Database Access with Amazon Keyspaces (Apache Cassandra)
Teleport can provide secure access to Amazon Keyspaces (Apache Cassandra) via the Teleport Database Service. This allows for fine-grained access control through Teleport's RBAC.
In this guide, you will:
- Configure your Amazon Keyspaces (Apache Cassandra) database with IAM authentication.
- Add the database to your Teleport cluster.
- Connect to the database via Teleport.
How it works
The Teleport Database Service uses IAM authentication to communicate with Amazon Keyspaces. When a user connects to the database via Teleport, the Teleport Database Service obtains AWS credentials and authenticates to AWS as an IAM principal with permissions to access the database.
- Self-Hosted
- Teleport Enterprise Cloud
Prerequisites
-
A running Teleport cluster version 17.0.0-dev or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.
-
The
tctl
admin tool andtsh
client tool.Visit Installation for instructions on downloading
tctl
andtsh
.
- AWS Account with Amazon Keyspaces database and permissions to create and attach IAM policies
- The
cqlsh
Cassandra client installed and added to your system'sPATH
environment variable. - A host, e.g., an Amazon EC2 instance, where you will run the Teleport Database Service.
- To check that you can connect to your Teleport cluster, sign in with
tsh login
, then verify that you can runtctl
commands using your current credentials. For example:If you can connect to the cluster and run the$ tsh login --proxy=teleport.example.com --user=email@example.com
$ tctl status
# Cluster teleport.example.com
# Version 17.0.0-dev
# CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678tctl status
command, you can use your current credentials to run subsequenttctl
commands from your workstation. If you host your own Teleport cluster, you can also runtctl
commands on the computer that hosts the Teleport Auth Service for full permissions.
Step 1/5. Set up the Teleport Database Service
The Database Service requires a valid join token to join your Teleport cluster.
Run the following tctl
command and save the token output in /tmp/token
on the server that will run the Database Service:
$ tctl tokens add --type=db --format=text
abcd123-insecure-do-not-use-this
Alternative methods
For users with a lot of infrastructure in AWS, or who might create or recreate many instances, consider alternative methods for joining new EC2 instances running Teleport:
Install Teleport on your Linux server:
-
Assign edition to one of the following, depending on your Teleport edition:
Edition Value Teleport Enterprise Cloud cloud
Teleport Enterprise (Self-Hosted) enterprise
Teleport Community Edition oss
-
Get the version of Teleport to install. If you have automatic agent updates enabled in your cluster, query the latest Teleport version that is compatible with the updater:
$ TELEPORT_DOMAIN=example.teleport.com
$ TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/default/version | sed 's/v//')"Otherwise, get the version of your Teleport cluster:
$ TELEPORT_DOMAIN=example.teleport.com
$ TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/ping | jq -r '.server_version')" -
Install Teleport on your Linux server:
$ curl https://cdn.teleport.dev/install-v15.4.11.sh | bash -s ${TELEPORT_VERSION} edition
The installation script detects the package manager on your Linux server and uses it to install Teleport binaries. To customize your installation, learn about the Teleport package repositories in the installation guide.
- Self-Hosted
- Teleport Enterprise Cloud
Create a configuration for the Teleport Database Service, pointing the
--proxy
flag to the address of your Teleport Proxy Service:
$ sudo teleport db configure create \
-o file \
--token=/tmp/token \
--proxy=teleport.example.com:443 \
--name=keyspaces \
--protocol=cassandra \
--aws-account-id=12345678912 \
--aws-region=us-east-1 \
--labels=env=dev
Create a configuration for the Teleport Database Service, pointing the
--proxy
flag to the address of your Teleport Proxy Service:
$ sudo teleport db configure create \
-o file \
--token=/tmp/token \
--proxy=mytenant.teleport.sh:443 \
--name=keyspaces \
--protocol=cassandra \
--aws-account-id=12345678912 \
--aws-region=us-east-1 \
--labels=env=dev
Grant the Teleport Database Service access to credentials that it can use to authenticate to AWS.
- If you are running the Teleport Database Service on an EC2 instance, you may use the EC2 Instance Metadata Service method
- If you are running the Teleport Database Service in Kubernetes, you can use IAM Roles for Service Accounts (IRSA)
- Otherwise, you must use environment variables
- Instance Metadata Service
- Kubernetes IRSA
- Environment Variables
Teleport will detect when it is running on an EC2 instance and use the Instance Metadata Service to fetch credentials.
The EC2 instance should be configured to use an EC2 instance profile. For more information, see: Using Instance Profiles.
Refer to IAM Roles for Service Accounts (IRSA) to set up an OIDC provider in AWS and configure an AWS IAM role that allows the pod's service account to assume the role.
Teleport's built-in AWS client reads credentials from the following environment variables:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_DEFAULT_REGION
When you start the Teleport Database Service, the service reads environment variables from a
file at the path /etc/default/teleport
. Obtain these credentials from your
organization. Ensure that /etc/default/teleport
has the following content,
replacing the values of each variable:
AWS_ACCESS_KEY_ID=00000000000000000000
AWS_SECRET_ACCESS_KEY=0000000000000000000000000000000000000000
AWS_DEFAULT_REGION=<YOUR_REGION>
Have multiple sources of AWS credentials?
