Database Access AWS IAM Reference
The Teleport Database Service requires IAM permissions for a variety of operations, depending on the database type and configuration, such as discovering database server endpoints and metadata, generating IAM authentication tokens, and assuming IAM roles.
You can generate the required IAM permissions with the teleport db configure aws print-iam command.
For example, the following command generates and prints an IAM policy:
$ teleport db configure aws print-iam --types rds,redshift --role teleport-db-service-role
See the relevant sections below for details on the IAM permissions required for a specific database type.
DocumentDB
Assign aws-account-id to your AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DocumentDBConnectAsIAMRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::
2. Configure Permissions Policies on teleport-db-service-role
teleport-db-service-role requires sts:AssumeRole permissions, for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::
If any ElastiCache users are tagged to be managed by Teleport, the following IAM permissions are required to manage those users:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ElastiCacheManageUsers",
"Effect": "Allow",
"Action": [
"elasticache:DescribeUsers",
"elasticache:ModifyUser",
"elasticache:ListTagsForResource"
],
"Resource": "*"
},
{
"Sid": "ElastiCacheManagePasswords",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
"secretsmanager:TagResource",
"secretsmanager:UpdateSecret"
],
"Resource": [
"arn:aws:secretsmanager:*:
Keyspaces
Assign aws-account-id to your AWS account ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "KeyspacesConnectAsIAMRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::
2. Configure Permissions Policies on teleport-db-service-role
teleport-db-service-role requires sts:AssumeRole permissions, for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::
If any MemoryDB users are tagged to be managed by Teleport, the following IAM permissions are required to manage those users:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "MemoryDBManageUsers",
"Effect": "Allow",
"Action": [
"memorydb:DescribeUsers",
"memorydb:UpdateUser",
"memorydb:ListTags"
],
"Resource": "*"
},
{
"Sid": "MemoryDBManagePasswords",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
"secretsmanager:TagResource",
"secretsmanager:UpdateSecret"
],
"Resource": [
"arn:aws:secretsmanager:*:
2. Configure Permissions Policies on teleport-db-service-role
teleport-db-service-role requires sts:AssumeRole permissions, for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::<aws-account-id>:role/redshift-serverless-user-role"
}
]
}
Note that this policy can be omitted when teleport-db-service-role and redshift-serverless-user-role are in the same AWS account and teleport-db-service-role's full ARN is configured as Principal in redshift-serverless-user-role's trust policy.
3. Configure Permissions Boundary on teleport-db-service-role
If teleport-db-service-role does not have an attached permissions boundary, then you can skip this step.
Otherwise, the boundary policy attached to teleport-db-service-role must include sts:AssumeRole permissions, for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "*"
}
]
}
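To see how step 2 and step 3 interact, here is an added Python checker (not Teleport's code) that applies the page's rules to constructed sample policies: the identity policy is optional only in the same-account case where the target role's trust policy names the Database Service role's full ARN, and an attached permissions boundary must still allow sts:AssumeRole. It simplifies IAM evaluation (Condition blocks are ignored, the trust policy is assumed to name the full role ARN rather than an account root, and the account ID 111122223333 is a placeholder).

```python
import fnmatch

# Constructed samples modelled on the page's step 2 and step 3 policies and on the target
# role's trust policy (naming the full ARN). 111122223333 is a placeholder account ID.
DB_SERVICE_ROLE = "arn:aws:iam::111122223333:role/teleport-db-service-role"
TARGET_ROLE = "arn:aws:iam::111122223333:role/redshift-serverless-user-role"
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow", "Resource": TARGET_ROLE}]}
BOUNDARY_OK = {"Version": "2012-10-17", "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow", "Resource": "*"}]}
BOUNDARY_TOO_NARROW = {"Version": "2012-10-17", "Statement": [
    {"Action": "rds:DescribeDBInstances", "Effect": "Allow", "Resource": "*"}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": DB_SERVICE_ROLE}, "Action": "sts:AssumeRole"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow grants.
    Action/Resource patterns may use IAM's * and ? wildcards; Condition blocks are ignored."""
    allowed = False
    for stmt in policy.get("Statement", []):
        action_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed

def trust_policy_names_role(trust_policy, role_arn):
    """True if an Allow statement in the trust policy lists role_arn as an AWS principal."""
    for stmt in trust_policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and role_arn in principals:
            return True
    return False

def can_assume(caller_arn, target_arn, identity_policy, boundary, trust_policy):
    """Page rules: identity policy (step 2) may be omitted only for same-account roles whose trust
    policy names the caller's full ARN; a boundary (step 3), if attached, must still allow."""
    if not trust_policy_names_role(trust_policy, caller_arn):
        return False
    same_account = caller_arn.split(":")[4] == target_arn.split(":")[4]
    identity_ok = same_account or (
        identity_policy is not None and policy_allows(identity_policy, "sts:AssumeRole", target_arn))
    boundary_ok = boundary is None or policy_allows(boundary, "sts:AssumeRole", target_arn)
    return identity_ok and boundary_ok
```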
