title | description | videoBanner |
---|---|---|
Database Access with Redshift on AWS | How to configure Teleport Database Access with AWS Redshift PostgreSQL. | UFhT52d5bYg |
This guide will help you to:
- Install Teleport (=teleport.version=).
- Set up Teleport to access your AWS Redshift instances.
- Connect to your databases through Teleport.
<ScopedBlock scope={["oss", "enterprise"]}> <ScopedBlock scope={["cloud"]}>
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
- AWS account with a Redshift cluster and permissions to create and attach IAM policies.
- Command-line client `psql` installed and added to your system's `PATH` environment variable.
- A host, e.g., an EC2 instance, where you will run the Teleport Database Service.
(!docs/pages/includes/tctl.mdx!)
(!docs/pages/includes/database-access/create-user.mdx!)
(!docs/pages/includes/database-access/token.mdx!)
Install Teleport on the host where you will run the Teleport Database Service:
(!docs/pages/includes/install-linux.mdx!)
On the node that is running the Database Service, create a configuration file:
<ScopedBlock scope={["oss", "enterprise"]}>
```
$ teleport db configure create \
   -o file \
   --proxy=teleport.example.com:3080 \
   --token=/tmp/token \
   --redshift-discovery=us-west-1
```

If you use Teleport Cloud, point `--proxy` at your tenant address instead:

```
$ teleport db configure create \
   -o file \
   --proxy=mytenant.teleport.sh:443 \
   --token=/tmp/token \
   --redshift-discovery=us-west-1
```
The command will generate a Database Service configuration with Redshift database auto-discovery enabled on the `us-west-1` region and place it at the `/etc/teleport.yaml` location.
Teleport needs AWS IAM permissions to be able to:
- Discover and register Redshift databases.
- Manage IAM user or IAM role policies.
Before you can generate IAM permissions, you must provide the Teleport Database Service access to AWS credentials.
(!docs/pages/includes/aws-credentials.mdx service="the Database Service"!)
(!docs/pages/includes/database-access/aws-bootstrap.mdx!)
(!docs/pages/includes/start-teleport.mdx service="the Database Service"!)
The Database Service will discover all Redshift databases according to the configuration and register them in the cluster. The Database Service will also attempt to configure IAM access policies for the discovered databases. Keep in mind that AWS IAM changes may not propagate immediately and can take a few minutes to come into effect.
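As an added example (not part of the original guide and not Teleport's own code), the Python below reviews an IAM policy document and lists the Redshift credential grants it contains, assuming the policy attached to the Database Service identity allows `redshift:GetClusterCredentials`. The sample policy, account ID and function names are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policy: account ID, cluster and database names are placeholders.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "redshift:DescribeClusters", "Resource": "*"},
  {"Effect": "Allow", "Action": ["redshift:GetClusterCredentials"],
   "Resource": ["arn:aws:redshift:us-west-1:111122223333:dbuser:my-redshift/*",
                "arn:aws:redshift:us-west-1:111122223333:dbname:my-redshift/dev"]}
]}
""")

ACTION = "redshift:getclustercredentials"

def as_list(value):
    return value if isinstance(value, list) else [value]

def credential_grants(policy):
    """Return (kind, cluster, name, is_wildcard) for each resource on which an
    Allow statement permits redshift:GetClusterCredentials.
    Deny, NotAction and NotResource are not evaluated by this function."""
    grants = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        # IAM action names are case-insensitive and may contain * or ? wildcards.
        patterns = [a.lower() for a in as_list(stmt["Action"])]
        if not any(fnmatchcase(ACTION, p) for p in patterns):
            continue
        for arn in as_list(stmt.get("Resource", [])):
            if arn == "*":
                grants.append(("any", "*", "*", True))
                continue
            parts = arn.split(":", 6)  # arn:aws:redshift:region:account:kind:cluster/name
            if len(parts) != 7 or parts[2] != "redshift":
                continue
            cluster, _, name = parts[6].partition("/")
            wildcard = any(ch in "*?" for ch in cluster + name)
            grants.append((parts[5], cluster, name, wildcard))
    return grants

def wildcard_dbuser_clusters(policy):
    """Clusters where IAM alone does not limit which database user can be requested."""
    return sorted({cluster for kind, cluster, _, wild in credential_grants(policy)
                   if wild and kind in ("dbuser", "any")})

if __name__ == "__main__":
    for grant in credential_grants(SAMPLE_POLICY):
        print(grant)
    print("wildcard dbuser on:", wildcard_dbuser_clusters(SAMPLE_POLICY))
```

For clusters reported with a wildcard `dbuser` grant, the limit on which database users can be used has to be set in Teleport roles rather than in IAM.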
<ScopedBlock scope={["oss", "enterprise"]}>
Once the Database Service has started and joined the cluster, log in to see the registered databases. Replace `--proxy` with the address of your Teleport Proxy Service.

```
$ tsh login --proxy=teleport.example.com --user=alice
$ tsh db ls
# Name        Description                    Labels
# ----------- ------------------------------ --------
# my-redshift Redshift cluster in us-east-1  ...
```
Once the Database Service has started and joined the cluster, log in to see the registered databases. Replace `--proxy` with the address of your Teleport Cloud tenant.

```
$ tsh login --proxy=mytenant.teleport.sh --user=alice
$ tsh db ls
# Name        Description                    Labels
# ----------- ------------------------------ --------
# my-redshift Redshift cluster in us-east-1  ...
```
To retrieve credentials for a database and connect to it:

```
$ tsh db connect my-redshift
```

You can optionally specify the database name and the user to use by default when connecting to the database instance:

```
$ tsh db connect --db-user=awsuser --db-name=dev my-redshift
```

To log out of the database and remove credentials:

```
$ tsh db logout my-redshift
```
(!docs/pages/includes/database-access/aws-troubleshooting.mdx!)
- Learn more about using IAM authentication to generate database user credentials for AWS Redshift.
- Learn how to restrict access to certain users and databases.
- View the High Availability (HA) guide.
- Take a look at the YAML configuration reference.