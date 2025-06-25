Version: 16.x

On this page

Resource Access Requests Report an issue with this page

With Teleport Resource Access Requests, users can request access to specific resources without needing to know anything about the roles or RBAC controls used under the hood. The Access Request API makes it easy to dynamically approve or deny these requests.

Just-in-time Access Requests are a feature of Teleport Enterprise. Teleport Community Edition users can get a preview of how Access Requests work by requesting a role via the Teleport CLI. Full Access Request functionality, including Resource Access Requests and an intuitive and searchable UI are available in Teleport Enterprise.

A running Teleport cluster. If you want to get started with Teleport, sign up for a free trial.

The tctl admin tool and tsh client tool. Visit Installation for instructions on downloading tctl and tsh .

To check that you can connect to your Teleport cluster, sign in with tsh login , then verify that you can run tctl commands using your current credentials. For example: teleport.example.com --user= [email protected] tsh login --proxy=--user= tctl status tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

The built-in requester and reviewer roles have permissions to, respectively, open and review Access Requests. Grant the requester and reviewer roles to existing users, or create new users to test this feature. Make sure the requester has a valid login so that they can view and access SSH nodes.

tctl users add alice --roles requester --logins alice tctl users add bob --roles reviewer

For the rest of the guide we will assume that the requester role has been granted to a user named alice and the reviewer role has been granted to a user named bob .

tip Consider defining custom roles to limit the scope of a requester or reviewer's permissions. Read the Access Request Configuration guide for available options.

First, log in as alice .

tsh login --proxy teleport.example.com --user alice

Notice that tsh ls returns an empty list, because alice does not have access to any resources by default.

tsh ls Node Name Address Labels --------- ------- ------

Then try searching for all available ssh nodes.

tsh request search --kind node Name Hostname Labels Resource ID ------------------------------------ ----------- ------------ ------------------------------------------------------ b1168402-9340-421a-a344-af66a6675738 iot test=test /teleport.example.com/node/b1168402-9340-421a-a344-af66a6675738 bbb56211-7b54-4f9e-bee9-b68ea156be5f node test=test /teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f

To request access to these resources, run > tsh request create --resource /teleport.example.com/node/b1168402-9340-421a-a344-af66a6675738 --resource /teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f \ --reason <request reason>

You can search for resources of kind node , kube_cluster , db , app , and windows_desktop . Teleport also supports searching and requesting access to resources within Kubernetes clusters.

List of supported Kubernetes resources Teleport supports searching and requesting access to the following Kubernetes resources: Resource Access Requests to Kubernetes Namespaces Requesting access to a Kubernetes namespace allows you to access all resources in that namespace, including the supported Kubernetes resources listed below. However, it prevents you from access any resources belonging to another namespace. pod

secret

configmap

namespace

service

serviceaccount

kube_node

persistentvolume

persistentvolumeclaim

deployment

replicaset

statefulset

daemonset

clusterrole

kube_role

clusterrolebinding

rolebinding

cronjob

job

certificatesigningrequest

ingress

Advanced filters and queries are supported. See our filtering reference for more information.

Try narrowing your search to a specific resource you want to access.

tsh request search --kind node --search iot Name Hostname Labels Resource ID ------------------------------------ ----------- ------------ ------------------------------------------------------ b1168402-9340-421a-a344-af66a6675738 iot test=test /teleport.example.com/node/b1168402-9340-421a-a344-af66a6675738

To request access to these resources, run > tsh request create --resource /teleport.example.com/node/b1168402-9340-421a-a344-af66a6675738 \ --reason <request reason>

Copy the command output by tsh request search in the previous step, optionally filling in a request reason.

tsh request create --resource /teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f \ --reason "responding to incident 123" Creating request... Request ID: f406f5d8-3c2a-428f-8547-a1d091a4ddab Username: alice Roles: access Resources: ["/teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f"] Reason: "responding to incident 123" Reviewers: [none] (suggested) Status: PENDING

hint: use 'tsh login --request-id=<request-id>' to login with an approved request

Waiting for request approval...



The command will automatically wait until the request is approved.

