Skip to main content
Version: 14.x

Database Access with AWS Keyspaces (Apache Cassandra)

Teleport can provide secure access to AWS Keyspaces via the Teleport Database Service. This allows for fine-grained access control through Teleport's RBAC.

In this guide, you will:

  1. Configure an AWS Keyspaces database with IAM authentication.
  2. Join the AWS Keyspaces database to your Teleport cluster.
  3. Connect to the AWS Keyspaces database via the Teleport Database Service.

Teleport Database Access Redis Self-Hosted

Prerequisites

Database access for AWS Keyspaces (Apache Cassandra) is available starting from Teleport v11.0.

  • A running Teleport cluster version 14.3.33 or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

  • The tctl admin tool and tsh client tool.

    Visit Installation for instructions on downloading tctl and tsh.

  • AWS Account with AWS Keyspaces database and permissions to create and attach IAM policies
  • The cqlsh Cassandra client installed and added to your system's PATH environment variable.
  • A host, e.g., an Amazon EC2 instance, where you will run the Teleport Database Service.
  • To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. tctl is supported on macOS and Linux machines. For example: 
    $ tsh login --proxy=teleport.example.com [email protected]
    $ tctl status
    # Cluster  teleport.example.com
    # Version  14.3.33
    # CA pin   sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
    If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

Step 1/5. Set up the Teleport Database Service

The Database Service requires a valid join token to join your Teleport cluster. Run the following tctl command and save the token output in /tmp/token on the server that will run the Database Service:

$ tctl tokens add --type=db --format=text
abcd123-insecure-do-not-use-this
Alternative methods

For users with a lot of infrastructure in AWS, or who might create or recreate many instances, consider alternative methods for joining new EC2 instances running Teleport:

Install Teleport on the host where you will run the Teleport Database Service:

Select an edition, then follow the instructions for that edition to install Teleport.

The following command updates the repository for the package manager on the local operating system and installs the provided Teleport version:

$ curl https://cdn.teleport.dev/install-v14.3.33.sh | bash -s 14.3.33

Create a configuration for the Teleport Database Service, pointing the --proxy flag to the address of your Teleport Proxy Service:

$ sudo teleport db configure create \
   -o file \
  --token=/tmp/token \
  --proxy=teleport.example.com:443 \
  --name=keyspaces \
  --protocol=cassandra \
  --aws-account-id=12345678912 \
  --aws-region=us-east-1 \
  --labels=env=dev

Grant the Teleport Database Service access to credentials that it can use to authenticate to AWS. If you are running the Teleport Database Service on an EC2 instance, you should use the EC2 Instance Metadata Service method. Otherwise, you must use environment variables:

Teleport will detect when it is running on an EC2 instance and use the Instance Metadata Service to fetch credentials.

The EC2 instance should be configured to use an EC2 instance profile. For more information, see: Using Instance Profiles.

Have multiple sources of AWS credentials?

Teleport's AWS client loads credentials from different sources in the following order:

  • Environment Variables
  • Shared credentials file
  • Shared configuration file (Teleport always enables shared configuration)
  • EC2 Instance Metadata (credentials only)

While you can provide AWS credentials via a shared credentials file or shared configuration file, you will need to run the Teleport Database Service with the AWS_PROFILE environment variable assigned to the name of your profile of choice.

If you have a specific use case that the instructions above do not account for, consult the documentation for the AWS SDK for Go for a detailed description of credential loading behavior.

Configure the Teleport Database Service to start automatically when the host boots up by creating a systemd service for it. The instructions depend on how you installed the Teleport Database Service.

On the host where you will run the Teleport Database Service, enable and start Teleport:

$ sudo systemctl enable teleport
$ sudo systemctl start teleport

You can check the status of the Teleport Database Service with systemctl status teleport and view its logs with journalctl -fu teleport.

Step 2/5. Create a Teleport user

tip

To modify an existing user to provide access to the Database Service, see Database Access Access Controls

Create a local Teleport user with the built-in access role:

$ tctl users add \
  --roles=access \
  --db-users="*" \
  --db-names="*" \
  alice
FlagDescription
--rolesList of roles to assign to the user. The builtin access role allows them to connect to any database server registered with Teleport.
--db-usersList of database usernames the user will be allowed to use when connecting to the databases. A wildcard allows any user.
--db-namesList of logical databases (aka schemas) the user will be allowed to connect to within a database server. A wildcard allows any database.
warning

Database names are only enforced for PostgreSQL and MongoDB databases.

For more detailed information about database access controls and how to restrict access see RBAC documentation.

Step 3/5. Create an AWS Keyspaces role

Create an AWS IAM Role that will be used as your Keyspaces user. Go to the IAM -> Access Management -> Roles. Press Create Role.

Create Role Step 1 AWS provides the AmazonKeyspacesReadOnlyAccess and AmazonKeyspacesFullAccess IAM policies that you can incorporate into your Keyspaces user's role. You can choose AmazonKeyspacesReadOnlyAccess for read-only access to AWS Keyspaces or AmazonKeyspacesFullAccess for full access.

tip

The AmazonKeyspacesReadOnlyAccess and AmazonKeyspacesReadOnlyAccess policies may provide too much or not enough access for your intentions. Validate that these meet your expectations if you plan on using them. You can also create your own custom AWS Keyspaces Permissions Policies: Amazon Keyspaces identity-based policy examples.

Create Role Step 1 Enter a role name and press "Create role". Create Role Step 1

Step 4/5. Give Teleport permissions to assume roles

Next, attach the following policy to the IAM role or IAM user the Teleport Database Service instance is using, which allows the Database Service to assume the IAM roles:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    }
  ]
}
tip

You can make the policy more strict by providing specific IAM role resource ARNs in the "Resource" field instead of using a wildcard.

Step 5/5. Connect

Once the Database Service has joined the cluster, log in to see the available databases:

$ tsh login --proxy=teleport.example.com --user=alice
$ tsh db ls
# Name      Description Allowed Users Labels  Connect
# --------- ----------- ------------- ------- -------
# keyspaces             [*]           env=dev

To connect to a particular database instance using the KeyspacesReader AWS IAM Keyspaces role as a database user:

$ tsh db connect --db-user=KeyspacesReader keyspaces
# Connected to Amazon Keyspaces at localhost:55084
# [cqlsh 6.0.0 | Cassandra 3.11.2 | CQL spec 3.4.4 | Native protocol v4]
# Use HELP for help.
# KeyspacesReader@cqlsh>

To log out of the database and remove credentials:

# Remove credentials for a particular database instance.
$ tsh db logout keyspaces
# Remove credentials for all database instances.
$ tsh db logout

Further reading

Next steps

  • See the YAML configuration reference for updating dynamic resource matchers or static database definitions.