diff --git a/docs/pages/database-access/guides/mysql-self-hosted.mdx b/docs/pages/database-access/guides/mysql-self-hosted.mdx
index d4a9788beb88b..63b4eda176abe 100644
--- a/docs/pages/database-access/guides/mysql-self-hosted.mdx
+++ b/docs/pages/database-access/guides/mysql-self-hosted.mdx
@@ -131,48 +131,17 @@ tunnel.
### Start Database Service with Config File
-Below is an example of a database service configuration file that proxies
-a single self-hosted MySQL database:
-
-```yaml
-teleport:
- # The data_dir should be a different location if running on the same
- # machine as Teleport auth and proxy.
- data_dir: /var/lib/teleport-db
- nodename: teleport-db-instance
- # Teleport invitation token used to join a cluster.
- # can also be passed on start using --token flag
- auth_token: /tmp/token
- # Proxy address to connect to. Note that it has to be the proxy address
- # because database service always connects to the cluster over reverse
- # tunnel.
- auth_servers:
- - teleport.example.com:3080
-db_service:
- enabled: "yes"
- # This section contains definitions of all databases proxied by this
- # service, can contain multiple items.
- databases:
- # Name of the database proxy instance, used to reference in CLI.
- - name: "example"
- # Free-form description of the database proxy instance.
- description: "Example MySQL"
- # Database protocol.
- protocol: "mysql"
- # Database address, MySQL/MariaDB server endpoint in this case.
- #
- # Note: this URI's hostname must match the host name specified via --host
- # flag to tctl auth sign command.
- uri: "mysql.example.com:3306"
- # Labels to assign to the database, used in RBAC.
- static_labels:
- env: dev
-auth_service:
- enabled: "no"
-ssh_service:
- enabled: "no"
-proxy_service:
- enabled: "no"
+Generate a configuration file at `/etc/teleport.yaml` for the Database Service:
+
+```code
+$ teleport db configure create \
+ -o file \
+ --token=/tmp/token \
+ --proxy=teleport.example.com:3080 \
+ --name=test \
+ --protocol=mysql \
+ --uri=mysql.example.com:3306 \
+ --labels=env=dev
```
-
- Use this policy if your Teleport database agent runs as an IAM user (for
- example, uses AWS credentials file).
- ```json
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "redshift:DescribeClusters",
- "iam:GetUserPolicy",
- "iam:PutUserPolicy",
- "iam:DeleteUserPolicy"
- ],
- "Resource": "*"
- }
- ]
- }
- ```
-
-
- Use this policy if your Teleport database agent runs as an IAM role (for
- example, on an EC2 instance with attached IAM role).
- ```json
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "redshift:DescribeClusters",
- "iam:GetRolePolicy",
- "iam:PutRolePolicy",
- "iam:DeleteRolePolicy"
- ],
- "Resource": "*"
- }
- ]
- }
- ```
-
-
-
-### Create an IAM permission boundary for Teleport
-Since Teleport will be managing its own IAM policies for access to Redshift
-databases, you need to create a permission boundary to limit its effective
-range of permissions.
-
-Create another managed policy that will serve as a permission boundary on the
-same [Policies](https://console.aws.amazon.com/iamv2/home#/policies) page of
-the AWS Management Console.
-
-In addition to the set of permissions you created above, the boundary should
-also include `redshift:GetClusterCredentials`, which will grant your Teleport
-agent the permission to generate temporary credentials to authenticate with
-Redshift databases.
-
-Similar to the permission polices you created above, the exact set of required
-permissions for the permission boundary depends on the IAM identity your
-Teleport database agent will be using (IAM user or IAM role).
-
-
-
- Use this permission boundary if your Teleport database agent runs as an IAM
- user (for example, uses AWS credentials file).
- ```json
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "redshift:DescribeClusters",
- "redshift:GetClusterCredentials",
- "iam:GetUserPolicy",
- "iam:PutUserPolicy",
- "iam:DeleteUserPolicy"
- ],
- "Resource": "*"
- }
- ]
- }
- ```
-
-
- Use this permission boundary if your Teleport database agent runs as an IAM
- role (for example, on an EC2 instance with attached IAM role).
- ```json
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "redshift:DescribeClusters",
- "redshift:GetClusterCredentials",
- "iam:GetRolePolicy",
- "iam:PutRolePolicy",
- "iam:DeleteRolePolicy"
- ],
- "Resource": "*"
- }
- ]
- }
- ```
-
-
-
-### Attach the policy and boundary to an IAM identity
-(!docs/pages/includes/database-access/attach-iam-policies.mdx!)
-
-
- If you prefer to self-manage IAM for your Redshift databases, see [AWS
- reference](../reference/aws.mdx) for details.
-
-
-## Step 4/5. Start the database agent
-(!docs/pages/includes/database-access/token.mdx!)
-
-Create the database agent configuration e.g. in `/etc/teleport.yaml`:
-
-```yaml
-teleport:
- data_dir: /var/lib/teleport
- auth_token: /tmp/token
- auth_servers:
- - teleport.example.com:443 # Teleport proxy address to connect to
-auth_service:
- enabled: "no"
-proxy_service:
- enabled: "no"
-db_service:
- enabled: "yes"
- aws: # Matchers for registering AWS-hosted databases.
- - types: ["redshift"]
- regions: ["us-west-1"] # AWS regions to fetch databases from
- tags: # AWS database resource tags to match
- "*": "*"
-```
+(!docs/pages/includes/database-access/aws-bootstrap.mdx!)
-Start the database agent:
+## Step 5/6. Start the database agent
```code
$ teleport start --config=/etc/teleport.yaml
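Review bot: the hunk drops two security-relevant caveats with the old YAML and the new `teleport db configure create` invocation does not restate them. The removed comment "this URI's hostname must match the host name specified via --host flag to tctl auth sign command" is the reason the agent's client certificate validates against the MySQL server, and "The data_dir should be a different location if running on the same machine as Teleport auth and proxy" prevents two processes sharing one state directory; both belong in a sentence next to `--uri=mysql.example.com:3306` and `-o file`. The same hunk also deletes "### Create an IAM permission boundary for Teleport" together with its boundary policies and replaces them with `(!docs/pages/includes/database-access/aws-bootstrap.mdx!)`; nothing in the replacement mentions a boundary, so the guide loses the control that limited Teleport's self-managed IAM policies. Either state that `bootstrap` applies an equivalent limit or keep a pointer to the manual boundary guidance. Finally, `--name=test` replaces the old `name: "example"`; check that later `tsh db` commands in this guide still reference the right database name.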
@@ -195,7 +64,7 @@ may not propagate immediately and can take a few minutes to come into effect.
for more information.
-## Step 5/5. Connect
+## Step 6/6. Connect
Once the database agent has started and joined the cluster, log in to see the
registered databases. Replace `--proxy` with the address of your Teleport Proxy Service,
diff --git a/docs/pages/database-access/guides/postgres-self-hosted.mdx b/docs/pages/database-access/guides/postgres-self-hosted.mdx
index 162873d4190aa..dc50e9669424c 100644
--- a/docs/pages/database-access/guides/postgres-self-hosted.mdx
+++ b/docs/pages/database-access/guides/postgres-self-hosted.mdx
@@ -111,43 +111,17 @@ tunnel.
### Start Database service with config file
-Below is an example of a database service configuration file that proxies
-a single self-hosted PostgreSQL database:
-
-```yaml
-teleport:
- data_dir: /var/lib/teleport-db
- nodename: test
- # Proxy address to connect to. Note that it has to be the proxy address
- # because database service always connects to the cluster over reverse
- # tunnel.
- auth_servers:
- - teleport.example.com:3080
-db_service:
- enabled: "yes"
- # This section contains definitions of all databases proxied by this
- # service, can contain multiple items.
- databases:
- # Name of the database proxy instance, used to reference in CLI.
- - name: "example"
- # Free-form description of the database proxy instance.
- description: "Example PostgreSQL"
- # Database protocol.
- protocol: "postgres"
- # Database address, PostgreSQL server endpoint in this case.
- #
- # Note: this URI's hostname must match the host name specified via --host
- # flag to tctl auth sign command.
- uri: "postgres.example.com:5432"
- # Labels to assign to the database, used in RBAC.
- static_labels:
- env: dev
-auth_service:
- enabled: "no"
-ssh_service:
- enabled: "no"
-proxy_service:
- enabled: "no"
+Generate a configuration file at `/etc/teleport.yaml` for the Database Service:
+
+```code
+$ teleport db configure create \
+ -o file \
+ --token=/tmp/token \
+ --proxy=teleport.example.com:3080 \
+ --name=test \
+ --protocol=postgres \
+ --uri=postgres.example.com:5432 \
+ --labels=env=dev
```
-
- Use this policy if you're connecting to RDS instances and your Teleport
- database agent runs as IAM user (for example, uses AWS credentials file).
- ```json
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "rds:DescribeDBInstances",
- "rds:ModifyDBInstance",
- "iam:GetUserPolicy",
- "iam:PutUserPolicy",
- "iam:DeleteUserPolicy"
- ],
- "Resource": "*"
- }
- ]
- }
- ```
-
-
- Use this policy if you're connecting to RDS instances and your Teleport
- database agent runs as IAM role (for example, on an EC2 instance with
- attached IAM role).
- ```json
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "rds:DescribeDBInstances",
- "rds:ModifyDBInstance",
- "iam:GetRolePolicy",
- "iam:PutRolePolicy",
- "iam:DeleteRolePolicy"
- ],
- "Resource": "*"
- }
- ]
- }
- ```
-
-
- Use this policy if you're connecting to Aurora clusters and your Teleport
- database agent runs as IAM user (for example, uses AWS credentials file).
- ```json
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "rds:DescribeDBClusters",
- "rds:ModifyDBCluster",
- "iam:GetUserPolicy",
- "iam:PutUserPolicy",
- "iam:DeleteUserPolicy"
- ],
- "Resource": "*"
- }
- ]
- }
- ```
-
-
- Use this policy if you're connecting to Aurora clusters and your Teleport
- database agent runs as IAM role (for example, on an EC2 instance with
- attached IAM role).
- ```json
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "rds:DescribeDBClusters",
- "rds:ModifyDBCluster",
- "iam:GetRolePolicy",
- "iam:PutRolePolicy",
- "iam:DeleteRolePolicy"
- ],
- "Resource": "*"
- }
- ]
- }
- ```
-
-
-
-### Create IAM permission boundary for Teleport
-
-Since Teleport will be managing its own IAM policies for access to RDS and
-Aurora databases, you need to create a permission boundary to limit its
-effective range of permissions.
+(!docs/pages/includes/database-access/token.mdx!)
-Create another managed policy that will serve as a permission boundary on the
-same [Policies](https://console.aws.amazon.com/iamv2/home#/policies) page.
+Create the Database Service configuration:
-The boundary should have the same set of permissions as the IAM policy you
-created above, plus `rds-db:connect`.
+```code
+$ teleport db configure create \
+ -o file \
+ --proxy=teleport.example.com:3080 \
+ --token=/tmp/token \
+ --rds-discovery=us-west-1
+```
-
-
- Use this permission boundary policy if you're connecting to RDS instances and
- your Teleport database agent runs as IAM user (for example, uses AWS
- credentials file).
- ```json
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "rds:DescribeDBInstances",
- "rds:ModifyDBInstance",
- "iam:GetUserPolicy",
- "iam:PutUserPolicy",
- "iam:DeleteUserPolicy",
- "rds-db:connect"
- ],
- "Resource": "*"
- }
- ]
- }
- ```
-
-
- Use this permission boundary policy if you're connecting to RDS instances and
- your Teleport database agent runs as IAM role (for example, on an EC2 instance
- with attached IAM role).
- ```json
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "rds:DescribeDBInstances",
- "rds:ModifyDBInstance",
- "iam:GetRolePolicy",
- "iam:PutRolePolicy",
- "iam:DeleteRolePolicy",
- "rds-db:connect"
- ],
- "Resource": "*"
- }
- ]
- }
- ```
-
-
- Use this permission boundary policy if you're connecting to Aurora clusters
- and your Teleport database agent runs as IAM user (for example, uses AWS
- credentials file).
- ```json
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "rds:DescribeDBClusters",
- "rds:ModifyDBCluster",
- "iam:GetUserPolicy",
- "iam:PutUserPolicy",
- "iam:DeleteUserPolicy",
- "rds-db:connect"
- ],
- "Resource": "*"
- }
- ]
- }
- ```
-
-
- Use this permission boundary policy if you're connecting to Aurora clusters
- and your Teleport database agent runs as IAM role (for example, on an EC2
- instance with attached IAM role).
- ```json
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "rds:DescribeDBClusters",
- "rds:ModifyDBCluster",
- "iam:GetRolePolicy",
- "iam:PutRolePolicy",
- "iam:DeleteRolePolicy",
- "rds-db:connect"
- ],
- "Resource": "*"
- }
- ]
- }
- ```
-
-
+The command will generate a database agent configuration with RDS/Aurora
+database auto-discovery enabled on the `us-west-1` region and place it at the
+`/etc/teleport.yaml` location.
-### Attach the policy and boundary to an IAM identity
-(!docs/pages/includes/database-access/attach-iam-policies.mdx!)
+## Step 4/7. Create an IAM policy for Teleport
-
- If you prefer to self-manage IAM for your RDS databases, take a look at
- [AWS reference](../reference/aws.mdx) for details.
-
+Teleport needs AWS IAM permissions to be able to:
-## Step 4/6. Start the database agent
+- Discover and register RDS instances and Aurora clusters.
+- Configure IAM authentication for them.
-(!docs/pages/includes/database-access/token.mdx!)
+(!docs/pages/includes/database-access/aws-bootstrap.mdx!)
-Create the database agent configuration e.g. in `/etc/teleport.yaml`:
-
-```yaml
-teleport:
- data_dir: /var/lib/teleport
- auth_token: /tmp/token
- auth_servers:
- # Teleport proxy address to connect to.
- # For Teleport Cloud users, this will resemble mytenant.teleport.sh
- - teleport.example.com:3080
-auth_service:
- enabled: "no"
-proxy_service:
- enabled: "no"
-db_service:
- enabled: "yes"
- aws:
- - types: ["rds"]
- regions: ["us-west-1"] # AWS regions to fetch databases from
- tags: # AWS database resource tags to match
- "*": "*"
-```
+## Step 5/7. Start the database agent
Start the database agent:
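Review bot: the prose for the discovery command should say how broad the generated matcher is. The deleted YAML matched `tags: "*": "*"`, so "generate a database agent configuration with RDS/Aurora database auto-discovery enabled on the `us-west-1` region" silently registers every RDS instance and Aurora cluster in that region; readers should be told that and shown where in `/etc/teleport.yaml` to narrow the tag matcher before starting the agent. Two other details lost with the YAML are worth restating near `--proxy=teleport.example.com:3080`: the "For Teleport Cloud users, this will resemble mytenant.teleport.sh" hint, and the note that the database URI hostname must match the `--host` value given to `tctl auth sign`. Also, the `--token=/tmp/token` step now precedes "## Step 4/7. Create an IAM policy for Teleport", so the token include is consumed before the agent can do anything with it; confirm the token TTL is long enough for readers to finish the IAM step, or move the token include back before the start step.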
@@ -301,12 +75,11 @@ policies for the discovered databases. Keep in mind that AWS IAM changes may
not propagate immediately and can take a few minutes to come into effect.
- The Teleport database agent uses the default credential provider chain to find AWS
- credentials. See [Specifying Credentials](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials)
- for more information.
+ The Teleport Database Service uses the default
+ credential provider chain to find AWS credentials. See [Specifying Credentials](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials) for more information.
-## Step 5/6. Create database IAM user
+## Step 6/7. Create a database IAM user
Database users must allow IAM authentication in order to be used with Database
Access for RDS. See below how to enable it for your database engine.
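Review bot: terminology drifts within the same page. The admonition is changed to "The Teleport Database Service uses the default credential provider chain" while the surrounding headings and sentences still say "database agent" ("## Step 5/7. Start the database agent", "Create a database IAM user"). Pick one term for the page, or keep "Database Service" and fix the remaining occurrences in this PR so the rename is complete.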
@@ -339,7 +112,7 @@ Access for RDS. See below how to enable it for your database engine.
See [Creating a database account using IAM authentication](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html)
for more information.
-## Step 6/6. Connect
+## Step 7/7. Connect
Once the database agent has started and joined the cluster, login to see the
registered databases:
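Review bot: nit in the context line directly under the renumbered heading: "login to see the registered databases" uses the noun form; the MySQL guide in this same PR uses "log in to see the registered databases". Worth aligning while the heading is being touched.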
diff --git a/docs/pages/database-access/reference/aws.mdx b/docs/pages/database-access/reference/aws.mdx
index 6d862d2774300..9bf906be356eb 100644
--- a/docs/pages/database-access/reference/aws.mdx
+++ b/docs/pages/database-access/reference/aws.mdx
@@ -3,17 +3,224 @@ title: Database Access AWS IAM Reference
description: AWS IAM policies for Teleport database access.
---
-Teleport automatically discovers and configures IAM for RDS and Redshift given
-proper IAM permissions as described in the [AWS RDS & Aurora
-guide](../guides/rds.mdx) and the [AWS Redshift
-guide](../guides/postgres-redshift.mdx).
+## Auto-discovery
+With the appropriate IAM permissions, Teleport automatically discovers and
+configures IAM policies for Amazon RDS and Redshift.
+Teleport also requires permission to update database configurations, for example, to
+enable IAM authentication on RDS databases.
+
+You can generate and manage the permissions with the [`teleport db configure
+bootstrap`](../../database-access/reference/cli.mdx#teleport-db-configure-bootstrap)
+command. For example, the following command would generate and print the
+IAM policies:
+
+```code
+$ teleport db configure bootstrap --manual
+```
+
+Or if you prefer, you manage the IAM permissions yourself. Examples of policies
+for each discovery type are shown below.
+
+### Aurora/RDS
+
+
+
+ Use this policy if you're connecting to RDS instances and your Teleport
+ database agent runs as an IAM user (for example, uses an AWS credentials file).
+
+ Replace `{account-id}` with your AWS Account ID.
+ ```json
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "rds:DescribeDBInstances",
+ "rds:ModifyDBInstance"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetUserPolicy",
+ "iam:PutUserPolicy",
+ "iam:DeleteUserPolicy"
+ ],
+ "Resource": "arn:aws:iam::{account-id}:user/sample-user"
+ }
+ ]
+ }
+ ```
+
+
+ Use this policy if you're connecting to RDS instances and your Teleport
+ database agent runs as an IAM role (for example, on an EC2 instance with
+ an attached IAM role).
+
+ Replace `{account-id}` with your AWS Account ID.
+ ```json
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "rds:DescribeDBInstances",
+ "rds:ModifyDBInstance"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetRolePolicy",
+ "iam:PutRolePolicy",
+ "iam:DeleteRolePolicy"
+ ],
+ "Resource": "arn:aws:iam::{account-id}:role/sample-role"
+ }
+ ]
+ }
+ ```
+
+
+ Use this policy if you're connecting to Aurora clusters and your Teleport
+ database agent runs as an IAM user (for example, uses an AWS credentials file).
+
+ Replace `{account-id}` with your AWS Account ID.
+ ```json
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "rds:DescribeDBClusters",
+ "rds:ModifyDBCluster"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetUserPolicy",
+ "iam:PutUserPolicy",
+ "iam:DeleteUserPolicy"
+ ],
+ "Resource": "arn:aws:iam::{account-id}:user/sample-user"
+ }
+ ]
+ }
+ ```
+
+
+ Use this policy if you're connecting to Aurora clusters and your Teleport
+ database agent runs as an IAM role (for example, on an EC2 instance with
+ an attached IAM role).
+
+ Replace `{account-id}` with your AWS Account ID.
+ ```json
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "rds:DescribeDBClusters",
+ "rds:ModifyDBCluster"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetRolePolicy",
+ "iam:PutRolePolicy",
+ "iam:DeleteRolePolicy"
+ ],
+ "Resource": "arn:aws:iam::{account-id}:role/sample-role"
+ }
+ ]
+ }
+ ```
+
+
+
+### Redshift
+
+
+
+ Use this permission boundary if your Teleport database agent runs as an IAM
+ user (for example, it uses an AWS credentials file).
+
+ Replace `{account-id}` with your AWS Account ID.
+ ```json
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "redshift:DescribeClusters",
+ "redshift:GetClusterCredentials"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetUserPolicy",
+ "iam:PutUserPolicy",
+ "iam:DeleteUserPolicy"
+ ],
+ "Resource": "arn:aws:iam::{account-id}:user/sample-user"
+ }
+ ]
+ }
+ ```
+
+
+ Use this permission boundary if your Teleport database agent runs as an IAM
+ role (for example, on an EC2 instance with an attached IAM role).
+
+ Replace `{account-id}` with your AWS Account ID.
+ ```json
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "redshift:DescribeClusters",
+ "redshift:GetClusterCredentials",
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetRolePolicy",
+ "iam:PutRolePolicy",
+ "iam:DeleteRolePolicy"
+ ],
+ "Resource": "arn:aws:iam::{account-id}:role/sample-role"
+ }
+ ]
+ }
+ ```
+
+
+
+## Manual registration
If you prefer to register RDS or Redshift databases manually using a [static
configuration](./configuration.mdx) or
[`tctl`](../guides/dynamic-registration.mdx) and manage IAM yourself, example
IAM policies with the required permissions are shown below.
-## RDS or Aurora policy
+### RDS or Aurora policy
To connect to an RDS database, the database agent's IAM identity needs to have
`rds-db:connect` permissions for it:
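Review bot: the second Redshift policy is invalid JSON: `"redshift:GetClusterCredentials",` is followed directly by `]`, and AWS rejects trailing commas, so anyone pasting it gets a policy validation error. Two labelling problems in the same section: both Redshift blocks say "Use this permission boundary if your Teleport database agent runs as an IAM user/role" although the section intro and the Aurora/RDS blocks present these as policies, and the only placeholder called out is `{account-id}` while `sample-user` and `sample-role` in `"Resource": "arn:aws:iam::{account-id}:user/sample-user"` must also be replaced with the identity the agent actually runs as, otherwise `iam:PutUserPolicy` is granted on the wrong principal. Scoping the `iam:*Policy` actions to the agent's own identity is the right least-privilege shape; the note should also say that `rds:ModifyDBInstance` and `rds:ModifyDBCluster` on `"Resource": "*"` can be narrowed to the ARNs of the databases being discovered. Minor: "Or if you prefer, you manage the IAM permissions yourself" reads better as "you can manage".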
@@ -56,7 +263,7 @@ arn:aws:rds-db:::dbuser:/
See [Creating and using an IAM policy for IAM database access](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html)
for more information.
-## Redshift policy
+### Redshift policy
Teleport uses temporary credentials generated by AWS to authenticate with
Redshift databases.
diff --git a/docs/pages/database-access/reference/cli.mdx b/docs/pages/database-access/reference/cli.mdx
index dc77a23ce3721..d66839001b05a 100644
--- a/docs/pages/database-access/reference/cli.mdx
+++ b/docs/pages/database-access/reference/cli.mdx
@@ -38,6 +38,53 @@ $ teleport db start \
| `--gcp-project-id` | (Only for Cloud SQL) GCP Cloud SQL project identifier. |
| `--gcp-instance-id` | (Only for Cloud SQL) GCP Cloud SQL instance identifier.|
+## teleport db configure create
+
+Creates a sample Database Service configuration.
+
+```code
+$ teleport db configure create --rds-discovery=us-west-1 --rds-discovery=us-west-2
+$ teleport db configure create \
+ --token=/tmp/token \
+ --proxy=proxy.example.com:3080 \
+ --name=example \
+ --protocol=postgres \
+ --uri=postgres://postgres.example.com:5432 \
+ --labels=env=prod
+```
+
+| Flag | Description |
+| - | - |
+| `--proxy` | Teleport Proxy Service address to connect to. Default: `0.0.0.0:3080`. |
+| `--token` | Invitation token to register with the Auth Service. Default: none. |
+| `--rds-discovery` | List of AWS regions the agent will discover for RDS/Aurora instances. |
+| `--redshift-discovery` | List of AWS regions the agent will discover for Redshift instances. |
+| `--ca-pin` | CA pin to validate the Auth Service (can be repeated for multiple pins). |
+| `--name` | Name of the proxied database. |
+| `--protocol` | Proxied database protocol. Supported are: [postgres mysql mongodb cockroachdb redis sqlserver]. |
+| `--uri` | Address the proxied database is reachable at. |
+| `--labels` | Comma-separated list of labels for the database, for example env=dev,dept=it |
+| `-o/--output` | Write to stdout with `-o=stdout`, the default config file with `-o=file`, or a custom path with `-o=file:///path` |
+
+## teleport db configure bootstrap
+
+Bootstrap the necessary configuration for the database agent. It reads the provided agent configuration to determine what will be bootstrapped.
+
+```code
+$ teleport db configure bootstrap -c /etc/teleport.yaml --attach-to-user TeleportUser
+$ teleport db configure bootstrap -c /etc/teleport.yaml --attach-to-role TeleportRole
+$ teleport db configure bootstrap -c /etc/teleport.yaml --manual
+```
+
+| Flag | Description |
+| - | - |
+| `-c/--config` | Path to a configuration file. Default: `/etc/teleport.yaml`. |
+| `--manual` | When executed in "manual" mode, this command will print the instructions to complete the configuration instead of applying them directly. |
+| `--policy-name` | Name of the Teleport Database Service policy. Default: "DatabaseAccess" |
+| `--confirm` | Do not prompt the user and auto-confirm all actions. |
+| `--attach-to-role` | Role name to attach the policy to. Mutually exclusive with `--attach-to-user`. If none of the attach-to flags is provided, the command will try to attach the policy to the current user/role based on the credentials. |
+| `--attach-to-user` | User name to attach the policy to. Mutually exclusive with `--attach-to-role`. If none of the attach-to flags is provided, the command will try to attach the policy to the current user/role based on the credentials. |
+
## tctl auth sign
When invoked with a `--format=db` (or `--format=mongodb` for MongoDB) flag,
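Review bot: the `--uri` example here, `--uri=postgres://postgres.example.com:5432`, disagrees with both guides in this PR, which pass `--uri=postgres.example.com:5432`; settle on one accepted form and document whether the scheme is allowed. The default shown for `--proxy`, `0.0.0.0:3080`, is a listen address rather than a Proxy Service address to connect to; if that is really the default, say so and flag that it must always be overridden, because a generated config pointing at `0.0.0.0` is unusable. In the flag table, `--rds-discovery` and `--redshift-discovery` are repeatable (the example passes `--rds-discovery` twice) but the description "List of AWS regions the agent will discover for" does not say how to give several; "AWS region to discover RDS/Aurora instances in; repeat for multiple regions" would be clearer. For `bootstrap`, the `--attach-to-role` and `--attach-to-user` rows each end with the same sentence about falling back to the current identity; state it once above the table so the behaviour is not missed.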
diff --git a/docs/pages/includes/database-access/aws-bootstrap.mdx b/docs/pages/includes/database-access/aws-bootstrap.mdx
new file mode 100644
index 0000000000000..d055f3abc1648
--- /dev/null
+++ b/docs/pages/includes/database-access/aws-bootstrap.mdx
@@ -0,0 +1,47 @@
+Teleport can bootstrap IAM permissions for the Database Service based on its
+configuration using the `teleport db configure bootstrap` command. You can use
+this command in automatic or manual mode:
+- In automatic mode, Teleport will attempt to create appropriate IAM policies
+ and attach them to the specified IAM identity (user or role). This requires
+ IAM permissions to create and attach IAM policies.
+- In manual mode, Teleport will print required IAM policies. You can then create
+ and attach them manually using the AWS management console.
+
+
+ AWS Credentials are only required if you’re running the command in "automatic"
+ mode. The command uses the default credential provider chain to find AWS
+ credentials. See [Specifying Credentials](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials) for more information.
+
+
+
+
+ Use this command to bootstrap the permissions automatically when
+ your Teleport database agent runs as an IAM user (for example, uses an AWS
+ credentials file).
+
+ ```code
+ $ teleport db configure bootstrap -c /etc/teleport.yaml --attach-to-user TeleportUser
+ ```
+
+
+
+ Use this command to bootstrap the permissions automatically when
+ your Teleport database agent runs as an IAM role (for example, on an EC2
+ instance with an attached IAM role).
+
+ ```code
+ $ teleport db configure bootstrap -c /etc/teleport.yaml --attach-to-role TeleportRole
+ ```
+
+
+
+ Use this command to display required IAM policies which you will then create in your AWS console:
+
+ ```code
+ $ teleport db configure bootstrap -c /etc/teleport.yaml --manual
+ ```
+
+
+
+See the full `bootstrap` command
+[reference](../../database-access/reference/cli.mdx#teleport-db-configure-bootstrap).
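Review bot: `TeleportUser` and `TeleportRole` in `--attach-to-user TeleportUser` and `--attach-to-role TeleportRole` are placeholders but are never identified as such; a sentence saying to substitute the identity the Database Service runs under would prevent readers attaching the policy to a non-existent principal. The automatic-mode bullet says it "requires IAM permissions to create and attach IAM policies" without naming them; listing the exact IAM actions (or linking to the CLI reference that does) lets an operator grant them narrowly, and it is worth stating that those credentials should belong to the operator running `bootstrap`, not to the agent's own identity, since the agent has no reason to hold IAM-write permissions after setup. Small fixes: `you’re` uses a curly apostrophe, and "AWS management console" should be "AWS Management Console" as used elsewhere in the docs.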
diff --git a/docs/pages/includes/database-access/guides-next-steps.mdx b/docs/pages/includes/database-access/guides-next-steps.mdx
index 08a15db2a8e8a..d6c61171bb83b 100644
--- a/docs/pages/includes/database-access/guides-next-steps.mdx
+++ b/docs/pages/includes/database-access/guides-next-steps.mdx
@@ -1,3 +1,4 @@
- Learn how to [restrict access](../../database-access/rbac.mdx) to certain users and databases.
- View [High Availability (HA)](../../database-access/guides/ha.mdx) guide.
- Take a look at YAML configuration [reference](../../database-access/reference/configuration.mdx).
+- See the full CLI [reference](../../database-access/reference/cli.mdx).
diff --git a/docs/pages/kubernetes-access/helm/reference.mdx b/docs/pages/kubernetes-access/helm/reference.mdx
index bd695b85f7459..232b5717ad94c 100644
--- a/docs/pages/kubernetes-access/helm/reference.mdx
+++ b/docs/pages/kubernetes-access/helm/reference.mdx
@@ -1487,7 +1487,7 @@ You can specify multiple apps by adding additional list elements.
- For AWS database auto-discovery to work, your agent pods will need to use a role which has appropriate IAM permissions as per the [database documentation](../../database-access/guides/rds.mdx#step-36-configure-iam).
+ For AWS database auto-discovery to work, your agent pods will need to use a role which has appropriate IAM permissions as per the [database documentation](../../database-access/guides/rds.mdx#step-47-create-an-iam-policy-for-teleport).
After configuring a role, you can use an `eks.amazonaws.com/role-arn` annotation with the `annotations.serviceAccount` value to associate it with the service account and grant permissions:
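Review bot: the new anchor `#step-47-create-an-iam-policy-for-teleport` encodes the step number from the heading `## Step 4/7. Create an IAM policy for Teleport` added in this PR, so it will break the next time the RDS guide's steps are renumbered, exactly as the old `#step-36-configure-iam` just did. Confirm that the docs slug generator turns "Step 4/7." into `step-47` (the previous link suggests it does), and consider giving that heading a stable explicit id so the Helm reference does not need touching on every renumber.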