Teleport Database Access Preview

Teleport Database Access allows organizations to use Teleport as a proxy to provide secure access to their databases while improving both visibility and access control.

To find out whether you can benefit from using Database Access, see if you're facing any of the following challenges in your organization:

If so, Database Access might help you solve some of these challenges.

Features

With Database Access users can:

Demo

Getting Started

In this guide we will use Teleport Database Access to connect to a PostgreSQL flavored AWS Aurora database. Here's an overview of what we will do:

  1. Configure AWS Aurora database with IAM authentication.
  2. Download and install Teleport and connect it to the Aurora database.
  3. Connect to the Aurora database via Teleport.

Step 1/3. Setup Aurora

In order to allow Teleport connections to an Aurora instance, it needs to support IAM authentication.

If you don't have a database provisioned yet, create an instance of an Aurora PostgreSQL in the RDS control panel. Make sure to choose "Standard create" database creation method and enable "Password and IAM database authentication" in the Database Authentication dialog.

For existing Aurora instances, the status of IAM authentication is displayed on the Configuration tab and can be enabled by modifying the database instance.

Next, create the following IAM policy attached to a user whose credentials a Teleport process will be using to allow it to connect to the database:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
             "rds-db:connect"
         ],
         "Resource": [
             "arn:aws:rds-db:<region>:<account-id>:dbuser:<resource-id>/*"
         ]
      }
   ]
}

Resource ID

Database resource ID is shown on the Configuration tab of a particular database instance in RDS control panel, under "Resource id". For regular RDS database it starts with db- prefix. For Aurora, use the database cluster resource ID (cluster-), not individual instance ID.

Finally, connect to the database and create a database account with IAM auth support (or update an existing one). Once connected, execute the following SQL statements to create a new database account and allow IAM auth for it:

CREATE USER alice;
GRANT rds_iam TO alice;

For more information about connecting to the PostgreSQL instance directly, see Amazon documentation.

See a more detailed description of these steps in the reference below.

Step 2/3. Setup Teleport

Teleport Database Access is available starting from 6.0.0-alpha.1 pre-release.

Download the appropriate version of Teleport for your platform from the table below, or visit our downloads page.

OPERATING SYSTEM CHECKSUM DOWNLOAD LINK
Linux 32-bit SHA256 teleport-v6.0.0-alpha.2-linux-386-bin.tar.gz
Linux 64-bit SHA256 teleport-v6.0.0-alpha.2-linux-amd64-bin.tar.gz
Linux 64-bit (RHEL/CentOS 6.x compatible) SHA256 teleport-v6.0.0-alpha.2-linux-amd64-centos6-bin.tar.gz
Linux ARMv7 SHA256 teleport-v6.0.0-alpha.2-linux-arm-bin.tar.gz
Linux 64-bit DEB SHA256 teleport_v6.0.0-alpha.2_amd64.deb
Linux 32-bit DEB SHA256 teleport_v6.0.0-alpha.2_i386.deb
Linux 64-bit RPM SHA256 teleport-6.0.0-alpha.2-1.x86_64.rpm
Docker Image SHA256 docker pull quay.io/gravitational/teleport:6.0.0-alpha.2
OPERATING SYSTEM CHECKSUM DOWNLOAD LINK
Linux 32-bit SHA256 teleport-ent-v6.0.0-alpha.2-linux-386-bin.tar.gz
Linux 64-bit SHA256 teleport-ent-v6.0.0-alpha.2-linux-amd64-bin.tar.gz
Linux 64-bit (RHEL/CentOS 6.x compatible) SHA256 teleport-ent-v6.0.0-alpha.2-linux-amd64-centos6-bin.tar.gz
Linux ARMv7 SHA256 teleport-ent-v6.0.0-alpha.2-linux-arm-bin.tar.gz
Linux 64-bit DEB SHA256 teleport-ent_v6.0.0-alpha.2_amd64.deb
Linux 32-bit DEB SHA256 teleport-ent_v6.0.0-alpha.2_i386.deb
Linux 64-bit RPM SHA256 teleport-ent-6.0.0-alpha.2-1.x86_64.rpm
Docker Image SHA256 docker pull quay.io/gravitational/teleport-ent:6.0.0-alpha.2

Warning

Note, pre-releases are not suitable for production usage!

Start Teleport using the following command and point it to your Aurora database instance. Make sure to update the database endpoint and region appropriately.

sudo teleport start \
  --roles=proxy,auth,db \
  --db-name=aurora \
  --db-protocol=postgres \
  --db-uri=postgres-aurora-instance-1.abcdefghijklm.us-west-1.rds.amazonaws.com:5432 \
  --db-aws-region=us-west-1

AWS credentials

The node where the Teleport process is started should have AWS credentials configured with the policy from step 1.

Create a Teleport user that is allowed to connect to a particular database (e.g. postgres) within the Aurora instance as a particular database account (e.g. alice).

sudo tctl users add alice root \
  --db-names=postgres \
  --db-users=alice

Step 3/3. Connect to Database

Now that Aurora is configured with IAM authentication, Teleport is running and the local user is created, we're ready to connect to the database.

Log into Teleport with the user we've just created. Make sure to use tsh version 6.0.0-alpha.2 or newer that includes Database Access support.

For simplicity, we're using an --insecure flag to accept Teleport's self-signed certificate. For production usage make sure to configure proxy with a proper certificate/key pair. See Teleport's general quickstart guide.

tsh login --insecure --proxy=localhost:3080 --user=alice

Now we can inspect available databases and retrieve credentials for the configured Aurora instance:

tsh db ls
tsh db login aurora

Finally, connect to the database using psql command shown in the output of tsh db login command, which may look like this:

psql "service=<cluster>-aurora user=alice dbname=postgres"

Next Steps

Congratulations on completing the Teleport Database Access getting started guide!

For the next steps, dive deeper into the topics relevant to your Database Access use-case, for example:

Diagram

The following diagram shows an example Database Access setup:

Teleport database access diagram

Release Schedule

Teleport Database Access is under active development and is available starting from 6.0.0-alpha.1 release. The alpha version includes support for self-hosted PostgreSQL as well as PostgreSQL compatible AWS RDS and Aurora.

See release schedule.

Configure PostgreSQL

Self-Hosted PostgreSQL

Note

This section explains how to configure a self-hosted instance of PostgreSQL to work with Teleport Database Access. For information about configuring AWS RDS/Aurora see the section below.

Create Certificate/Key Pair

Teleport uses mutual TLS for authentication to PostgreSQL instances. As such, self-hosted PostgreSQL instances must be configured with Teleport's certificate authority and a certificate/key pair that Teleport can validate.

To create these secrets, use tctl auth sign command. Note that it requires a running Teleport cluster and should be run on the auth server.

# Export Teleport's certificate authority and generate certificate/key pair
# for host db.example.com with a one year validity period.
$ tctl auth sign --format=db --host=db.example.com --out=server --ttl=8760h

Flag descriptions:

The command will create 3 files: server.cas with Teleport's certificate authority and server.crt/server.key with generated certificate/key pair.

Certificate Rotation

Teleport signs database certificates with the host authority. As such, when performing host certificates rotation, the database certificates must be updated as well.

Configure PostgreSQL Server

To configure PostgreSQL server to accept TLS connections, add the following to PostgreSQL configuration file postgresql.conf:

ssl = on
ssl_cert_file = '/path/to/server.crt'
ssl_key_file = '/path/to/server.key'
ssl_ca_file = '/path/toa/server.cas'

See Secure TCP/IP Connections with SSL in PostgreSQL documentation for more details.

Additionally, PostgreSQL should be configured to require client certificate authentication from clients connecting over TLS. This can be done by adding the following entries to PostgreSQL host-based authentication file pg_hba.conf:

hostssl all             all             ::/0                    cert
hostssl all             all             0.0.0.0/0               cert

See The pg_hba.conf File in PostgreSQL documentation for more details.

AWS RDS/Aurora PostgreSQL

Note

This section explains how to configure a PostgreSQL-flavored instance of AWS RDS or Aurora database to work with Teleport Database Access. For information about configuring a self-hosted PostgreSQL see the section above.

Teleport Database Access for AWS RDS and Aurora uses IAM authentication which can be enabled with the following steps.

Enable IAM Authentication

Open Amazon RDS console and create a new database instance with IAM authentication enabled, or modify an existing one to turn it on. Make sure to use PostgreSQL database type.

See Enabling and disabling IAM database authentication for more information.

Create IAM Policy

To allow Teleport database service to log into the database instance using auth token, create an IAM policy and attach it to the user whose credentials the database service will be using, for example:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
             "rds-db:connect"
         ],
         "Resource": [
             "arn:aws:rds-db:us-east-2:1234567890:dbuser:cluster-ABCDEFGHIJKL01234/*"
         ]
      }
   ]
}

The resource ARN in the policy has the following format:

arn:aws:rds-db:<region>:<account-id>:dbuser:<db-cluster-resource-id>/<db-user-name>

Parameters:

See Creating and using an IAM policy for IAM database access for more information.

