Teleport
Teleport Community Edition Role Access Requests
- Version 16.x
- Version 15.x
- Version 14.x
- Version 13.x
- Older Versions
Just-in-time Access Requests are a feature of Teleport Enterprise.
Teleport Community Edition users can get a preview of how Access Requests work by requesting a role using the Teleport CLI. Full Access Request functionality, including Resource Access Requests and an intuitive and searchable UI are available in Teleport Enterprise.
RBAC security setup
Teleport's role-based access control (RBAC) allows you to configure what roles users can request access to. In this example, we will define two roles:
contractor: users with this role can request elevated access to thedbaroledba: this role grants access to databases
There is no role for request approvers, because request approval rules can only
be configured for Teleport Enterprise. In Teleport Community Edition, approvals must
be performed by running tctl on the Auth Server.
Contractor role
Users with this role can request access to the dba role.
kind: role
version: v5
metadata:
name: contractor
spec:
allow:
request:
roles: ['dba']
Define this role in the file contractor-role.yaml and create it with tctl:
tctl create contractor-role.yaml
Use tctl to assign this role to a user (alice in this example):
tctl users update --set-roles \ $(tctl get users/alice --format=json | jq -r '.[].spec.roles | join(",")'),contractor alice
DBA role
This role grants access to databases.
kind: role
version: v5
metadata:
name: dba
spec:
allow:
db_labels:
'*': '*'
options:
# Only allows the contractor to use this role for 1 hour from time of request.
max_session_ttl: 1h
Define this role in the file dba-role.yaml and create it with tctl:
tctl create dba-role.yaml
Requesting Access
In Teleport Community Edition, requests are made from the tsh CLI. To create an access
request, use the tsh request create command.
tsh request create \ --roles=dba \ --reviewers=bob \ --reason="performing DB migration tonight"
By default, this command will block until the request is approved. To submit the
request without waiting for approval, add the --nowait flag.
Alternatively, tsh can automatically create an access request during the login
process. To activate this behavior, specify the --request-roles flag:
tsh login --user=alice --request-roles=dbaSeeking request approval... (id: bc8ca931-fec9-4b15-9a6f-20c13c5641a9)
This will wait for the request to be approved, and then issue credentials with
the dba role automatically when the request is approved.
To log in and submit the request without waiting for approval, add the
--request-nowait flag. In this scenario, you will receive your regular roles
upon login, and can elevate your access after the request is approved.
log in with an approved access request
tsh login --request-id=bc8ca931-fec9-4b15-9a6f-20c13c5641a9
You can list requests using tsh request ls.
tsh request lsToken Requestor Metadata Created At (UTC) Status
------------------------------------ --------- -------------- ------------------- -------
bc8ca931-fec9-4b15-9a6f-20c13c5641a9 alice roles=dba 07 Nov 19 19:38 UTC PENDING
Reviewing requests
In Teleport Community Edition, Access Requests must be reviewed by a cluster administrator
with the ability to run tctl on the Auth Server.
Administrators can list requests with tctl requests ls, and view the details
of a particular request with tctl requests get <id>.
To approve or deny a request, use tctl request approve or tctl request deny.
For example, to deny a request:
tctl request deny \ --reason="today's migration has been canceled" \ bc8ca931-fec9-4b15-9a6f-20c13c5641a9
Granting access to a role with the ability to edit other roles could allow a user to permanently upgrade their privileges. When reviewing requests, it's important to carefully consider the role(s) being requested and what permissions will be applied to the user if the request is approved.
Reviewers can approve the request while also overriding the set of roles in the request:
tctl request approve \ --roles="db-support" \ --reason="approved access to db-support, dba is not necessary" \ bc8ca931-fec9-4b15-9a6f-20c13c5641a9
Next Steps
- Learn more about Access Requests
- See what additional features are available for role requests in Teleport Enterprise
- Request access to specific resources with Teleport Enterprise