Teleport can provide secure access to Azure Cache for Redis via the Teleport Database Service. This allows for fine-grained access control through Teleport's RBAC.

In this guide, you will:

1. Configure your Azure Cache for Redis database with Microsoft Entra ID-based authentication.
2. Add the database to your Teleport cluster.
3. Connect to the database via Teleport.

작동 방식#

Teleport Database Service는 Teleport 사용자와 Azure Cache for Redis 간의 트래픽을 프록시합니다. 사용자가 Teleport를 통해 데이터베이스에 연결하면 Database Service는 Microsoft Entra ID에서 액세스 토큰을 가져와 데이터베이스를 관리할 권한이 있는 주체로 Azure에 인증합니다.

사전 요구 사항#

• A running Teleport cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

• The tctl and tsh clients.

  Installing `tctl` and `tsh` clients

  1. Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version. Replace with the web address of your Teleport Proxy Service:

     $ TELEPORT_DOMAIN=
     $ TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"
     

  2. Follow the instructions for your platform to install tctl and tsh clients:

• 배포된 Azure Redis 서버 또는 Azure Redis Enterprise 클러스터.
• 서비스 주체 및 액세스 제어를 관리하기 위한 Azure 관리자 권한.
• Teleport Database Service를 실행할 호스트(예: Azure VM 인스턴스).
• redis-cli 버전 6.2 이상이 설치되어 있고 시스템 PATH 환경 변수에 추가되어 있어야 합니다.

To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials.

For example, run the following command, assigning to the domain name of the Teleport Proxy Service in your cluster and to your Teleport username:

$ tsh login --proxy= --user=
$ tctl status
# Cluster  (=teleport.url=)
# Version  (=teleport.version=)
# CA pin   (=presets.ca_pin=)

If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

1/5단계. Teleport 토큰 및 사용자 생성#

The Database Service requires a valid join token to join your Teleport cluster. Run the following tctl command and save the token output in /tmp/token on the server that will run the Database Service:

$ tctl tokens add --type=db --format=text
(=presets.tokens.first=)

For more detailed information about database access controls and how to restrict access see RBAC documentation.

2/5단계. Database Service 구성 생성#

Teleport Database Service를 실행할 호스트에 Teleport를 설치합니다:

To install a Teleport Agent on your Linux server:

The recommended installation method is the cluster install script. It will select the correct version, edition, and installation mode for your cluster.

1. Assign to your Teleport cluster hostname and port, but not the scheme (https://).

2. Run your cluster's install script:

   $ curl "https:///scripts/install.sh" | sudo bash
   

다음과 같이 지역을 지정하여 Database Service 구성을 생성합니다:

$ sudo teleport db configure create \
  -o file \
  --proxy=tele.example.com:443 \
  --token=/tmp/token \
  --azure-redis-discovery=eastus

$ sudo teleport db configure create \
  -o file \
  --proxy=teleport.example.com:443 \
  --token=/tmp/token \
  --azure-redis-discovery=eastus

이 명령은 eastus 지역에서 Azure Cache for Redis 자동 검색이 활성화된 Database Service 구성을 생성하여 /etc/teleport.yaml 위치에 저장합니다.

3/5단계. Teleport를 위한 IAM 권한 구성#

Teleport Database Service에는 다음을 위한 Azure IAM 권한이 필요합니다:

• Azure Cache for Redis 데이터베이스 검색 및 등록.
• 데이터베이스 인증을 위한 Redis 액세스 키 검색.

Azure 서비스 주체 구성#

There are a couple of ways for the Teleport Database Service to access Azure resources:

• The Database Service can run on an Azure VM with attached managed identity. This is the recommended way of deploying the Database Service in production since it eliminates the need to manage Azure credentials.
• The Database Service can be registered as a Microsoft Entra ID application (via "App registrations") and configured with its credentials. This is only recommended for development and testing purposes since it requires Azure credentials to be present in the Database Service's environment.

Go to the App registrations page of Microsoft Entra ID and click on New registration:

Pick a name (e.g. DatabaseService) and register a new application. Once the app has been created, take note of its Application (client) ID and click on Add a certificate or secret:

Create a new client secret that the Database Service agent will use to authenticate with the Azure API:

The Teleport Database Service uses Azure SDK's default credential provider chain to look for credentials. Refer to Azure SDK Authorization to pick a method suitable for your use-case. For example, to use environment-based authentication with a client secret, the Database Service should have the following environment variables set:

export AZURE_TENANT_ID=
export AZURE_CLIENT_ID=
export AZURE_CLIENT_SECRET=

사용자 지정 역할 생성#

Teleport는 검색을 위해 <resource-type>/read 권한과 Redis 서버 인증을 위해 <resource-type>/listKeys/action 권한이 필요하지만, 실제로 보유한 리소스 유형에 대한 권한만 필요합니다.