First, log in as bob .

tsh login --proxy teleport.example.com --user bob

Then list, review, and approve the Access Request.

tsh request ls ID User Roles Resources Created At (UTC) Status ------------------------------------ ----- ------ --------------------------- ------------------- ------- f406f5d8-3c2a-428f-8547-a1d091a4ddab alice access ["/teleport.example.... [+] 23 Jun 22 18:25 UTC PENDING

[+] Requested resources truncated, use `tsh request show <request-id>` to view the full list

hint: use 'tsh request show <request-id>' for additional details use 'tsh login --request-id=<request-id>' to login with an approved request tsh request show f406f5d8-3c2a-428f-8547-a1d091a4ddab Request ID: f406f5d8-3c2a-428f-8547-a1d091a4ddab Username: alice Roles: access Resources: ["/teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f"] Reason: "responding to incident 123" Reviewers: [none] (suggested) Status: PENDING

hint: use 'tsh login --request-id=<request-id>' to login with an approved request tsh request review --approve f406f5d8-3c2a-428f-8547-a1d091a4ddab Successfully submitted review. Request state: APPROVED

tip Check out our Access Request Integrations to notify the right people about new Access Requests.

alice 's tsh request create command should resolve now that the request has been approved.

tsh request create --resource /teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f \ --reason "responding to incident 123" Creating request... Request ID: f406f5d8-3c2a-428f-8547-a1d091a4ddab Username: alice Roles: access Resources: ["/teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f"] Reason: "responding to incident 123" Reviewers: [none] (suggested) Status: PENDING

hint: use 'tsh login --request-id=<request-id>' to login with an approved request

Waiting for request approval...

Approval received, getting updated certificates...

> Profile URL: https://teleport.example.com Logged in as: alice Active requests: f406f5d8-3c2a-428f-8547-a1d091a4ddab Cluster: teleport.example.com Roles: access, requester Logins: alice Kubernetes: disabled Allowed Resources: ["/teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f"] Valid until: 2022-06-23 22:46:22 -0700 PDT [valid for 11h16m0s] Extensions: permit-agent-forwarding, permit-port-forwarding, permit-pty

alice can now view and access the node.

tsh ls Node Name Address Labels --------- --------- --------- iot [::]:3022 test=test

tsh ssh alice@iot iot:~ alice$

While logged in with a Resource Access Request, users will be blocked from access to any other resources. This is necessary because their certificate now contains an elevated role, so it is restricted to only allow access to the resources they were specifically approved for. Use the tsh request drop command to "drop" the request and resume regular access.

tsh request drop

When you drop an Access Request, Teleport issues a new user certificate. The new certificate retains the expiration of the previous certificate. Once your session expires and you reauthenticate to Teleport, you receive a user certificate with your user's originally configured time to live.

Once you have configured Resource Access Requests, tsh ssh is able to automatically create a Resource Access Request for you when access is denied, allowing you to skip the tsh request search and tsh request create steps.

tsh ssh alice@iot ERROR: access denied to alice connecting to iot on cluster teleport.example.com

You do not currently have access to alice@iot, attempting to request access.

Enter request reason: please Creating request... Request ID: ab43fc70-e893-471b-872e-ae65eb24fd76 Username: alice Roles: access Resources: ["/teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f"] Reason: "please" Reviewers: [none] (suggested) Status: PENDING

hint: use 'tsh login --request-id=<request-id>' to login with an approved request

Waiting for request approval...

Approval received, reason="okay" Getting updated certificates...

iot:~ alice$

In this guide, we showed you how to enable a user to search for resources to request access to. To do so, we assigned the user a Teleport role with the search_as_roles field set to the preset access role.

You can impose further restrictions on the resources a user is allowed to search by assigning search_as_roles to a more limited role. Below, we will show you which permissions you must set to restrict a user's ability to search for different resources.

To restrict access to a particular resource using a role similar to the ones below, edit one of the user's roles so the search_as_roles field includes the role you have created.

For full details on how to use Teleport roles to configure RBAC, see the Access Controls Reference.

You can restrict access to searching node resources by assigning values to the node_labels field in the spec.allow or spec.deny fields. The following role allows access to SSH Service instances with the env:staging label.

kind: role version: v5 metadata: name: staging-access spec: allow: node_labels: env: staging logins: - " {{internal.logins}} " options: max_session_ttl: 1h

You can restrict access to searching kube_cluster resources by assigning values to the kubernetes_labels field in the spec.allow or spec.deny fields.

The following role allows access to Kubernetes clusters with the env:staging label:

kind: role metadata: name: kube-access version: v7 spec: allow: kubernetes_labels: 'env': 'staging' kubernetes_resources: - kind: '*' namespace: '*' name: '*' deny: {}

You can restrict access to Kubernetes resources by assigning values to the kubernetes_resources field in the spec.allow or spec.deny fields.

