Skip to main content

Database Access with AWS ElastiCache and AWS MemoryDB for Redis

Teleport can provide secure access to AWS ElastiCache and MemoryDB for Redis via the Teleport Database Service. This allows for fine-grained access control through Teleport's RBAC.

In this guide, you will:

  1. Configure an AWS ElastiCache and MemoryDB for Redis cluster database with IAM authentication.
  2. Join the AWS ElastiCache and MemoryDB for Redis database to your Teleport cluster.
  3. Connect to the AWS ElastiCache and MemoryDB for Redis database via the Teleport Database Service.

Prerequisites

  • A running Teleport cluster version 14.3.33 or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

  • The tctl admin tool and tsh client tool.

    Visit Installation for instructions on downloading tctl and tsh.

  • AWS account with at least one ElastiCache or MemoryDB for Redis clusters In-transit encryption via (TLS) must be enabled.
  • Permissions to create and attach IAM policies.
  • redis-cli version 6.2 or newer installed and added to your system's PATH environment variable.
  • A host, e.g., an EC2 instance, where you will run the Teleport Database Service.
  • A running Teleport Discovery Service if you plan to use Database Auto-Discovery.
  • To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. tctl is supported on macOS and Linux machines. For example:
    $ tsh login --proxy=teleport.example.com --user=email@example.com
    $ tctl status
    # Cluster teleport.example.com
    # Version 14.3.33
    # CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
    If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

Step 1/7. Create a Teleport user

tip

To modify an existing user to provide access to the Database Service, see Database Access Access Controls

Create a local Teleport user with the built-in access role:

$ tctl users add \
--roles=access \
--db-users="*" \
--db-names="*" \
alice
FlagDescription
--rolesList of roles to assign to the user. The builtin access role allows them to connect to any database server registered with Teleport.
--db-usersList of database usernames the user will be allowed to use when connecting to the databases. A wildcard allows any user.
--db-namesList of logical databases (aka schemas) the user will be allowed to connect to within a database server. A wildcard allows any database.
warning

Database names are only enforced for PostgreSQL and MongoDB databases.

For more detailed information about database access controls and how to restrict access see RBAC documentation.

Step 2/7. Create a Database Service configuration

The Database Service requires a valid join token to join your Teleport cluster. Run the following tctl command and save the token output in /tmp/token on the server that will run the Database Service:

$ tctl tokens add --type=db --format=text
abcd123-insecure-do-not-use-this
Alternative methods

For users with a lot of infrastructure in AWS, or who might create or recreate many instances, consider alternative methods for joining new EC2 instances running Teleport:

Install Teleport on the host where you will run the Teleport Database Service:

Select an edition, then follow the instructions for that edition to install Teleport.

The following command updates the repository for the package manager on the local operating system and installs the provided Teleport version:

$ curl https://cdn.teleport.dev/install-v14.3.33.sh | bash -s 14.3.33

Databases can be registered dynamically by Discovery Service, tctl, etc.

Generate a Database Service configuration that monitors the dynamic database resources:

$ sudo teleport db configure create \
-o file \
--proxy=mytenant.teleport.sh:443 \
--token=/tmp/token \
--dynamic-resources-labels env=prod

This command will place the Database Service configuration at the /etc/teleport.yaml location.

Enable auto-discovery for AWS ElastiCache in Discovery Service?

In your Teleport Discovery Service's configuration, use AWS matcher type elasticache, and update region and tags that match your ElastiCache databases:

discovery_service:
enabled: "yes"
aws:
- types: ["elasticache"]
regions: ["us-west-1"]
tags:
"env": "prod" # Match database resource tags where tag:env=prod

Restart the Discovery Service.

Step 3/7. Create an IAM policy for Teleport

Teleport needs AWS IAM permissions to be able to:

  • Modify ElastiCache and MemoryDB user passwords for Teleport-managed users.
  • Save user passwords in AWS Secrets Manager for Teleport-managed users.
  • Connect to an ElastiCache or MemoryDB cluster using IAM auth.

Before you can generate IAM permissions, you must provide the Teleport Database Service access to AWS credentials.

Grant the Database Service access to credentials that it can use to authenticate to AWS. If you are running the Database Service on an EC2 instance, you should use the EC2 Instance Metadata Service method. Otherwise, you must use environment variables:

Teleport will detect when it is running on an EC2 instance and use the Instance Metadata Service to fetch credentials.