다음은 Teleport가 Azure Redis와 Azure Redis Enterprise 모두에 대해 읽기 및 키 나열을 허용하는 샘플 역할 정의입니다:

{
    "properties": {
        "roleName": "TeleportDiscovery",
        "description": "Allows Teleport to discover Azure Cache For Redis databases and list keys",
        "assignableScopes": [
            "/subscriptions/11111111-2222-3333-4444-555555555555"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Cache/redis/read",
                    "Microsoft.Cache/redis/listKeys/action",
                    "Microsoft.Cache/redisEnterprise/read",
                    "Microsoft.Cache/redisEnterprise/databases/read",
                    "Microsoft.Cache/redisEnterprise/databases/listKeys/action"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

위의 assignableScopes 필드에는 구독 /subscriptions/<subscription>이 포함되어 있어 해당 구독 내의 모든 리소스 범위 또는 구독 범위 자체에서 역할을 할당할 수 있습니다. assignableScopes를 더 제한하려면 리소스 그룹 /subscriptions/<subscription>/resourceGroups/<group> 또는 관리 그룹 /providers/Microsoft.Management/managementGroups/<group>을 사용할 수 있습니다.

구독 페이지로 이동하여 구독을 선택합니다.

구독에서 *액세스 제어(IAM)*를 클릭하고 추가 > 사용자 지정 역할 추가를 선택합니다:

사용자 지정 역할 생성 페이지에서 JSON 탭을 클릭하고 편집을 클릭한 다음 JSON 예시를 붙여넣고 assignableScopes의 구독을 본인의 구독 ID로 교체합니다:

Teleport Database Service 주체에 역할 할당 생성#

To grant Teleport permissions, the custom role you created must be assigned to the Teleport service principal - either the managed identity or the app registration you created earlier.

Navigate to the resource scope where you want to make the role assignment. Click Access control (IAM) and select Add > Add role assignment. Choose the custom role you created as the role and the Teleport service principal as a member.

4/5단계. Database Service 시작#

Configure the Teleport Database Service to start automatically when the host boots up by creating a systemd service for it. The instructions depend on how you installed the Teleport Database Service.

You can check the status of the Teleport Database Service with systemctl status teleport and view its logs with journalctl -fu teleport.

5/5단계. 연결#

Teleport 클러스터에 로그인합니다. Azure Cache for Redis 데이터베이스가 사용 가능한 데이터베이스 목록에 나타나야 합니다:

$ tsh login --proxy=teleport.example.com --user=alice
$ tsh db ls
Name                      Description                              Allowed Users Labels  Connect
------------------------- ---------------------------------------- ------------- ------- -------
my-azure-redis            Azure Redis server in East US            [*]           ...
my-azure-redis-enterprise Azure Redis Enterprise server in East US [*]           ...

$ tsh login --proxy=mytenant.teleport.sh --user=alice
$ tsh db ls
Name                      Description                              Allowed Users Labels  Connect
------------------------- ---------------------------------------- ------------- ------- -------
my-azure-redis            Azure Redis server in East US            [*]           ...
my-azure-redis-enterprise Azure Redis Enterprise server in East US [*]           ...

데이터베이스에 대한 자격 증명을 검색하고 연결하려면:

$ tsh db connect my-azure-redis

Teleport Database Service가 백엔드에서 액세스 키를 검색하고 Redis 서버에 자동으로 인증합니다. 따라서 연결 후 AUTH <access-key> 명령은 필요하지 않습니다.

데이터베이스에서 로그아웃하고 자격 증명을 제거하려면:

$ tsh db logout my-azure-redis

문제 해결#

No credential providers error#

If you see the error DefaultAzureCredential: failed to acquire a token. in Database Service logs then Teleport is not detecting the required credentials to connect to the Azure SDK. Check whether the credentials have been applied in the machine running the Teleport Database Service and restart the Teleport Database Service. Refer to Azure SDK Authorization for more information.

Timeout errors#

The Teleport Database Service needs connectivity to your database endpoints. That may require enabling inbound traffic on the database from the Database Service on the same VPC or routing rules from another VPC. Using the nc program you can verify connections to databases:

$ nc -zv server-name.postgres.database.azure.com 5432
# Connection to server-name.postgres.database.azure.com 5432 port [tcp/postgresql] succeeded!

다음 단계#

• Learn how to restrict access to certain users and databases.

• View the High Availability (HA) guide.

• Take a look at the YAML configuration reference.

• See the full CLI reference.

추가 참고 자료#

• Azure 역할 정의 이해 - AssignableScopes
• Azure RBAC 사용자 지정 역할