# Configure RBAC with Teleport

The Teleport integration provides secure, certificate-based access to SingleStore via the Teleport Database Service. It lets you control who can reach which SingleStore databases, and as which database user, through Teleport's role-based access control (RBAC).

## How the Teleport Integration Works

Teleport places a proxy between database clients and the SingleStore database and secures that hop with mutual TLS (mTLS). Teleport maintains a certificate authority (CA) for database clients that issues short-lived certificates for each user session. When proxying a connection, the Teleport Database Service presents a certificate signed by this CA; the SingleStore database is configured to trust the Teleport database client CA, so it can authenticate the connection and map the certificate to a database user.

In the other direction, the Teleport Database Service verifies the identity of the SingleStore database by checking its TLS certificate against either the Teleport database CA or a custom CA configured for that database.

After both sides have authenticated, the Teleport Database Service relays client traffic to SingleStore over the same protocol used to connect to MySQL Server, so the usual MySQL-compatible tools work unchanged.

## Prerequisites

* Install the [tctl](https://goteleport.com/docs/reference/cli/tctl/) and [tsh](https://goteleport.com/docs/connect-your-client/tsh/) clients.
* Install [SingleStore Toolbox](https://docs.singlestore.com/db/v9.1/user-and-cluster-administration/cluster-management-with-tools/singlestore-toolbox.md), which provides the `sdb-admin` command used below.
* An active Teleport cluster that you can reach from the machine where you run `tctl`. To test connectivity:

  * Run `tsh login` to sign in. For example:
    ```shell
    tsh login --proxy=<Teleport_cluster_endpoint> --user=<Teleport_username>
    ```
  * Run `tctl status`. If this command succeeds, other `tctl` commands will typically run as expected.
* An active SingleStore deployment running SingleStore database version 9.0.12 or later.
* A host to run the Teleport Database Service.
* Install the `mariadb` or `mysql` command-line client.
* (Optional) A custom certificate authority, if you do not want SingleStore's server certificate to be issued by the Teleport CA.
* (Optional) [Install Helm](https://helm.sh/docs/intro/install/) to install the Teleport Database Service on a Kubernetes cluster.

## Configure the Teleport Connection

Perform the following tasks to configure the connection between Teleport and SingleStore:

1. Create a Teleport database token.

2. Create a certificate/key pair.

3. Configure SingleStore.

4. Create a local Teleport User.

5. Configure and start Teleport Database Service.

6. Connect to SingleStore.

Once the connection is successfully configured, use Teleport to manage access to the SingleStore databases.

## Create a Teleport Database Token

The Teleport Database Service needs a join token to register with the Teleport cluster. Run the following command to generate one:

```shell
tctl tokens add --type=db --format=text
```

Copy the generated token into `/tmp/token` on the host that will run the Teleport Database Service, and restrict the file's permissions so that only the account that runs Teleport can read it. The token is valid for a limited time (one hour by default; adjust it with the `--ttl` option), so generate it shortly before you start the service.

## Create a Certificate/Key Pair

The SingleStore database must trust the CA that issues the certificates the Teleport Database Service presents, and the Teleport Database Service must trust the CA that issued SingleStore's server certificate. The steps below use the Teleport CA for both. Alternatively, you can configure the Teleport Database Service to trust a custom CA for the database's server certificate.

### Use Teleport CA

To configure the SingleStore database to trust the Teleport CA and issue a certificate for the database, perform the following tasks:

1. Running `tctl auth sign --format=db` requires the Teleport user to impersonate the built-in `Db` system role. Add the following `allow` rule to the Teleport user's role:
   ```yaml
   allow:
     impersonate:
       users: ["Db"]
       roles: ["Db"]
   ```

2. Run the following command to export the Teleport CA and generate a certificate/key pair for the SingleStore server. Set `--host` to the hostname at which the Teleport Database Service reaches the SingleStore server (the same host you will later pass in `--uri`, because the Database Service validates the server certificate against that name) and `--ttl` to the certificate validity period. Plan to regenerate and redeploy the certificate before the validity period ends.
   ```shell
   tctl auth sign --format=db --host=<hostname> --out=server --ttl=<validity>
   ```
   This command creates 3 files:

   * `server.cas`: the Teleport CA certificates
   * `server.crt`: the server certificate issued for `<hostname>`
   * `server.key`: the corresponding private key; keep it readable only by the SingleStore process

3. Export the Teleport Database CA public certificate and merge it with `server.cas` to produce the bundled certificate file that the SingleStore database will trust.
   ```shell
   # Teleport database CA in PEM form
   tctl auth export --type=db > teleport-db-ca.pem
   # One file containing every CA certificate SingleStore should trust
   cat server.cas teleport-db-ca.pem > teleport-bundle.pem
   ```

## Configure SingleStore

### Enable TLS Connections

Run the following commands to enable TLS connections for SingleStore. Update the path to the respective file before running each command; each node reads the files from its own filesystem, so place them at the same path on every node.

```shell
# Server certificate and private key generated by `tctl auth sign`
sdb-admin update-config --key ssl_cert --value /path/to/server.crt --all --yes
sdb-admin update-config --key ssl_key --value /path/to/server.key --all --yes
# CA bundle SingleStore trusts for its TLS configuration
sdb-admin update-config --key ssl_ca --value /path/to/teleport-bundle.pem --all --yes
# CA bundle used to validate the client certificates presented by the Teleport Database Service
sdb-admin update-config --key ssl_ca_for_client_cert --value /path/to/teleport-bundle.pem --all --yes

# Restart the database to apply updates
sdb-admin restart-node --all --yes
```
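Before running the `sdb-admin` commands, it is worth confirming that the files produced in the previous section fit together. The following script is an added example for this page, not part of the SingleStore or Teleport documentation; it assumes the `openssl` CLI is installed and uses placeholder file names and the host `s2.example.com`. It checks that `server.key` belongs to `server.crt`, that `server.crt` chains to a CA in `teleport-bundle.pem`, that its subject alternative name contains the host you will pass to Teleport in `--uri`, and that it is not about to expire; it also lists which CAs the bundle would make SingleStore trust for client certificates. The demo data at the end is constructed from throwaway certificates so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the SingleStore or Teleport documentation): preflight
# checks for the files that the sdb-admin commands above point at. Requires the
# `openssl` CLI. File names and the host s2.example.com are placeholders.

# preflight_db_cert CERT KEY BUNDLE HOST [MIN_DAYS]
# Returns 0 when every check passes, 1 otherwise; failures are reported on stderr.
preflight_db_cert() {
  cert=$1; key=$2; bundle=$3; host=$4; min_days=${5:-30}
  rc=0
  for f in "$cert" "$key" "$bundle"; do
    [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 1; }
  done

  # 1. The private key must belong to the certificate: compare the public keys.
  if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "FAIL: $key is not the private key for $cert" >&2; rc=1
  fi

  # 2. The server certificate must chain to a CA in the bundle that SingleStore
  #    is told to trust (ssl_ca); otherwise the restart leaves TLS misconfigured.
  if ! openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to a CA in $bundle" >&2; rc=1
  fi

  # 3. The SAN must list the host the Teleport Database Service dials (--uri);
  #    Teleport validates the server certificate against that name.
  if ! openssl x509 -in "$cert" -noout -text | grep -qE "DNS:${host}(,|$)"; then
    echo "FAIL: $cert has no subjectAltName entry for $host" >&2; rc=1
  fi

  # 4. Warn before the --ttl given to `tctl auth sign` runs out; an expired
  #    server certificate breaks every Teleport session to the database.
  if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "FAIL: $cert expires within $min_days days" >&2; rc=1
  fi
  return $rc
}

# list_bundle_cas BUNDLE
# Prints subject and expiry of every certificate in a PEM bundle on stderr and
# the count on stdout. Every CA in ssl_ca_for_client_cert can mint client
# certificates that SingleStore accepts, so the list should contain only
# Teleport's CAs.
list_bundle_cas() {
  bundle=$1; tmp=$(mktemp -d); n=0
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{i++} i{print > (dir "/ca" i ".pem")}' "$bundle"
  for f in "$tmp"/ca*.pem; do
    [ -f "$f" ] || continue
    n=$((n + 1))
    openssl x509 -in "$f" -noout -subject -enddate >&2
  done
  rm -rf "$tmp"
  echo "$n"
}

# make_demo_certs DIR HOST
# Constructed test data so the checks run offline: a throwaway CA, a server
# certificate it signed for HOST, and a bundle that also holds a second,
# unrelated CA (standing in for the merged teleport-db-ca.pem + server.cas).
# In real use server.crt/server.key/teleport-bundle.pem come from `tctl auth sign`.
make_demo_certs() {
  dir=$1; host=$2
  keyopts="-newkey rsa:2048 -nodes -sha256"
  openssl req -x509 $keyopts -days 400 -subj "/CN=demo-db-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req $keyopts -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 400 -sha256 -extfile "$dir/san.cnf" \
    -out "$dir/server.crt" 2>/dev/null
  openssl req -x509 $keyopts -days 400 -subj "/CN=demo-db-client-ca" \
    -keyout "$dir/ca2.key" -out "$dir/ca2.crt" 2>/dev/null
  cat "$dir/ca.crt" "$dir/ca2.crt" > "$dir/bundle.pem"
}

# Demo run on the constructed data; against the real files the call is
#   preflight_db_cert server.crt server.key teleport-bundle.pem s2.example.com 30
DEMO=$(mktemp -d)
make_demo_certs "$DEMO" s2.example.com
preflight_db_cert "$DEMO/server.crt" "$DEMO/server.key" "$DEMO/bundle.pem" s2.example.com 30 \
  && echo "preflight OK"
echo "CAs in bundle: $(list_bundle_cas "$DEMO/bundle.pem" 2>/dev/null)"
```

Run it with the real file names after `tctl auth sign` and before `sdb-admin update-config`; a non-zero exit means the restart would leave SingleStore with a key that does not match its certificate, a certificate Teleport rejects for the host in `--uri`, or one that is about to expire.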

### Create/Update a Database User

Teleport authenticates database users with a client certificate whose subject common name (CN) is the database user name passed to `tsh db connect --db-user`. Either create a new user or update an existing user so that it requires that certificate subject instead of a password. For example:

* To create a new SingleStore database user:
  ```sql
  -- The required subject must match the CN Teleport puts in the client
  -- certificate, i.e. the name given in --db-user
  CREATE USER 'jane'@'%' REQUIRE SUBJECT '/CN=jane';
  ```
  Grant the new database user the privileges it needs, scoped to the databases it should reach. For example:
  ```sql
  GRANT ALL PRIVILEGES ON dbTest.* TO 'jane';
  ```
* Update an existing user:
  ```sql
  ALTER USER 'jane'@'%' REQUIRE SUBJECT '/CN=jane';

  -- Remove the password so the certificate is the only way to authenticate
  SET PASSWORD FOR 'jane'@'%' = PASSWORD("");
  ```

## Create a Local Teleport User

Use the `tctl users add` command to create a local Teleport user. For example:

```shell
tctl users add \
  --roles=access \
  --db-users="*" \
  --db-names="*" \
  jane
```

This command creates a local Teleport user named `jane` with the built-in `access` role and permission to connect to any database as any database user name. Follow the instructions in the output to complete user setup. For least privilege, replace the `*` wildcards with the specific database user names and database names `jane` should be able to use, or assign a dedicated role that scopes `db_labels`, `db_users` and `db_names`.

## Configure and Start Teleport Database Service

Install and configure Teleport on the host where Teleport Database Service will run, using either of the following:

* Linux server
* Kubernetes cluster

### Install on a Linux Server

1. To install a Teleport Agent on a Linux server, run the Teleport cluster's install script. The script selects the correct version, edition, and installation mode for the cluster. For example:
   ```shell
   curl "https://<Teleport_cluster_hostname>:<port>/scripts/install.sh" | sudo bash
   ```
   Update the Teleport cluster hostname and port before running the command. Because the script runs as root, download it to a file and review it first if your policy does not allow piping remote scripts into a shell.

2. Generate a configuration file at `/etc/teleport.yaml` for the Teleport Database Service. Update `example.teleport.sh:443` in the command to the host and port of the Teleport Proxy Service, and set `--uri` to the endpoint (`host:port`) of the SingleStore deployment. The host in `--uri` must match the `--host` used when the server certificate was signed. For example:
   > **📝 Note**: This command configures the Teleport Database Service to use the Teleport CA. A single Teleport process can run multiple services, and the following command overwrites any existing configuration file. If you are running multiple services on this host, use `-o stdout` instead of `-o file` to print the generated configuration in the terminal, and then merge it into `/etc/teleport.yaml` manually.
   ```shell
   sudo teleport db configure create \
      -o file \
      --token=/tmp/token \
      --proxy=example.teleport.sh:443 \
      --name=example-singlestore \
      --protocol=mysql \
      --uri=s2.example.com:3306 \
      --labels=env=dev
   ```

3. Configure the Teleport Database Service to automatically start when the system starts.

   * If Teleport is installed using a package manager, run the following commands:
     ```shell
     sudo systemctl enable teleport
     sudo systemctl start teleport
     ```
   * If Teleport is installed using a tar archive, run the following command:
     ```shell
     sudo teleport install systemd -o /etc/systemd/system/teleport.service
     sudo systemctl enable teleport
     sudo systemctl start teleport
     ```

   Run the `systemctl status teleport` command to view the status of the Teleport Database Service.

### Install on a Kubernetes Cluster

Teleport provides Helm charts to install the Teleport Database Service on a Kubernetes cluster.

1. Configure Helm to fetch the Teleport charts from the Teleport Helm repository. Run the following command:
   ```shell
   helm repo add teleport https://charts.releases.teleport.dev
   ```

2. Run the following command to refresh the local Helm cache:
   ```shell
   helm repo update
   ```

3. Install a Teleport Agent in the Kubernetes cluster with the Teleport Database Service configuration. Create a `values.yaml` file with the required configuration.

   The following configures the Teleport Database Service to use the Teleport CA. Update the host and port of the Teleport Proxy Service and the endpoint of the SingleStore deployment. Replace `JOIN_TOKEN` with the Teleport database token created in the Create a Teleport Database Token section above; the token is short-lived, so install the chart promptly after creating it, and treat `values.yaml` as a secret while it contains the token.
   ```yaml
   roles: db
   proxyAddr: example.teleport.sh
   # Set to false if using Teleport Community Edition
   enterprise: true
   authToken: "JOIN_TOKEN"
   databases:
     - name: example-singlestore
       uri: s2.example.com:3306
       protocol: mysql
       static_labels:
         env: dev
   ```

4. Install the chart.
   ```shell
   helm install teleport-kube-agent teleport/teleport-kube-agent \
     --create-namespace \
     --namespace teleport-agent \
     --version 18.2.10 \
     -f values.yaml
   ```

5. Run the following command to verify that the Teleport Agent is running:
   ```shell
   kubectl -n teleport-agent get pods
   ```
   ```output
   NAME                    READY   STATUS    RESTARTS   AGE
   teleport-kube-agent-0   1/1     Running   0          32s
   ```

## Connect to SingleStore

Once the Teleport Database Service has joined the cluster, log in to Teleport and list the databases accessible to the current user. For example:

```shell
tsh login --proxy=example.teleport.sh --user=jane

tsh db ls
```

```output
Name                Description         Labels
------------------- ------------------- -------
example-singlestore Example SingleStore env=dev
```

To connect to a database, run the `tsh db connect` command. For example:

```shell
tsh db connect --db-user=jane --db-name=<database> example-singlestore
```

This command retrieves the credentials for a database and connects to it. Additionally, you can connect to the database using the Web UI.

> **📝 Note**: The `mysql` or `mariadb` command-line client must be available in the system `PATH` to establish a connection. `mariadb` is the default command-line client for SingleStore.

To log out of a database and remove the credentials, run the following command:

```shell
# Remove credentials for a specific database instance.
tsh db logout <database-name>

# Remove credentials for all database instances.
tsh db logout
```

***

Modified at: November 11, 2025

Source: [/db/v9.1/load-data/integrate-with-singlestore/configure-rbac-with-teleport/](https://docs.singlestore.com/db/v9.1/load-data/integrate-with-singlestore/configure-rbac-with-teleport/)

