Database Labels Reference

Teleport assigns system-defined labels to protected databases. This guide describes the system-defined labels and how Teleport uses them.

Origin

All registered databases have a predefined teleport.dev/origin label with one of the following values:

| Label value | Description |
| --- | --- |
| cloud | Database resources created by auto-discovery. |
| config | Database resources manually defined in the database_service.databases section of teleport.yaml. |
| dynamic | Database resources created through dynamic registration, for example with the tctl create command. |

Auto-discovery

The labels of auto-discovered databases primarily come from the tags assigned to the original cloud resources, such as the resource tags of an Amazon RDS instance.

The following tags will override Teleport's default behavior if assigned to the original cloud resources:

| Tag name | Description |
| --- | --- |
| TeleportDatabaseName | Overrides the name of the discovered database. |
| teleport.dev/database_name | (AWS only, legacy) Overrides the name of the discovered database. TeleportDatabaseName is preferred. |
| teleport.dev/db-admin | (AWS only) Specifies the name of the admin user for Automatic User Provisioning. |
| teleport.dev/db-admin-default-database | (AWS only) Overrides the default database the admin user logs into for Automatic User Provisioning. |

Additionally, Teleport will generate certain labels derived from the cloud resource attributes:

| Label name | Description |
| --- | --- |
| account-id | ID of the AWS account the resource resides in. |
| endpoint-type | Type of the endpoint. See the endpoint-type section below for more details. |
| engine | Amazon RDS: engine type of the RDS instance or Aurora cluster. Amazon RDS Proxy: engine family of the proxy. Azure-hosted databases: resource type of the resource ID. |
| engine-version | Database engine version, if available. |
| namespace | Amazon Redshift Serverless namespace name. |
| region | AWS region or Azure location. |
| replication-role | The replication role of an Azure DB Flexible server. |
| source-server | The source server of an Azure DB Flexible server replica. |
| vpc-id | ID of the Amazon VPC the resource resides in, if available. |
| workgroup | Amazon Redshift Serverless workgroup name. |

endpoint-type

The following values are used to indicate the type of the database endpoint:

| Database type | Values |
| --- | --- |
| Amazon RDS instance | instance |
| Amazon RDS Aurora cluster | one of primary, reader, custom |
| Amazon RDS Proxy | one of READ_WRITE, READ_ONLY (custom endpoints only) |
| Amazon Redshift Serverless | one of workgroup, vpc-endpoint |
| Amazon ElastiCache | one of configuration, primary, reader, node |
| Amazon MemoryDB | one of cluster, node |
| Amazon OpenSearch | one of default, custom, vpc |
| Azure Redis Enterprise | one of EnterpriseCluster, OSSCluster |
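As an added illustrative example (not Teleport's own code, which this page does not show), the Python below models the auto-discovery rules above for an Amazon RDS instance and the endpoint-type values for an Aurora cluster. The input dict shapes (describe-db-instances / describe-db-clusters style), the helper names and the assumption that generated labels are applied after the resource tags are mine.

```python
# Illustrative model of the documented label rules (not Teleport's own code).
# Inputs mirror the describe-db-instances / describe-db-clusters shapes.
from typing import Dict, List

def tags_to_labels(tags: List[dict]) -> Dict[str, str]:
    """Turn the AWS tag list [{"Key": k, "Value": v}, ...] into label pairs."""
    return {t["Key"]: t["Value"] for t in tags}

def discovered_name(identifier: str, tags: Dict[str, str]) -> str:
    """TeleportDatabaseName is preferred; the legacy teleport.dev/database_name
    tag applies only when it is absent; otherwise the RDS identifier is used."""
    return tags.get("TeleportDatabaseName") or tags.get("teleport.dev/database_name") or identifier

def rds_instance_labels(instance: dict, account_id: str, region: str) -> Dict[str, str]:
    """Resource tags plus the generated labels. Assumption of this model: the
    generated labels are applied last, so a same-named tag cannot mask them."""
    labels = tags_to_labels(instance.get("TagList", []))
    labels.update({
        "teleport.dev/origin": "cloud",
        "account-id": account_id,
        "region": region,
        "engine": instance["Engine"],
        "endpoint-type": "instance",  # an RDS instance has one endpoint type
    })
    if instance.get("EngineVersion"):  # engine-version only if available
        labels["engine-version"] = instance["EngineVersion"]
    vpc_id = (instance.get("DBSubnetGroup") or {}).get("VpcId")
    if vpc_id:  # vpc-id only if available
        labels["vpc-id"] = vpc_id
    return labels

def aurora_endpoint_type(endpoint: str, cluster: dict) -> str:
    """endpoint-type of an Aurora cluster endpoint: primary, reader or custom."""
    if endpoint == cluster["Endpoint"]:
        return "primary"
    if endpoint == cluster.get("ReaderEndpoint"):
        return "reader"
    return "custom"

# Constructed sample input; account, names and IDs are placeholders.
SAMPLE_INSTANCE = {
    "DBInstanceIdentifier": "orders-db", "Engine": "postgres", "EngineVersion": "15.4",
    "DBSubnetGroup": {"VpcId": "vpc-0example"},
    "TagList": [{"Key": "env", "Value": "prod"},
                {"Key": "teleport.dev/database_name", "Value": "legacy-name"},
                {"Key": "TeleportDatabaseName", "Value": "orders"}],
}
```

Running the model over a real describe-db-instances dump shows which labels a role's db_labels rule will actually see before the database is registered.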

Manual and dynamic registration

Static labels and dynamic labels can be specified in the labels and dynamic_labels fields, respectively, of the database definition. See Configuration for reference.

Database Service on Amazon EC2

All registered databases can inherit the labels converted from the tags of the EC2 instance running the Teleport Database Service. Labels created this way will have the aws/ prefix. See Sync EC2 Tags for more details.