gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Azure SQL Server connections via `teleport-kube-agent` running on AKS #33912

Open philip-teleport opened 1 year ago

philip-teleport commented 1 year ago

Applies To

Database Access with SQL Server on Azure

Details

The guide and integration focus on using an Azure Compute VM to host the Teleport Database Service and require that two managed identities (System-assigned and User-assigned) be assigned to the Azure Compute VM; see here.

The teleport-kube-agent running on Azure Kubernetes Service (AKS) can also host the database_service, but it is unclear whether this option is supported for Azure SQL Server: AKS does not use standalone “virtual machines” but “virtual machine scale sets”, and attempts to assign the managed identities to the AKS scale set have been unsuccessful.

How will we know this is resolved?

Documentation is updated to either:

  1. Confirm how to set up this integration with the database_service hosted by the teleport-kube-agent running on Azure Kubernetes Service (AKS); OR
  2. Confirm that this integration is limited to using an Azure Compute VM to host the database_service.

Related Issues

N/A

elythh commented 4 days ago

The Helm chart specification implies that it is possible: https://goteleport.com/docs/reference/helm-reference/teleport-kube-agent/#azuredatabases. However, it does not explain how to use a Managed Identity rather than an App Registration, when the latter isn't recommended for production environments:

Registering the Database Service as Azure AD application is suitable for test and development scenarios, or if your Database Service does not run on an Azure VM. For production scenarios prefer to use the managed identity approach.
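For reference, this is the shape of the chart values the comment above refers to, as an added example that is not part of the issue or of Teleport's own documentation. The key names (`roles`, `proxyAddr`, `authToken`, `azureDatabases` and its `types`/`regions`/`subscriptions`/`resource_groups`/`tags` fields) follow the linked chart reference; every concrete value (proxy address, token, region, subscription, resource group) is a placeholder assumption.

```yaml
# Added example values for the teleport-kube-agent Helm chart (not from the
# issue or from Teleport's docs). Key names follow the linked chart reference;
# all concrete values below are placeholders and must be replaced.
roles: db                              # run the Database Service in the agent pod
proxyAddr: teleport.example.com:443    # placeholder Teleport Proxy address
authToken: "<join-token>"              # placeholder; supply via a Kubernetes Secret in practice

# Auto-discover Azure SQL Server instances that match these filters.
azureDatabases:
  - types: ["sqlserver"]
    regions: ["eastus"]                                      # placeholder
    subscriptions: ["00000000-0000-0000-0000-000000000000"]  # placeholder
    resource_groups: ["rg-databases"]                        # placeholder
    tags:
      "*": "*"                                               # match any tag
```

These values only tell the agent which Azure SQL Server instances to look for. How the resulting Database Service authenticates to Azure from AKS (managed identity on the scale set versus an App Registration) is exactly the point this issue leaves open, and nothing in the values file settles it.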