport, below are the IAM permissions required for managing the ElastiCache users:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ElastiCacheManageUsers",
"Effect": "Allow",
"Action": [
"elasticache:DescribeUsers",
"elasticache:ModifyUser",
"elasticache:ListTagsForResource"
],
"Resource": "*"
},
{
"Sid": "ElastiCacheManagePasswords",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
"secretsmanager:TagResource",
"secretsmanager:UpdateSecret"
],
"Resource": [
"arn:aws:secretsmanager:*:aws-account-id:secret:teleport/*"
]
}
]
}
The default Secrets Manager key prefix that Teleport will use is "teleport/". If you have configured a custom key prefix in your Teleport database config, then you must update the IAM policy resource name teleport to match that custom prefix.
If you have configured a custom KMS key ID in your Teleport database config, then add the following to the IAM policy, assigning your-kms-id to your KMS ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": [
"arn:aws:kms:*:aws-account-id:key/your-kms-id"
]
}
]
}
ElastiCache Serverless for Redis and Valkey
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ElastiCacheServerlessFetchMetadata",
"Effect": "Allow",
"Action": "elasticache:DescribeServerlessCaches",
"Resource": "*"
},
{
"Sid": "ElastiCacheServerlessDescribeUsers",
"Effect": "Allow",
"Action": "elasticache:DescribeUsers",
"Resource": "*"
},
{
"Sid": "ElastiCacheServerlessConnect",
"Effect": "Allow",
"Action": "elasticache:Connect",
"Resource": "*"
}
]
}
|Statement
|Purpose
ElastiCacheServerlessFetchMetadata
|Automatically import AWS metadata about the database.
ElastiCacheServerlessDescribeUsers
|Determine whether a user is compatible with IAM authentication.
ElastiCacheServerlessConnect
|Connect using IAM authentication.
Details
You can reduce the scope of the
ElastiCacheServerlessConnect statement by
updating it to only allow specific ElastiCache Serverless caches and IAM users.
The resource ARN you can specify has the following formats:
arn:aws:elasticache:{Region}:{AccountID}:serverlesscache:{CacheName}arn:aws:elasticache:{Region}:{AccountID}:user:{UserName}
See Authenticating with IAM for ElastiCache for more information.
Keyspaces
Assign aws-account-id to your AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "KeyspacesConnectAsIAMRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::aws-account-id:role/keyspaces-user-role"
]
}
]
}
|Statement
|Purpose
KeyspacesConnectAsIAMRole
|Assume an IAM role to forward requests to Keyspaces.
IAM role as a Keyspaces database user
The Teleport Database Service assumes a user-specified IAM role when forwarding requests to Keyspaces on their behalf. Keyspaces-related IAM permissions must be attached to that IAM role.
Refer to the Amazon Keyspaces identity-based policy examples for more information about the Keyspaces permissions that you can grant to an IAM role.
To allow IAM Role
teleport-db-service-role to assume IAM Role
keyspaces-user-role, the following is
generally required:
1. Configure Trust Relationships on keyspaces-user-role
teleport-db-service-role or its AWS account should be set as
Principal in
keyspaces-user-role's trust
policy.
- Role as principal
- Account as principal
- Cross-account with external-id
Assign aws-account-id to your AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::aws-account-id:role/teleport-db-service-role"
},
"Action": "sts:AssumeRole"
}
]
}
Assign aws-account-id to your AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::aws-account-id:root"
},
"Action": "sts:AssumeRole"
}
]
}
Assign external-aws-account-id to an external AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::external-aws-account-id:role/teleport-db-service-role"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "example-external-id"
}
}
}
]
}
2. Configure Permissions Policies on teleport-db-service-role
teleport-db-service-role requires
sts:AssumeRole permissions, for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::aws-account-id:role/keyspaces-user-role"
}
]
}
Note that this policy can be omitted when
teleport-db-service-role and
keyspaces-user-role are in the same
AWS account and
teleport-db-service-role's full ARN is configured as Principal in
keyspaces-user-role's
trust policy.
