27 changes: 27 additions & 0 deletions docs/pages/admin-guides/access-controls/guides/per-session-mfa.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -199,6 +199,32 @@ $ tsh db connect prod-mysql-instance
# mysql>
```

Jerry can also execute a query against multiple databases with a single MFA check
using the `tsh db exec` command:
```code
$ tsh db exec "select 1" --labels env=prod --db-user teleport-user --output-dir=logs
Searching databases ...
Found 2 database(s):

Name Description Protocol Labels
--------------------- ----------- -------- --------
prod-mysql-instance-1 mysql env=prod
prod-mysql-instance-2 mysql env=prod

Do you want to proceed with 2 database(s)? [y/N]: y
Executing command for "prod-mysql-instance-1". Output will be saved at "logs/prod-mysql-instance-1.output".
MFA is required to access Database "prod-mysql-instance-1"
Tap any security key
Detected security key tap
Executing command for "prod-mysql-instance-2". Output will be saved at "logs/prod-mysql-instance-2.output".

Summary: 2 of 2 succeeded.
Summary is saved at "logs/summary.json".
```

Note that each MFA check remains valid for up to 5 minutes. After the 5-minutes
window, a new MFA check will be requested for new connections.

</Admonition>

## Limitations
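
Review bot: In the closing note of this hunk, "After the 5-minutes window" should read "After the 5-minute window". The note should also spell out what the window means for `tsh db exec`: a run across many databases that lasts longer than 5 minutes will ask for MFA again partway through, which matters to anyone who starts the command and walks away. The sample output shows the security key tap only before `prod-mysql-instance-1`; one sentence pointing that out would let readers confirm the "single MFA check" claim from the transcript. As a style point, add a blank line between "using the `tsh db exec` command:" and the opening code fence.
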
Expand All @@ -213,6 +239,7 @@ Current limitations for this feature are:
[multi-port](../../../enroll-resources/application-access/guides/tcp.mdx#configuring-access-to-multiple-ports)
TCP application through [VNet](../../../connect-your-client/vnet.mdx), the first connection over
each port triggers an MFA check.
- For the `tsh db exec` command, only WebAuthn devices are supported.

## Next steps

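Review bot: The new bullet "only WebAuthn devices are supported" does not say what a user with another MFA device type sees when they run `tsh db exec`. State whether the command fails outright or behaves differently, so that admins who require per-session MFA know what to expect before rolling it out. Linking `tsh db exec` here to its section in the `tsh` reference would also help, since this guide shows only one invocation.
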
Original file line number Diff line number Diff line change
Expand Up @@ -295,13 +295,28 @@ Removes database resource called `database-resource-name`.

## tsh db ls

Lists available databases and their connection information.
Lists the databases available to the user based on
[RBAC](../../../enroll-resources/database-access/rbac.mdx) and their connection
information.

```code
# List all databases.
$ tsh db ls
# Search databases with keywords.
$ tsh db ls --search foo,bar
# Filter databases with labels.
$ tsh db ls key1=value1,key2=value2
# List databases from all clusters with extra fields.
$ tsh db ls --all -v
# Get database names using "jq".
$ tsh db ls --format json | jq -r '.[].metadata.name'
```

Displays only the databases a user has access to (see [RBAC](../../../enroll-resources/database-access/rbac.mdx)).
| Flag | Description |
| - | - |
| `--search` | List of comma separated search keywords or phrases enclosed in quotations (e.g. `--search=foo,bar,"some phrase"`). |
| `--query` | Query by predicate language enclosed in single quotes. (e.g. `--query='labels["key1"] == "value1" && labels["key2"] != "value2"')`. |
| `--format` | Format output (`text`, `json`, `yaml`). |

## tsh db login

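Review bot: In the `--query` row of the flag table, the closing parenthesis sits inside the code span (`... != "value2"')`), so a reader who copies the example picks up a stray `)`; move it outside the backticks. The examples above the table also use `--all`, `-v` and a positional `key1=value1,key2=value2` label filter, none of which the table describes; add rows for them or state that the table is partial. "comma separated" should be hyphenated as "comma-separated".
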
Expand Down Expand Up @@ -357,6 +372,36 @@ $ tsh db connect --db-user=alice --db-name=db --db-roles reader example

(!docs/pages/includes/db-user-name-flags.mdx!)

## tsh db exec

Execute database commands on target database services.
```code
# Search databases with labels.
$ tsh db exec "source my_script.sql" --db-user mysql --labels key1=value1,key2=value2
# Search databases with keywords.
$ tsh db exec "select 1" --db-user mysql --db-name mysql --search foo,bar
# Execute a command on specified target databases without confirmation.
$ tsh db exec "select @@hostname" --db-user mysql --dbs mydb1,mydb2,mydb3 --no-confirm
# Run commands in parallel, and save outputs to files.
$ tsh db exec "select 1" --db-user mysql --labels env=dev --parallel=5 --output-dir=exec-outputs
```

<Admonition type="note" title="Note">
Currently only PostgreSQL and MySQL databases are supported. Respective
database CLI clients (`psql`, `mysql`) should be available in PATH.
</Admonition>

| Flag | Description |
| - | - |
| `--db-user` | The database user to log in as. |
| `--db-name` | The database name to log in to. |
| `--db-roles` | List of comma separate database roles to use for auto-provisioned user. |
| `--dbs` | List of comma separated target database services. Mutually exclusive with `--search` or `--labels`. |
| `--search` | List of comma separated search keywords or phrases enclosed in quotations (e.g. `--search=foo,bar,"some phrase"`). |
| `--labels` | List of comma separated labels to filter by labels (e.g. `key1=value1,key2=value2`). |
| `--output-dir` | Directory to store command output per target database service. A summary is saved as "summary.json". |
| `--[no-]confirm` | Confirm selected database services before executing command. |

## tsh db env

Outputs environment variables for a particular database.
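
Review bot: The flag table omits `--parallel`, which the last example uses as `--parallel=5`; add a row for it, including its default. In the `--db-roles` row, "comma separate" should be "comma-separated". Because `--search` and `--labels` pick targets by match rather than by name, add one sentence saying that the confirmation prompt is where the matched set gets reviewed before the command runs, and that `--no-confirm` is best paired with an explicit `--dbs` list, as the example already does. The note on supported databases could also point to the WebAuthn-only limitation this PR adds to the per-session MFA guide. As a style point, add a blank line between "Execute database commands on target database services." and the opening code fence.
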