The EC2 instance should be configured to use an EC2 instance profile. For more information, see: Using Instance Profiles.

Have multiple sources of AWS credentials?

Teleport's AWS client loads credentials from different sources in the following order:

  • Environment Variables
  • Shared credentials file
  • Shared configuration file (Teleport always enables shared configuration)
  • EC2 Instance Metadata (credentials only)

While you can provide AWS credentials via a shared credentials file or shared configuration file, you will need to run the Database Service with the AWS_PROFILE environment variable assigned to the name of your profile of choice.

If you have a specific use case that the instructions above do not account for, consult the documentation for the AWS SDK for Go for a detailed description of credential loading behavior.

Teleport can bootstrap IAM permissions for the Database Service based on its configuration:

Teleport can bootstrap IAM permissions for the Database Service based on Discovery Service's configuration while bootstrapping the Discovery Service using the teleport discovery bootstrap command. You can use this command in automatic or manual mode:

  • In automatic mode, Teleport will attempt to create appropriate IAM policies and attach them to the specified IAM role. This requires IAM permissions to create and attach IAM policies.
  • In manual mode, Teleport will print required IAM policies. You can then create and attach them manually using the AWS management console. Add --manual flag to the command to enable manual mode.
$ teleport discovery bootstrap \
--attach-to-role arn:aws:iam::aws-account-id:role/discovery-iam-role-name \
--policy-name TeleportDatabaseDiscovery \
--database-service-role arn:aws:iam::aws-account-id:role/database-iam-role-name \
--database-service-policy-name TeleportDatabaseAccess \
-c path to Discovery's teleport.yaml

Alternatively, you can create or print the required IAM policies with the following commands and manually attach them to the IAM role:

  • teleport db configure aws create-iam --types elasticache
  • teleport db configure aws print-iam --types elasticache

Step 4/7. Start the Database Service

Configure the Database Service to start automatically when the host boots up by creating a systemd service for it. The instructions depend on how you installed the Database Service.

On the host where you will run the Database Service, enable and start Teleport:

$ sudo systemctl enable teleport
$ sudo systemctl start teleport

You can check the status of the Database Service with systemctl status teleport and view its logs with journalctl -fu teleport.

Step 5/6. Configure authentication for ElastiCache or MemoryDB users

There are a few authentication options when creating an ElastiCache or MemoryDB user.

If your ElastiCache or MemoryDB cluster supports IAM authentication, the Teleport Database Service can connect to your ElastiCache or MemoryDB cluster using a short-lived AWS IAM authentication token. AWS IAM authentication is available for ElastiCache and MemoryDB with Redis version 7.0 or above. Redis ACL must be enabled as well. IAM authentication is the preferred method for authentication.

The second option is to allow Teleport to manage ElastiCache or MemoryDB users. The Teleport Database Service rotates any passwords managed by Teleport every 15 minutes, saves these passwords in AWS Secrets Manager, and automatically sends an AUTH command with the saved password when connecting the client to the Redis server.

To enable Redis ACL, please see Authenticating users with Role-Based Access Control for ElastiCache.

Some additional limitations apply when using IAM authentication - for more information, see: ElastiCache Auth IAM Limits.

There are a few requirements for configuring an ElastiCache IAM-enabled user:

  • the user must have identical username and user id properties.
  • the user must have authentication mode set to "IAM".
  • the user must be attached to an ElastiCache user group.

Create an ElastiCache IAM-enabled user. The following example creates an ElastiCache user with the access string on ~* +@all that represents an active user with access to all available keys and commands:

$ aws elasticache create-user \
--user-name iam-user-01 \
--user-id iam-user-01 \
--authentication-mode Type=iam \
--engine redis \
--access-string "on ~* +@all"
Access Strings

You may prefer a less permissive access string for your ElastiCache users. For more information about ElastiCache access strings, please see: ElastiCache Cluster RBAC Access String.

Create an ElastiCache user group and attach it to your ElastiCache replication group:

$ aws elasticache create-user-group \
--user-group-id iam-user-group-01 \
--engine redis \
--user-ids default iam-user-01
$ aws elasticache modify-replication-group \
--replication-group-id replication-group-01 \
--user-group-ids-to-add iam-user-group-01

Once the ElastiCache user has been created, verify that the user is configured to satisfy the requirements for IAM authentication:

If you choose not to use the above options, Teleport will not automatically authenticate with the Redis server.