3. Configure Permissions Boundary on teleport-db-service-role
If
teleport-db-service-role does not have an attached
Permissions boundary
then you can skip this step.
Otherwise, the boundary policy attached to
teleport-db-service-role must include
sts:AssumeRole permissions, for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "*"
}
]
}
MemoryDB
MemoryDB supports IAM authentication for Redis engine version 7.0 or above. This is the recommended way to configure Teleport access to MemoryDB.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "MemoryDBFetchMetadata",
"Effect": "Allow",
"Action": "memorydb:DescribeClusters",
"Resource": "*"
},
{
"Sid": "MemoryDBDescribeUsers",
"Effect": "Allow",
"Action": "memorydb:DescribeUsers",
"Resource": "*"
},
{
"Sid": "MemoryDBConnect",
"Effect": "Allow",
"Action": "memorydb:Connect",
"Resource": "*"
}
]
}
|Statement
|Purpose
MemoryDBFetchMetadata
|Automatically import AWS tags as database labels or find missing information such as the database's AWS region.
MemoryDBDescribeUsers
|Determine whether a user is compatible with IAM authentication.
MemoryDBConnect
|Connect using IAM authentication.
You can reduce the scope of the
MemoryDBConnect statement by updating it to
only allow specific MemoryDB clusters and IAM users. The resource ARN you can
specify has the following formats:
arn:aws:memorydb:{Region}:{AccountID}:cluster:{ClusterName}arn:aws:memorydb:{Region}:{AccountID}:user:{UserName}
See Authenticating with IAM for MemoryDB for more information.
MemoryDB managed users
The recommended way to configure Teleport access to MemoryDB is to use IAM auth, which is supported for Redis engine version 7.0 and up. Using managed users with passwords stored in AWS Secrets Manager is a legacy method for configuring Teleport access to MemoryDB.
If any MemoryDB users are tagged to be managed by Teleport, below are the IAM permissions required for managing the MemoryDB users:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "MemoryDBManageUsers",
"Effect": "Allow",
"Action": [
"memorydb:DescribeUsers",
"memorydb:UpdateUser",
"memorydb:ListTags"
],
"Resource": "*"
},
{
"Sid": "MemoryDBManagePasswords",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
"secretsmanager:TagResource",
"secretsmanager:UpdateSecret"
],
"Resource": [
"arn:aws:secretsmanager:*:aws-account-id:secret:teleport/*"
]
}
]
}
The default Secrets Manager key prefix that Teleport will use is "teleport/". If you have configured a custom key prefix in your Teleport database config, then you must update the IAM policy resource name teleport to match that custom prefix.
If you have configured a custom KMS key ID in your Teleport database config, then add the following to the IAM policy, assigning your-kms-id to your KMS ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": [
"arn:aws:kms:*:aws-account-id:key/your-kms-id"
]
}
]
}
OpenSearch
Assign aws-account-id to your AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "OpenSearchCheckDomainURL",
"Effect": "Allow",
"Action": "es:DescribeDomains",
"Resource": [
"*"
]
},
{
"Sid": "OpenSearchConnectAsIAMRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::aws-account-id:role/opensearch-user-role"
]
}
]
}
|Statement
|Purpose
OpenSearchCheckDomainURL
|Validate a domain's URL if it was auto-discovered by the Discovery Service.
OpenSearchConnectAsIAMRole
|Assume an IAM role to forward requests to OpenSearch.
IAM role as an OpenSearch database user
OpenSearch maps IAM roles to OpenSearch backend roles. The Teleport Database Service must be able to assume these "access" IAM roles to sign the OpenSearch API requests.
Refer to Fine-grained access control in Amazon OpenSearch Service for more information about the permissions you can configure for these roles.
To allow IAM Role
teleport-db-service-role to assume IAM Role
opensearch-user-role, the following is
generally required:
1. Configure Trust Relationships on opensearch-user-role
teleport-db-service-role or its AWS account should be set as
Principal in
opensearch-user-role's trust
policy.
