Date: 2025-01-14
Database Labels Reference
Teleport assigns system-defined labels to protected databases. This guide describes the system-defined labels and how Teleport uses them.
Origin
All registered databases have a predefined teleport.dev/origin label with one of the following values:

| Label Value | Description |
|---|---|
| cloud | Database resources created by auto-discovery. |
| config | Database resources manually defined in the database_service.databases section of teleport.yaml. |
| dynamic | Database resources created through dynamic registration, such as the tctl create command. |
Auto-discovery
The labels of auto-discovered databases primarily come from the tags that are assigned to the original cloud resources, such as the resource tags of an Amazon RDS instance.
The following tags will override Teleport's default behavior if assigned to the original cloud resources:
| Tag name | Description |
|---|---|
| TeleportDatabaseName | Overrides the name of the discovered database. |
| teleport.dev/database_name | (AWS only, legacy) Overrides the name of the discovered database. TeleportDatabaseName is preferred. |
| teleport.dev/db-admin | (AWS only) Specifies the name of the admin user for Automatic User Provisioning. |
| teleport.dev/db-admin-default-database | (AWS only) Overrides the default database the admin user logs into for Automatic User Provisioning. |
Additionally, Teleport will generate certain labels derived from the cloud resource attributes:
| Label name | Description |
|---|---|
| account-id | ID of the AWS account the resource resides in. |
| endpoint-type | Type of the endpoint. See the endpoint-type section below for more details. |
| engine | Amazon RDS: engine type of the RDS instance or Aurora cluster. Amazon RDS Proxy: engine family of the proxy. Azure-hosted databases: resource type of the resource ID. |
| engine-version | Database engine version, if available. |
| namespace | Amazon Redshift Serverless namespace name. |
| region | AWS region or Azure location. |
| replication-role | The replication role of an Azure DB Flexible server. |
| source-server | The source server of an Azure DB Flexible server replica. |
| vpc-id | ID of the Amazon VPC the resource resides in, if available. |
| workgroup | Amazon Redshift Serverless workgroup name. |
| teleport.dev/discovery-type | Specifies the type of resource matched by the Teleport Discovery Service, e.g. "rds", "redshift", etc. |
endpoint-type
The following values are used to indicate the type of the database endpoint:
| Database Type | Values |
|---|---|
| Amazon RDS instance | instance |
| Amazon RDS Aurora cluster | one of primary, reader, custom |
| Amazon RDS Proxy | one of READ_WRITE, READ_ONLY (custom endpoints only) |
| Amazon Redshift Serverless | one of workgroup, vpc-endpoint |
| Amazon ElastiCache | one of configuration, primary, reader, node |
| Amazon MemoryDB | one of cluster, node |
| Amazon OpenSearch | one of default, custom, vpc |
| Azure Redis Enterprise | one of EnterpriseCluster, OSSCluster |
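As an added example (not taken from the Teleport documentation), a role can match the system-defined labels above in db_labels to scope access to auto-discovered Aurora reader endpoints in one account and region. The role name, engine value, account ID, region, database name and database user are constructed placeholders.

```yaml
# Added example: least-privilege role keyed on system-defined database labels.
# All values below are constructed placeholders; adjust to your environment.
kind: role
version: v7
metadata:
  name: aurora-reader-access          # hypothetical role name
spec:
  allow:
    # Every key listed here must match for a database to be accessible.
    db_labels:
      # Only databases registered by auto-discovery, not entries from
      # teleport.yaml (config) or dynamic registration (dynamic).
      'teleport.dev/origin': 'cloud'
      # Resource type matched by the Discovery Service.
      'teleport.dev/discovery-type': 'rds'
      # Generated from cloud resource attributes.
      'engine': 'aurora-postgresql'   # constructed engine value
      'account-id': '123456789012'    # constructed AWS account ID
      'region': 'us-east-1'           # constructed region
      # Aurora cluster endpoints are primary, reader or custom;
      # this role reaches reader endpoints only.
      'endpoint-type': 'reader'
    db_names: ['reports']             # constructed database name
    db_users: ['readonly']            # constructed database user
  deny:
    # Explicitly exclude writer endpoints even if another role allows them.
    db_labels:
      'endpoint-type': 'primary'
```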
Manual and dynamic registration
Static labels and dynamic labels can be specified in the labels and dynamic_labels fields, respectively, of the database definition. See Configuration for reference.
Database Service on Amazon EC2
All registered databases can inherit the labels converted from the tags of the EC2 instance running the Teleport Database Service. Labels created this way will have the aws/ prefix. See Sync EC2 Tags for more details.