Access Requests with Opsgenie
Date: 2025-06-25
With Teleport's Opsgenie integration, engineers can access the infrastructure they need to resolve alerts quickly, without longstanding admin permissions that can become a vector for attacks.
Teleport's Opsgenie integration allows you to treat Teleport Role Access Requests as Opsgenie alerts, notify the appropriate on-call team, and approve or deny the requests via Teleport. You can also configure the plugin to approve Role Access Requests automatically if the user making the request is on the on-call team for a service affected by an alert.
This guide will explain how to set up Teleport's Access Request plugin for Opsgenie.
Prerequisites
- A Teleport Enterprise Cloud account.
- The Enterprise tctl admin tool and tsh client tool version >= 15.5.2.

  You can verify the tools you have installed by running the following commands:

  tctl version
  Teleport Enterprise v15.5.2 go1.23.9
  tsh version
  Teleport v15.5.2 go1.23.9

  You can download these tools by following the appropriate Installation instructions for your environment and Teleport edition.
- An Opsgenie account with the ability to create API keys with the 'read' and 'create and update' access rights.
- To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. tctl is supported on macOS and Linux machines.

  For example:

  tsh login --proxy=teleport.example.com --user=[email protected]
  tctl status
  Cluster teleport.example.com
  Version 15.5.2
  CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678

  If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.
Step 1/5. Create services
Create an Opsgenie team named teleport-access-request-notifications.
We will configure the Opsgenie plugin to create an alert for the teleport-access-request-notifications team when certain users create an Access Request.
Step 2/5. Define RBAC resources
The Teleport Opsgenie plugin works by receiving Access Request events from the Teleport Auth Service and, based on these events, interacting with the Opsgenie API.
Create a requester role
To create the role, first navigate to Management -> Access -> Roles.
Then select 'Create New Role' and create the requester role:
kind: role
version: v5
metadata:
  name: requester
spec:
  allow:
    request:
      roles: ['editor']
      thresholds:
        - approve: 1
          deny: 1
      annotations:
        teleport.dev/notify-services: ['teleport-access-request-notifications']
        teleport.dev/teams: ['teleport-team']
        teleport.dev/schedules: ['teleport-access-alert-schedules']
The teleport.dev/notify-services annotation specifies the schedules the alert will be created for.
The teleport.dev/teams annotation specifies the teams the alert will be created for. This is useful when you have multiple schedules with escalations or an Opsgenie integration that only works with teams.
The teleport.dev/schedules annotation specifies the schedules that will be checked; the Access Request is auto-approved if the requesting user is on-call.
Create a user who will request access
Create a user called myuser who has the requester role. Later in this guide, you will create an Access Request as this user to test the Opsgenie plugin.
To create a user, first navigate to Management -> Access -> Users.
Then select 'Create New User' and create a user with the requester role.
Step 3/5. Set up an Opsgenie API key
Generate an API key that the Opsgenie plugin will use to create and modify alerts as well as list users, services, and on-call policies.
In your Opsgenie dashboard, go to SETTINGS → INTEGRATIONS.
See https://support.atlassian.com/opsgenie/docs/create-a-default-api-integration/ for more details.
Step 4/5. Configure the Opsgenie plugin
At this point, you have generated credentials that the Opsgenie plugin will use to connect to the Opsgenie API. To configure the plugin to use this API key, navigate to Management -> Integrations -> Enroll New Integration.
Step 5/5. Test the Opsgenie plugin
Create an Access Request
As the Teleport user myuser, create an Access Request for the editor role:
- As an Admin

  A Teleport admin can create an Access Request for another user with tctl:

  tctl request create myuser --roles=editor
- As a User

  Users can use tsh to create an Access Request and log in with approved roles:

  tsh request create --roles=editor
  Seeking request approval... (id: 8f77d2d1-2bbf-4031-a300-58926237a807)
- From the Web UI

  Users can request access using the Web UI by visiting the "Access Requests" tab and clicking "New Request".
In Opsgenie, you will see a new alert containing information about the Access Request in either the default schedule specified when enrolling the plugin, or in the schedules specified by the teleport.dev/notify-services annotation in the requester's role.
Resolve the request
Once you receive an Access Request message, click the link to visit Teleport and approve or deny the request.
Reviewing from the command line
You can also review an Access Request from the command line:
- As an Admin

  Replace REQUEST_ID with the id of the request:

  tctl request approve REQUEST_ID
  tctl request deny REQUEST_ID
- As a User

  Replace REQUEST_ID with the id of the request:

  tsh request review --approve REQUEST_ID
  tsh request review --deny REQUEST_ID
When the Opsgenie plugin sends a notification, anyone who receives the notification can follow the enclosed link to an Access Request URL. While users must be authorized via their Teleport roles to review Access Requests, you should still check the Teleport audit log to ensure that the right users are reviewing the right requests.
When auditing Access Request reviews, check for events with the type Access Request Reviewed in the Teleport Web UI.
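The audit check described above can also be run over exported audit events. The following is an added example, not part of the original guide or of Teleport's own code: it pairs each review event with the request it refers to and flags reviews that need a second look. The event names and JSON field names (event, id, user, roles, reviewer, proposed_state) are assumptions modelled on Teleport's JSON audit log, and the reviewer policy and sample events are constructed.

```python
import json

# Constructed sample audit events, one JSON object per line, oldest first.
# Field names are assumptions; verify them against your own audit log export.
SAMPLE_EVENTS = """\
{"event":"access_request.create","id":"req-1","user":"myuser","roles":["editor"]}
{"event":"access_request.review","id":"req-1","reviewer":"alice","proposed_state":"APPROVED"}
{"event":"access_request.create","id":"req-2","user":"myuser","roles":["editor"]}
{"event":"access_request.review","id":"req-2","reviewer":"carol","proposed_state":"APPROVED"}
{"event":"access_request.create","id":"req-3","user":"bob","roles":["editor"]}
{"event":"access_request.review","id":"req-3","reviewer":"bob","proposed_state":"APPROVED"}
{"event":"access_request.review","id":"req-9","reviewer":"alice","proposed_state":"DENIED"}
"""

# Hypothetical policy: who is expected to review requests for each role.
EXPECTED_REVIEWERS = {"editor": {"alice", "bob"}}


def audit_reviews(lines, expected=EXPECTED_REVIEWERS):
    """Return (request_id, reviewer, reason) for every review that needs a look."""
    requests, findings = {}, []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event") == "access_request.create":
            requests[ev["id"]] = ev  # remember requester and requested roles
        elif ev.get("event") == "access_request.review":
            rid, reviewer = ev.get("id"), ev.get("reviewer")
            req = requests.get(rid)
            if req is None:
                # The create event is outside the exported window or missing.
                findings.append((rid, reviewer, "review without a matching request"))
                continue
            if reviewer == req["user"]:
                findings.append((rid, reviewer, "requester reviewed own request"))
            for role in req.get("roles", []):
                if reviewer not in expected.get(role, set()):
                    findings.append((rid, reviewer, f"not an expected reviewer for {role}"))
    return findings


if __name__ == "__main__":
    for finding in audit_reviews(SAMPLE_EVENTS):
        print(finding)
```

If the plugin is configured to approve requests automatically, add the identity it reviews as to the expected reviewers so that its approvals are not reported as findings.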