Can't tctl auth sign database certificate remotely via proxy / in Teleport Cloud #7071

Answered by r0mant
r0mant asked this question in Q&A

Prior to Teleport version 6.2.1, only a cluster admin could generate self-hosted database certificates, by running the tctl auth sign command locally on the auth server.

Starting from the 6.2.1 release, the command allows generating these certificates remotely as well, by leveraging Teleport's impersonation capabilities.

To generate these certs, the user invoking the command must have permission to impersonate the built-in Db user/role representing a database node.

Example allow rule:

allow:
  impersonate:
    users: ["Db"]
    roles: ["Db"]
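The complete role manifest and the remote signing workflow the allow rule above enables, as an added example that is not part of the original post or of Teleport's own code. The role name db-cert-signer, the operator user alice, the proxy address teleport.example.com:443, the database host db.example.com and the 2190h TTL are assumptions chosen for illustration; version: v3 is assumed to be the role version current in the Teleport 6.x line.

```shell
#!/usr/bin/env sh
# Added example (not from the original discussion or from Teleport itself).
# Assumed names: role "db-cert-signer", user "alice",
# proxy teleport.example.com:443, database host db.example.com.

# Render a role that grants exactly one thing: permission to impersonate the
# built-in Db user and Db role. Nothing else (no logins, no node access) is
# granted, so the role can be attached to an operator without widening their
# other privileges.
render_db_signer_role() {
  cat <<'EOF'
kind: role
version: v3
metadata:
  name: db-cert-signer
spec:
  allow:
    impersonate:
      users: ["Db"]
      roles: ["Db"]
EOF
}

# Sign a database server certificate remotely through the proxy.
# $1 = database host name placed in the certificate, $2 = output file prefix.
# Run after `tsh login`; tctl talks to the auth server via the proxy using the
# logged-in identity, which must hold the impersonation grant above.
sign_db_cert() {
  tctl auth sign --format=db --host="$1" --out="$2" --ttl=2190h
}

# Workflow from an operator workstation (not the auth server):
#   tsh login --proxy=teleport.example.com:443 --user=alice
#   render_db_signer_role > db-cert-signer.yaml
#   tctl create -f db-cert-signer.yaml
#   (attach db-cert-signer to alice: local user roles or your SSO role mapping)
#   sign_db_cert db.example.com server
# The last step writes server.crt / server.key / server.cas for the database.
```

The impersonation grant is what lets a non-admin obtain certificates signed by the cluster's database CA, so keep it in a dedicated role assigned only to the operators who actually need to mint database certificates rather than folding it into a broadly held role.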

Replies: 1 comment

r0mant (Maintainer, Author), May 27, 2021

Answer selected by r0mant
Category
Q&A
Labels
rbac (Issues related to Role Based Access Control), database-access (Database access related issues and PRs)