gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

DynamoDB database access requires region and dummy credentials #25063

Open Tener opened 1 year ago

Tener commented 1 year ago

Expected behavior:

When following https://goteleport.com/docs/database-access/guides/aws-dynamodb/, accessing DynamoDB should work without extra configuration. For example, to list tables:

  1. tsh proxy db --tunnel --port 8000 mydynamo --db-user=MyRole
  2. aws --endpoint-url http://localhost:8000/ dynamodb list-tables

Current behavior:

Dummy credentials and a real region must be configured.

aws --endpoint-url http://localhost:8000/ dynamodb list-tables

Unable to locate credentials. You can configure credentials by running "aws configure".

Dummy credentials satisfy the check and are not checked by the proxy.

aws --endpoint-url http://localhost:8000/ dynamodb list-tables

You must specify a region. You can also configure your region by running "aws configure".

At a minimum, we should update the guide with instructions: https://goteleport.com/docs/database-access/guides/aws-dynamodb/.

Ideally, we would secure the proxy with custom credentials, the same as in app access:

  > tsh proxy aws -p 23456
  Started AWS proxy on http://127.0.0.1:23456.

  Use the following credentials and HTTPS proxy setting to connect to the proxy:
    AWS_ACCESS_KEY_ID=abcd1234-this-is-an-example
    AWS_SECRET_ACCESS_KEY=zyxw9876-this-is-an-example
    AWS_CA_BUNDLE=<ca-bundle-path>
    HTTPS_PROXY=http://127.0.0.1:23456

Related issues:

Tener commented 1 year ago

cc @smallinsky @GavinFrazar

smallinsky commented 1 year ago

@Tener Thanks for finding this.

I think that this is not per se a test plan regression but rather a bug, because of the scenario where a user doesn't have any default AWS local profile configured in this env.

GavinFrazar commented 1 year ago

A workaround for this is to use --no-sign-request. We could support a credential check, but that will take some extra work since the db local proxy is plain TCP currently.
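The two workarounds discussed in this thread (the issue body's dummy credentials plus region, and the --no-sign-request option suggested above), as an added shell wrapper. This is example code written for this page, not code from the issue or from Teleport. It assumes the tunnel from the issue (tsh proxy db --tunnel --port 8000 mydynamo --db-user=MyRole) is already running and that the AWS CLI is installed; the value "placeholder" and the default region us-east-1 are arbitrary, and setting a region in --no-sign-request mode too is an assumption made to be safe rather than something the thread confirms.

```shell
#!/bin/sh
# Added example, not from the issue or from Teleport. Wraps the AWS CLI so a
# DynamoDB call through a `tsh proxy db --tunnel` listener gets past the CLI's
# "Unable to locate credentials" and "You must specify a region" checks.
# Assumptions: tunnel on 127.0.0.1:<port> as in the issue, aws CLI on PATH,
# "placeholder" and "us-east-1" are arbitrary values (the tunnel does not
# validate them, per the issue), and a region is set even with
# --no-sign-request to be safe.
set -eu

# Run an `aws dynamodb` subcommand through the tunnel with fake credentials.
# Real AWS_* keys in the caller's environment are deliberately overridden so
# a long-lived key is never used to sign requests that Teleport re-signs
# anyway with the requested database user's role.
# Usage: tsh_dynamo <tunnel-port> <dynamodb subcommand> [args...]
tsh_dynamo() {
  _port="$1"; shift
  AWS_ACCESS_KEY_ID="placeholder" \
  AWS_SECRET_ACCESS_KEY="placeholder" \
  AWS_DEFAULT_REGION="${AWS_DEFAULT_REGION:-us-east-1}" \
    aws --endpoint-url "http://127.0.0.1:${_port}/" dynamodb "$@"
}

# Same call using the --no-sign-request workaround from the thread, so no
# client-side credentials are involved at all. Whether the region is still
# required in this mode is an assumption; it is set here regardless.
# Usage: tsh_dynamo_nosign <tunnel-port> <dynamodb subcommand> [args...]
tsh_dynamo_nosign() {
  _port="$1"; shift
  AWS_DEFAULT_REGION="${AWS_DEFAULT_REGION:-us-east-1}" \
    aws --endpoint-url "http://127.0.0.1:${_port}/" --no-sign-request dynamodb "$@"
}

# When run directly: ./tsh-dynamo.sh [nosign] <tunnel-port> <subcommand> [args...]
# e.g. ./tsh-dynamo.sh 8000 list-tables
if [ "$#" -gt 0 ]; then
  if [ "$1" = "nosign" ]; then
    shift
    tsh_dynamo_nosign "$@"
  else
    tsh_dynamo "$@"
  fi
fi
```

Either wrapper only satisfies the CLI; as the thread notes, the tunnel itself is plain TCP and checks nothing, so any local process that can reach 127.0.0.1:8000 can use the session. That is the gap the issue's "ideally" paragraph describes, which tsh proxy aws already closes with its per-proxy credentials.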