AWS Cross-Account Database Access
You can deploy the Teleport Database Service with AWS IAM credentials in one AWS account and use an AWS IAM role to grant Teleport access to databases in another AWS account.
AWS cross-account database access is available starting from Teleport 13.0.
When the Teleport Database Service needs to discover, configure, or retrieve short-lived authentication tokens for AWS databases, it uses credentials for an AWS IAM identity to make requests to the AWS API. To access resources across AWS accounts, you can configure the Teleport Database Service to assume an AWS role in another account before it uses the AWS API for further actions.
This is not limited to a single AWS role: the Teleport Database Service can be configured to connect to databases in its own AWS account and multiple external AWS accounts at the same time.
You will need to configure the Teleport Database Service to assume an AWS IAM
role and ensure that AWS IAM permissions are configured to allow the
sts:AssumeRole call.
You should also check that your network configuration in AWS allows the Teleport Database Service to connect to the databases.
This guide does not cover AWS network configuration, because it depends on your specific AWS network setup and the kind(s) of AWS databases you wish to connect to Teleport. For more information, see how to connect your database.
Teleport configuration
The Teleport Database Service must be configured to assume an external AWS IAM
role and, optionally, pass an external ID when it assumes that role.
The configured AWS IAM role will be assumed via an AWS STS AssumeRole call
before the Teleport Database Service uses the AWS API to discover, configure, or retrieve
short-lived authentication tokens for AWS databases.
An "external ID" is used to address what AWS calls
the confused deputy problem.
When you configure the Teleport Database Service to use an external ID, it will
include that external ID when it calls AWS STS AssumeRole.
The external AWS IAM role's trust policy will be used to verify that the
correct external ID was provided in the AssumeRole call.
For information about when you should use an external ID, see:
purpose of an AWS external ID.
AWS database discovery config, static database config, and dynamic database
config all support the assume_role_arn and external_id settings.
- AWS Discovery
- Static Config
- Dynamic Config
Modify your Teleport Database Service configuration file to assume an external AWS IAM role when it is discovering AWS databases.
# This example configuration will discover AWS RDS databases in us-west-1
# within AWS account `222222222222` by assuming the external AWS IAM role
# "example-role".
db_service:
enabled: "yes"
aws:
- types: ["rds"]
regions: ["us-west-1"]
assume_role_arn: "arn:aws:iam::222222222222:role/example-role"
external_id: "example-external-id"
Restart the Teleport Database Service for the configuration file changes to take effect.
The AWS IAM role used to discover a database will also be used by the Teleport Database Service to provide access to that database.
Modify your Teleport Database Service configuration file to statically register an AWS database in an external account and proxy connections to it.
# This example configuration will statically register an RDS PostgreSQL instance
# in us-west-1 within AWS account `222222222222` by assuming an external AWS
# IAM role "example-role".
db_service:
enabled: "yes"
databases:
- name: "rds-postgres"
protocol: "postgres"
uri: "rds-postgres.abcdef012345.us-west-1.rds.amazonaws.com:5432"
aws:
assume_role_arn: "arn:aws:iam::222222222222:role/example-role"
external_id: "example-external-id"
Restart the Teleport Database Service for the configuration file changes to take effect.
Create a dynamic database resource to dynamically register an AWS database in an external account and proxy connections to it.
# This example configuration will dynamically register an RDS PostgreSQL instance
# in us-west-1 within AWS account `222222222222`.
# Teleport Database Service agents that match its labels with resource selectors
# will proxy the database by assuming the configured external AWS IAM role.
kind: db
version: v3
metadata:
name: "rds-postgres"
description: "Example dynamic database resource"
labels:
env: "dev"
spec:
protocol: "postgres"
uri: "rds-postgres.abcdef012345.us-west-1.rds.amazonaws.com:5432"
aws:
# Note that account_id must match the AWS account ID in `assume_role_arn`.
# Dynamic database resources do not derive `account_id` from
# `assume_role_arn` automatically (unlike static configuration).
account_id: "222222222222"
assume_role_arn: "arn:aws:iam::222222222222:role/example-role"
external_id: "example-external-id"
Save the configuration to a file like database.yaml and create it with tctl:
$ tctl create database.yaml
For more information about database registration using dynamic database resources, see: Dynamic Registration.
