Date: 2025-01-14
Version: 15.x


Database Access Configuration Reference

The following snippet shows the full YAML configuration of the Database Service as it appears in the teleport.yaml configuration file:

```yaml
db_service:
  enabled: "yes"
  # Dynamic resources (db resources created with tctl) matched by label.
  resources:
    - labels:
        "*": "*"
      aws:
        assume_role_arn: "arn:aws:iam::123456789012:role/example-role-name"
        external_id: "example-external-id"
  # AWS database discovery matchers.
  aws:
    - types: ["rds", "rdsproxy", "redshift", "redshift-serverless", "elasticache", "memorydb", "opensearch"]
      regions: ["us-west-1", "us-east-2"]
      assume_role_arn: "arn:aws:iam::123456789012:role/example-role-name"
      external_id: "example-external-id"
      tags:
        "*": "*"
  # Azure database discovery matchers.
  azure:
    - types: ["mysql", "postgres", "redis", "sqlserver"]
      regions: ["eastus", "westus"]
      subscriptions: ["11111111-2222-3333-4444-555555555555"]
      resource_groups: ["group1", "group2"]
      tags:
        "*": "*"
  # Statically configured databases.
  databases:
    - name: "prod"
      description: "Production database"
      protocol: "postgres"
      uri: "postgres.example.com:5432"
      tls:
        mode: verify-full
        server_name: db.example.com
        ca_cert_file: /path/to/pem
        trust_system_cert_pool: false
      mysql:
        server_version: 8.0.28
      admin_user:
        name: "teleport-admin"
        default_database: "teleport"
      aws:
        region: "us-east-1"
        assume_role_arn: "arn:aws:iam::123456789012:role/example-role-name"
        external_id: "example-external-id"
        redshift:
          cluster_id: "redshift-cluster-1"
        rds:
          instance_id: "rds-instance-1"
          cluster_id: "aurora-cluster-1"
        elasticache:
          replication_group_id: "elasticache-replication-group-1"
        memorydb:
          cluster_name: "memorydb-cluster-1"
        secret_store:
          key_prefix: "teleport/"
          kms_key_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        session_tags:
          dynamodb_table_name: "table-a"
      gcp:
        project_id: "xxx-1234"
        instance_id: "example"
      ad:
        keytab_file: /path/to/keytab
        domain: EXAMPLE.COM
        spn: MSSQLSvc/ec2amaz-4kn05du.dbadir.teleportdemo.net:1433
        krb5_file: /etc/krb5.conf
      azure:
        is_flexi_server: false
        resource_id: "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/example-group/providers/Microsoft.Cache/Redis/example-db-name"
      static_labels:
        env: "prod"
      dynamic_labels:
        - name: "hostname"
          command: ["hostname"]
          period: 1m0s
```
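The tls block above (mode, server_name, ca_cert_file, trust_system_cert_pool) decides how much the Database Service verifies the backend's certificate. The following lint, added here as an example and not part of the Teleport documentation, walks db_service.databases[] and reports entries whose TLS settings weaken that verification; SAMPLE_CONFIG is a constructed dict in the shape yaml.safe_load() returns for teleport.yaml, so PyYAML is not needed to run it.

```python
# Added example: lint the tls block of each db_service.databases[] entry.
# SAMPLE_CONFIG is constructed inline; "prod" mirrors the reference entry
# above, "staging" is a deliberately weakened entry for the check to catch.

SAMPLE_CONFIG = {
    "db_service": {
        "enabled": "yes",
        "databases": [
            {"name": "prod", "protocol": "postgres", "uri": "postgres.example.com:5432",
             "tls": {"mode": "verify-full", "server_name": "db.example.com",
                     "ca_cert_file": "/path/to/pem", "trust_system_cert_pool": False}},
            {"name": "staging", "protocol": "mysql", "uri": "mysql.example.com:3306",
             "tls": {"mode": "insecure", "trust_system_cert_pool": True}},
        ],
    }
}

VALID_MODES = {"verify-full", "verify-ca", "insecure"}


def lint_database_tls(db: dict) -> list[str]:
    """Return findings for one databases[] entry; an empty list means nothing to flag."""
    tls = db.get("tls") or {}
    mode = tls.get("mode", "verify-full")  # Teleport's default when mode is omitted
    findings = []
    if mode not in VALID_MODES:
        findings.append(f"unknown tls.mode {mode!r}")
    elif mode == "insecure":
        findings.append("tls.mode=insecure: the server certificate is not verified at all")
    elif mode == "verify-ca":
        findings.append("tls.mode=verify-ca: the chain is checked but the hostname is not")
    if tls.get("trust_system_cert_pool"):
        findings.append("trust_system_cert_pool=true: any CA in the system pool may sign the server cert")
    if mode == "verify-full" and not tls.get("ca_cert_file"):
        findings.append("no ca_cert_file: confirm the server cert is issued by Teleport's database CA")
    return findings


def lint_config(config: dict) -> dict[str, list[str]]:
    """Map each configured database name to its findings."""
    dbs = (config.get("db_service") or {}).get("databases") or []
    return {db.get("name", "<unnamed>"): lint_database_tls(db) for db in dbs}


if __name__ == "__main__":
    for name, findings in lint_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```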

Self-Hosted

The following Proxy service configuration is relevant for database access:

TLS for database connections: The --insecure-no-tls tsh flag is only supported for MySQL/MariaDB and PostgreSQL connections using a unique port, specified with mysql_public_addr or postgres_public_addr.

```yaml
proxy_service:
  enabled: "yes"
  web_listen_addr: "0.0.0.0:443"
  mysql_listen_addr: "0.0.0.0:3036"
  public_addr: "teleport.example.com:443"
  mysql_public_addr: "mysql.teleport.example.com:3306"
  postgres_public_addr: "postgres.teleport.example.com:443"
  mongo_public_addr: "mongo.teleport.example.com:443"
```

Cloud-Hosted

Teleport Enterprise Cloud automatically configures the Teleport Proxy Service with the following settings that are relevant to database access. This reference configuration uses example.teleport.sh in place of your Teleport Enterprise Cloud tenant address:

```yaml
proxy_service:
  enabled: "yes"
  web_listen_addr: "0.0.0.0:3080"
  mysql_listen_addr: "0.0.0.0:3036"
  public_addr: "mytenant.teleport.sh:443"
  mysql_public_addr: "mytenant.teleport.sh:3036"
  postgres_public_addr: "mytenant.teleport.sh:443"
  mongo_public_addr: "mongo.teleport.example.com:443"
```

Full YAML spec of database resources managed by tctl resource commands:

```yaml
kind: db
version: v3
metadata:
  name: example
  description: "Example database"
  labels:
    env: example
spec:
  protocol: "postgres"
  uri: "localhost:5432"
  tls:
    mode: verify-full
    server_name: db.example.com
    ca_cert: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    trust_system_cert_pool: false
  admin_user:
    name: "teleport-admin"
  mysql:
    server_version: 8.0.28
  aws:
    region: "us-east-1"
    assume_role_arn: "arn:aws:iam::123456789012:role/example-role-name"
    external_id: "example-external-id"
    redshift:
      cluster_id: "redshift-cluster-1"
  gcp:
    project_id: "xxx-1234"
    instance_id: "example"
  ad:
    keytab_file: /path/to/keytab
    domain: EXAMPLE.COM
    spn: MSSQLSvc/ec2amaz-4kn05du.dbadir.teleportdemo.net:1433
    krb5_file: /etc/krb5.conf
  dynamic_labels:
    - name: "hostname"
      command: ["hostname"]
      period: 1m0s
```

You can create a new db resource by running the following commands, which assume that you have created a YAML file called db.yaml with your configuration: