Fixed "user is not managed" error when accessing ElastiCache and MemoryDB #30304

Merged
greedy52 merged 2 commits into master from STeve/30297_fix_managed_user
Aug 11, 2023

@greedy52 greedy52 commented Aug 10, 2023

Fixes #30297

$ tsh db connect --db-user teleport-readonly steve-cluster-redis
localhost:55328> acl whoami
(error) ERR Teleport: Could not connect to database: failed to get password for teleport-readonly: database user teleport-readonly is not managed. Make sure that IAM auth is enabled for ElastiCache user "teleport-readonly" and Teleport database agent's IAM policy has "elasticache:Connect" permissions (note that IAM changes may take a few minutes to propagate): { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "elasticache:Connect", "Resource": [ "arn:aws:elasticache:ca-central-1:<account>:replicationgroup:steve-cluster-redis", "arn:aws:elasticache:ca-central-1:<account>:user:*" ] } ] }
localhost:55328> 

We had a few recent changes (#29215, #29864) to make copies of database objects in Database Access. This broke ElastiCache/MemoryDB managed users as the internal tracking was relying on comparing database objects by pointer instead of by name.

Changed the internal tracking to cache by database.GetName() and added some extra handling when a database name is reused for a new database.
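
The failure mode described above, as an added example that is not part of the PR or Teleport's code: a tracker keyed by object pointer stops recognizing a managed user once the database object is copied, while a tracker keyed by name still matches. The `Database`, `byPointer`, `byName` and `entry` types are hypothetical, the endpoint is constructed, and comparing the URI to detect a reused name is an assumption, since the page does not show how the PR handles that case.

```go
package main

import "fmt"

// Database is a hypothetical stand-in for a database resource (not Teleport's type).
type Database struct{ Name, URI string }

func (d *Database) GetName() string { return d.Name }
func (d *Database) Copy() *Database { c := *d; return &c }

// byPointer tracks managed users by object identity: the fragile form.
type byPointer map[*Database][]string

func (t byPointer) isManaged(db *Database, user string) bool {
	return contains(t[db], user)
}

// entry remembers which database a name referred to (URI check is an assumption).
type entry struct{ uri string; users []string }

// byName tracks managed users by database name, so copies still match.
type byName map[string]entry

func (t byName) setup(db *Database, users []string) {
	t[db.GetName()] = entry{uri: db.URI, users: users}
}

func (t byName) isManaged(db *Database, user string) bool {
	e, ok := t[db.GetName()]
	// A reused name pointing at a different database must not inherit old users.
	return ok && e.uri == db.URI && contains(e.users, user)
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func main() {
	db := &Database{Name: "steve-cluster-redis", URI: "constructed.example:6379"}
	p, n := byPointer{db: {"teleport-readonly"}}, byName{}
	n.setup(db, []string{"teleport-readonly"})
	fmt.Println(p.isManaged(db.Copy(), "teleport-readonly"), n.isManaged(db.Copy(), "teleport-readonly"))
}
```

Both trackers fail closed on a miss, which is why the regression surfaced as a denied connection rather than as unintended access.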

@greedy52 greedy52 added bug aws Used for AWS Related Issues. db/redis backport/branch/v11 labels Aug 10, 2023
@greedy52 greedy52 self-assigned this Aug 10, 2023
@github-actions github-actions Bot added database-access Database access related issues and PRs size/sm labels Aug 10, 2023
Comment thread lib/srv/db/cloud/users/helpers.go Outdated
Comment thread lib/srv/db/cloud/users/users_test.go Outdated
Comment thread lib/srv/db/cloud/users/users_test.go Outdated
@greedy52 greedy52 added this pull request to the merge queue Aug 11, 2023
@greedy52 greedy52 changed the title Fix "user is not managed" error for ElastiCache and MemoryDB Fixed "user is not managed" error when accessing ElastiCache and MemoryDB Aug 11, 2023
Merged via the queue into master with commit 121f40f Aug 11, 2023
@greedy52 greedy52 deleted the STeve/30297_fix_managed_user branch August 11, 2023 13:52
@public-teleport-github-review-bot

@greedy52 See the table below for backport results.

Branch Result
branch/v11 Create PR
branch/v12 Create PR
branch/v13 Create PR

Successfully merging this pull request may close these issues.

tsh db connect fails with ElastiCache managed user "is not manged" error