- Role as principal
- Account as principal
- Cross-account with external-id
Assign aws-account-id to your AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::aws-account-id:role/teleport-db-service-role"
},
"Action": "sts:AssumeRole"
}
]
}
Assign aws-account-id to your AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::aws-account-id:root"
},
"Action": "sts:AssumeRole"
}
]
}
Assign external-aws-account-id to an external AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::external-aws-account-id:role/teleport-db-service-role"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "example-external-id"
}
}
}
]
}
2. Configure Permissions Policies on teleport-db-service-role
teleport-db-service-role requires
sts:AssumeRole permissions, for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::aws-account-id:role/opensearch-user-role"
}
]
}
Note that this policy can be omitted when
teleport-db-service-role and
opensearch-user-role are in the same
AWS account and
teleport-db-service-role's full ARN is configured as Principal in
opensearch-user-role's
trust policy.
3. Configure Permissions Boundary on teleport-db-service-role
If
teleport-db-service-role does not have an attached
Permissions boundary
then you can skip this step.
Otherwise, the boundary policy attached to
teleport-db-service-role must include
sts:AssumeRole permissions, for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "*"
}
]
}
RDS
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RDSAutoEnableIAMAuth",
"Effect": "Allow",
"Action": [
"rds:ModifyDBCluster",
"rds:ModifyDBInstance"
],
"Resource": "*"
},
{
"Sid": "RDSConnect",
"Effect": "Allow",
"Action": "rds-db:connect",
"Resource": "*"
},
{
"Sid": "RDSFetchMetadata",
"Effect": "Allow",
"Action": [
"rds:DescribeDBClusters",
"rds:DescribeDBInstances"
],
"Resource": "*"
}
]
}
|Statement
|Purpose
RDSAutoEnableIAMAuth
|Automatically enable IAM auth on RDS instances and Aurora clusters.
RDSConnect
|Generate an IAM authentication token to connect to a database.
RDSFetchMetadata
|Automatically import AWS tags as database labels or find missing information such as the database's AWS region.
The Teleport Database Service uses
rds:ModifyDBInstance and
rds:ModifyDBCluster to automatically enable
IAM authentication
on RDS instances and Aurora clusters, respectively.
You can omit the
RDSAutoEnableIAMAuth permissions if IAM authentication is
already enabled on your databases.
The
rds-db:connect permission is required to connect to databases.
You can reduce the scope of the permission to only allow specific databases,
regions, or users.
The resource ARN has the following format:
arn:aws:rds-db:{Region}:{AccountID}:dbuser:{ResourceID}/{UserName}
Refer to
Creating and using an IAM policy for IAM database access
for more information about the
rds-db:connect permission grant syntax.
Databases discovered by the Teleport Discovery Service should be registered with
complete metadata, so you can also omit the
RDSFetchMetadata permissions if all of
your AWS databases are being auto-discovered.
RDS Proxy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RDSProxyConnect",
"Effect": "Allow",
"Action": "rds-db:connect",
"Resource": "*"
},
{
"Sid": "RDSProxyFetchMetadata",
"Effect": "Allow",
"Action": [
"rds:DescribeDBProxies",
"rds:DescribeDBProxyEndpoints"
],
"Resource": "*"
}
]
}
|Statement
|Purpose
RDSProxyConnect
|Generate an IAM authentication token to connect to a database.
RDSProxyFetchMetadata
|Automatically import AWS tags as database labels or find missing information such as the database's AWS region.
The
rds-db:connect permission is required to connect to databases.
You can reduce the scope of the permission to only allow specific databases,
regions, or users.
The resource ARN has the following format:
arn:aws:rds-db:{Region}:{AccountID}:dbuser:{ResourceID}/{UserName}
Refer to
Creating and using an IAM policy for IAM database access
for more information about the
rds-db:connect permission grant syntax.