Teleport AWS IAM identity
In order to assume an AWS IAM role, the Teleport Database Service will need credentials for an AWS IAM identity of its own.
Grant the Database Service access to credentials that it can use to authenticate to AWS.
- If you are running the Database Service on an EC2 instance, you may use the EC2 Instance Metadata Service method
- If you are running the Database Service in Kubernetes, you can use IAM Roles for Service Accounts (IRSA)
- Otherwise, you must use environment variables
- Instance Metadata Service
- Kubernetes IRSA
- Environment Variables
Teleport will detect when it is running on an EC2 instance and use the Instance Metadata Service to fetch credentials.
The EC2 instance should be configured to use an EC2 instance profile. For more information, see: Using Instance Profiles.
Refer to IAM Roles for Service Accounts (IRSA) to set up an OIDC provider in AWS and configure an AWS IAM role that allows the pod's service account to assume the role.
Teleport's built-in AWS client reads credentials from the following environment variables:
AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEYAWS_DEFAULT_REGION
When you start the Database Service, the service reads environment variables from a
file at the path /etc/default/teleport. Obtain these credentials from your
organization. Ensure that /etc/default/teleport has the following content,
replacing the values of each variable:
AWS_ACCESS_KEY_ID=00000000000000000000
AWS_SECRET_ACCESS_KEY=0000000000000000000000000000000000000000
AWS_DEFAULT_REGION=<YOUR_REGION>
Have multiple sources of AWS credentials?
Teleport's AWS client loads credentials from different sources in the following order:
- Environment Variables
- Shared credentials file
- Shared configuration file (Teleport always enables shared configuration)
- EC2 Instance Metadata (credentials only)
While you can provide AWS credentials via a shared credentials file or shared
configuration file, you will need to run the Database Service with the AWS_PROFILE
environment variable assigned to the name of your profile of choice.
If you have a specific use case that the instructions above do not account for, consult the documentation for the AWS SDK for Go for a detailed description of credential loading behavior.
AWS IAM permissions
AWS IAM policies must be configured for both the Teleport Database Service's AWS IAM identity and the external AWS IAM role:
- The Teleport Database Service's AWS IAM identity must have permission to assume the external role.
- The external AWS IAM role's trust policy must trust the Teleport Database Service's AWS IAM identity.
Why are both required?
Unlike assuming a role within the same AWS account, when an AWS IAM role is in a different AWS account than the IAM identity that attempts to assume it, the role's trust policy alone is not sufficient to allow assuming the role.
For more details, see: AWS cross-account policy evaluation.
Database Service IAM policy
Attach the following permission policy to the Teleport Database Service's AWS IAM identity:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::222222222222:role/example-role"
}
]
}
External AWS IAM permission policy
You will also need to configure permissions for the external AWS IAM role, specific to the type of database(s) that it will be used to access.
- DocumentDB
- DynamoDB
- ElastiCache Redis
- Keyspaces
- MemoryDB
- Opensearch
- RDS
- RDS Proxy
- Redshift
- Redshift Serverless
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DocumentDBConnectAsIAMRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::aws-account-id:role/DatabaseUserRole"
]
},
{
"Sid": "DocumentDBCheckDomainURL",
"Effect": "Allow",
"Action": "rds:DescribeDBClusters",
"Resource": "*"
}
]
}
| Statement | Purpose |
|---|---|
DocumentDBConnectAsIAMRole | Assume an IAM role to connect to a DocumentDB cluster with IAM authentication. |
DocumentDBCheckDomainURL | Validate a domain's URL if it was auto-discovered by the Discovery Service. |
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DynamoDBConnectAsIAMRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::aws-account-id:role/DatabaseUserRole"
]
},
{
"Sid": "DynamoDBSessionTagging",
"Effect": "Allow",
"Action": "sts:TagSession",
"Resource": [
"*"
]
}
]
}
| Statement | Purpose |
|---|---|
DynamoDBConnectAsIAMRole | Assume an IAM role to forward requests to DynamoDB. |
DynamoDBSessionTagging | Tag assumed role sessions if tags are specified in the Teleport database configuration under aws.session_tags. |
The session tagging permissions are only required if you have configured tags
under the aws.session_tags section of your Teleport database configuration.
