
Application Access Role-Based Access Control

This article describes the access control concepts that are particularly relevant to Teleport Application Access: how labels are attached to applications, and how roles use those labels to allow or deny access.

Assigning labels to applications

Teleport Application Access uses labels to control access to the proxied web applications.

Teleport administrators can assign static and dynamic labels to apps in the app service configuration:

apps:
- name: "grafana"
  uri: "http://localhost:3000"
  # Static labels: fixed key/value pairs set in configuration.
  labels:
    env: "prod"
    group: "metrics"
  # Dynamic labels: Teleport re-runs each command on the given period and uses
  # the command's output as the label value.
  commands:
  - name: "arch"
    command: ["uname", "-p"]
    period: 1m0s

Because a dynamic label's value is whatever the command prints, and that value feeds directly into access decisions, only use commands whose output cannot be influenced by untrusted users or processes on the host running the app service.

Configuring application labels in roles

Teleport administrators can configure roles to allow or deny users' access to applications with specific labels using the app_labels property of the role's allow and deny sections. An application matches a selector only if every key listed in the selector is present on the app with an accepted value; "*" accepts any value. Deny rules always take precedence: if any of a user's roles denies an app, no allow rule in any role can grant it.

For example, this role will grant access to all applications from the group "metrics", except for the production ones:

kind: role
version: v4
metadata:
  name: dev
spec:
  allow:
    app_labels:
      group: "metrics"
  deny:
    app_labels:
      env: "prod"

Integrating with identity providers

You can configure roles to populate app label selectors dynamically from the claims and attributes (traits) that Teleport receives from the user's identity provider. This is done with template variables using the external prefix, which are expanded to the user's trait values when the role is evaluated.

For example, this role sets its env and group label values from the Okta user's attributes of the same names:

allow:
  app_labels:
    env: "{{external.env}}"
    group: "{{external.group}}"
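The decision logic that the two preceding sections describe, as an added worked example in Go that is not Teleport's own code: a simplified matcher that evaluates allow and deny app_labels selectors across all of a user's roles (deny wins), treats "*" as a wildcard, and expands {{external.<trait>}} templates from the user's identity-provider traits before matching. The types, function names, the exact-value comparison, the fail-closed handling of a missing trait, and the sample apps, roles and traits are all assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// App is a proxied application with its static and dynamic labels merged into one map.
type App struct {
	Name   string
	Labels map[string]string
}

// Role carries the app_labels selectors of a role's allow and deny sections.
// A selector maps a label key to the values it accepts; "*" accepts any value.
type Role struct {
	Name  string
	Allow map[string][]string
	Deny  map[string][]string
}

// traitRe matches a whole-value {{external.<name>}} template variable.
var traitRe = regexp.MustCompile(`^\{\{external\.([A-Za-z0-9_]+)\}\}$`)

// ExpandTraits replaces {{external.X}} templates in a selector with the user's trait
// values. A template whose trait is absent expands to no values, so that key can never
// match: the selector fails closed instead of widening to a wildcard (model assumption).
func ExpandTraits(sel map[string][]string, traits map[string][]string) map[string][]string {
	out := make(map[string][]string, len(sel))
	for key, vals := range sel {
		expanded := []string{}
		for _, v := range vals {
			if m := traitRe.FindStringSubmatch(v); m != nil {
				expanded = append(expanded, traits[m[1]]...) // nil when the trait is missing
			} else {
				expanded = append(expanded, v)
			}
		}
		out[key] = expanded
	}
	return out
}

// MatchLabels reports whether every selector key is present on the app with an accepted
// value. An empty selector matches nothing; "*": ["*"] matches every app.
func MatchLabels(sel map[string][]string, labels map[string]string) bool {
	if len(sel) == 0 {
		return false
	}
	if contains(sel["*"], "*") {
		return true
	}
	for key, vals := range sel {
		got, ok := labels[key]
		if !ok {
			return false
		}
		if !contains(vals, "*") && !contains(vals, got) {
			return false
		}
	}
	return true
}

func contains(vals []string, want string) bool {
	for _, v := range vals {
		if v == want {
			return true
		}
	}
	return false
}

// CheckAccess decides whether a user holding roles may reach app: a matching deny
// selector in any role refuses access before any allow selector is consulted.
func CheckAccess(app App, roles []Role, traits map[string][]string) bool {
	for _, r := range roles {
		if MatchLabels(ExpandTraits(r.Deny, traits), app.Labels) {
			return false
		}
	}
	for _, r := range roles {
		if MatchLabels(ExpandTraits(r.Allow, traits), app.Labels) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample data following the page's snippets, not real configuration.
	prod := App{"grafana", map[string]string{"env": "prod", "group": "metrics"}}
	dev := Role{Name: "dev", Allow: map[string][]string{"group": {"metrics"}},
		Deny: map[string][]string{"env": {"prod"}}}
	okta := Role{Name: "okta", Allow: map[string][]string{"env": {"{{external.env}}"}}}
	fmt.Println("dev -> grafana:", CheckAccess(prod, []Role{dev}, nil))                                           // false
	fmt.Println("okta env=prod -> grafana:", CheckAccess(prod, []Role{okta}, map[string][]string{"env": {"prod"}})) // true
}
```

The two properties worth carrying into real role design are visible in CheckAccess: a deny in any role is checked first and cannot be overridden by a broader allow elsewhere, and a trait-templated selector for a user whose identity provider sent no such attribute grants nothing rather than everything.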
