README
DynamoDB backend implementation for Teleport.
Introduction
This package enables the Teleport auth server to store its state and secrets in DynamoDB on AWS.
WARNING: Using DynamoDB involves a recurring charge from AWS.
The table created by the backend is provisioned with read/write capacity (this README states 5/5 units; the package constants default to 10/10, and both values can be set with read_capacity_units and write_capacity_units). This should be covered by the AWS free tier, but check your account's billing rather than assuming it.
Building
The DynamoDB backend is not enabled by default. To enable it you have to compile Teleport with the dynamodb build tag.
To build Teleport with DynamoDB enabled, run:
ADDFLAGS='-tags dynamodb' make teleport
Quick Start
Add this storage configuration in the teleport section of the config file (by default it's /etc/teleport.yaml):
teleport:
  storage:
    type: dynamodb
    region: eu-west-1
    table_name: teleport.state
    access_key: XXXXXXXXXXXXXXXXXXXXX
    secret_key: YYYYYYYYYYYYYYYYYYYYY
Replace region and table_name with your own settings. Teleport will create the table automatically.
AWS IAM Role
You can use an IAM role instead of hard-coded access and secret keys, and the IAM role is recommended: keys written into /etc/teleport.yaml are long-lived static credentials that anyone able to read the file can reuse from anywhere. You must attach a policy that allows the auth server to create the table and to create, get, update and delete items in it.
Example of a typical policy (change the region and account ID):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllAPIActionsOnTeleportAuth",
      "Effect": "Allow",
      "Action": "dynamodb:*",
      "Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/prod.teleport.auth"
    }
  ]
}
The Resource ARN pins the grant to a single table, so the table name in it (prod.teleport.auth here) must match the table_name in your storage section (teleport.state in the Quick Start above); otherwise the auth server is denied access at startup. dynamodb:* on one table ARN is already far narrower than a wildcard resource; you can tighten it further by listing only the actions the backend uses.
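As an added example (not part of the Teleport project or this README), the following Go program generates a policy of the same shape from the region and table_name of the storage section and checks that the policy's Resource really names the configured table, which catches the kind of mismatch between prod.teleport.auth and teleport.state shown on this page. The action list is the example's own assumption of the minimal set the backend needs, not taken from the project; verify it against the backend's actual SDK calls before using it.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Statement and Policy mirror the layout of the IAM policy document in the README.
type Statement struct {
	Sid      string   `json:"Sid"`
	Effect   string   `json:"Effect"`
	Action   []string `json:"Action"`
	Resource string   `json:"Resource"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// StorageConfig holds the two settings from the storage section that the policy
// depends on (hypothetical helper type for this example, not Teleport's DynamoConfig).
type StorageConfig struct {
	Region    string
	TableName string
}

// BackendActions is an assumed least-privilege set: the backend creates the table on
// first start and afterwards reads, writes, deletes and range-queries items. This
// list is the example's assumption, not taken from the project; verify it against
// the backend's real SDK calls before deploying.
var BackendActions = []string{
	"dynamodb:CreateTable",
	"dynamodb:DescribeTable",
	"dynamodb:GetItem",
	"dynamodb:PutItem",
	"dynamodb:UpdateItem",
	"dynamodb:DeleteItem",
	"dynamodb:Query",
	"dynamodb:Scan",
}

// TableARN returns the ARN of the one table the auth server may touch.
func TableARN(region, accountID, table string) string {
	return fmt.Sprintf("arn:aws:dynamodb:%s:%s:table/%s", region, accountID, table)
}

// PolicyFor builds a policy scoped to exactly the table named in the storage config.
func PolicyFor(cfg StorageConfig, accountID string) Policy {
	return Policy{
		Version: "2012-10-17",
		Statement: []Statement{{
			Sid:      "TeleportAuthDynamoDB",
			Effect:   "Allow",
			Action:   BackendActions,
			Resource: TableARN(cfg.Region, accountID, cfg.TableName),
		}},
	}
}

// PolicyCoversTable reports whether an Allow statement names the table's ARN exactly.
// A wildcard Resource would also work at runtime but is deliberately not accepted here.
func PolicyCoversTable(p Policy, region, accountID, table string) bool {
	want := TableARN(region, accountID, table)
	for _, s := range p.Statement {
		if s.Effect == "Allow" && s.Resource == want {
			return true
		}
	}
	return false
}

func main() {
	cfg := StorageConfig{Region: "eu-west-1", TableName: "teleport.state"}
	p := PolicyFor(cfg, "123456789012")
	out, err := json.MarshalIndent(p, "", "  ")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
	// The README's policy names prod.teleport.auth while its Quick Start config names
	// teleport.state; this check reports such a mismatch before deployment.
	fmt.Println("policy covers prod.teleport.auth:",
		PolicyCoversTable(p, cfg.Region, "123456789012", "prod.teleport.auth"))
}
```

Run it with the region, account ID and table_name of your deployment and attach the printed document to the auth server's instance role; the same PolicyCoversTable check is cheap to keep in a deployment test so a renamed table cannot silently outrun its policy.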
Get Help
This backend has been contributed by https://github.com/apestel
Documentation
Overview
Package dynamodb implements DynamoDBBackend, a DynamoDB storage backend for the Teleport auth service, similar to the etcd backend.
The dynamo package implements the DynamoDB storage back-end for the auth server. Originally contributed by https://github.com/apestel
Limitations:
- Paging is not implemented: DynamoDB returns at most 1 MB per Query or Scan response, so range operations such as GetKeys and GetItems see only the first 1 MB of matching items and anything beyond that is omitted without an error.
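A worked illustration of that limitation, added here and not part of the package: DynamoDB caps each Query or Scan response at 1 MB and signals remaining data with LastEvaluatedKey, which the caller must send back as ExclusiveStartKey. A range read that issues a single request therefore keeps only the first page. The fake table below is constructed for the example, with three small pages standing in for three 1 MB responses; no AWS call is made.

```go
package main

import "fmt"

// Page models one Query/Scan response. DynamoDB caps a response at 1 MB and, when
// data remains, returns LastEvaluatedKey for the caller to send back as
// ExclusiveStartKey. An empty LastEvaluatedKey means the result set is complete.
type Page struct {
	Keys             []string
	LastEvaluatedKey string
}

// FakeTable is a constructed stand-in for a DynamoDB table whose range read spans
// several responses; it never talks to AWS.
type FakeTable struct {
	pages []Page
}

// Query returns the page that follows exclusiveStartKey ("" requests the first page).
func (t *FakeTable) Query(exclusiveStartKey string) Page {
	if len(t.pages) == 0 {
		return Page{}
	}
	if exclusiveStartKey == "" {
		return t.pages[0]
	}
	for i, p := range t.pages {
		if p.LastEvaluatedKey == exclusiveStartKey && i+1 < len(t.pages) {
			return t.pages[i+1]
		}
	}
	return Page{}
}

// GetKeysFirstPageOnly behaves like a range read without paging: one request, and
// every key past the first response is dropped without any error being reported.
func GetKeysFirstPageOnly(t *FakeTable) []string {
	return t.Query("").Keys
}

// GetKeysPaged keeps issuing requests, feeding LastEvaluatedKey back in, until the
// table reports no further pages.
func GetKeysPaged(t *FakeTable) []string {
	var keys []string
	start := ""
	for {
		p := t.Query(start)
		keys = append(keys, p.Keys...)
		if p.LastEvaluatedKey == "" {
			return keys
		}
		start = p.LastEvaluatedKey
	}
}

// NewSampleTable builds a constructed three-page result set for a prefix read.
func NewSampleTable() *FakeTable {
	return &FakeTable{pages: []Page{
		{Keys: []string{"/nodes/a", "/nodes/b"}, LastEvaluatedKey: "/nodes/b"},
		{Keys: []string{"/nodes/c", "/nodes/d"}, LastEvaluatedKey: "/nodes/d"},
		{Keys: []string{"/nodes/e"}},
	}}
}

func main() {
	tbl := NewSampleTable()
	fmt.Println("single request:", GetKeysFirstPageOnly(tbl)) // 2 of 5 keys
	fmt.Println("paged:         ", GetKeysPaged(tbl))          // all 5 keys
}
```

The practical consequence for an operator is that any listing the auth server derives from a range read is only trustworthy while the matching items fit in one response; past that point the missing entries produce no error, so the size of each key prefix is worth watching.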
Copyright 2015 Gravitational, Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Index
- Constants
- func GetName() string
- func New(params backend.Params) (backend.Backend, error)
- type DynamoConfig
- type DynamoDBBackend
- func (b *DynamoDBBackend) AcquireLock(token string, ttl time.Duration) error
- func (b *DynamoDBBackend) Clock() clockwork.Clock
- func (b *DynamoDBBackend) Close() error
- func (b *DynamoDBBackend) CompareAndSwapVal(path []string, key string, val []byte, prevVal []byte, ttl time.Duration) error
- func (b *DynamoDBBackend) CreateVal(path []string, key string, val []byte, ttl time.Duration) error
- func (b *DynamoDBBackend) DeleteBucket(path []string, key string) error
- func (b *DynamoDBBackend) DeleteKey(path []string, key string) error
- func (b *DynamoDBBackend) GetItems(path []string) ([]backend.Item, error)
- func (b *DynamoDBBackend) GetKeys(path []string) ([]string, error)
- func (b *DynamoDBBackend) GetVal(path []string, key string) ([]byte, error)
- func (b *DynamoDBBackend) ReleaseLock(token string) error
- func (b *DynamoDBBackend) UpsertItems(bucket []string, items []backend.Item) error
- func (b *DynamoDBBackend) UpsertVal(path []string, key string, val []byte, ttl time.Duration) error
Constants
const (
	// BackendName is the name of this backend
	BackendName = "dynamodb"
	// DefaultReadCapacityUnits specifies default value for read capacity units
	DefaultReadCapacityUnits = 10
	// DefaultWriteCapacityUnits specifies default value for write capacity units
	DefaultWriteCapacityUnits = 10
)
Variables
This section is empty.
Functions
Types
type DynamoConfig
type DynamoConfig struct {
	// Region is where the DynamoDB table used to store k/v lives
	Region string `json:"region,omitempty"`
	// AccessKey is the AWS access key used to authenticate DynamoDB queries (prefer an IAM role over a hard-coded value)
	AccessKey string `json:"access_key,omitempty"`
	// SecretKey is the AWS secret key used to authenticate DynamoDB queries (prefer an IAM role over a hard-coded value)
	SecretKey string `json:"secret_key,omitempty"`
	// Tablename is the DynamoDB table in which K/V pairs are stored
	Tablename string `json:"table_name,omitempty"`
	// ReadCapacityUnits is the DynamoDB read capacity units
	ReadCapacityUnits int64 `json:"read_capacity_units"`
	// WriteCapacityUnits is the DynamoDB write capacity units
	WriteCapacityUnits int64 `json:"write_capacity_units"`
}
The DynamoConfig structure represents the DynamoDB configuration as it appears in the `storage` section of the Teleport YAML.
func (*DynamoConfig) CheckAndSetDefaults
func (cfg *DynamoConfig) CheckAndSetDefaults() error
CheckAndSetDefaults is a helper that returns an error if the supplied configuration is not sufficient to connect to DynamoDB.
type DynamoDBBackend
type DynamoDBBackend struct {
	*log.Entry
	DynamoConfig
	// contains filtered or unexported fields
}
DynamoDBBackend is the DynamoDB-backed implementation of backend.Backend.
func (*DynamoDBBackend) AcquireLock
func (b *DynamoDBBackend) AcquireLock(token string, ttl time.Duration) error
AcquireLock acquires the lock for a token; ttl bounds how long the lock is held.
func (*DynamoDBBackend) Clock
func (b *DynamoDBBackend) Clock() clockwork.Clock
Clock returns wall clock
func (*DynamoDBBackend) CompareAndSwapVal
func (b *DynamoDBBackend) CompareAndSwapVal(path []string, key string, val []byte, prevVal []byte, ttl time.Duration) error
CompareAndSwapVal compares the stored value with prevVal and, only if they match, replaces it with val in a single atomic operation.
func (*DynamoDBBackend) DeleteBucket
func (b *DynamoDBBackend) DeleteBucket(path []string, key string) error
DeleteBucket removes all keys under the given prefix. WARNING: DynamoDB has no bucket concept, so deleting a "bucket" means deleting its keys one by one; the operation is not atomic, and a failure part-way through leaves the remaining keys in place.
func (*DynamoDBBackend) DeleteKey
func (b *DynamoDBBackend) DeleteKey(path []string, key string) error
DeleteKey removes a key.
func (*DynamoDBBackend) GetItems
func (b *DynamoDBBackend) GetItems(path []string) ([]backend.Item, error)
GetItems returns the items under a path in a single batch.
func (*DynamoDBBackend) GetKeys
func (b *DynamoDBBackend) GetKeys(path []string) ([]string, error)
GetKeys retrieves all keys matching a specific path.
func (*DynamoDBBackend) GetVal
func (b *DynamoDBBackend) GetVal(path []string, key string) ([]byte, error)
GetVal retrieves the value stored under a key.
func (*DynamoDBBackend) ReleaseLock
func (b *DynamoDBBackend) ReleaseLock(token string) error
ReleaseLock releases the lock held for a token.
func (*DynamoDBBackend) UpsertItems
func (b *DynamoDBBackend) UpsertItems(bucket []string, items []backend.Item) error