Create Database User

Database users must have a rds_iam role in order to be allowed access. For PostgreSQL:

CREATE USER alice;
GRANT rds_iam TO alice;

See Creating a database account using IAM authentication for more information.

Configure Teleport

Teleport Database Access is available starting from 6.0.0-alpha.1 pre-release.

Download the appropriate version of Teleport for your platform from the table below, or visit our downloads page.

OPERATING SYSTEM CHECKSUM DOWNLOAD LINK
Linux 32-bit SHA256 teleport-v6.0.0-alpha.2-linux-386-bin.tar.gz
Linux 64-bit SHA256 teleport-v6.0.0-alpha.2-linux-amd64-bin.tar.gz
Linux 64-bit (RHEL/CentOS 6.x compatible) SHA256 teleport-v6.0.0-alpha.2-linux-amd64-centos6-bin.tar.gz
Linux ARMv7 SHA256 teleport-v6.0.0-alpha.2-linux-arm-bin.tar.gz
Linux 64-bit DEB SHA256 teleport_v6.0.0-alpha.2_amd64.deb
Linux 32-bit DEB SHA256 teleport_v6.0.0-alpha.2_i386.deb
Linux 64-bit RPM SHA256 teleport-6.0.0-alpha.2-1.x86_64.rpm
Docker Image SHA256 docker pull quay.io/gravitational/teleport:6.0.0-alpha.2
OPERATING SYSTEM CHECKSUM DOWNLOAD LINK
Linux 32-bit SHA256 teleport-ent-v6.0.0-alpha.2-linux-386-bin.tar.gz
Linux 64-bit SHA256 teleport-ent-v6.0.0-alpha.2-linux-amd64-bin.tar.gz
Linux 64-bit (RHEL/CentOS 6.x compatible) SHA256 teleport-ent-v6.0.0-alpha.2-linux-amd64-centos6-bin.tar.gz
Linux ARMv7 SHA256 teleport-ent-v6.0.0-alpha.2-linux-arm-bin.tar.gz
Linux 64-bit DEB SHA256 teleport-ent_v6.0.0-alpha.2_amd64.deb
Linux 32-bit DEB SHA256 teleport-ent_v6.0.0-alpha.2_i386.deb
Linux 64-bit RPM SHA256 teleport-ent-6.0.0-alpha.2-1.x86_64.rpm
Docker Image SHA256 docker pull quay.io/gravitational/teleport-ent:6.0.0-alpha.2

Warning

Note, pre-releases are not suitable for production usage!

Follow the installation instructions.

Start Auth/Proxy Service

Create a configuration file for a Teleport service that will be running auth and proxy servers:

teleport:
  data_dir: /var/lib/teleport
  nodename: test
auth_service:
  enabled: "yes"
  cluster_name: "test"
  listen_addr: 0.0.0.0:3025
  tokens:
  - proxy,node,database:cbdeeab9-6f88-436d-a673-44d14bd86bb7
proxy_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3023
  web_listen_addr: 0.0.0.0:3080
  tunnel_listen_addr: 0.0.0.0:3024
  public_addr: teleport.example.com:3080
ssh_service:
  enabled: "no"

Start the service:

$ teleport start --debug --config=/path/to/teleport.yaml

Start Database Service with CLI Flags

For a quick try-out, Teleport database service doesn't require a configuration file and can be launched using a single CLI command:

$ teleport start --debug \
   --roles=db \
   --token=cbdeeab9-6f88-436d-a673-44d14bd86bb7 \
   --auth-server=teleport.example.com:3080 \
   --db-name=test \
   --db-protocol=postgres \
   --db-uri=db.example.com:5432 \
   --labels=env=test

Note that the --auth-server flag must point to cluster's proxy endpoint because database service always connects back to the cluster over a reverse tunnel.

