Is User Auto Provisioning Unsupported on Aurora RDS? #50566

computerphilosopher · 2024-12-24T02:50:40Z

computerphilosopher
Dec 24, 2024

Hello,

I’m trying to enable the auto provisioning feature for Aurora RDS.

According to the documentation, the db_roles field must be specified for the role assigned to Teleport users. The FAQ mentions that if a role is not assigned, an error will occur. When I attempted auto provisioning, I encountered the exact error described in the documentation:

Access Denied to Database Error: https://goteleport.com/docs/enroll-resources/database-access/auto-user-provisioning/mysql/#access-denied-to-database-error

However, unlike MySQL, Aurora RDS doesn’t support the concept of roles—only users exist, as noted in the AWS documentation:

Users and Roles in Aurora MySQL: https://docs.aws.amazon.com/ko_kr/dms/latest/sql-server-to-aurora-mysql-migration-playbook/chap-sql-server-aurora-mysql.security.usersroles.html#chap-sql-server-aurora-mysql.security.usersroles.mysql

Does this mean that auto provisioning cannot be used with Aurora RDS? If anyone has insights or workarounds, I would greatly appreciate your guidance.

Thank you!

Answered by greedy52

Jan 9, 2025

@computerphilosopher Aurora MySQL should work fine.

for example, here are the things that I run to provision my teleport-admin user on Aurora MySQL:

CREATE DATABASE IF NOT EXISTS teleport;
CREATE USER 'teleport-admin' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
GRANT SELECT ON mysql.role_edges TO 'teleport-admin' ;
GRANT PROCESS, ROLE_ADMIN, CREATE USER ON *.* TO 'teleport-admin' ;
GRANT ALTER ROUTINE, CREATE ROUTINE, EXECUTE, CREATE ON teleport.* TO 'teleport-admin' ;
FLUSH PRIVILEGES;
CREATE ROLE 'role1';
CREATE DATABASE 'test';
GRANT SELECT ON test.* TO 'role1';

Of course this part is done using master user with password auth without Teleport. After this initial setup, I can use …

View full answer

webvictim · 2025-01-09T19:54:46Z

webvictim
Jan 9, 2025
Collaborator

@greedy52 can hopefully confirm here, but I don't believe that we do support automatic user provisioning for Aurora RDS MySQL currently.

1 reply

greedy52 Jan 9, 2025
Maintainer

@computerphilosopher Aurora MySQL should work fine.

for example, here are the things that I run to provision my teleport-admin user on Aurora MySQL:

CREATE DATABASE IF NOT EXISTS teleport;
CREATE USER 'teleport-admin' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
GRANT SELECT ON mysql.role_edges TO 'teleport-admin' ;
GRANT PROCESS, ROLE_ADMIN, CREATE USER ON *.* TO 'teleport-admin' ;
GRANT ALTER ROUTINE, CREATE ROUTINE, EXECUTE, CREATE ON teleport.* TO 'teleport-admin' ;
FLUSH PRIVILEGES;
CREATE ROLE 'role1';
CREATE DATABASE 'test';
GRANT SELECT ON test.* TO 'role1';

Of course this part is done using master user with password auth without Teleport. After this initial setup, I can use Teleport for db auto-user provisioning by setting role1 in db_roles.

That error in troubleshooting guide should be resolved once GRANT SELECT ON test.* TO 'role1'. Without any actual db permission granted to role1, you might see that error.

Answer selected by computerphilosopher

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Is User Auto Provisioning Unsupported on Aurora RDS? #50566

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Is User Auto Provisioning Unsupported on Aurora RDS? #50566

computerphilosopher Dec 24, 2024

Replies: 1 comment · 1 reply

webvictim Jan 9, 2025 Collaborator

greedy52 Jan 9, 2025 Maintainer

computerphilosopher
Dec 24, 2024

Replies: 1 comment 1 reply

webvictim
Jan 9, 2025
Collaborator

greedy52 Jan 9, 2025
Maintainer