Databases discovered by the Teleport Discovery Service should be registered with
complete metadata, so you can also omit the
RDSProxyFetchMetadata permissions if all of
your AWS databases are being auto-discovered.
Redshift
Assign aws-account-id to your AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RedshiftConnectAsDBUser",
"Effect": "Allow",
"Action": "redshift:GetClusterCredentials",
"Resource": "*"
},
{
"Sid": "RedshiftConnectAsIAMRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::aws-account-id:role/redshift-user-role"
]
},
{
"Sid": "RedshiftFetchMetadata",
"Effect": "Allow",
"Action": "redshift:DescribeClusters",
"Resource": "*"
}
]
}
|Statement
|Purpose
RedshiftConnectAsDBUser
|Connect to a database as an existing database user.
RedshiftConnectAsIAMRole
|Assume an IAM role to connect to a database with permissions mapped into the database 1:1 from the role's IAM permissions.
RedshiftFetchMetadata
|Automatically import AWS tags as database labels or find missing information such as the database's AWS region.
You can reduce the scope of the
RedshiftConnectAsDBUser statement by updating
it to only allow specific users, databases, and database groups.
The resource ARN you can specify has the following formats:
arn:aws:redshift:{Region}:{AccountID}:dbuser:{ClusterName}/{UserName}arn:aws:redshift:{Region}:{AccountID}:dbname:{ClusterName}/{DatabaseName}arn:aws:redshift:{Region}:{AccountID}:dbgroup:{ClusterName}/{DatabaseGroupName}
See Create an IAM role or user with permissions to call GetClusterCredentials
for more information about the
redshift:GetClusterCredentials permission
grant syntax.
You can authenticate as an existing database user or as an IAM role that will
be automatically mapped into the database.
The corresponding IAM statement is only required for the method(s) you want to
use.
If an IAM role names the Database Service's identity as a trusted principal,
and both identities are in the same AWS account, then the
RedshiftConnectAsIAMRole statement can also be omitted.
Databases discovered by the Teleport Discovery Service should be registered with
complete metadata, so you can also omit the
RedshiftFetchMetadata permissions if all of
your AWS databases are being auto-discovered.
IAM role as a Redshift database user
The following permissions policy should be attached to an IAM role that Teleport users can specify as a database user.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RedshiftConnectWithIAM",
"Effect": "Allow",
"Action": "redshift:GetClusterCredentialsWithIAM",
"Resource": "*"
}
]
}
|Statement
|Purpose
RedshiftConnectWithIAM
|Connect to a Redshift database as a database user mapped 1:1 from this IAM identity.
An IAM role can connect as an automatically created database user with
permissions mapped 1:1 from the identity's IAM permissions.
Permissions in the database are granted with
redshift-data:* statements
attached to the IAM identity, for example
redshift-data:GetStatementResult.
Teleport users can connect as that role by specifying "role/{RoleName}" as a
database user, e.g.
tsh db connect my-redshift --db-user=role/redshift-user-role
See Using identity-based policies for Amazon Redshift for more information about available Redshift IAM permissions that are mapped to the database user.
To allow IAM Role
teleport-db-service-role to assume IAM Role
redshift-user-role, the following is
generally required:
1. Configure Trust Relationships on redshift-user-role
teleport-db-service-role or its AWS account should be set as
Principal in
redshift-user-role's trust
policy.
- Role as principal
- Account as principal
- Cross-account with external-id
Assign aws-account-id to your AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::aws-account-id:role/teleport-db-service-role"
},
"Action": "sts:AssumeRole"
}
]
}
Assign aws-account-id to your AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::aws-account-id:root"
},
"Action": "sts:AssumeRole"
}
]
}
Assign external-aws-account-id to an external AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::external-aws-account-id:role/teleport-db-service-role"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "example-external-id"
}
}
}
]
}
2. Configure Permissions Policies on teleport-db-service-role
teleport-db-service-role requires
sts:AssumeRole permissions, for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::aws-account-id:role/redshift-user-role"
}
]
}
Note that this policy can be omitted when
teleport-db-service-role and
redshift-user-role are in the same
AWS account and
teleport-db-service-role's full ARN is configured as Principal in
redshift-user-role's
trust policy.