ElastiCache supports IAM authentication for Redis engine version 7.0 or above. This is the recommended way to configure Teleport access to ElastiCache.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ElastiCacheDescribeUsers",
"Effect": "Allow",
"Action": "elasticache:DescribeUsers",
"Resource": "*"
},
{
"Sid": "ElastiCacheConnect",
"Effect": "Allow",
"Action": "elasticache:Connect",
"Resource": [
"arn:aws:elasticache:us-east-2:aws-account-id:replicationgroup:replication-group",
"arn:aws:elasticache:us-east-2:aws-account-id:user:*"
]
}
]
}
| Statement | Purpose |
|---|---|
ElastiCacheDescribeUsers | Determine whether a user is compatible with IAM authentication. |
ElastiCacheConnect | Connect using IAM authentication. |
See Authenticating with IAM for ElastiCache for more information.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "KeyspacesConnectAsIAMRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::aws-account-id:role/DatabaseUserRole"
]
}
]
}
| Statement | Purpose |
|---|---|
KeyspacesConnectAsIAMRole | Assume an IAM role to forward requests to Keyspaces. |
MemoryDB supports IAM authentication for Redis engine version 7.0 or above. This is the recommended way to configure Teleport access to MemoryDB.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "MemoryDBDescribeUsers",
"Effect": "Allow",
"Action": "memorydb:DescribeUsers",
"Resource": "*"
},
{
"Sid": "MemoryDBConnect",
"Effect": "Allow",
"Action": "memorydb:Connect",
"Resource": [
"arn:aws:memorydb:us-east-2:aws-account-id:replicationgroup:replication-group",
"arn:aws:memorydb:us-east-2:aws-account-id:user:*"
]
}
]
}
| Statement | Purpose |
|---|---|
MemoryDBDescribeUsers | Determine whether a user is compatible with IAM authentication. |
MemoryDBConnect | Connect using IAM authentication. |
See Authenticating with IAM for MemoryDB for more information.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "OpenSearchCheckDomainURL",
"Effect": "Allow",
"Action": "es:DescribeDomains",
"Resource": [
"*"
]
},
{
"Sid": "OpenSearchConnectAsIAMRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::aws-account-id:role/DatabaseUserRole"
]
}
]
}
| Statement | Purpose |
|---|---|
OpenSearchCheckDomainURL | Validate a domain's URL if it was auto-discovered by the Discovery Service. |
OpenSearchConnectAsIAMRole | Assume an IAM role to forward requests to OpenSearch. |
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RDSAutoEnableIAMAuth",
"Effect": "Allow",
"Action": [
"rds:ModifyDBCluster",
"rds:ModifyDBInstance"
],
"Resource": "*"
},
{
"Sid": "RDSConnect",
"Effect": "Allow",
"Action": "rds-db:connect",
"Resource": "*"
},
{
"Sid": "RDSFetchMetadata",
"Effect": "Allow",
"Action": [
"rds:DescribeDBClusters",
"rds:DescribeDBInstances"
],
"Resource": "*"
}
]
}
| Statement | Purpose |
|---|---|
RDSAutoEnableIAMAuth | Automatically enable IAM auth on RDS instances and Aurora clusters. |
RDSConnect | Generate an IAM authentication token to connect to a database. |
RDSFetchMetadata | Automatically import AWS tags as database labels or find missing information such as the database's AWS region. |
The Teleport Database Service uses rds:ModifyDBInstance and
rds:ModifyDBCluster to automatically enable
IAM authentication
on RDS instances and Aurora clusters, respectively.
You can omit the RDSAutoEnableIAMAuth permissions if IAM authentication is
already enabled on your databases.
The rds-db:connect permission is required to connect to databases.
You can reduce the scope of the permission to only allow specific databases,
regions, or users.
The resource ARN has the following format:
arn:aws:rds-db:{Region}:{AccountID}:dbuser:{ResourceID}/{UserName}
Refer to
Creating and using an IAM policy for IAM database access
for more information about the rds-db:connect permission grant syntax.
Databases discovered by the Teleport Discovery Service should be registered with
complete metadata, so you can also omit the RDSFetchMetadata permissions if all of
your AWS databases are being auto-discovered.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RDSProxyConnect",
"Effect": "Allow",
"Action": "rds-db:connect",
"Resource": "*"
},
{
"Sid": "RDSProxyFetchMetadata",
"Effect": "Allow",
"Action": [
"rds:DescribeDBProxies",
"rds:DescribeDBProxyEndpoints"
],
"Resource": "*"
}
]
}
| Statement | Purpose |
|---|---|
RDSProxyConnect | Generate an IAM authentication token to connect to a database. |
RDSProxyFetchMetadata | Automatically import AWS tags as database labels or find missing information such as the database's AWS region. |
The rds-db:connect permission is required to connect to databases.
