Date: 2025-06-25

Version: 17.x

Access Requests with Opsgenie

With Teleport's Opsgenie integration, engineers can access the infrastructure they need to resolve alerts quickly, without longstanding admin permissions that can become a vector for attacks.

Teleport's Opsgenie integration allows you to treat Teleport Role Access Requests as Opsgenie alerts, notify the appropriate on-call team, and approve or deny the requests via Teleport. You can also configure the plugin to approve Role Access Requests automatically if the user making the request is on the on-call team for a service affected by an alert.

This guide will explain how to set up Teleport's Access Request plugin for Opsgenie.

A Teleport Enterprise Cloud account.

The tctl admin tool and tsh client tool version >= 17.5.1. You can verify the tools you have installed by running the following commands:

```
tctl version
tsh version
```

You can download these tools by following the appropriate Installation instructions for your environment and Teleport edition.

An Opsgenie account with the ability to create API keys with the 'read' and 'create and update' access rights.

To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and [email protected] to your Teleport username:

```
tsh login --proxy=teleport.example.com --user=[email protected]
tctl status
```

If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

Create an Opsgenie team named teleport-access-request-notifications.

We will configure the Opsgenie plugin to create an alert for the teleport-access-request-notifications team when certain users create an Access Request.

The Teleport Opsgenie plugin works by receiving Access Request events from the Teleport Auth Service and, based on these events, interacting with the Opsgenie API.

To create the role, first navigate to Access -> Roles. Then select Create New Role and create the requester role.

```yaml
kind: role
version: v5
metadata:
  name: requester
spec:
  allow:
    request:
      roles: ['editor']
      thresholds:
        - approve: 1
          deny: 1
      annotations:
        teleport.dev/notify-services: ['teleport-access-request-notifications']
        teleport.dev/teams: ['teleport-team']
        teleport.dev/schedules: ['teleport-access-alert-schedules']
```

The teleport.dev/notify-services annotation specifies the schedules the alert will be created for. The teleport.dev/teams annotation specifies the teams the alert will be created for, which is useful when you have multiple schedules with escalations or an Opsgenie integration that only works with teams. The teleport.dev/schedules annotation specifies the schedules the plugin will check in order to auto-approve the Access Request if the requesting user is on-call.
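Because the teleport.dev/schedules annotation lets a request be approved without a human reviewer, it is worth listing which roles carry it. The following is an added example, not part of the Teleport documentation or plugin: it reads role definitions in the JSON shape produced by `tctl get roles --format=json` and reports where each role's alerts are routed and whether auto-approval applies. The `contractor` and `viewer` roles and the function names are assumptions made for illustration.

```python
import json

NOTIFY = "teleport.dev/notify-services"
TEAMS = "teleport.dev/teams"
SCHEDULES = "teleport.dev/schedules"

# Constructed sample shaped like `tctl get roles --format=json` output.
# "requester" is the role from this guide; the other two are hypothetical.
SAMPLE_ROLES = json.loads("""[
 {"kind": "role", "version": "v5", "metadata": {"name": "requester"},
  "spec": {"allow": {"request": {
    "roles": ["editor"], "thresholds": [{"approve": 1, "deny": 1}], "annotations": {
      "teleport.dev/notify-services": ["teleport-access-request-notifications"],
      "teleport.dev/teams": ["teleport-team"],
      "teleport.dev/schedules": ["teleport-access-alert-schedules"]}}}}},
 {"kind": "role", "version": "v5", "metadata": {"name": "contractor"},
  "spec": {"allow": {"request": {"roles": ["editor"]}}}},
 {"kind": "role", "version": "v5", "metadata": {"name": "viewer"}, "spec": {"allow": {}}}
]""")


def audit_role(role):
    """Summarise how Access Requests from holders of this role are handled."""
    request = (role.get("spec", {}).get("allow") or {}).get("request") or {}
    if not request.get("roles"):
        return None  # this role cannot request anything; nothing to review
    ann = request.get("annotations") or {}
    notes = []
    if ann.get(SCHEDULES):
        notes.append("auto-approved when the requester is on call")
    if not ann.get(NOTIFY):
        notes.append("alert goes to the plugin's default schedule")
    return {
        "role": role["metadata"]["name"],
        "can_request": request["roles"],
        "notify_schedules": ann.get(NOTIFY, []),
        "notify_teams": ann.get(TEAMS, []),
        "auto_approve_schedules": ann.get(SCHEDULES, []),
        "notes": notes,
    }


def audit(roles):
    """Return a summary for every role that can create Access Requests."""
    return [entry for entry in map(audit_role, roles) if entry is not None]


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ROLES), indent=2))
```

To run it against a real cluster, replace `SAMPLE_ROLES` with the parsed output of `tctl get roles --format=json`.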

Create a user called myuser who has the requester role. Later in this guide, you will create an Access Request as this user to test the Opsgenie plugin:

To create a user, first navigate to Management -> Access -> Users.

Then select 'Create New User' and create a user with the requester role.

Generate an API key that the Opsgenie plugin will use to create and modify alerts as well as list users, services, and on-call policies.

In your Opsgenie dashboard, go to SETTINGS → INTEGRATIONS

See https://support.atlassian.com/opsgenie/docs/create-a-default-api-integration/ for more details.

At this point, you have generated credentials that the Opsgenie plugin will use to connect to the Opsgenie API. To configure the plugin to use this API key, navigate to Management -> Integrations -> Enroll New Integration.

As the Teleport user myuser, create an Access Request for the editor role:

As an Admin

A Teleport admin can create an Access Request for another user with tctl:

```
tctl request create myuser --roles=editor
```

As a User

Users can use tsh to create an Access Request and log in with approved roles:

```
tsh request create --roles=editor
Seeking request approval... (id: 8f77d2d1-2bbf-4031-a300-58926237a807)
```

From the Web UI

Users can request access using the Web UI by visiting "Identity", clicking "Access Requests" and then "New Request".

In Opsgenie, you will see a new alert containing information about the Access Request in either the default schedule specified when enrolling the plugin, or in the schedules specified by the teleport.dev/notify-services annotation in the requester's role.

Once you receive an Access Request message, click the link to visit Teleport and approve or deny the request.

Reviewing from the command line

You can also review an Access Request from the command line:

As an Admin

```
tctl request approve REQUEST_ID
tctl request deny REQUEST_ID
```

As a User

```
tsh request review --approve REQUEST_ID
tsh request review --deny REQUEST_ID
```