Teleport 애플리케이션 서비스를 구성하여 Amazon DynamoDB에 안전하게 접근할 수 있습니다.

이 가이드는 다음 작업을 안내합니다:

• Teleport 애플리케이션 서비스 설치
• AWS 콘솔 및 API에 접근하기 위한 Teleport 애플리케이션 서비스 설정
• Teleport 애플리케이션 서비스를 통해 DynamoDB 데이터베이스에 연결

작동 방식#

Teleport 애플리케이션 서비스는 AWS 관리 콘솔 및 API와의 통합을 통해 DynamoDB에 안전하게 접근할 수 있도록 합니다. 이는 Teleport로 Amazon DynamoDB 보호하기 가이드에 설명된 Teleport 데이터베이스 서비스를 통한 DynamoDB 접근의 대안입니다.

사전 요구 사항#

• AWS account with DynamoDB databases.
• IAM permissions to create IAM roles.
• aws Command Line Interface (CLI) tool installed in PATH.
• A host, e.g., an EC2 instance, where you will run the Teleport Application Service.

(!docs/pages/includes/edition-prereqs-tabs.mdx!)

• (!docs/pages/includes/tctl.mdx!)

We will assume your Teleport cluster is accessible at teleport.example.com and *.teleport.example.com. You can substitute the address of your Teleport Proxy Service. (For Teleport Cloud customers, this will be similar to mytenant.teleport.sh.)

1/5단계. DynamoDB 접근을 위한 IAM 역할 생성#

Create an IAM role that provides access to your DynamoDB resources. Teleport Application Service will assume this IAM role on behalf of the Teleport user that accesses these DynamoDB resources.

There are several methods to create an IAM role:

2/5단계. Teleport IAM 역할 매핑 구성#

Give your Teleport users permissions to assume IAM roles in your Teleport cluster.

You can do this by creating a Teleport role with the aws_role_arns field listing the IAM role ARN created in the previous step. Create a file called ExampleTeleportDynamoDBRole.yaml with the following content:

$ cat > ExampleTeleportDynamoDBRole.yaml <
  

See Role Templates for
details.

Create the new role:
$ tctl create -f ExampleTeleportDynamoDBRole.yaml

(!docs/pages/includes/create-role-using-web.mdx!)
(!docs/pages/includes/add-role-to-user.mdx role="ExampleTeleportDynamoDBRole"!)

3/5단계. Teleport 애플리케이션 서비스 설치#

Generate a token#
A join token is required to authorize a Teleport Application Service instance
to join the cluster. Generate a short-lived join token and save the output of
the command:
$ tctl tokens add \
    --type=app \
    --app-name=aws \
    --app-uri=https://console.aws.amazon.com/console/home

On the host where you will run the Teleport Application Service, copy the token
to a file called /tmp/token.

Install and start Teleport#
Install Teleport on the host where you will run the Teleport Application
Service. See our Installation page for options
besides Linux servers.
(!docs/pages/includes/install-linux.mdx!)
Edit the Teleport configuration file (/etc/teleport.yaml) to include the
following information, adjusting the value of proxy_server to specify the host
and port of your Teleport Proxy Service:
version: v3
teleport:
  join_params:
    token_name: "/tmp/token"
    method: token
  proxy_server: "teleport.example.com:443"
auth_service:
  enabled: false
proxy_service:
  enabled: false
ssh_service:
  enabled: false
app_service:
  enabled: true
  apps:
  - name: aws
    uri: https://console.aws.amazon.com/home/home

(!docs/pages/includes/aws-credentials.mdx service="the Teleport Application Service"!)
(!docs/pages/includes/start-teleport.mdx service="the Teleport Application Service"!)


4/5단계. 역할 위임을 위한 Teleport 권한 부여#

Next, attach the following policy to the IAM role or IAM user the Teleport
Application Service instance is using, which allows the Application Service to
assume the IAM roles:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    }
  ]
}



5/5단계. 연결#
애플리케이션 서비스가 시작되고 클러스터에 참여하면 DynamoDB 데이터베이스에 연결을 시작할 수 있습니다.
AWS 관리 콘솔 사용#

Log in to the Teleport Web UI at https://teleport.example.com (replace with
your Proxy Service's public address).
Navigate to the Applications tab in your Teleport cluster's control panel and
click on the Launch button for the AWS application. This will bring up an IAM
role selector:

Click on the role {{ iam-role }} and you will get redirected to the AWS
Management Console, signed in with the selected role.
In the console's top-right corner, you should see that you're logged in through
federated login and the name of your assumed IAM role is
{{ iam-role }}/<teleport-username> where the session name is your Teleport username.

AWS CLI 사용#

Log into the previously configured AWS app on your desktop:
$ tsh apps login --aws-role {{ iam-role }} aws
Logged into AWS app aws. Example AWS CLI command:

$ tsh aws s3 ls

The --aws-role flag allows you to specify the AWS IAM role to assume when
accessing the AWS API. You can either provide a role name like --aws-role ExampleTeleportDynamoDBRole or a full role ARN like
arn:aws:iam::123456789000:role/{{iam-role}}.
Now you can use the tsh aws command like the native aws command-line tool:
$ {{ tsh-example }}

To log out of the aws application and remove credentials:
$ tsh apps logout aws


다른 DynamoDB 애플리케이션 사용#
아직 하지 않은 경우 먼저 이전에 구성한 AWS 앱에 로그인하세요:
$ tsh apps login --aws-role ExampleTeleportDynamoDBRole aws

DynamoDB 애플리케이션을 연결하려면 AWS 요청을 Teleport 프록시 서비스로 전달하는 로컬 HTTPS 프록시를 시작하여 AWS 애플리케이션에 접근할 수 있도록 합니다.
다음 명령을 사용하여 애플리케이션이 연결할 프록시를 시작하세요:
$ tsh proxy aws -p 23456
Started AWS proxy on http://127.0.0.1:23456.

Use the following credentials and HTTPS proxy setting to connect to the proxy:
  AWS_ACCESS_KEY_ID=(=aws.aws_access_key=)
  AWS_SECRET_ACCESS_KEY=(=aws.aws_secret_access_key=)
  AWS_CA_BUNDLE=<local-ca-bundle-path>
  HTTPS_PROXY=http://127.0.0.1:23456

표시된 AWS 자격 증명과 HTTPS 프록시 설정을 애플리케이션 구성 시 사용하세요.
예를 들어 Python AWS SDK에 대한 환경 변수로 AWS 자격 증명과 HTTPS 프록시 주소를 할당할 수 있습니다:
$ export AWS_ACCESS_KEY_ID=(=aws.aws_access_key=)
$ export AWS_SECRET_ACCESS_KEY=(=aws.aws_secret_access_key=)
$ export AWS_CA_BUNDLE=<local-ca-bundle-path>
$ export HTTPS_PROXY=http://127.0.0.1:23456
$ python3
>>> import boto3
>>> boto3.client('dynamodb').list_tables()
{'TableNames': ['my-dynamodb-table'], 'ResponseMetadata': {...}}


aws 애플리케이션에서 로그아웃하고 자격 증명을 제거하려면:
$ tsh apps logout aws

다음 단계#

Teleport로 AWS 콘솔 보호하기에 대한 자세한 정보
AWS 서비스 엔드포인트에 대해 더 알아보기