Version: 16.x (2025-01-14)

Run Teleport Policy on Self-Hosted Clusters

Teleport Policy's Access Graph with a self-hosted Teleport cluster requires setting up Access Graph, a dedicated service which uses PostgreSQL as its backing storage and communicates with Auth Service and Proxy Service to collect information about resources and access.

This guide will help you set up the service and enable Access Graph in your Teleport cluster.

Prerequisites

- A running Teleport Enterprise cluster v14.3.6 or later.
- An updated license.pem with Teleport Policy enabled.
- Docker version v20.10.7 or later.
- A PostgreSQL database server v14 or later. Access Graph needs a dedicated database to store its data. The user that Access Graph connects to the database with needs to be the owner of this database, or have similarly broad permissions: at least the CREATE TABLE privilege on the public schema, and the CREATE SCHEMA privilege. Amazon RDS for PostgreSQL is supported.
- A TLS certificate for the Access Graph service. The TLS certificate must be issued for the "server authentication" key usage, and must list the IP or DNS name of the Access Graph service in an X.509 v3 subjectAltName extension. Starting from version 1.20.4 of the Access Graph service, the container runs as a non-root user by default, so make sure the certificate files are readable by the user running the container. You can set the correct ownership with the following command:

  ```shell
  sudo chown 65532 /etc/access_graph/tls.key
  ```

- The node running the Access Graph service must be reachable from the Teleport Auth Service and Proxy Service.

Warning: The deployment with Docker is suitable for testing and development purposes. For production deployments, consider using the Access Graph Helm chart to deploy this service on Kubernetes. Refer to the Helm chart for Access Graph guide for instructions.

You will need a copy of your Teleport cluster's host certificate authority (CA) on the machine that hosts the Access Graph service. The service requires incoming connections to be authenticated via host certificates that the host CA issues to the Auth Service and Proxy Service.

The host CA can be retrieved and saved into a file in one of the following ways:

Via curl:

```shell
sudo mkdir /etc/access_graph
curl -s 'https://teleport.example.com/webapi/auth/export?type=tls-host' | sudo tee /etc/access_graph/teleport_host_ca.pem
```

Via tctl:

```shell
sudo mkdir /etc/access_graph
tsh login --proxy=teleport.example.com
tctl get cert_authorities --format=json \
  | jq -r '.[] | select(.spec.type == "host") | .spec.active_keys.tls[].cert' \
  | base64 -d | sudo tee /etc/access_graph/teleport_host_ca.pem
```
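The two certificate requirements above (a serverAuth certificate whose subjectAltName matches the service endpoint, and a genuine CA certificate in teleport_host_ca.pem for authenticating the Auth Service and Proxy Service) are easy to get wrong and otherwise only surface later as opaque TLS handshake failures. The following pre-flight check, written in Go against the standard library only, is an added example and not part of the guide or Teleport's own code. It assumes the endpoint value used later in the Auth Service config (access-graph.example.com:50051) and uses constructed self-signed certificates in place of the real files.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

func parsePEMCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no PEM CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// checkHostCA confirms the exported Teleport host CA really is a CA certificate.
func checkHostCA(pemBytes []byte) error {
	cert, err := parsePEMCert(pemBytes)
	if err != nil {
		return err
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return errors.New("certificate is not a CA (basicConstraints CA:TRUE missing)")
	}
	return nil
}

// checkServiceCert enforces serverAuth EKU and a subjectAltName matching the endpoint's host.
func checkServiceCert(pemBytes []byte, endpoint string) error {
	cert, err := parsePEMCert(pemBytes)
	if err != nil {
		return err
	}
	serverAuth := false
	for _, eku := range cert.ExtKeyUsage {
		serverAuth = serverAuth || eku == x509.ExtKeyUsageServerAuth
	}
	if !serverAuth {
		return errors.New("extendedKeyUsage does not include serverAuth")
	}
	host, _, err := net.SplitHostPort(endpoint)
	if err != nil {
		return fmt.Errorf("endpoint must be host:port: %w", err)
	}
	// VerifyHostname matches DNS names against DNS SANs and IP literals against IP SANs; CN is ignored.
	if err := cert.VerifyHostname(host); err != nil {
		return fmt.Errorf("endpoint host %q is not in subjectAltName: %w", host, err)
	}
	return nil
}

// selfSigned builds a constructed self-signed certificate from tmpl, used only to exercise the checks.
func selfSigned(tmpl *x509.Certificate) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// constructedHostCA is a stand-in for teleport_host_ca.pem (constructed, not a Teleport CA).
func constructedHostCA() []byte {
	return selfSigned(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed host CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	})
}

// constructedServiceCert is a stand-in for the service's tls.crt with the given SANs and EKU.
func constructedServiceCert(dnsNames []string, ips []net.IP, serverAuth bool) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "access-graph"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: dnsNames, IPAddresses: ips,
	}
	if serverAuth {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return selfSigned(tmpl)
}

func main() {
	// Exercises the checks on constructed material; for a real pre-flight, pass the bytes
	// of teleport_host_ca.pem and tls.crt (os.ReadFile) and the endpoint from the Auth Service config.
	crt := constructedServiceCert([]string{"access-graph.example.com"}, nil, true)
	fmt.Println("host CA:", checkHostCA(constructedHostCA()))
	fmt.Println("service cert:", checkServiceCert(crt, "access-graph.example.com:50051"))
}
```

Go's VerifyHostname ignores the subject CN, so a certificate that carries the service name only in its CN fails the check, which is exactly the subjectAltName requirement stated above. A certificate with an IP SAN passes when the configured endpoint uses that IP literal, and fails for any other host.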

Then, on the same machine, create a configuration file for the Access Graph service, similar to this:

Finally, start the Access Graph service using Docker as follows:

```shell
$ docker run -p 50051:50051 -v <path-to-config>:/app/config.yaml -v /etc/access_graph:/etc/access_graph public.ecr.aws/gravitational/access-graph:1.24.4
```

In the YAML config for the Auth Service, add a new top-level section for Access Graph configuration.

```yaml
access_graph:
  enabled: true
  endpoint: access-graph.example.com:50051
  ca: /etc/access_graph_ca.pem
```

Then, restart the Auth Service instances, followed by the Proxy Service instances.

You can find Access Graph in the "Access Management" tab in the Web UI.

To access the interface, your user must have a role that allows list and read verbs on the access_graph resource, e.g.:

```yaml
kind: role
version: v7
metadata:
  name: my-role
spec:
  allow:
    rules:
      - resources:
          - access_graph
        verbs:
          - list
          - read
```