Resource Access Requests

Report an Issue

Is this page helpful?

How can we improve this page?

With Teleport Resource Access Requests, users can request access to specific resources without needing to know anything about the roles or RBAC controls used under the hood. The Access Request API makes it easy to dynamically approve or deny these requests.

Just-in-time Access Requests are a feature of Teleport Enterprise. Teleport Community Edition users can get a preview of how Access Requests work by requesting a role via the Teleport CLI. Full Access Request functionality, including Resource Access Requests and an intuitive and searchable UI are available in Teleport Enterprise.

Prerequisites

• A running Teleport Enterprise cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

• The tctl and tsh clients.

  Installing tctl and tsh clients

  1. Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service:

     TELEPORT_DOMAIN=teleport.example.com:443
     TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"

  2. Follow the instructions for your platform to install tctl and tsh clients:

     Mac

     Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients:

     curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg

     In Finder double-click the pkg file to begin installation.

     danger

     Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

     Windows - Powershell

     curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip
     Unzip the archive and move the `tctl` and `tsh` clients to your %PATH%
     NOTE: Do not place the `tctl` and `tsh` clients in the System32 directory, as this can cause issues when using WinSCP.
     Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\<username>) instead.

     Linux

     All of the Teleport binaries in Linux installations include the tctl and tsh clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page.

     curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz
     tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz
     cd teleport
     sudo ./install
     Teleport binaries have been copied to /usr/local/bin

• To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and [email protected] to your Teleport username:

  tsh login --proxy=teleport.example.com --user=[email protected]
  tctl status
  Cluster  teleport.example.com
  Version  18.6.0
  CA pin   sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678

  If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

Step 1/6. Grant roles to users

The built-in requester and reviewer roles have permissions to, respectively, open and review Access Requests. Grant the requester and reviewer roles to existing users, or create new users to test this feature. Make sure the requester has a valid login so that they can view and access SSH nodes.

For the rest of the guide we will assume that the requester role has been granted to a user named alice and the reviewer role has been granted to a user named bob.

1. Assign the requester role to a user named alice:

   Assign the requester role to alice by running the appropriate commands for your authentication provider:

   Local User

   1. Retrieve your local user's roles as a comma-separated list:

      ROLES=$(tsh status -f json | jq -r '.active.roles | join(",")')

   2. Edit your local user to add the new role:

      tctl users update $(tsh status -f json | jq -r '.active.username') \  --set-roles "${ROLES?},requester"

   3. Sign out of the Teleport cluster and sign in again to assume the new role.

   GitHub

   1. Open your github authentication connector in a text editor:

      tctl edit github/github

   2. Edit the github connector, adding requester to the teams_to_roles section.

      The team you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the team must include your user account and should be the smallest team possible within your organization.

      Here is an example:

        teams_to_roles:
          - organization: octocats
            team: admins
            roles:
              - access
      +       - requester
      

   3. Apply your changes by saving closing the file in your editor.

   4. Sign out of the Teleport cluster and sign in again to assume the new role.

   SAML

   1. Retrieve your saml configuration resource:

      tctl get --with-secrets saml/mysaml > saml.yaml

      Note that the --with-secrets flag adds the value of spec.signing_key_pair.private_key to the saml.yaml file. Because this key contains a sensitive value, you should remove the saml.yaml file immediately after updating the resource.

   2. Edit saml.yaml, adding requester to the attributes_to_roles section.

      The attribute you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization.

      Here is an example:

        attributes_to_roles:
          - name: "groups"
            value: "my-group"
            roles:
              - access
      +       - requester
      

   3. Apply your changes:

      tctl create -f saml.yaml

   4. Sign out of the Teleport cluster and sign in again to assume the new role.

   OIDC

   1. Retrieve your oidc configuration resource:

      tctl get oidc/myoidc --with-secrets > oidc.yaml

      Note that the --with-secrets flag adds the value of spec.signing_key_pair.private_key to the oidc.yaml file. Because this key contains a sensitive value, you should remove the oidc.yaml file immediately after updating the resource.

