Getting Started with Access Lists
This guide will help you:
- Create an access list
- Assign a member to it
- Verify permissions granted through the list membership
Prerequisites for a self-hosted Teleport Enterprise cluster:
- A running Teleport Enterprise cluster. For details on how to set this up, see the Enterprise Getting Started guide.
- The tctl admin tool and the tsh client tool, version >= 14.2.0. You can download these tools by visiting your Teleport account. You can verify the tools you have installed by running the following commands:

```
tctl version
Teleport Enterprise v14.2.0 go1.21

tsh version
Teleport v14.2.0 go1.21
```

Prerequisites for Teleport Enterprise Cloud:
- A Teleport Enterprise Cloud account. If you do not have one, visit the signup page to begin a free trial of Teleport Team and upgrade to Teleport Enterprise Cloud.
- The tctl admin tool and the tsh client tool, version >= 14.1.3. To download these tools, visit the Downloads page. Verify the installed versions with:

```
tctl version
Teleport Enterprise v14.1.3 go1.21

tsh version
Teleport v14.1.3 go1.21
```

- To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. tctl is supported on macOS and Linux machines. For example:

```
tsh login --proxy=teleport.example.com --user=[email protected]
tctl status
CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
```

If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.
- A running Teleport cluster.
- A user with the preset editor role, which has permissions to create Access Lists.
One of the easiest ways to get resources on the cluster for testing is to set up a Teleport Application Service instance with the debugging application enabled. To do this, add the following config to your Teleport configuration file:

```yaml
app_service:
  enabled: yes
  debug_app: true
```

Then restart Teleport. The "dumper" app should show up in the resource list.
We need to create a simple test user that has only the requester role, which has no default access to anything within a cluster. This user will only be used for the purposes of this guide, so you may use another user if you so choose. If you would rather use your own user, skip to the next step.

Navigate to the management pane and select "Users." Click on "Create New User," fill in the name, and select requester as the role.

Click "Save," and then navigate to the provided URL in order to set up the credentials for your test user. Try logging into the cluster with the test user to verify that no resources show up in the resources page.
Next, we'll create a simple access list that will grant the access role to its members.

Log in as the administrative user mentioned in the prerequisites. Navigate to the management pane and click on access lists. Click on "Create an Access List."

Here, fill in a title and description, and grant the access role. Select a date in the future for the next

Under "List Owners" select editor as a required role, then add your administrative user under "Add Eligible List Owners." Selecting editor as a required role ensures that any owner of the list must hold the editor role in order to actually manage the list. If the user loses this role later, they will not be able to manage the list, though they will still be reflected as an owner.

Under "Members" select requester as a required role, then add your test user to the access list. Similar to the owner requirements, this ensures that any member of the list must hold the requester role in order to be granted the access described in this list. If the user loses this role later, they will not be granted the roles or traits described in the access list.

Finally, click "Create Access List" at the bottom of the page.
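The owner and member requirements above can be summarised as a small policy model. The following is an added example written for this guide, not Teleport's own code: it models a list that grants the access role, requires editor for owners and requester for members, and shows what happens when a user loses the required role. The AccessList class, user names and role sets are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class AccessList:
    """Constructed model of the list created in this guide."""
    title: str
    grants_roles: set            # roles granted to eligible members ("access")
    ownership_requires: set      # roles an owner must hold to manage the list ("editor")
    membership_requires: set     # roles a member must hold to receive the grants ("requester")
    owners: set = field(default_factory=set)
    members: set = field(default_factory=set)


def effective_roles(user: str, user_roles: set, acl: AccessList) -> set:
    """Roles the user ends up with: their own roles, plus the list's grants
    only while they are a member AND still hold every required membership role."""
    roles = set(user_roles)
    if user in acl.members and acl.membership_requires <= user_roles:
        roles |= acl.grants_roles
    return roles


def can_manage(user: str, user_roles: set, acl: AccessList) -> bool:
    """An owner may manage the list only while holding every required ownership role."""
    return user in acl.owners and acl.ownership_requires <= user_roles


def is_listed_owner(user: str, acl: AccessList) -> bool:
    """Ownership is still reflected even after the owner loses the required role."""
    return user in acl.owners


# Constructed sample matching the guide: grant "access", owners need "editor",
# members need "requester". User names are placeholders.
dumper_list = AccessList(
    title="dumper-access",
    grants_roles={"access"},
    ownership_requires={"editor"},
    membership_requires={"requester"},
    owners={"admin"},
    members={"testuser"},
)

if __name__ == "__main__":
    print(effective_roles("testuser", {"requester"}, dumper_list))  # {'requester', 'access'}
    print(effective_roles("testuser", set(), dumper_list))          # set(): lost "requester"
    print(can_manage("admin", {"editor"}, dumper_list))             # True
    print(can_manage("admin", set(), dumper_list), is_listed_owner("admin", dumper_list))  # False True
```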
Log in again as the test user. You should now see the dumper application contained within the cluster, and you should be able to interact with it as expected.
- Familiarize yourself with the CLI tooling available for managing access lists in the reference.