---
title: Database Access AWS IAM Reference
description: AWS IAM policies for Teleport database access.
---
With the appropriate IAM permissions, Teleport automatically discovers Amazon RDS and Redshift databases and configures the IAM policies it needs to connect to them. Teleport also requires permission to update database configurations, for example to enable IAM authentication on RDS databases.

For Amazon ElastiCache and MemoryDB, Teleport requires permission to discover the Redis clusters. If any ElastiCache or MemoryDB users are tagged as managed by Teleport, it also requires permission to discover and modify those users and to manage their passwords in AWS Secrets Manager.
You can generate and manage the permissions with the `teleport db configure bootstrap` command. For example, the following command generates the IAM policies and prints them instead of applying them:

```code
$ teleport db configure bootstrap --manual
```
Or, if you prefer, you can manage the IAM permissions yourself. Example policies for each discovery type are shown below. Each policy pairs the read/modify permissions for the database type with a statement that lets the Database Service manage the inline policies of its own IAM identity; keep that second statement scoped to exactly that one user or role, since `iam:PutUserPolicy` or `iam:PutRolePolicy` on a wildcard resource would let the process grant itself, or any other principal, arbitrary permissions.

Use this policy if you're connecting to RDS instances and your Teleport Database Service instance runs as an IAM user (for example, it uses an AWS credentials file). Replace `{account-id}` with your AWS Account ID and `sample-user` with the name of that IAM user:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:ModifyDBInstance"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetUserPolicy",
        "iam:PutUserPolicy",
        "iam:DeleteUserPolicy"
      ],
      "Resource": "arn:aws:iam::{account-id}:user/sample-user"
    }
  ]
}
```
Use this policy if you're connecting to RDS instances and your Teleport Database Service instance runs as an IAM role (for example, on an EC2 instance with an attached instance profile). Replace `{account-id}` with your AWS Account ID and `sample-role` with the name of that IAM role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:ModifyDBInstance"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy"
      ],
      "Resource": "arn:aws:iam::{account-id}:role/sample-role"
    }
  ]
}
```
Use this policy if you're connecting to Aurora clusters and your Teleport Database Service instance runs as an IAM user. Replace `{account-id}` with your AWS Account ID and `sample-user` with the name of that IAM user:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBClusters",
        "rds:ModifyDBCluster"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetUserPolicy",
        "iam:PutUserPolicy",
        "iam:DeleteUserPolicy"
      ],
      "Resource": "arn:aws:iam::{account-id}:user/sample-user"
    }
  ]
}
```
Use this policy if you're connecting to Aurora clusters and your Teleport Database Service instance runs as an IAM role. Replace `{account-id}` with your AWS Account ID and `sample-role` with the name of that IAM role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBClusters",
        "rds:ModifyDBCluster"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy"
      ],
      "Resource": "arn:aws:iam::{account-id}:role/sample-role"
    }
  ]
}
```
Use this policy if you're connecting through RDS Proxy and your Teleport Database Service instance runs as an IAM user. Replace `{account-id}` with your AWS Account ID and `sample-user` with the name of that IAM user:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBProxies",
        "rds:DescribeDBProxyEndpoints",
        "rds:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetUserPolicy",
        "iam:PutUserPolicy",
        "iam:DeleteUserPolicy"
      ],
      "Resource": "arn:aws:iam::{account-id}:user/sample-user"
    }
  ]
}
```
Use this policy if you're connecting through RDS Proxy and your Teleport Database Service instance runs as an IAM role. Replace `{account-id}` with your AWS Account ID and `sample-role` with the name of that IAM role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBProxies",
        "rds:DescribeDBProxyEndpoints",
        "rds:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy"
      ],
      "Resource": "arn:aws:iam::{account-id}:role/sample-role"
    }
  ]
}
```
Use this policy if you're connecting to Redshift clusters and your Teleport Database Service instance runs as an IAM user. Replace `{account-id}` with your AWS Account ID and `sample-user` with the name of that IAM user:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift:DescribeClusters",
        "redshift:GetClusterCredentials"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetUserPolicy",
        "iam:PutUserPolicy",
        "iam:DeleteUserPolicy"
      ],
      "Resource": "arn:aws:iam::{account-id}:user/sample-user"
    }
  ]
}
```
Use this policy if you're connecting to Redshift clusters and your Teleport Database Service instance runs as an IAM role. Replace `{account-id}` with your AWS Account ID and `sample-role` with the name of that IAM role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift:DescribeClusters",
        "redshift:GetClusterCredentials"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy"
      ],
      "Resource": "arn:aws:iam::{account-id}:role/sample-role"
    }
  ]
}
```
In addition to database discovery, if any ElastiCache or MemoryDB users are tagged as managed by Teleport, Teleport requires permission to modify those users' passwords and to save the passwords in AWS Secrets Manager. The Secrets Manager statement below is scoped to secrets under the `teleport/` prefix; if your static configuration uses a custom prefix or a KMS key, see the additional policy at the end of this page.

Use this policy if you are connecting to ElastiCache clusters. Replace `{account-id}` with your AWS Account ID:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:ListTagsForResource",
        "elasticache:DescribeReplicationGroups",
        "elasticache:DescribeCacheClusters",
        "elasticache:DescribeCacheSubnetGroups",
        "elasticache:DescribeUsers",
        "elasticache:ModifyUser"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:CreateSecret",
        "secretsmanager:UpdateSecret",
        "secretsmanager:DeleteSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue",
        "secretsmanager:TagResource"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:{account-id}:secret:teleport/*"
      ]
    }
  ]
}
```
Use this policy if you are connecting to MemoryDB clusters. Replace `{account-id}` with your AWS Account ID:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "memorydb:ListTags",
        "memorydb:DescribeClusters",
        "memorydb:DescribeSubnetGroups",
        "memorydb:DescribeUsers",
        "memorydb:UpdateUser"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:CreateSecret",
        "secretsmanager:UpdateSecret",
        "secretsmanager:DeleteSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue",
        "secretsmanager:TagResource"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:{account-id}:secret:teleport/*"
      ]
    }
  ]
}
```
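The two statements that deserve a second look before any of the discovery policies above are attached are the `iam:Put*Policy`/`iam:Delete*Policy` grant, which lets the Database Service rewrite the inline policies of its own identity and so must name exactly that one user or role, and the Secrets Manager grant, which should stay under a secret-name prefix. The following pre-flight check encodes those two rules. It is an added example written for this page, not code from the Teleport docs or the Teleport project; the account ID `123456789012`, the role name `teleport-db-service` and the policy documents it checks are constructed for the example (the documents are copies of the RDS-instance role policy and the ElastiCache/MemoryDB Secrets Manager statement above, once as written and once widened to `*`).

```python
"""Pre-flight check for the discovery policies on this page.

Added example; not code from the Teleport docs or project. The account ID,
role name and policy documents below are constructed for the example.
Two rules are checked:
  * iam:Put*Policy / iam:Delete*Policy must be scoped to exactly the IAM
    user or role the Database Service runs as, never "*";
  * secretsmanager:* grants must stay under a secret-name prefix in this
    account, never "*".
"""
import re

# Actions that write IAM policy onto a user or role.
IAM_POLICY_WRITE = {
    "iam:PutUserPolicy", "iam:DeleteUserPolicy",
    "iam:PutRolePolicy", "iam:DeleteRolePolicy",
}

ACCOUNT_ID = "123456789012"  # constructed sample account ID
IDENTITY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/teleport-db-service"  # assumed role name


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_policy(policy, account_id, identity_arn):
    """Return a list of findings; an empty list means the policy passes."""
    # A secret ARN in this account whose name part does not start with "*".
    secret_ok = re.compile(
        rf"^arn:aws:secretsmanager:[^:]+:{account_id}:secret:[^*]")
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action")))
        resources = _as_list(stmt.get("Resource"))

        # Wildcard actions grant far more than discovery needs.
        for action in sorted(actions):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")

        # Self-management of IAM policies must be pinned to this identity.
        if actions & IAM_POLICY_WRITE:
            for res in resources:
                if res != identity_arn:
                    findings.append(
                        f"statement {idx}: IAM policy write on {res!r}, "
                        f"expected exactly {identity_arn!r}")

        # Secrets Manager access must be limited to a secret-name prefix.
        if any(a.startswith("secretsmanager:") for a in actions):
            for res in resources:
                if not secret_ok.match(res):
                    findings.append(
                        f"statement {idx}: Secrets Manager grant on {res!r} "
                        "is not limited to a secret-name prefix in this account")
    return findings


# The RDS-instance / IAM-role discovery policy from this page, placeholders filled in.
RDS_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["rds:DescribeDBInstances", "rds:ModifyDBInstance"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:GetRolePolicy", "iam:PutRolePolicy", "iam:DeleteRolePolicy"],
         "Resource": IDENTITY_ARN},
    ],
}

# The same policy with the IAM statement widened to "*": the Database Service
# could then attach any inline policy to any role in the account.
RDS_ROLE_POLICY_WEAK = {
    "Version": "2012-10-17",
    "Statement": [
        RDS_ROLE_POLICY["Statement"][0],
        {**RDS_ROLE_POLICY["Statement"][1], "Resource": "*"},
    ],
}

# The Secrets Manager statement shared by the ElastiCache and MemoryDB
# policies, as on this page and then widened to "*".
SECRETS_STATEMENT = {
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue"],
    "Resource": [f"arn:aws:secretsmanager:*:{ACCOUNT_ID}:secret:teleport/*"],
}
SECRETS_POLICY = {"Version": "2012-10-17", "Statement": [SECRETS_STATEMENT]}
SECRETS_POLICY_WEAK = {"Version": "2012-10-17",
                       "Statement": [{**SECRETS_STATEMENT, "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in [("rds role policy", RDS_ROLE_POLICY),
                      ("rds role policy (widened)", RDS_ROLE_POLICY_WEAK),
                      ("secrets policy", SECRETS_POLICY),
                      ("secrets policy (widened)", SECRETS_POLICY_WEAK)]:
        print(name, check_policy(doc, ACCOUNT_ID, IDENTITY_ARN) or "ok")
```

Run it against the JSON you are about to attach (parse it with `json.load` and pass the dict to `check_policy`); the page's policies come back clean, and a widened `Resource` produces one finding per statement it appears in.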
If you prefer to register RDS, Redshift, ElastiCache or MemoryDB databases manually using a static configuration or `tctl`, and to manage IAM yourself, example IAM policies with the required permissions are shown below.

To connect to an RDS database, the Database Service instance's IAM identity needs `rds-db:connect` permission for it. The resource ARN in the policy has the following format:

```
arn:aws:rds-db:<region>:<account-id>:dbuser:<resource-id>/<db-user>
```
Parameter | Description |
---|---|
region | AWS region where the database cluster is deployed. |
account-id | AWS account ID the database cluster is deployed under. |
resource-id | Database AWS resource identifier: `db-XXX` for RDS instances, `cluster-XXX` for Aurora clusters, `prx-XXX` for RDS Proxy. Can be found under the Configuration section in the RDS console. |
db-user | Database user to associate with IAM authentication. Can be a wildcard. |
See Creating and using an IAM policy for IAM database access for more information.
Teleport uses temporary credentials generated by AWS to authenticate with Redshift databases. To authorize Teleport to generate these temporary credentials, grant the Database Service instance's IAM identity the `redshift:GetClusterCredentials` permission. The resource ARN string has the following format:

```
arn:aws:redshift:<region>:<account-id>:<resource>:<cluster-id>/<name>
```
Parameters:

Parameter | Description |
---|---|
region | AWS region where your Redshift cluster is deployed, or a wildcard. |
account-id | ID of the AWS account where the Redshift cluster is deployed. |
resource | One of `dbuser`, `dbname` or `dbgroup` to restrict access to database accounts, names or groups respectively. |
cluster-id | Redshift cluster identifier, or a wildcard. |
name | Name of a particular database account, name or group (depending on the `resource`), or a wildcard. |
See Create an IAM role or user with permissions to call GetClusterCredentials for more information.
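The two ARN formats above are easy to get subtly wrong (a database name where a `db-`/`cluster-`/`prx-` resource ID belongs, or a Redshift resource type outside `dbuser`/`dbname`/`dbgroup` silently grants nothing). The following helper builds the `rds-db:connect` and `redshift:GetClusterCredentials` resource ARNs from their parts, validates them against the tables above, and wraps them in a single-statement policy document ready to attach. It is an added example written for this page, not code from the Teleport docs or the Teleport project; the function names and the sample region, account ID, resource identifiers, cluster name and database user are assumptions made for illustration.

```python
"""Build rds-db:connect and redshift:GetClusterCredentials policies.

Added example; not code from the Teleport docs or project. Function names
and the sample region, account ID, resource IDs and user names below are
assumptions made for illustration.
"""
import json
import re

# RDS resource IDs carry a type prefix: db- (instance), cluster- (Aurora
# cluster) or prx- (RDS Proxy). Anything else is almost certainly a database
# name rather than a resource ID, and a policy built from it grants nothing.
_RDS_RESOURCE_ID = re.compile(r"^(db|cluster|prx)-[A-Za-z0-9]+$")
_ACCOUNT_ID = re.compile(r"^\d{12}$")
_REDSHIFT_RESOURCES = ("dbuser", "dbname", "dbgroup")


def rds_connect_arn(region, account_id, resource_id, db_user="*"):
    """arn:aws:rds-db:<region>:<account-id>:dbuser:<resource-id>/<db-user>"""
    if not _ACCOUNT_ID.match(account_id):
        raise ValueError(f"account ID must be 12 digits, got {account_id!r}")
    if not _RDS_RESOURCE_ID.match(resource_id):
        raise ValueError(
            f"{resource_id!r} is not an RDS resource ID (db-..., cluster-..., prx-...)")
    return f"arn:aws:rds-db:{region}:{account_id}:dbuser:{resource_id}/{db_user}"


def redshift_arn(region, account_id, resource, cluster_id="*", name="*"):
    """arn:aws:redshift:<region>:<account-id>:<resource>:<cluster-id>/<name>"""
    if not _ACCOUNT_ID.match(account_id):
        raise ValueError(f"account ID must be 12 digits, got {account_id!r}")
    if resource not in _REDSHIFT_RESOURCES:
        raise ValueError(
            f"resource must be one of {_REDSHIFT_RESOURCES}, got {resource!r}")
    return f"arn:aws:redshift:{region}:{account_id}:{resource}:{cluster_id}/{name}"


def policy(action, resources):
    """Single-statement Allow policy; duplicate ARNs are collapsed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": action,
            "Resource": sorted(set(resources)),
        }],
    }


if __name__ == "__main__":
    acct = "123456789012"  # constructed sample account ID
    # Let the Database Service log in as "teleport" on one Aurora cluster and
    # one RDS Proxy, and as any user on one RDS instance (all IDs constructed).
    rds = policy("rds-db:connect", [
        rds_connect_arn("us-east-1", acct, "cluster-ABCDEFGHIJKLMNOP", "teleport"),
        rds_connect_arn("us-east-1", acct, "prx-0123456789abcdef0", "teleport"),
        rds_connect_arn("us-east-1", acct, "db-ABCDEFGHIJKLMNOP"),
    ])
    print(json.dumps(rds, indent=2))
    # Redshift: temporary credentials for user "teleport" on one cluster, any
    # database name on that cluster.
    rs = policy("redshift:GetClusterCredentials", [
        redshift_arn("us-east-1", acct, "dbuser", "my-cluster", "teleport"),
        redshift_arn("us-east-1", acct, "dbname", "my-cluster"),
    ])
    print(json.dumps(rs, indent=2))
```

Paste the printed JSON into the inline or managed policy attached to the Database Service's IAM user or role; keep `db-user` and `name` to the accounts Teleport actually maps users to rather than a wildcard where you can.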
If any ElastiCache or MemoryDB users are tagged as managed by Teleport, the IAM permissions below are required for managing those users. Otherwise, no additional IAM permissions are required.

Use this policy for managing ElastiCache users. Replace `{account-id}` with your AWS Account ID:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:ListTagsForResource",
        "elasticache:DescribeReplicationGroups",
        "elasticache:DescribeUsers",
        "elasticache:ModifyUser"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:CreateSecret",
        "secretsmanager:UpdateSecret",
        "secretsmanager:DeleteSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue",
        "secretsmanager:TagResource"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:{account-id}:secret:teleport/*"
      ]
    }
  ]
}
```
Use this policy for managing MemoryDB users. Replace `{account-id}` with your AWS Account ID:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "memorydb:ListTags",
        "memorydb:DescribeClusters",
        "memorydb:DescribeUsers",
        "memorydb:UpdateUser"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:CreateSecret",
        "secretsmanager:UpdateSecret",
        "secretsmanager:DeleteSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue",
        "secretsmanager:TagResource"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:{account-id}:secret:teleport/*"
      ]
    }
  ]
}
```
If the static configuration uses a custom secret key prefix or a customer managed KMS key ID for the Secrets Manager secrets, add the following to the IAM policy. The first statement extends the Secrets Manager grant to the custom prefix (the default `teleport/` grant above only covers that prefix), and the second lets the Database Service encrypt and decrypt secret values with your key. Replace `{account-id}`, `{my-prefix}` and `{my-kms-id}` accordingly:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:CreateSecret",
        "secretsmanager:UpdateSecret",
        "secretsmanager:DeleteSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue",
        "secretsmanager:TagResource"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:{account-id}:secret:{my-prefix}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:*:{account-id}:key/{my-kms-id}"
      ]
    }
  ]
}
```