gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Machine ID: Database Access host certificates #20056

Open timothyb89 opened 1 year ago

timothyb89 commented 1 year ago

What would you like Teleport to do?

Machine ID should be able to automate tctl auth sign --format=db ...

What problem does this solve?

Machine ID can already issue host certs with the ssh_host_cert config template. It would be useful if bots could issue these certs to avoid the need for long-lived certificates.

If a workaround exists, please include it.

The traditional tctl auth sign --format=db ... still works, but in practice requires users to set a long TTL.

timothyb89 commented 1 year ago

Unfortunately this hits a different RPC than regular host certs: https://github.com/gravitational/teleport/blob/14640c80de7a1ab26db0d70de31dc2bb27ff3d66/lib/client/db/database_certificates.go#L99

We can probably still leverage some of the host cert RBAC infrastructure, though.

pschisa commented 1 year ago

Would other database host certificate formats also be considered in this change? For example, tctl auth sign --format=cassandra and tctl auth sign --format=scylla.

strideynet commented 1 year ago

What

We currently require users to export the host CA to connect databases and complete setup. https://goteleport.com/docs/database-access/guides/redis/#step-45-set-up-mutual-tls

# Redis Example
tctl auth sign --format=redis --host=redis.example.com --out=server --ttl=2190h
# MySQL Example
tctl auth sign --format=db --host=db.example.com --out=server --ttl=2190h

It would be good if MachineID could be used to retrieve these certs

Copied from duplicate https://github.com/gravitational/teleport/issues/11358
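As an added example (not code from this issue or from Teleport itself), a small Go check that loads a database server certificate and flags a validity period longer than a rotation policy allows, which is the risk behind the 2190h TTL in the commands above. The server.crt file name and the 30-day threshold are assumptions, and the example constructs a self-signed certificate in place of a tctl-issued one so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// maxHostCertTTL is an assumed policy threshold for database host certificates.
const maxHostCertTTL = 30 * 24 * time.Hour

// parseServerCert decodes the first PEM certificate from data, e.g. the contents
// of server.crt as written by tctl auth sign --format=db --out=server (file name assumed).
func parseServerCert(data []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no PEM certificate found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// ttlExceeds returns the certificate's full validity period and whether it is
// longer than the policy limit.
func ttlExceeds(cert *x509.Certificate, limit time.Duration) (time.Duration, bool) {
	ttl := cert.NotAfter.Sub(cert.NotBefore)
	return ttl, ttl > limit
}

// selfSignedPEM builds a constructed self-signed certificate with the given
// validity, standing in for a tctl-issued server.crt in this example.
func selfSignedPEM(host string, ttl time.Duration) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now().Truncate(time.Second) // X.509 stores whole seconds
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now,
		NotAfter:     now.Add(ttl),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Running ttlExceeds over a certificate issued with --ttl=2190h reports it as exceeding the 30-day policy, which is the case Machine ID automation would remove.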