Fork me on GitHub

Teleport

Teleport Resource Access Requests

Improve

Just-in-time Access Requests are a feature of Teleport Enterprise.

Open-source Teleport users can get a preview of how Access Requests work by requesting a role via the Teleport CLI. Full Access Request functionality, including Resource Access Requests and an intuitive and searchable UI are available in Teleport Enterprise.

RBAC Setup

Teleport's role-based access control (RBAC) allows you to configure what roles users can request access to. In this example, we will define two roles:

  1. contractor: users with this role can request elevated access to the dba role
  2. dba: this role grants access to databases

There is no role for request approvers, because request approval rules can only be configured for Teleport Enterprise. In Open Source Teleport, approvals must be performed by running tctl on the Auth Server.

Contractor Role

Users with this role can request access to the dba role.

kind: role
version: v5
metadata:
  name: contractor
spec:
  allow:
    request:
      roles: ['dba']

Define this role in the file contractor-role.yaml and create it with tctl:

tctl create contractor-role.yaml

Use tctl to assign this role to a user (alice in this example):

tctl users update --set-roles \ $(tctl get users/alice --format=json | jq -r '.[].spec.roles | join(",")'),contractor alice

DBA Role

This role grants access to databases.

kind: role
version: v5
metadata:
  name: dba
spec:
  allow:
    db_labels:
      '*': '*'
  options:
    # Only allows the contractor to use this role for 1 hour from time of request.
    max_session_ttl: 1h

Define this role in the file dba-role.yaml and create it with tctl:

tctl create dba-role.yaml

Requesting Access

In OSS Teleport, requests are made from the tsh CLI. To create an access request, use the tsh request create command.

tsh request create \ --roles=dba \ --reviewers=bob \ --reason="performing DB migration tonight"

By default, this command will block until the request is approved. To submit the request without waiting for approval, add the --nowait flag.

Alternatively, tsh can automatically create an access request during the login process. To activate this behavior, specify the --request-roles flag:

tsh login --user=alice --request-roles=dba

Seeking request approval... (id: bc8ca931-fec9-4b15-9a6f-20c13c5641a9)

This will wait for the request to be approved, and then issue credentials with the dba role automatically when the request is approved.

To log in and submit the request without waiting for approval, add the --request-nowait flag. In this scenario, you will receive your regular roles upon login, and can elevate your access after the request is approved.

log in with an approved access request

tsh login --request-id=bc8ca931-fec9-4b15-9a6f-20c13c5641a9

You can list requests using tsh request ls.

tsh request ls

Token Requestor Metadata Created At (UTC) Status

------------------------------------ --------- -------------- ------------------- -------

bc8ca931-fec9-4b15-9a6f-20c13c5641a9 alice roles=dba 07 Nov 19 19:38 UTC PENDING

Reviewing requests

In OSS Teleport, Access Requests must be reviewed by a cluster administrator with the ability to run tctl on the Auth Server.

Administrators can list requests with tctl requests ls, and view the details of a particular request with tctl requests get <id>.

To approve or deny a request, use tctl request approve or tctl request deny. For example, to deny a request:

tctl request deny \ --reason="today's migration has been canceled" \ bc8ca931-fec9-4b15-9a6f-20c13c5641a9
Warning

Granting access to a role with the ability to edit other roles could allow a user to permanently upgrade their privileges. When reviewing requests, it's important to carefully consider the role(s) being requested and what permissions will be applied to the user if the request is approved.

Reviewers can approve the request while also overriding the set of roles in the request:

tctl request approve \ --roles="db-support" \ --reason="approved access to db-support, dba is not necessary" \ bc8ca931-fec9-4b15-9a6f-20c13c5641a9

Next Steps