   2. Edit oidc.yaml, adding requester to the claims_to_roles section.

      The claim you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization.

      Here is an example:

        claims_to_roles:
          - name: "groups"
            value: "my-group"
            roles:
              - access
      +       - requester
      

   3. Apply your changes:

      tctl create -f oidc.yaml

   4. Sign out of the Teleport cluster and sign in again to assume the new role.

2. Repeat these steps to assign the reviewer role to a user named bob.

tip

Consider defining custom roles to limit the scope of a requester or reviewer's permissions. Read the Access Request Configuration guide for available options.

Step 2/6. Search for resources

First, log in as alice.

tsh login --proxy teleport.example.com --user alice

Notice that tsh ls returns an empty list, because alice does not have access to any resources by default.

tsh ls
Node Name Address Labels--------- ------- ------

Then try searching for all available ssh nodes.

tsh request search --kind node
Name                                 Hostname    Labels       Resource ID------------------------------------ ----------- ------------ ------------------------------------------------------b1168402-9340-421a-a344-af66a6675738 iot         test=test    /teleport.example.com/node/b1168402-9340-421a-a344-af66a6675738bbb56211-7b54-4f9e-bee9-b68ea156be5f node        test=test    /teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f
To request access to these resources, run> tsh request create --resource /teleport.example.com/node/b1168402-9340-421a-a344-af66a6675738 --resource /teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f \    --reason <request reason>

You can search for resources of kind node, kube_cluster, db, app, and windows_desktop. Teleport also supports searching and requesting access to resources within Kubernetes clusters with kind kube_resource.

Advanced filters and queries are supported. See our filtering reference for more information.

Try narrowing your search to a specific resource you want to access.

tsh request search --kind node --search iot
Name                                 Hostname    Labels       Resource ID------------------------------------ ----------- ------------ ------------------------------------------------------b1168402-9340-421a-a344-af66a6675738 iot         test=test    /teleport.example.com/node/b1168402-9340-421a-a344-af66a6675738
To request access to these resources, run> tsh request create --resource /teleport.example.com/node/b1168402-9340-421a-a344-af66a6675738 \    --reason <request reason>

Step 3/6. Request access to a resource

Copy the command output by tsh request search in the previous step, optionally filling in a request reason.

tsh request create --resource /teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f \    --reason "responding to incident 123"
Creating request...Request ID: f406f5d8-3c2a-428f-8547-a1d091a4ddabUsername:   aliceRoles:      accessResources:  ["/teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f"]Reason:     "responding to incident 123"Reviewers:  [none] (suggested)Status:     PENDING
hint: use 'tsh login --request-id=<request-id>' to login with an approved request
Waiting for request approval...

The command will automatically wait until the request is approved.

Step 4/6. Approve the Access Request

First, log in as bob.

tsh login --proxy teleport.example.com --user bob

Then list, review, and approve the Access Request.

tsh request ls
ID                                   User  Roles  Resources                   Created At (UTC)    Status------------------------------------ ----- ------ --------------------------- ------------------- -------f406f5d8-3c2a-428f-8547-a1d091a4ddab alice access ["/teleport.example.... [+] 23 Jun 22 18:25 UTC PENDING
[+] Requested resources truncated, use `tsh request show <request-id>` to view the full list
hint: use 'tsh request show <request-id>' for additional details      use 'tsh login --request-id=<request-id>' to login with an approved request
tsh request show f406f5d8-3c2a-428f-8547-a1d091a4ddab
Request ID: f406f5d8-3c2a-428f-8547-a1d091a4ddabUsername:   aliceRoles:      accessResources:  ["/teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f"]Reason:     "responding to incident 123"Reviewers:  [none] (suggested)Status:     PENDING
hint: use 'tsh login --request-id=<request-id>' to login with an approved request
tsh request review --approve f406f5d8-3c2a-428f-8547-a1d091a4ddab
Successfully submitted review.  Request state: APPROVED

tip

Check out our Access Request integrations to notify the right people about new Access Requests.

