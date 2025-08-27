Discovery Service AWS IAM Reference
The Teleport Discovery Service requires AWS IAM permissions to discover AWS resources. These permissions must be attached to an AWS IAM identity that the Discovery Service instance can use.
Each section below describes the IAM permissions used to discover a specific type of AWS resource.
## EC2

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2Discovery",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ssm:DescribeInstanceInformation",
        "ssm:GetCommandInvocation",
        "ssm:ListCommandInvocations",
        "ssm:SendCommand"
      ],
      "Resource": "*"
    }
  ]
}
```

| Statement | Purpose |
|---|---|
| EC2Discovery | Discover EC2 instances. |
## EKS

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EKSDiscovery",
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "eks:ListClusters"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EKSManageAccess",
      "Effect": "Allow",
      "Action": [
        "eks:AssociateAccessPolicy",
        "eks:CreateAccessEntry",
        "eks:DeleteAccessEntry",
        "eks:DescribeAccessEntry",
        "eks:TagResource",
        "eks:UpdateAccessEntry"
      ],
      "Resource": "*"
    }
  ]
}
```

| Statement | Purpose |
|---|---|
| EKSDiscovery | Discover EKS clusters and fetch additional details about them. |
| EKSManageAccess | Automatically set up Teleport access for discovered EKS clusters. |
You can use a list of ARNs and narrow the scope of the permissions to specific regions or EKS clusters instead of using a wildcard. The resource ARN has the following format:

```
arn:{Partition}:eks:{Region}:{Account}:cluster/{ClusterName}
```

The permissions in the EKSManageAccess statement are optional because the Discovery Service will discover EKS clusters even when it cannot ensure that the Teleport Kubernetes Service has access to the clusters it discovers. If you omit any of the EKSManageAccess permissions, then it is your responsibility to ensure that the Teleport Kubernetes Service can access each EKS cluster.
## Databases

### DocumentDB

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DocumentDBDiscovery",
      "Effect": "Allow",
      "Action": "rds:DescribeDBClusters",
      "Resource": "*"
    }
  ]
}
```

| Statement | Purpose |
|---|---|
| DocumentDBDiscovery | Discover Amazon DocumentDB Clusters. |
### DynamoDB

Database discovery is not available for DynamoDB.

Manual database registration?

To register a DynamoDB database with your Teleport cluster, you must configure the database manually via static config or dynamic `db` resource. See the database access reference for more information.
### ElastiCache for Redis and Valkey

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ElastiCacheDiscovery",
      "Effect": "Allow",
      "Action": "elasticache:DescribeReplicationGroups",
      "Resource": "*"
    },
    {
      "Sid": "ElastiCacheFetchMetadata",
      "Effect": "Allow",
      "Action": [
        "elasticache:DescribeCacheClusters",
        "elasticache:DescribeCacheSubnetGroups",
        "elasticache:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
```

| Statement | Purpose |
|---|---|
| ElastiCacheDiscovery | Discover ElastiCache replication groups. |
| ElastiCacheFetchMetadata | Import AWS tags and additional metadata for each database as Teleport database labels. |
### Keyspaces

Database discovery is not available for Keyspaces.

Manual database registration?

To register a Keyspaces database with your Teleport cluster, you must configure the database manually via static config or dynamic `db` resource. See the database access reference for more information.
### MemoryDB

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MemoryDBDiscovery",
      "Effect": "Allow",
      "Action": "memorydb:DescribeClusters",
      "Resource": "*"
    },
    {
      "Sid": "MemoryDBFetchMetadata",
      "Effect": "Allow",
      "Action": [
        "memorydb:DescribeSubnetGroups",
        "memorydb:ListTags"
      ],
      "Resource": "*"
    }
  ]
}
```

| Statement | Purpose |
|---|---|
| MemoryDBDiscovery | Discover MemoryDB databases. |
| MemoryDBFetchMetadata | Import AWS tags and additional metadata for each database as Teleport database labels. |
### OpenSearch

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OpenSearchDiscovery",
      "Effect": "Allow",
      "Action": [
        "es:DescribeDomains",
        "es:ListDomainNames"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OpenSearchFetchMetadata",
      "Effect": "Allow",
      "Action": "es:ListTags",
      "Resource": "*"
    }
  ]
}
```

| Statement | Purpose |
|---|---|
| OpenSearchDiscovery | Discover OpenSearch domains. |
| OpenSearchFetchMetadata | Import each discovered domain's AWS tags as Teleport database labels. |
### RDS

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RDSDiscovery",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBClusters",
        "rds:DescribeDBInstances"
      ],
      "Resource": "*"
    }
  ]
}
```

| Statement | Purpose |
|---|---|
| RDSDiscovery | Discover RDS instances and Aurora clusters. |
When configured to discover RDS databases, the Teleport Discovery Service will attempt to discover both RDS instances and Aurora clusters.

The `rds:DescribeDBInstances` permission is used to find RDS instances, but it is also used to find additional information about discovered Aurora clusters, so you should include this permission even if you only have Aurora clusters to discover. If you don't want Aurora cluster discovery, then you can omit the `rds:DescribeDBClusters` permission.
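Both the EKS note above (scoping statements to cluster ARNs instead of a wildcard) and the RDS note (DescribeDBInstances must stay even for Aurora-only discovery) can be checked mechanically before a policy is attached. The following is an added example, not Teleport's code: a small Python checker that evaluates an IAM policy document against the actions listed on this page, handling the string-or-list forms of `Action` and `Resource` that appear in these policies and IAM's `*`/`?` wildcards. The sample policy, account ID and cluster name are constructed.

```python
import json
import re

def _as_list(value):
    """IAM allows Action and Resource to be one string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _match(pattern, value, ignore_case):
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def allows(policy, action, resource):
    """True if some Allow statement grants `action` on the concrete `resource` ARN.
    Actions compare case-insensitively, ARNs case-sensitively. Deny and NotAction are
    not modelled, which suffices for the Allow-only policies on this page."""
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if any(_match(a, action, True) for a in _as_list(st.get("Action", []))) and \
           any(_match(r, resource, False) for r in _as_list(st.get("Resource", []))):
            return True
    return False

# Required and optional actions per discovery type, copied from the policies on this page.
REQUIRED = {"rds": ["rds:DescribeDBClusters", "rds:DescribeDBInstances"],
            "eks": ["eks:DescribeCluster", "eks:ListClusters"]}
OPTIONAL = {"eks": ["eks:AssociateAccessPolicy", "eks:CreateAccessEntry", "eks:DeleteAccessEntry",
                    "eks:DescribeAccessEntry", "eks:TagResource", "eks:UpdateAccessEntry"]}

def missing(policy, matcher, resource="*"):
    """Return (missing_required, missing_optional) actions for one discovery matcher type."""
    required = [a for a in REQUIRED.get(matcher, []) if not allows(policy, a, resource)]
    optional = [a for a in OPTIONAL.get(matcher, []) if not allows(policy, a, resource)]
    return required, optional

def eks_cluster_arn(partition, region, account, cluster):
    """Build an EKS cluster ARN in the format given on this page."""
    return f"arn:{partition}:eks:{region}:{account}:cluster/{cluster}"

# Constructed sample policy: EKS scoped to one region, RDS lacking DescribeDBInstances.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "EKSDiscovery", "Effect": "Allow", "Action": ["eks:DescribeCluster", "eks:ListClusters"],
   "Resource": "arn:aws:eks:us-east-1:123456789012:cluster/*"},
  {"Sid": "EKSManageAccess", "Effect": "Allow", "Action": "eks:DescribeAccessEntry",
   "Resource": "arn:aws:eks:us-east-1:123456789012:cluster/*"},
  {"Sid": "RDSDiscovery", "Effect": "Allow", "Action": "rds:DescribeDBClusters", "Resource": "*"}]}""")

if __name__ == "__main__":
    arn = eks_cluster_arn("aws", "us-east-1", "123456789012", "prod")  # hypothetical account and cluster
    print("rds:", missing(SAMPLE_POLICY, "rds"), "eks:", missing(SAMPLE_POLICY, "eks", arn))
```

Pass the ARN of a cluster in another region and the EKS required actions are reported missing, which is the failure mode a too-narrow resource list produces.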
### RDS Proxy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RDSProxyDiscovery",
      "Effect": "Allow",
      "Action": "rds:DescribeDBProxies",
      "Resource": "*"
    },
    {
      "Sid": "RDSProxyFetchMetadata",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBProxyEndpoints",
        "rds:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
```

| Statement | Purpose |
|---|---|
| RDSProxyDiscovery | Discover RDS Proxies and register each proxy's default endpoint as a Teleport database. |
| RDSProxyFetchMetadata | Fetch metadata for discovered proxies to import AWS resource tags as Teleport database labels and register custom endpoints as Teleport databases. |
### Redshift

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RedshiftDiscovery",
      "Effect": "Allow",
      "Action": "redshift:DescribeClusters",
      "Resource": "*"
    }
  ]
}
```

| Statement | Purpose |
|---|---|
| RedshiftDiscovery | Discover Amazon Redshift Clusters. |
### Redshift Serverless

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RedshiftServerlessDiscovery",
      "Effect": "Allow",
      "Action": "redshift-serverless:ListWorkgroups",
      "Resource": "*"
    },
    {
      "Sid": "RedshiftServerlessFetchMetadata",
      "Effect": "Allow",
      "Action": [
        "redshift-serverless:ListEndpointAccess",
        "redshift-serverless:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
```

| Statement | Purpose |
|---|---|
| RedshiftServerlessDiscovery | Discover Redshift Serverless Workgroups. |
| RedshiftServerlessFetchMetadata | Fetch metadata for discovered workgroups to import AWS tags as Teleport database labels and register any VPC endpoints as Teleport databases. |