Configure RBAC with Teleport

The Teleport integration provides secure and certificate-based access to SingleStore via the Teleport Database Service. This integration enables you to control access to SingleStore databases using role-based access control (RBAC) through the Teleport RBAC system.

How the Teleport Integration Works

Teleport uses a proxy service that routes traffic from database clients to the SingleStore database using mutual TLS (mTLS). Teleport maintains a certificate authority (CA) for database clients that issues short-lived certificates for user sessions. The Teleport Database Service presents certificates signed by this CA when proxying connections to the SingleStore database, which is configured to trust the Teleport database client CA.

The Teleport Database Service verifies the identity of the SingleStore databases by checking their TLS certificates against either the Teleport database CA or a custom CA configured for the database.

Teleport authenticates using mutual TLS (mTLS). When a user initiates a database session, the Teleport Database Service presents a Teleport-signed certificate to SingleStore. In turn, SingleStore presents its own certificate, signed by either the Teleport CA or a custom CA, so that the Database Service can verify the server. After successful mutual authentication, the Teleport Database Service routes client traffic to the SingleStore database using the same protocol and tools used to connect to MySQL Server.

Prerequisites

  • Install the tctl and tsh clients.

  • An active Teleport cluster that you can reach from your workstation. To test connectivity:

    • Run tsh login to sign in. For example:

      tsh login --proxy=<Teleport_cluster_endpoint> --user=<Teleport_username>
    • Run tctl status. Typically, if this command runs successfully, other tctl commands will run as expected.

  • An active SingleStore deployment with the "Upload a CA Bundle" feature enabled.

  • A host to run the Teleport Database Service.

  • Install the mariadb or mysql command-line client.

Configure the Teleport Connection

Perform the following tasks to configure the connection between Teleport and SingleStore:

  1. Create a Teleport database token.

  2. Export Teleport CA.

  3. Configure SingleStore.

  4. Create a local Teleport User.

  5. Configure and start Teleport Database Service.

  6. Connect to SingleStore.

Once the connection is successfully configured, use Teleport to manage access to the SingleStore databases.

Create a Teleport Database Token

The Teleport Database Service requires a token to connect to the Teleport cluster. Run the following command to generate a valid token:

tctl tokens add --type=db --format=text

Copy and store the generated token in /tmp/token on the server that will run the Teleport Database Service.

Export Teleport CA

To enable SingleStore to accept and validate client certificates issued by Teleport, export the Teleport CA and configure SingleStore to use it for client certificate verification.

Run the following command to export the Teleport CA bundle to a file, say teleport-db-client.pem:

tctl auth export --type=db-client > teleport-db-client.pem
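Before uploading the exported bundle it is worth confirming that the file actually contains certificates: if tctl fails, the shell redirection above still creates the file, possibly empty. The following script is an added example, not part of the SingleStore or Teleport documentation; it parses a PEM bundle into its DER certificates and rejects empty, truncated or non-base64 input. The embedded sample bundle is constructed for the example (its payloads are minimal DER SEQUENCEs, not real certificates); pass the path of teleport-db-client.pem as the first argument to check a real export.

```python
import base64
import re
import sys

# Constructed sample in the shape `tctl auth export --type=db-client` writes.
# The base64 payloads are tiny hand-made DER SEQUENCEs, not real certificates,
# so the example runs offline; a real bundle decodes the same way.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
"""

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def parse_pem_bundle(text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle.

    Raises ValueError for an empty export (no block at all), for a block
    whose body is not valid base64, and for a body that is not a DER
    SEQUENCE, which is what a truncated or non-certificate file looks like.
    """
    blocks = _PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError("no CERTIFICATE block found; the export may have failed")
    certs = []
    for index, body in enumerate(blocks, start=1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"certificate {index}: invalid base64") from exc
        # Every X.509 certificate is a DER SEQUENCE; its first byte is 0x30.
        if not der or der[0] != 0x30:
            raise ValueError(f"certificate {index}: not a DER SEQUENCE")
        certs.append(der)
    return certs


def describe_bundle(text: str) -> str:
    """One-line summary suitable for a pre-upload sanity check."""
    certs = parse_pem_bundle(text)
    sizes = ", ".join(str(len(c)) for c in certs)
    return f"{len(certs)} certificate(s); DER sizes: {sizes}"


if __name__ == "__main__":
    # With a path argument, check that file; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="ascii") as handle:
            source = handle.read()
    else:
        source = SAMPLE_BUNDLE
    print(describe_bundle(source))
```

A bundle with more than one certificate is normal after a Teleport CA rotation; whenever the database client CA is rotated, export it again and replace the bundle in SingleStore, or new sessions will fail client verification.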

Configure SingleStore

Upload the Teleport CA Bundle

Upload the exported Teleport CA bundle to SingleStore to enable client certificate verification for mTLS/X.509. Perform the following tasks:

  1. Log in to the Cloud Portal and select your deployment.

  2. On the Security tab, select Upload CA Bundle.

  3. Upload the teleport-db-client.pem file exported earlier.

Upon successful upload, the CA Bundle uploaded message is displayed. Additionally, you can view, replace, or delete a CA bundle.

Create/Update a Database User

Teleport uses a certificate to authenticate database users. Either create a new user or update an existing user to authenticate via a certificate. For example:

  • To create a new SingleStore database user:

    CREATE USER 'jane'@'%' REQUIRE SUBJECT '/CN=jane';

    Provide the necessary privileges to the new database user. For example:

    GRANT ALL PRIVILEGES ON dbTest.* TO 'jane';
  • Update an existing user:

    ALTER USER 'jane'@'%' REQUIRE SUBJECT '/CN=jane';
    -- Remove the password for the user
    SET PASSWORD FOR 'jane'@'%' = PASSWORD("");

Create a Local Teleport User

Use the tctl users add command to create a local Teleport user. For example:

tctl users add \
--roles=access \
--db-users="*" \
--db-names="*" \
jane

This command creates a local Teleport user named jane with the built-in access role and access to all the databases and database user names. Follow the instructions in the output to complete user setup.
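The SQL statements in the previous section and the tctl command above share one invariant: the CN pinned with REQUIRE SUBJECT must be exactly the database user name that Teleport will put into the certificate, which is the name later passed to --db-user. The following helper is an added example (not code from SingleStore or Teleport) that generates both from a single validated name, so the two cannot drift apart. It refuses any name outside a conservative identifier pattern rather than escaping it, and it scopes --db-users and --db-names to the specific user and databases instead of the "*" wildcards used above; the default GRANT is SELECT rather than ALL PRIVILEGES. The function names, the privilege allowlist and the identifier pattern are this example's own choices.

```python
import re
import shlex

# Conservative identifier shape for names that are interpolated into SQL and
# into a shell command line; anything else (quotes, spaces, comment markers,
# wildcards) is refused rather than escaped.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$")
# Allowlist used by this example; extend it deliberately rather than widely.
_PRIVILEGES = {"SELECT", "INSERT", "UPDATE", "DELETE", "ALL PRIVILEGES"}


def _checked(name: str) -> str:
    """Return name unchanged if it matches _SAFE_NAME, else raise ValueError."""
    if not _SAFE_NAME.match(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name


def certificate_user_sql(db_user: str, database: str,
                         privileges: str = "SELECT",
                         existing: bool = False) -> list[str]:
    """Statements that bind a SingleStore user to a Teleport-issued certificate.

    Teleport issues the client certificate with CN=<db-user>, so the SUBJECT
    pinned here must be exactly the name later passed to `tsh --db-user`.
    For an existing user the password is cleared so that the certificate
    becomes the only credential.
    """
    _checked(db_user)
    _checked(database)
    subject = f"'/CN={db_user}'"
    if existing:
        return [
            f"ALTER USER '{db_user}'@'%' REQUIRE SUBJECT {subject};",
            f"SET PASSWORD FOR '{db_user}'@'%' = PASSWORD(\"\");",
        ]
    wanted = {p.strip().upper() for p in privileges.split(",")}
    unknown = wanted - _PRIVILEGES
    if unknown:
        raise ValueError(f"unsupported privilege(s): {sorted(unknown)}")
    grant = ", ".join(sorted(wanted))
    return [
        f"CREATE USER '{db_user}'@'%' REQUIRE SUBJECT {subject};",
        f"GRANT {grant} ON {database}.* TO '{db_user}';",
    ]


def teleport_user_cmd(teleport_user: str, db_user: str,
                      databases: list[str]) -> str:
    """The matching `tctl users add` invocation, scoped to one database user
    and the listed databases instead of "*" wildcards."""
    _checked(teleport_user)
    _checked(db_user)
    names = ",".join(_checked(d) for d in databases)
    return shlex.join([
        "tctl", "users", "add",
        "--roles=access",
        f"--db-users={db_user}",
        f"--db-names={names}",
        teleport_user,
    ])


if __name__ == "__main__":
    # Constructed sample: onboard the user "jane" for the database "dbTest".
    for statement in certificate_user_sql("jane", "dbTest"):
        print(statement)
    print(teleport_user_cmd("jane", "jane", ["dbTest"]))
```

Run the printed SQL against SingleStore and the printed tctl command against the Teleport cluster; a Teleport user whose --db-users list does not contain the pinned CN cannot request a certificate for that database user, and a certificate whose CN differs from the pinned subject is refused by SingleStore even though it chains to the trusted CA.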

Configure and Start Teleport Database Service

Install and configure Teleport on the Linux server where Teleport Database Service will run.

Install on a Linux Server

  1. To install a Teleport Agent on a Linux server, run the Teleport cluster's install script. The script selects the correct version, edition, and installation mode for the cluster. For example:

    curl "https://<Teleport_cluster_hostname>:<port>/scripts/install.sh" | sudo bash

    Update the Teleport cluster hostname and port before running the command.

  2. Generate a configuration file at /etc/teleport.yaml for the Teleport Database Service.

    1. Download the SingleStore CA from https://portal.singlestore.com/static/ca/singlestore_bundle.pem.

    2. Run the following command to generate the configuration file. Specify the SingleStore CA file in the --ca-cert-file option.

      Note

      A single Teleport process can run multiple services. The following command overwrites any existing configuration file. If you're running multiple services, add --output=stdout to print the configuration in the terminal, and then manually adjust /etc/teleport.yaml.

      sudo teleport db configure create \
      -o file \
      --token=/tmp/token \
      --proxy=example.teleport.sh:443 \
      --name=example-singlestore \
      --protocol=mysql \
      --uri=<singlestore_endpoint>:3306 \
      --ca-cert-file="/path/to/singlestore_bundle.pem" \
      --labels=env=dev

      where:

      • --proxy: Host and port of the Teleport Proxy Service.

      • --uri: Endpoint of the SingleStore deployment.

        Refer to SingleStore Helios Endpoints to determine the endpoint (host:port) of your deployment.

  3. Configure the Teleport Database Service to automatically start when the system starts.

    • If Teleport is installed using a package manager, run the following commands:

      sudo systemctl enable teleport
      sudo systemctl start teleport
    • If Teleport is installed using a tar archive, run the following command:

      sudo teleport install systemd -o /etc/systemd/system/teleport.service
      sudo systemctl enable teleport
      sudo systemctl start teleport

    Run the systemctl status teleport command to view the status of the Teleport Database Service.

Connect to SingleStore

Once the Teleport Database Service is added to the cluster, run the following commands to log in to Teleport and view the databases accessible to the current user. For example:

tsh login --proxy=teleport.example.com --user=jane
tsh db ls
Name                Description         Labels
------------------- ------------------- -------
example-singlestore Example SingleStore env=dev

To connect to a database, run the tsh db connect command. For example:

tsh db connect --db-user=jane --db-name=<database> example-singlestore

This command retrieves the credentials for a database and connects to it. Additionally, you can connect to the database using the Web UI.

Note

The mysql or mariadb command-line client must be available in the system PATH to establish a connection. mariadb is the default command-line client for SingleStore.

To log out of a database and remove the credentials, run the following command:

# Remove credentials for a specific database instance.
tsh db logout <database-name>
# Remove credentials for all database instances.
tsh db logout

Last modified: December 11, 2025
