Teleport and MinIO

[russjones]

Quickstart

If you want to quickly try Teleport with MinIO, you can run the following command to run MinIO using docker:

$ docker run -p 9000:9000 -p 9001:9001 \
     quay.io/minio/minio server /data --console-address ":9001"

This will launch MinIO and make port 9000 (API) and 9001 (Console) available to the host.

Next, connect to MinIO Web UI at http://localhost:9001 using the default credentials and create an API key by first clicking on "Access Keys" then "Create Access Key +".

Copy these over to ~/.aws/credentials so it looks something like the following.

$ cat ~/.aws/credentials
[default]
AWS_ACCESS_KEY_ID=0000000000000000
AWS_SECRET_ACCESS_KEY=11111111111111111111111111111111

Lastly, update the storage section of Teleport configuration like below and restart Teleport.

storage:
  # Use MinIO to store session recordings.
  audit_sessions_uri: "s3://teleport?endpoint=http://localhost:9000&insecure=true&disablesse=true&region=foo"

Teleport should now be using MinIO to store session recordings.

Using an existing MinIO installation

If you already have a MinIO installation, using Teleport is a one line configuration change. Specifically under the storage section look for the audit_sessions_uri field update the URL and query parameters accordingly.

storage:
  # Use MinIO to store session recordings.
  audit_sessions_uri: "s3://teleport?endpoint=https://minio.example.com:9000&insecure=false&disablesse=false&region=foo"

In the above example MinIO is available at https://minio.example.com on port 9000. Recordings will be stored in a bucket called teleport. The following query parameters are specified.

• insecure: Controls network connection security. This is false because MinIO is being being used over HTTPS. If you are accessing MinIO over plain HTTP, set this to true.
• disablesse: Control is Server-side Encryption (SSE) is enabled. This is false if you have configured MinIO to support server side encryption. If you do not want to use Server-side Encryption, set this to true.
• region: The region your bucket is in. This value can be anything.

Debugging

If something is not working, look at both Teleport and MinIO logs.

When inspecting Teleport logs, make sure to start Teleport with the --debug flag to capture as much information as possible for us to help support you.

When inspecting MinIO logs, use the mc admin trace {TARGET} command to turn on request tracing. This will help us understand what requests MinIO may be rejecting and why.

[gramunno]

A couple of comments using teleport v16.4.16 community edition and minio RELEASE.2024-10-13T13-34-11Z AGPLv3

1. I would make explicit that teleport runs under the root account, therefore instead of ~/.aws/credentials I would write in the above procedure /root/.aws/credentials

2. following the above procedure in the teleport log I've found the error
   ERRO [S3] "Failed to ensure that bucket \"teleport\" exists (NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors). S3 session uploads may fail. If you've set up the bucket already and gave Teleport write-only access, feel free to ignore this error." s3sessions/s3handler.go:394
   I fixed it following the second answer from here:
   https://serverfault.com/questions/973933/how-to-fix-nocredentialproviders-no-valid-providers-in-chain-deprecated,
   i.e. making all small letters in the credential file