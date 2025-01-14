Version: 17.x

Database Labels Reference

Teleport assigns system-defined labels to protected databases. This guide describes the system-defined labels and how Teleport uses them.

All registered databases have a predefined teleport.dev/origin label with one of the following values:

Label Value Description cloud database resources created by auto-discovery. config database resources manually defined in the database_service.databases section of teleport.yaml . dynamic database resources created through dynamic registration like tcl create command.

The labels of auto-discovered databases primarily come from the tags that are assigned to the original cloud resources, such as the resources tags of an Amazon RDS instance.

The following tags will override Teleport's default behavior if assigned to the original cloud resources:

Tag name Description TeleportDatabaseName Overrides the name of the discovered database. teleport.dev/database_name (AWS only, legacy) Overrides the name of the discovered database. TeleportDatabaseName is preferred. teleport.dev/db-admin (AWS only) Specifies the name of the admin user for Automatic User Provisioning. teleport.dev/db-admin-default-database (AWS only) Overrides the default database the admin user logs into for Automatic User Provisioning.

Additionally, Teleport will generate certain labels derived from the cloud resource attributes:

Label name Description account-id ID of the AWS account the resource resides in. endpoint-type Type of the endpoint. See section below for more details. engine Amazon RDS: engine type of the RDS instance or Aurora cluster.

Amazon RDS Proxy: engine family of the proxy.

Azure-hosted databases: resource type of the resource ID. engine-version Database engine version, if available. namespace Amazon Redshift Serverless namespace name. region AWS region or Azure location. replication-role The replication role of an Azure DB Flexible server. source-server The source server of an Azure DB Flexible server replica. vpc-id ID of the Amazon VPC the resource resides in, if available. workgroup Amazon Redshift Serverless workgroup name. teleport.dev/discovery-type Specifies the type of resource matched by the Teleport Discovery Service, e.g. "rds", "redshift", etc.

The following values are used to indicate the type of the database endpoint:

Database Type Values Amazon RDS instance instance Amazon RDS Aurora cluster one of primary , reader , custom Amazon RDS Proxy one of READ_WRITE , READ_ONLY (custom endpoints only) Amazon Redshift Serverless one of workgroup , vpc-endpoint Amazon ElastiCache one of configuration , primary , reader , node Amazon MemoryDB one of cluster , node Amazon OpenSearch one of default , custom , vpc Azure Redis Enterprise one of EnterpriseCluster , OSSCluster

Static labels and dynamic labels can be specified in labels and dynamic_labels fields respectively in database definition. See Configuration for reference.