Instead of using a static auth token, a short-lived dynamic token can also be generated for a database service:

$ tctl tokens add \
    --type=db \
    --db-name=test \
    --db-protocol=postgres \
    --db-uri=db.example.com:5432

Start Database Service with Config File

Below is an example of a database service configuration file that proxies a single AWS Aurora database:

teleport:
  data_dir: /var/lib/teleport-db
  nodename: test
  # Auth token to connect to the auth server.
  auth_token: cbdeeab9-6f88-436d-a673-44d14bd86bb7
  # Proxy address to connect to. Note that it has to be the proxy address
  # because database service always connects to the cluster over reverse
  # tunnel.
  auth_servers:
  - teleport.example.com:3080
db_service:
  enabled: "yes"
  # This section contains definitions of all databases proxied by this
  # service, can contain multiple items.
  databases:
    # Name of the database proxy instance, used to reference in CLI.
  - name: "aurora"
    # Free-form description of the database proxy instance.
    description: "AWS Aurora instance of PostgreSQL 13.0"
    # Database protocol.
    protocol: "postgres"
    # Database address, example of a AWS Aurora endpoint in this case.
    uri: "postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432"
    # AWS specific configuration, only required for RDS and Aurora.
    aws:
      # Region the database is deployed in.
      region: us-east-1
    # Labels to assign to the database, used in RBAC.
    labels:
      env: dev
auth_service:
  enabled: "no"
ssh_service:
  enabled: "no"
proxy_service:
  enabled: "no"

Tip

A single Teleport process can run multiple different services, for example multiple database access proxies as well as running other services such an SSH service or an application access proxy.

Start the database service:

$ teleport start --debug --config=/path/to/teleport-db.yaml

AWS Credentials

When setting up Teleport database service with AWS RDS or Aurora, it must have an IAM role allowing it to connect to that particular database instance. An example of such a policy is shown in the AWS RDS/Aurora section above. See Creating and using an IAM policy for IAM database access in AWS documentation.

Teleport database service uses the default credential provider chain to find AWS credentials. See Specifying Credentials for more information.

Connect

Once the database service has joined the cluster, login to see the available databases:

$ tsh login --proxy=teleport.example.com:3080
$ tsh db ls
Name   Description Labels
------ ----------- --------
aurora AWS Aurora  env=dev

Note that you will only be able to see databases your role has access to. See RBAC section for more details.

To connect to a particular database server, first retrieve credentials from Teleport using tsh db login command:

$ tsh db login aurora

Tip

You can be logged into multiple databases simultaneously.

You can optionally specify the database name and the user to use by default when connecting to the database instance:

$ tsh db login --db-user=postgres --db-name=postgres aurora

When logging into a PostgreSQL database, tsh automatically configures a section in the connection service file with the name of <cluster-name>-<database-service-name>.

Suppose the cluster name is "root", then you can connect to the database using the following psql command:

# Use default database user/name.
$ psql "service=root-aurora"
# Specify database name/user explicitly.
$ psql "service=root-aurora user=alice dbname=metrics"

To log out of the database and remove credentials:

# Log out of a particular database instance.
$ tsh db logout aurora
# Log out of all database instances.
$ tsh db logout

RBAC

Teleport's "role" resource provides the following instruments for restricting database access:

kind: role
version: v3
metadata:
  name: developer
spec:
  allow:
    # Label selectors for database instances this role has access to. These
    # will be matched against the static/dynamic labels set on the database
    # service.
    db_labels:
      environment: ["dev", "stage"]
    # Database names this role will be able to connect to. Note: this is not
    # the same as the "name" field in "db_service", this is the database names
    # within a particular database instance.
    db_names: ["main", "metrics", "postgres"]
    # Database users this role can connect as.
    db_users: ["alice", "bob"]

It is possible to use wildcards to match any database names/users. For example, the following role permits access to any database/user within a production database except for the internal "postgres" database/user:

kind: role
version: v3
metadata:
  name: developer
spec:
  allow:
    db_labels:
      environment: ["dev", "prod"]
    db_names: ["*"]
    db_users: ["*"]
  deny:
    db_labels:
      environment: ["dev", "prod"]
    db_names: ["postgres"]
    db_users: ["postgres"]

Similar to other role fields, these support templating variables to allow propagating information from identity providers:

spec:
  allow:
    db_names: ["{{internal.db_names}}", "{{external.xxx}}"]
    db_users: ["{{internal.db_users}}", "{{external.yyy}}"]

See general RBAC documentation for more details.

FAQ

Which database protocols does Teleport Database Access support?

Currently Teleport Database Access Preview supports only PostgreSQL.

MySQL support is planned for Teleport 6.0 release, with other databases to follow over the course of 2021 and beyond.

Which PostgreSQL protocol features are not supported?

The following PostgreSQL protocol features aren't currently supported:

RFD

Please refer to the RFD document for a more in-depth description of the feature scope and design.

Feedback

We value your feedback. Please schedule a Zoom call with us to get in-depth demo and give us feedback using this link.

If you found a bug, please create a Github Issue.

Try Teleport Today

In the Cloud, Self-hosted, or Open Source

View Developer Docs