Step 5/6. Access the requested resource

alice's tsh request create command should resolve now that the request has been approved.

tsh request create --resource /teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f \    --reason "responding to incident 123"
Creating request...Request ID: f406f5d8-3c2a-428f-8547-a1d091a4ddabUsername:   aliceRoles:      accessResources:  ["/teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f"]Reason:     "responding to incident 123"Reviewers:  [none] (suggested)Status:     PENDING
hint: use 'tsh login --request-id=<request-id>' to login with an approved request
Waiting for request approval...
Approval received, getting updated certificates...
> Profile URL:        https://teleport.example.com  Logged in as:       alice  Active requests:    f406f5d8-3c2a-428f-8547-a1d091a4ddab  Cluster:            teleport.example.com  Roles:              access, requester  Logins:             alice  Kubernetes:         disabled  Allowed Resources:  ["/teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f"]  Valid until:        2022-06-23 22:46:22 -0700 PDT [valid for 11h16m0s]  Extensions:         permit-agent-forwarding, permit-port-forwarding, permit-pty

alice can now view and access the node.

tsh ls
Node Name Address   Labels--------- --------- ---------iot       [::]:3022 test=test
tsh ssh alice@iot
iot:~ alice$

Step 6/6. Resume regular access

While logged in with a Resource Access Request, users will be blocked from access to any other resources. This is necessary because their certificate now contains an elevated role, so it is restricted to only allow access to the resources they were specifically approved for. Use the tsh request drop command to "drop" the request and resume regular access.

tsh request drop

Once you have configured Resource Access Requests, tsh ssh is able to automatically create a Resource Access Request for you when access is denied, allowing you to skip the tsh request search and tsh request create steps.

tsh ssh alice@iot
ERROR: access denied to alice connecting to iot on cluster teleport.example.com
You do not currently have access to alice@iot, attempting to request access.
Enter request reason: pleaseCreating request...Request ID: ab43fc70-e893-471b-872e-ae65eb24fd76Username:   aliceRoles:      accessResources:  ["/teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f"]Reason:     "please"Reviewers:  [none] (suggested)Status:     PENDING
hint: use 'tsh login --request-id=<request-id>' to login with an approved request
Waiting for request approval...
Approval received, reason="okay"Getting updated certificates...
iot:~ alice$

Restricting the resources a user can request access to

In this guide, we showed you how to enable a user to search for resources to request access to. To do so, we assigned the user a Teleport role with the search_as_roles field set to the preset access role.

You can impose further restrictions on the resources a user is allowed to search by assigning search_as_roles to a more limited role. Below, we will show you which permissions you must set to restrict a user's ability to search for different resources.

To restrict access to a particular resource using a role similar to the ones below, edit one of the user's roles so the search_as_roles field includes the role you have created.

For full details on how to use Teleport roles to configure RBAC, see the Access Controls Reference.

node

You can restrict access to searching node resources by assigning values to the node_labels field in the spec.allow or spec.deny fields. The following role allows access to SSH Service instances with the env:staging label.

kind: role
version: v5
metadata:
  name: staging-access
spec:
  allow:
    node_labels:
      env: staging
    logins:
      - '{{internal.logins}}'
  options:
    # Only allows the requester to use this role for 1 hour from time of request.
    max_session_ttl: 1h

kube_cluster

You can restrict access to searching kube_cluster resources by assigning values to the kubernetes_labels field in the spec.allow or spec.deny fields.