You can either set up a "no password" configuration for your ElastiCache or MemoryDB user, or manually enter an AUTH command with the password you have configured after a successful client connection. However, it is strongly advised to use one of the first two options or a strong password for better security.

Step 6/6. Connect

Once the Database Service has started and joined the cluster, log in to see the registered databases:

$ tsh login --proxy=teleport.example.com --user=alice
$ tsh db ls
# Name Description Labels
# --------------------------- --------------------------------------------------------- --------
# my-cluster-mode-elasticache ElastiCache cluster in us-west-1 (configuration endpoint) ...
# my-elasticache ElastiCache cluster in us-west-1 (primary endpoint) ...
# my-elasticache-reader ElastiCache cluster in us-west-1 (reader endpoint) ...
# my-memorydb MemoryDB cluster in us-west-1 ...

To retrieve credentials for a database and connect to it:

$ tsh db connect --db-user=my-database-user my-elasticache

If flag --db-user is not provided, Teleport logs in as the default user.

Now, depending on the authentication configurations, you may need to send an AUTH command to authenticate with the Redis server:

The Database Service automatically authenticates Teleport-managed and IAM-enabled users with the Redis server. No AUTH command is required after successful connection.

If you are connecting as a user that is not managed by Teleport and is not IAM-enabled, the connection normally starts as the default user. Now you can authenticate the database user with its password:

AUTH my-database-user <USER_PASSWORD>

To log out of the database and remove credentials:

# Remove credentials for a particular database instance.
$ tsh db logout my-elasticache
# Remove credentials for all database instances.
$ tsh db logout

Troubleshooting

Certificate error

If your tsh db connect error includes the following text, you likely have an RDS database created before July 28, 2020, which presents an X.509 certificate that is incompatible with Teleport:

x509: certificate relies on legacy Common Name field, use SANs instead

AWS provides instructions to rotate your SSL/TLS certificate.

No credential providers error

If you see the error NoCredentialProviders: no valid providers in chain in Database Service logs then Teleport is not detecting the required credentials to connect via AWS IAM permissions. Check whether the credentials or security role has been applied in the machine running the Teleport Database Service.

Timeout errors

The Teleport Database Service needs connectivity to your database endpoints. That may require enabling inbound traffic on the database from the Database Service on the same VPC or routing rules from another VPC. Using the nc program you can verify connections to databases:

$ nc -zv postgres-instance-1.sadas.us-east-1.rds.amazonaws.com 5432
# Connection to postgres-instance-1.sadas.us-east-1.rds.amazonaws.com (172.31.24.172) 5432 port [tcp/postgresql] succeeded!

Not authorized to perform sts:AssumeRole

The Database Service assumes an IAM role in one of following situations:

  • An IAM role is used as db_user when accessing AWS services that require IAM roles as database users, such as DynamoDB, Keyspaces, Opensearch, and Redshift Serverless.
  • The assume_role_arn field is specified for the database resources or dynamic resource matchers.
Role chaining

When both of the above conditions are true for a database connection, the Database Service performs a role chaining by assuming the IAM role specified assume_role_arn first then using that IAM role to assume the IAM role for db_user.

You may encounter the following error if the trust relationship is not configured properly between the IAM roles:

AccessDenied: User: arn:aws:sts::111111111111:assumed-role/database-service-role/i-* is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/database-user-role

To allow IAM Role role1 to assume IAM Role role2, the following is generally required:

1. Configure Trust Relationships on role2

role1 or its AWS account should be set as Principal in role2's trust policy.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:role/role1"
},
"Action": "sts:AssumeRole"
}
]
}
2. Configure Permissions Policies on role1

role1 requires sts:AssumeRole permissions, for example:

{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::111111111111:role/role2"
}
]
}

Note that this policy can be omitted when role1 and role2 are in the same AWS account and role1's full ARN is configured as Principal in role2's trust policy.

3. Configure Permissions Boundary on role1

role1 also requires sts:AssumeRole permissions in its boundary policy, for example:

{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "*"
}
]
}

Note that this is only required when a boundary policy is attached to role1.

You can test the trust relationship by running this AWS CLI command as role1:

aws sts assume-role --role-arn arn:aws:iam::111111111111:role/role2 --role-session-name test-trust-relationship

Learn more on how to use trust policies with IAM roles.

Next steps

  • See the YAML configuration reference for updating dynamic resource matchers or static database definitions.