
Database Access with Amazon ElastiCache for Redis and Valkey

Teleport can provide secure access to Amazon ElastiCache via the Teleport Database Service. This allows for fine-grained access control through Teleport's RBAC.

In this guide, you will:

  1. Configure your Amazon ElastiCache database with IAM authentication.
  2. Add the database to your Teleport cluster.
  3. Connect to the database via Teleport.

How it works

The Teleport Database Service proxies traffic from users to Amazon ElastiCache for Redis and Valkey. Authentication between the Database Service and the Amazon ElastiCache database can take one of two forms:

  • IAM authentication (preferred): The Teleport Database Service connects to the database using a short-lived AWS IAM authentication token. AWS IAM authentication is available for Amazon ElastiCache with engine version 7.0 or above.
  • Managing users: The Teleport Database Service manages users in an access control list, rotates their passwords every 15 minutes, and saves these passwords in AWS Secrets Manager. The Database Service automatically sends an AUTH command with the saved password when connecting the client to the Amazon ElastiCache server.

This guide shows how to register a single Amazon ElastiCache cluster with your Teleport cluster. For a more scalable approach, learn how to set up Database Auto-Discovery to automatically enroll all AWS databases in your infrastructure.

Prerequisites

  • A running Teleport cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

  • The tctl and tsh clients.

    Installing `tctl` and `tsh` clients
    1. Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version. Replace with the web address of your Teleport Proxy Service:

      $ TELEPORT_DOMAIN=
      $ TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"
      
    2. Follow the instructions for your platform to install tctl and tsh clients:

  • An AWS account with an ElastiCache for Redis or Valkey cluster. Encryption in transit (TLS) must be enabled.
  • Permissions to create and attach IAM policies.
  • redis-cli version 6.2 or newer, installed and added to your system's PATH environment variable.
  • A host on which to run the Teleport Database Service (for example, an EC2 instance).
  • ACLs must be enabled on the ElastiCache cluster.

A running Teleport Discovery Service if you plan to use Database Auto-Discovery.

To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials.

For example, run the following command, assigning to the domain name of the Teleport Proxy Service in your cluster and to your Teleport username:

$ tsh login --proxy= --user=
$ tctl status
# Cluster  (=teleport.url=)
# Version  (=teleport.version=)
# CA pin   (=presets.ca_pin=)

If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

Step 1/6. Create a Teleport user

The following flags of the tctl users add command control what the new user may access:

Flag | Description
--- | ---
--roles | List of roles to assign to the user. The builtin access role allows them to connect to any database server registered with Teleport.
--db-users | List of database usernames the user will be allowed to use when connecting to the databases. A wildcard allows any user.
--db-names | List of logical databases (aka schemas) the user will be allowed to connect to within a database server. A wildcard allows any database.

For more detailed information about database access controls and how to restrict access see RBAC documentation.

Step 2/6. Create a Database Service configuration

The Database Service requires a valid join token to join your Teleport cluster. Run the following tctl command and save the token output in /tmp/token on the server that will run the Database Service:

$ tctl tokens add --type=db --format=text
(=presets.tokens.first=)
Alternative methods

For users with a lot of infrastructure in AWS, or who might create or recreate many instances, consider alternative methods for joining new EC2 instances running Teleport:

To install a Teleport Agent on your Linux server:

The recommended installation method is the cluster install script. It will select the correct version, edition, and installation mode for your cluster.

  1. Assign to your Teleport cluster hostname and port, but not the scheme (https://).

  2. Run your cluster's install script:

    $ curl "https:///scripts/install.sh" | sudo bash
    

Create the Database Service configuration:

$ ELASTICACHE_URI=""
$ sudo teleport db configure create \
   -o file \
   --name="elasticache" \
   --proxy=example.teleport.sh:443 \
   --protocol="redis" \
   --uri=${ELASTICACHE_URI?} \
   --token=/tmp/token

Replace example.teleport.sh:443 with the host and port of your Teleport Proxy Service. Set ELASTICACHE_URI to the domain name and port of your ElastiCache database.

This command generates the Database Service configuration and saves it to /etc/teleport.yaml.

Step 3/6. Create an IAM role for Teleport

The Teleport Database Service needs AWS IAM permissions to provide access to ElastiCache databases.

Create an IAM role for Teleport

Grant the Database Service access to credentials that it can use to authenticate to AWS.

  • If you are running the Database Service on an EC2 instance, you may use the EC2 Instance Metadata Service method
  • If you are running the Database Service in Kubernetes, you can use IAM Roles for Service Accounts (IRSA)
  • Otherwise, you must use environment variables.

Have multiple sources of AWS credentials?

Teleport's AWS client loads credentials from different sources in the following order:

  • Environment Variables
  • Shared credentials file
  • Shared configuration file (Teleport always enables shared configuration)
  • EC2 Instance Metadata (credentials only)

While you can provide AWS credentials via a shared credentials file or shared configuration file, you will need to run the Database Service with the AWS_PROFILE environment variable assigned to the name of your profile of choice.

If you have a specific use case that the instructions above do not account for, consult the documentation for the AWS SDK for Go for a detailed description of credential loading behavior.

Grant permissions

ElastiCache supports IAM authentication for Redis and Valkey engine version 7.0 or above. This is the recommended way to configure Teleport access to ElastiCache.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ElastiCacheFetchMetadata",
            "Effect": "Allow",
            "Action": "elasticache:DescribeReplicationGroups",
            "Resource": "*"
        },
        {
            "Sid": "ElastiCacheDescribeUsers",
            "Effect": "Allow",
            "Action": "elasticache:DescribeUsers",
            "Resource": "*"
        },
        {
            "Sid": "ElastiCacheConnect",
            "Effect": "Allow",
            "Action": "elasticache:Connect",
            "Resource": "*"
        }
    ]
}

Statement | Purpose
--- | ---
ElastiCacheFetchMetadata | Automatically import AWS tags as database labels or find missing information such as the database's AWS region.
ElastiCacheDescribeUsers | Determine whether a user is compatible with IAM authentication.
ElastiCacheConnect | Connect using IAM authentication.

You can reduce the scope of the ElastiCacheConnect statement by updating it to only allow specific ElastiCache clusters and IAM users. The resource ARN you can specify has the following formats:

arn:aws:elasticache:{Region}:{AccountID}:replicationgroup:{ReplicationGroup}
arn:aws:elasticache:{Region}:{AccountID}:user:{UserName}

See Authenticating with IAM for ElastiCache for more information.
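As an added example (not Teleport's own code), the following Python rewrites the ElastiCacheConnect statement of the policy above using the two ARN formats, so the Database Service may only connect to named replication groups as named ElastiCache users; the two Describe statements are left as the page shows them. The region, account id, replication group and user name are constructed placeholders.

```python
"""Scope the ElastiCacheConnect statement to specific clusters and users.

Added example, not Teleport's own code. Region, account id, replication group
and user names below are constructed placeholders.
"""
import copy
import json

# The policy from the page, with the Connect statement still on Resource "*".
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ElastiCacheFetchMetadata", "Effect": "Allow",
         "Action": "elasticache:DescribeReplicationGroups", "Resource": "*"},
        {"Sid": "ElastiCacheDescribeUsers", "Effect": "Allow",
         "Action": "elasticache:DescribeUsers", "Resource": "*"},
        {"Sid": "ElastiCacheConnect", "Effect": "Allow",
         "Action": "elasticache:Connect", "Resource": "*"},
    ],
}


def connect_arns(region, account_id, replication_groups, user_names):
    """Build the resource ARNs in the two formats the page lists.

    elasticache:Connect is evaluated against both the replication group and
    the user, so both kinds of ARN must be present in the statement.
    """
    groups = [f"arn:aws:elasticache:{region}:{account_id}:replicationgroup:{g}"
              for g in replication_groups]
    users = [f"arn:aws:elasticache:{region}:{account_id}:user:{u}"
             for u in user_names]
    return groups + users


def scope_connect_statement(policy, region, account_id, replication_groups, user_names):
    """Return a copy of `policy` whose ElastiCacheConnect statement is limited
    to the given clusters and users; other statements are returned unchanged."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        if stmt.get("Sid") == "ElastiCacheConnect":
            stmt["Resource"] = connect_arns(
                region, account_id, replication_groups, user_names)
    return scoped


def wildcard_statements(policy):
    """Sids of statements whose Resource is still "*" (quick privilege review)."""
    return [s["Sid"] for s in policy["Statement"]
            if s.get("Resource") in ("*", ["*"])]


if __name__ == "__main__":
    scoped = scope_connect_statement(
        BASE_POLICY, "us-east-1", "111111111111",
        ["replication-group-01"], ["iam-user-01"])
    print(json.dumps(scoped, indent=2))
    print("statements still on *:", wildcard_statements(scoped))
```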

Step 4/6. Start the Database Service

Configure the Database Service to start automatically when the host boots up by creating a systemd service for it. The instructions depend on how you installed the Database Service.

You can check the status of the Database Service with systemctl status teleport and view its logs with journalctl -fu teleport.

Step 5/6. Configure ElastiCache user authentication

Configure authentication for the ElastiCache database. The steps to follow depend on whether the Teleport Database Service will use IAM authentication with ElastiCache or password-managed authentication through AWS Secrets Manager:

To enable ACLs, see Authenticating users with Role-Based Access Control for ElastiCache.

There are a few additional restrictions when using IAM authentication. See ElastiCache Auth IAM Limits for details.

There are a few requirements for configuring an ElastiCache IAM-enabled user:

  • The user must have matching username and user id attributes.
  • The user's authentication mode must be set to "IAM".
  • The user must be attached to an ElastiCache user group.

Create an ElastiCache IAM-enabled user. The following example creates an ElastiCache user that is active and has the access string on ~* +@all, which allows access to all available keys and commands:

$ aws elasticache create-user \
  --user-name iam-user-01 \
  --user-id iam-user-01 \
  --authentication-mode Type=iam \
  --engine redis \
  --access-string "on ~* +@all"

Access Strings

You may prefer a less permissive access string for your ElastiCache user. See ElastiCache Cluster RBAC Access String for details on ElastiCache access strings.

Create an ElastiCache user group and attach it to the ElastiCache replication group:

$ aws elasticache create-user-group \
  --user-group-id iam-user-group-01 \
  --engine redis \
  --user-ids default iam-user-01
$ aws elasticache modify-replication-group \
  --replication-group-id replication-group-01 \
  --user-group-ids-to-add iam-user-group-01

After the ElastiCache user is created, verify that it is configured to satisfy the IAM authentication requirements:

ElastiCache IAM-enabled user
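As an added check (not part of Teleport or the original guide), the following Python validates the output of aws elasticache describe-users against the three requirements listed above and reports every violation per user. The sample response is constructed; its field names follow the DescribeUsers API response.

```python
"""Check ElastiCache users against the IAM-authentication requirements:
username == user id, authentication mode IAM, attached to a user group.

Added example, not Teleport's own check. SAMPLE_DESCRIBE_USERS is a
constructed stand-in for `aws elasticache describe-users` output.
"""
import json

# Constructed sample: the two users from this step plus one misconfigured
# user (id and name differ, no user group) to show how violations surface.
SAMPLE_DESCRIBE_USERS = json.dumps({
    "Users": [
        {"UserId": "iam-user-01", "UserName": "iam-user-01", "Status": "active",
         "Engine": "redis", "AccessString": "on ~* +@all",
         "UserGroupIds": ["iam-user-group-01"], "Authentication": {"Type": "iam"}},
        {"UserId": "default", "UserName": "default", "Status": "active",
         "Engine": "redis", "AccessString": "on ~* +@all",
         "UserGroupIds": ["iam-user-group-01"],
         "Authentication": {"Type": "no-password"}},
        {"UserId": "app-user-02", "UserName": "app-user", "Status": "active",
         "Engine": "redis", "AccessString": "on ~app:* +@read",
         "UserGroupIds": [], "Authentication": {"Type": "iam"}},
    ]
})


def iam_auth_problems(user):
    """Return the requirement violations for one DescribeUsers entry.

    An empty list means the user can be used with Teleport's IAM
    authentication as far as these three requirements go.
    """
    problems = []
    if user.get("UserName") != user.get("UserId"):
        problems.append("username and user id differ")
    if user.get("Authentication", {}).get("Type") != "iam":
        problems.append("authentication mode is not IAM")
    if not user.get("UserGroupIds"):
        problems.append("not attached to any user group")
    return problems


def check_describe_users(raw_json):
    """Parse describe-users JSON and map each user id to its problems."""
    users = json.loads(raw_json).get("Users", [])
    return {u["UserId"]: iam_auth_problems(u) for u in users}


def iam_ready_users(raw_json):
    """User ids that satisfy every requirement, sorted for stable output."""
    return sorted(uid for uid, problems in check_describe_users(raw_json).items()
                  if not problems)


if __name__ == "__main__":
    for uid, problems in check_describe_users(SAMPLE_DESCRIBE_USERS).items():
        print(f"{uid}: {'OK' if not problems else '; '.join(problems)}")
```

To check a real account, pass the output of aws elasticache describe-users to check_describe_users instead of the constructed sample.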

To enable ACLs, see Authenticating users with Role-Based Access Control for ElastiCache.

After creating an ElastiCache user with the desired access permissions, add the AWS resource tag teleport.dev/managed with the value true to this user:

Managed user tag

The Database Service discovers this user automatically when it is attached to a registered database. It can take up to 20 minutes after the tag is added for the Database Service to discover the user.

If you choose not to use the above options, Teleport will not automatically authenticate with the database.

You can either set up a "no password" configuration for your ElastiCache user, or manually enter an AUTH command with the password you have configured after a successful client connection. However, it is strongly advised to use one of the first two options or a strong password for better security.

Step 6/6. Connect

Once the Database Service has started and joined the cluster, log in to see the registered databases:

$ tsh login --proxy=teleport.example.com --user=alice
$ tsh db ls
# Name                        Description Labels
# --------------------------- ----------- --------
# my-cluster-mode-elasticache             ...
# my-elasticache                          ...
# my-elasticache-reader                   ...

$ tsh login --proxy=mytenant.teleport.sh --user=alice
$ tsh db ls
# Name                        Description Labels
# --------------------------- ----------- --------
# my-cluster-mode-elasticache             ...
# my-elasticache                          ...
# my-elasticache-reader                   ...

To retrieve credentials for the database and connect to it:

$ tsh db connect --db-user=my-database-user my-elasticache

If flag --db-user is not provided, Teleport logs in as the default user.

Now, depending on the authentication configurations, you may need to send an AUTH command to authenticate with the Redis server:

Note

For the content of this section, refer to the original document (proxy-db-tunnel.mdx).

To log out of the database and remove credentials:

# Remove credentials for a particular database instance.
$ tsh db logout my-elasticache
# Remove credentials for all database instances.
$ tsh db logout

Troubleshooting

Certificate error

If your tsh db connect error includes the following text, you likely have an RDS or DocumentDB database created before July 28, 2020, which presents an X.509 certificate that is incompatible with Teleport:

x509: certificate relies on legacy Common Name field, use SANs instead

AWS provides instructions to rotate your SSL/TLS certificate.

(!docs/pages/includes/aws-no-credential-provider.mdx service="Database"!)

Timeout errors

(!docs/pages/includes/database-access/connection-timeout-troubleshooting.mdx!)

Not authorized to perform sts:AssumeRole

The Database Service assumes an IAM role in one of the following situations:

  • A Teleport user specifies an IAM role as the database user they wish to use when accessing AWS services that require IAM roles as database users. Databases that support using an IAM role as a database user include: DynamoDB, Keyspaces, Opensearch, Redshift, and Redshift Serverless.
  • The assume_role_arn field is specified for the database resources or dynamic resource matchers.

What if both situations apply? (role chaining)

When both of the above conditions are true for a database connection, the Database Service performs role chaining: it first assumes the IAM role specified in `assume_role_arn`, then uses that IAM role to assume the IAM role for the database user.

You may encounter the following error if the trust relationship is not configured properly between the IAM roles:

AccessDenied: User: arn:aws:sts::111111111111:assumed-role/teleport-db-service-role/i-* is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/db-user-role

How to properly configure the trust relationship?

(!docs/pages/includes/database-access/iam_role_trust_relationship.mdx role1="teleport-db-service-role" role2="db-user-role" !)

You can test the trust relationship by running this AWS CLI command as teleport-db-service-role:

$ aws sts assume-role --role-arn arn:aws:iam::111111111111:role/db-user-role --role-session-name test-trust-relationship

Learn more on how to use trust policies with IAM roles.

Next steps