The following role allows access to Kubernetes clusters with the env:staging label:

kind: role
metadata:
  name: kube-access
version: v8
spec:
  allow:
    kubernetes_labels:
      env: staging
    kubernetes_resources:
      - kind: '*'
        namespace: '*'
        name: '*'
        api_group: '*'
  deny: {}

Kubernetes resources

You can restrict access to Kubernetes resources by assigning values to the kubernetes_resources field in the spec.allow or spec.deny fields.

The following role allows access to Kubernetes pods with the name nginx in any namespace, and all pods in the dev namespace:

kind: role
metadata:
  name: kube-access
version: v8
spec:
  allow:
    kubernetes_labels:
      '*': '*'
    kubernetes_resources:
      - kind: pods
        namespace: '*'
        name: 'nginx*'
        api_group: ''
      - kind: pods
        namespace: dev
        name: '*'
        api_group: ''
    kubernetes_groups:
      - viewers
  deny: {}

The request.kubernetes_resources field allows you to restrict what kinds of Kubernetes resources a user can request access to. Configuring this field to any value will disallow requesting access to the entire Kubernetes cluster.

If the request.kubernetes_resources field is not configured, then a user can request access to any Kubernetes resources, including the entire Kubernetes cluster.

The following role allows users to request access to Kubernetes namespaces. Requests for Kubernetes resources other than pods will not be allowed.

kind: role
metadata:
  name: requester-kube-access
version: v8
spec:
  allow:
    request:
      search_as_roles:
        - kube-access
      kubernetes_resources:
        - kind: pods
          api_group: ''

The following role allows users to request access only to Kubernetes deployments and/or pods.

kind: role
metadata:
  name: requester-kube-access
version: v8
spec:
  allow:
    request:
      search_as_roles:
        - kube-access
      kubernetes_resources:
        - kind: deployments
          api_group: apps
        - kind: pods
          api_group: ''

The following role allows users to request access to any specific Kubernetes resources.

kind: role
metadata:
  name: requester-kube-access
version: v8
spec:
  allow:
    request:
      search_as_roles:
        - kube-access
      kubernetes_resources:
        - kind: '*'
          api_group: '*'

The request.kubernetes_resources field only restricts what kind / api_group of Kubernetes resource requests are allowed. To control Kubernetes access to these resources see Kubernetes Resources section for more details.

db

You can restrict access to searching db resources by assigning values to the db_labels field in the spec.allow or spec.deny fields.

The following role allows access to databases with the env:dev or env:staging labels:

kind: role
version: v5
metadata:
  name: developer
spec:
  allow:
    db_labels:
      env: ["dev", "staging"]

    # Database account names this role can connect as.
    db_users: ["viewer", "editor"]
    db_names: ["*"]

app

You can restrict access to searching app resources by assigning values to the app_labels field in the spec.allow or spec.deny fields.

The following role allows access to all applications except for those in env:prod:

kind: role
version: v5
metadata:
  name: dev
spec:
  allow:
    app_labels:
      "*": "*"
  deny:
    app_labels:
      env: "prod"

windows_desktop

You can restrict access to searching windows_desktop resources by assigning values to the windows_desktop_labels field in the spec.allow or spec.deny fields.

The following role allows access to all Windows desktops with the env:dev or env:staging labels.

kind: role
version: v4
metadata:
  name: developer
spec:
  allow:
    windows_desktop_labels:
      env: ["dev", "staging"]

    windows_desktop_logins: ["{{internal.windows_logins}}"]

Next steps

• Read about all of the ways you can configure Access Requests in the Access Request Configuration Guide. For example, you can configure the search_as_roles fields in a user's role to restrict the resources the user has access to list in order to request access.
• With Teleport's Access Request plugins, users can manage Access Requests from within your organization's existing messaging and project management solutions. Read the documentation on Access Request plugins.
• For more information about creating and managing Access Requests as an end user, read Request Access to Roles and Resources.
• Learn about Access Lists, which allow you to assign elevated privileges to a list of Teleport users for a limited time.

Was this page helpful?

How can we improve this page?