3. Configure Permissions Boundary on teleport-db-service-role
If
teleport-db-service-role does not have an attached
Permissions boundary
then you can skip this step.
Otherwise, the boundary policy attached to
teleport-db-service-role must include
sts:AssumeRole permissions, for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "*"
}
]
}
Redshift Serverless
Assign aws-account-id to your AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RedshiftServerlessConnectAsIAMRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::aws-account-id:role/redshift-serverless-user-role"
]
},
{
"Sid": "RedshiftServerlessFetchMetadata",
"Effect": "Allow",
"Action": [
"redshift-serverless:GetEndpointAccess",
"redshift-serverless:GetWorkgroup"
],
"Resource": "*"
}
]
}
|Statement
|Purpose
RedshiftServerlessFetchMetadata
|Automatically import AWS tags as database labels or find missing information such as the database's AWS region.
RedshiftServerlessConnectAsIAMRole
|Assume an IAM role to connect as a database user.
Databases discovered by the Teleport Discovery Service should be registered with
complete metadata, so you can also omit the
RedshiftServerlessFetchMetadata permissions if all of
your AWS databases are being auto-discovered.
Redshift Serverless maps IAM roles to database users. The Teleport Database Service must be able to assume these "access" IAM roles which are granted IAM permissions to generate IAM authentication tokens.
IAM role as a Redshift Serverless database user
The following permissions policy should be attached to an IAM role that Teleport users can specify as a database user. Assign us-east-2 to an AWS region, aws-account-id to your AWS account ID, and workgroup-id to a workgroup ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RedshiftServerlessConnect",
"Effect": "Allow",
"Action": "redshift-serverless:GetCredentials",
"Resource": "arn:aws:redshift-serverless:us-east-2:aws-account-id:workgroup/workgroup-id"
}
]
}
|Statement
|Purpose
RedshiftServerlessConnect
|Get credentials to connect to a database.
The resource ARN string has the following format:
arn:aws:redshift-serverless:{Region}:{AccountID}:workgroup/{WorkgroupID}
Teleport users can connect as the IAM role by specifying the role name as a database user, e.g.
tsh db connect redshift-serverless-example-db --db-user=redshift-serverless-user-role
See Identity and access management in Amazon Redshift Serverless for more information about configuring Redshift Serverless permissions.
To allow IAM Role
teleport-db-service-role to assume IAM Role
redshift-serverless-user-role, the following is
generally required:
1. Configure Trust Relationships on redshift-serverless-user-role
teleport-db-service-role or its AWS account should be set as
Principal in
redshift-serverless-user-role's trust
policy.
- Role as principal
- Account as principal
- Cross-account with external-id
Assign aws-account-id to your AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::aws-account-id:role/teleport-db-service-role"
},
"Action": "sts:AssumeRole"
}
]
}
Assign aws-account-id to your AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::aws-account-id:root"
},
"Action": "sts:AssumeRole"
}
]
}
Assign external-aws-account-id to an external AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::external-aws-account-id:role/teleport-db-service-role"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "example-external-id"
}
}
}
]
}
2. Configure Permissions Policies on teleport-db-service-role
teleport-db-service-role requires
sts:AssumeRole permissions, for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::aws-account-id:role/redshift-serverless-user-role"
}
]
}
Note that this policy can be omitted when
teleport-db-service-role and
redshift-serverless-user-role are in the same
AWS account and
teleport-db-service-role's full ARN is configured as Principal in
redshift-serverless-user-role's
trust policy.
3. Configure Permissions Boundary on teleport-db-service-role
If
teleport-db-service-role does not have an attached
Permissions boundary
then you can skip this step.
Otherwise, the boundary policy attached to
teleport-db-service-role must include
sts:AssumeRole permissions, for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "*"
}
]
}