diff --git a/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx b/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx index 2fb8c7c1aac83..46f44bf3306ca 100644 --- a/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx +++ b/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx @@ -41,6 +41,19 @@ Note that the RDS database must have IAM authentication enabled. Refer to the [AWS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html) to make sure you are using the `rds_iam` role correctly. for more information. + +If the admin user needs to grant the `rds_superuser` role to auto-provisioned +users, the admin user must also be a `rds_superuser`: +```sql +GRANT rds_superuser TO "teleport-admin"; +``` + +For PostgreSQL 16+, you must grant the `ADMIN` option to the admin user for each +PostgreSQL role that Teleport will assign to your Teleport user. For example, to +allow the admin user to grant and revoke role `reader`: +```sql +GRANT reader TO "teleport-admin" WITH ADMIN OPTION; +``` The self-hosted PostgreSQL admin user must have X.509 authentication configured. @@ -49,6 +62,13 @@ The self-hosted PostgreSQL admin user must have X.509 authentication configured. CREATE USER "teleport-admin" login createrole; ``` +For PostgreSQL 16+, you must grant the `ADMIN` option to the admin user for each +PostgreSQL role that Teleport will assign to your Teleport user. For example, to +allow the admin user to grant and revoke role `reader`: +```sql +GRANT reader TO "teleport-admin" WITH ADMIN OPTION; +``` + Note that the database must be configured to accept client certificate auth for the admin user by having the following entries in `pg_hba.conf`: 
@@ -63,7 +83,13 @@ to ensure that your configuration is correct. -When [Database Access Controls](../rbac.mdx) feature is in use, the `teleport-admin` should have permissions to relevant database objects. For example: +When [Database Access Controls](../rbac.mdx) feature is in use, the +`teleport-admin` should have permissions to relevant database objects. You can +grant `teleport-admin` the `SUPERUSER` option for self-hosted databases, or the +`rds_superuser` role for RDS databases. + +For improved security through the principle of least privilege, you can also +assign permissions directly to specific database objects. For example: ```sql GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA schema1, schema2, schema3 TO "teleport-admin"; @@ -75,10 +101,6 @@ the database, which will be created automatically if it doesn't exist. (!docs/pages/includes/database-access/auto-user-provisioning/db-definition-default-dbname.mdx protocol="postgres" uri="localhost:5432" default="the same database that the user is accessing" !) - -(!docs/pages/includes/database-access/auto-user-provisioning/postgres15-grant-create.mdx!) - - ## Step 2/3. Configure a Teleport role Database permissions are associated with a Teleport role, which can either allocate predefined database roles (configured in each database) or define specific database object permissions directly. Teleport grants these permissions for the duration of the connection. @@ -169,10 +191,6 @@ Users created within the database will: ## Troubleshooting -### Permission denied for schema public error - -(!docs/pages/includes/database-access/auto-user-provisioning/postgres15-grant-create.mdx!) - ### User does not have CONNECT privilege error You may encounter the following error when the admin user or the roles assigned 
diff --git a/docs/pages/includes/database-access/auto-user-provisioning/postgres15-grant-create.mdx b/docs/pages/includes/database-access/auto-user-provisioning/postgres15-grant-create.mdx deleted file mode 100644 index 012fe0e585848..0000000000000 --- a/docs/pages/includes/database-access/auto-user-provisioning/postgres15-grant-create.mdx +++ /dev/null @@ -1,11 +0,0 @@ -PostgreSQL 15 revokes the `CREATE` permission from all users except a database -owner from the public (or default) schema. - -Grant the admin user `CREATE` privilege so the admin user can create procedures: -```sql -GRANT CREATE ON SCHEMA public TO "teleport-admin"; -``` - -If `admin_user.default_database` is specified, the `CREATE` privilege is only -required for the database specified in the `default_database`. Otherwise, you -have to repeat the privilege grant for every database Teleport will access.
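Review bot: In the first hunk of `postgres.mdx` (`@@ -41,6 +41,19 @@`), the new "For PostgreSQL 16+" paragraph states the requirement but not why it is version-specific; a half sentence noting that PostgreSQL 16 changed `CREATEROLE` so that it no longer lets a role grant membership in roles it does not administer would tell the reader why `WITH ADMIN OPTION` is now needed on top of the `createrole` attribute granted elsewhere on the page. While touching this block, the surrounding context line still ends with a dangling "to make sure you are using the `rds_iam` role correctly. for more information." which should be fixed in the same change.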
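Review bot: The second hunk of `postgres.mdx` (`@@ -49,6 +62,13 @@`) duplicates the PostgreSQL 16+ `ADMIN OPTION` paragraph and its `GRANT reader TO "teleport-admin" WITH ADMIN OPTION;` example verbatim from the RDS section above it. Since this patch already works with `docs/pages/includes/database-access/auto-user-provisioning/`, move the shared paragraph into a partial under that directory and include it from both the RDS and self-hosted sections, so the two copies cannot drift apart.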
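Review bot: The third hunk of `postgres.mdx` (`@@ -63,7 +83,13 @@`) recommends `SUPERUSER` / `rds_superuser` for `teleport-admin` first and presents the object-level grants as an optional "also", which inverts the least-privilege ordering the same paragraph invokes. Lead with the scoped `GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA ...` grants as the default and present superuser membership as the broader fallback; this also matches the earlier hunk, which ties `rds_superuser` for the admin only to the case where it must grant `rds_superuser` to provisioned users.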
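Review bot: The fourth hunk of `postgres.mdx` (`@@ -75,10 +101,6 @@`) drops the `(!...postgres15-grant-create.mdx!)` include from Step 1 without any replacement text, yet the deleted partial explains that PostgreSQL 15 revokes `CREATE` on the public schema and that the admin user needs it to create procedures. Nothing in the diff records why that grant is no longer required (for example, a change in where Teleport creates its procedures); please state the reason in the PR description or keep a one-line note on the page, otherwise readers on PostgreSQL 15 lose the guidance without knowing whether it still applies.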
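Review bot: The fifth hunk of `postgres.mdx` (`@@ -169,10 +191,6 @@`) removes the "Permission denied for schema public error" troubleshooting heading outright. If that error can still occur for users who have not applied the removed `GRANT CREATE ON SCHEMA public TO "teleport-admin";` step, keep the heading with a pointer to the new guidance rather than deleting it; removing a troubleshooting anchor also breaks any existing deep links to that section.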
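Review bot: The file deletion hunk for `postgres15-grant-create.mdx` (`@@ -1,11 +0,0 @@`) only removes the two includes shown in `postgres.mdx`; before merging, confirm no other page under `docs/pages/` still references `(!docs/pages/includes/database-access/auto-user-provisioning/postgres15-grant-create.mdx!)`, since a dangling include will break the docs build. The partial's last paragraph about `admin_user.default_database` limiting which databases need the grant is also useful information that disappears with the file; consider carrying it into the page if the default-database behaviour is unchanged.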