You can reduce the scope of the permission to only allow specific databases,
regions, or users.
The resource ARN has the following format:
arn:aws:rds-db:{Region}:{AccountID}:dbuser:{ResourceID}/{UserName}
Refer to
Creating and using an IAM policy for IAM database access
for more information about the rds-db:connect permission grant syntax.
Databases discovered by the Teleport Discovery Service should be registered with
complete metadata, so you can also omit the RDSProxyFetchMetadata permissions if all of
your AWS databases are being auto-discovered.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RedshiftConnectAsDBUser",
"Effect": "Allow",
"Action": "redshift:GetClusterCredentials",
"Resource": "*"
},
{
"Sid": "RedshiftConnectAsIAMRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::aws-account-id:role/DatabaseUserRole"
]
},
{
"Sid": "RedshiftFetchMetadata",
"Effect": "Allow",
"Action": "redshift:DescribeClusters",
"Resource": "*"
}
]
}
| Statement | Purpose |
|---|---|
RedshiftConnectAsDBUser | Connect to a database as an existing database user. |
RedshiftConnectAsIAMRole | Assume an IAM role to connect to a database with permissions mapped into the database 1:1 from the role's IAM permissions. |
RedshiftFetchMetadata | Automatically import AWS tags as database labels or find missing information such as the database's AWS region. |
You can reduce the scope of the RedshiftConnectAsDBUser statement by updating
it to only allow specific users, databases, and database groups.
The resource ARN you can specify has the following formats:
arn:aws:redshift:{Region}:{AccountID}:dbuser:{ClusterName}/{UserName}
arn:aws:redshift:{Region}:{AccountID}:dbname:{ClusterName}/{DatabaseName}
arn:aws:redshift:{Region}:{AccountID}:dbgroup:{ClusterName}/{DatabaseGroupName}
See Create an IAM role or user with permissions to call GetClusterCredentials
for more information about the redshift:GetClusterCredentials permission
grant syntax.
You can authenticate as an existing database user or as an IAM role that will
be automatically mapped into the database.
The corresponding IAM statement is only required for the method(s) you want to
use.
If an IAM role names the Database Service's identity as a trusted principal,
and both identities are in the same AWS account, then the
RedshiftConnectAsIAMRole statement can also be omitted.
Databases discovered by the Teleport Discovery Service should be registered with
complete metadata, so you can also omit the RedshiftFetchMetadata permissions if all of
your AWS databases are being auto-discovered.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RedshiftServerlessConnectAsIAMRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::aws-account-id:role/DatabaseUserRole"
]
},
{
"Sid": "RedshiftServerlessFetchMetadata",
"Effect": "Allow",
"Action": [
"redshift-serverless:GetEndpointAccess",
"redshift-serverless:GetWorkgroup"
],
"Resource": "*"
}
]
}
| Statement | Purpose |
|---|---|
RedshiftServerlessFetchMetadata | Automatically import AWS tags as database labels or find missing information such as the database's AWS region. |
RedshiftServerlessConnectAsIAMRole | Assume an IAM role to connect as a database user. |
Databases discovered by the Teleport Discovery Service should be registered with
complete metadata, so you can also omit the RedshiftServerlessFetchMetadata permissions if all of
your AWS databases are being auto-discovered.
Redshift Serverless maps IAM roles to database users. The Teleport Database Service must be able to assume these "access" IAM roles which are granted IAM permissions to generate IAM authentication tokens.
External AWS IAM trust policy
Modify the external AWS IAM role's trust policy to allow the Teleport Database Service's AWS IAM identity as a trusted principal. If you require an external ID, provide a condition in the statement that allows the action only when the correct external ID is given.
For example, if the Teleport Database Service will be deployed to an EC2
instance with an attached role teleport-db-service in AWS account
123456789012, and you want to require an external ID to assume the external
role, then the trust policy might look like:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/teleport-db-service"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "example-external-id"
}
}
}
]
}
Next steps
- Get started by connecting your database.