Teleport
Database Labels Reference
Version preview- Older Versions
Teleport assigns system-defined labels to protected databases. This guide describes the system-defined labels and how Teleport uses them.
Origin
All registered databases have a predefined teleport.dev/origin
label with one
of the following values:
Label Value | Description |
---|---|
cloud | database resources created by auto-discovery. |
config | database resources manually defined in the database_service.databases section of teleport.yaml . |
dynamic | database resources created through dynamic registration like tcl create command. |
Auto-discovery
The labels of auto-discovered databases primarily come from the tags that are assigned to the original cloud resources, such as the resources tags of an Amazon RDS instance.
The following tags will override Teleport's default behavior if assigned to the original cloud resources:
Tag name | Description |
---|---|
TeleportDatabaseName | Overrides the name of the discovered database. |
teleport.dev/database_name | (AWS only, legacy) Overrides the name of the discovered database. TeleportDatabaseName is preferred. |
teleport.dev/db-admin | (AWS only) Specifies the name of the admin user for Automatic User Provisioning. |
teleport.dev/db-admin-default-database | (AWS only) Overrides the default database the admin user logs into for Automatic User Provisioning. |
Additionally, Teleport will generate certain labels derived from the cloud resource attributes:
Label name | Description |
---|---|
account-id | ID of the AWS account the resource resides in. |
endpoint-type | Type of the endpoint. See section below for more details. |
engine | Amazon RDS: engine type of the RDS instance or Aurora cluster. Amazon RDS Proxy: engine family of the proxy. Azure-hosted databases: resource type of the resource ID. |
engine-version | Database engine version, if available. |
namespace | Amazon Redshift Serverless namespace name. |
region | AWS region or Azure location. |
replication-role | The replication role of an Azure DB Flexible server. |
source-server | The source server of an Azure DB Flexible server replica. |
vpc-id | ID of the Amazon VPC the resource resides in, if available. |
workgroup | Amazon Redshift Serverless workgroup name. |
teleport.dev/discovery-type | Specifies the type of resource matched by the Teleport Discovery Service, e.g. "rds", "redshift", etc. |
endpoint-type
The following values are used to indicate the type of the database endpoint:
Database Type | Values |
---|---|
Amazon RDS instance | instance |
Amazon RDS Aurora cluster | one of primary , reader , custom |
Amazon RDS Proxy | one of READ_WRITE , READ_ONLY (custom endpoints only) |
Amazon Redshift Serverless | one of workgroup , vpc-endpoint |
Amazon ElastiCache | one of configuration , primary , reader , node |
Amazon MemoryDB | one of cluster , node |
Amazon OpenSearch | one of default , custom , vpc |
Azure Redis Enterprise | one of EnterpriseCluster , OSSCluster |
Manual and dynamic registration
Static labels and dynamic labels can be specified in labels
and
dynamic_labels
fields respectively in database definition. See
Configuration for reference.
Database Service on Amazon EC2
All registered databases can inherit the labels converted from the tags of the
EC2 instance running the Teleport Database Service. Labels created this way
will have the aws/
prefix. See Sync EC2
Tags for more details.