Teleport's AWS client loads credentials from different sources in the following order:
- Environment Variables
- Shared credentials file
- Shared configuration file (Teleport always enables shared configuration)
- EC2 Instance Metadata (credentials only)
While you can provide AWS credentials via a shared credentials file or shared
configuration file, you will need to run the Teleport Database Service with the AWS_PROFILE
environment variable assigned to the name of your profile of choice.
If you have a specific use case that the instructions above do not account for, consult the documentation for the AWS SDK for Go for a detailed description of credential loading behavior.
Configure the Teleport Database Service to start automatically when the host boots up by creating a systemd service for it. The instructions depend on how you installed the Teleport Database Service.
- Package Manager
- TAR Archive
On the host where you will run the Teleport Database Service, enable and start Teleport:
$ sudo systemctl enable teleport
$ sudo systemctl start teleport
On the host where you will run the Teleport Database Service, create a systemd service configuration for Teleport, enable the Teleport service, and start Teleport:
$ sudo teleport install systemd -o /etc/systemd/system/teleport.service
$ sudo systemctl enable teleport
$ sudo systemctl start teleport
You can check the status of the Teleport Database Service with systemctl status teleport
and view its logs with journalctl -fu teleport
.
Step 2/5. Create a Teleport user
To modify an existing user to provide access to the Database Service, see Database Access Controls
- Teleport Community Edition
- Teleport Enterprise/Enterprise Cloud
Create a local Teleport user with the built-in access
role:
$ tctl users add \
--roles=access \
--db-users="*" \
--db-names="*" \
alice
Create a local Teleport user with the built-in access
and requester
roles:
$ tctl users add \
--roles=access,requester \
--db-users="*" \
--db-names="*" \
alice
Flag | Description |
---|---|
--roles | List of roles to assign to the user. The builtin access role allows them to connect to any database server registered with Teleport. |
--db-users | List of database usernames the user will be allowed to use when connecting to the databases. A wildcard allows any user. |
--db-names | List of logical databases (aka schemas) the user will be allowed to connect to within a database server. A wildcard allows any database. |
Database names are only enforced for PostgreSQL, MongoDB, and Cloud Spanner databases.
For more detailed information about database access controls and how to restrict access see RBAC documentation.
Step 3/5. Create an Amazon Keyspaces role
Create an AWS IAM Role that will be used as your Keyspaces user. Go to the IAM -> Access Management -> Roles. Press Create Role.
AWS provides the AmazonKeyspacesReadOnlyAccess
and AmazonKeyspacesFullAccess
IAM policies that you can incorporate into your Keyspaces user's role.
You can choose AmazonKeyspacesReadOnlyAccess
for read-only access to Amazon Keyspaces or AmazonKeyspacesFullAccess
for full access.
The AmazonKeyspacesReadOnlyAccess
and AmazonKeyspacesReadOnlyAccess
policies may
provide too much or not enough access for your intentions.
Validate that these meet your expectations if you plan on using them.
You can also create your own custom Amazon Keyspaces Permissions Policies: Amazon Keyspaces identity-based policy examples.
Enter a role name and press "Create role".
Step 4/5. Give Teleport permissions to assume roles
Next, attach the following policy to the IAM role or IAM user the Teleport Database Service instance is using, which allows the Database Service to assume the IAM roles:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "*"
}
]
}
You can make the policy more strict by providing specific IAM role resource ARNs in the "Resource" field instead of using a wildcard.
Step 5/5. Connect
Once the Database Service has joined the cluster, log in to see the available databases:
- Self-Hosted
- Teleport Enterprise Cloud
$ tsh login --proxy=teleport.example.com --user=alice
$ tsh db ls
# Name Description Allowed Users Labels Connect
# --------- ----------- ------------- ------- -------
# keyspaces [*] env=dev
$ tsh login --proxy=mytenant.teleport.sh --user=alice
$ tsh db ls
# Name Description Allowed Users Labels Connect
# --------- ----------- ------------- ------- -------
# keyspaces [*] env=dev
To connect to a particular database instance using the KeyspacesReader
AWS IAM Keyspaces role as a database user:
$ tsh db connect --db-user=KeyspacesReader keyspaces
# Connected to Amazon Keyspaces at localhost:55084
# [cqlsh 6.0.0 | Cassandra 3.11.2 | CQL spec 3.4.4 | Native protocol v4]
# Use HELP for help.
# KeyspacesReader@cqlsh>
To log out of the database and remove credentials:
# Remove credentials for a particular database instance.
$ tsh db logout keyspaces
# Remove credentials for all database instances.
$ tsh db logout
Further reading
Next steps
- Learn how to restrict access to certain users and databases.
- View the High Availability (HA) guide.
- Take a look at the YAML configuration reference.
- See the full CLI reference.