The following role allows access to Kubernetes pods with the name nginx in any namespace, and all pods in the dev namespace:

kind: role metadata: name: kube-access version: v7 spec: allow: kubernetes_labels: '*' :'*' kubernetes_resources: - kind: pod namespace: "*" name: "nginx*" - kind: pod namespace: "dev" name: "*" kubernetes_groups: - viewers deny: {}

If you are setting up a Teleport role to enable just-in-time access to a specific Kubernetes resources, you should set the role's kubernetes_groups and kubernetes_users to a role that has no access to Kubernetes resource beside the Kubernetes resources that Teleport is able to restrict access for.

This is because, if a user requests access to a Kubernetes pod, and the request is approved, the Teleport Kubernetes Service will use the kubernetes_groups and kubernetes_users fields in the role to add impersonation headers to the user's requests to a Kubernetes API server. Under these conditions, Teleport will be able to restrict access to all Kubernetes resources kinds mentioned above except for the desired pod . Teleport is also able to restrict access to namespaced-scoped custom resources but not cluster-scoped custom resources - CRDs resources that are cluster-scoped will be accessible to the user if the principals in the kubernetes_users and kubernetes_groups fields have access to them.

Requesting access to a Kubernetes Namespace allows you to access all resources in that namespace but you won't be able to access any other supported resources in the cluster.

note The request.kubernetes_resources field was released in Teleport 16.4.7. All Auth Service instances must be on version 16.4.7+ before the Kubernetes resource restrictions will be enforced.

The request.kubernetes_resources field allows you to restrict what kinds of Kubernetes resources a user can request access to. Configuring this field to any value will disallow requesting access to the entire Kubernetes cluster.

If the request.kubernetes_resources field is not configured, then a user can request access to any Kubernetes resources, including the entire Kubernetes cluster.

The following role allows users to request access to Kubernetes namespaces. Requests for Kubernetes resources other than namespace will not be allowed.

kind: role metadata: name: requester-kube-access version: v7 spec: allow: request: search_as_roles: - "kube-access" kubernetes_resources: - kind: "namespace"

The following role allows users to request access only to Kubernetes namespaces and/or pods.

kind: role metadata: name: requester-kube-access version: v7 spec: allow: request: search_as_roles: - "kube-access" kubernetes_resources: - kind: "namespace" - kind: "pod"

The following role allows users to request access to any specific Kubernetes resources.

kind: role metadata: name: requester-kube-access version: v7 spec: allow: request: search_as_roles: - "kube-access" kubernetes_resources: - kind: "*"

See related section about Kubernetes Resources to see a list of supported kind values.

The request.kubernetes_resources field only restricts what kinds of Kubernetes resource requests are allowed. To control Kubernetes access to these resources see Preventing unintended access to Kubernetes resources section for more details.

You can restrict access to searching db resources by assigning values to the db_labels field in the spec.allow or spec.deny fields.

The following role allows access to databases with the environment:dev or environment:stage labels:

kind: role version: v5 metadata: name: developer spec: allow: db_labels: environment: [ "dev" , "stage" ] db_users: [ "viewer" , "editor" ] db_names: [ "*" ]

You can restrict access to searching app resources by assigning values to the app_labels field in the spec.allow or spec.deny fields.

The following role allows access to all applications except for those in env:prod :

kind: role version: v5 metadata: name: dev spec: allow: app_labels: "*": "*" deny: app_labels: env: "prod"

You can restrict access to searching windows_desktop resources by assigning values to the windows_desktop_labels field in the spec.allow or spec.deny fields.

The following role allows access to all Windows desktops with the environment:dev or environment:stage labels.

kind: role version: v4 metadata: name: developer spec: allow: windows_desktop_labels: environment: [ "dev" , "stage" ] windows_desktop_logins: [ " {{internal.windows_logins}} " ]

Teleport users can request access to a Kubernetes resources by running the following command:

tsh request create resource-id

For Kubernetes namespaced resources, the resource-id is in the following format:

/TELEPORT_CLUSTER/NAMESPACED_KIND/KUBE_CLUSTER/NAMESPACE/RESOURCE_NAME

Teleport supports the following namespaced resources: pod , secret , configmap , service , serviceaccount , persistentvolumeclaim , deployment , replicaset , statefulset , daemonset , kube_role , rolebinding , cronjob , job , ingress .

For example, to request access to a pod called nginx-1 in the development namespace, run the following command:

tsh request create --resources /teleport.example.com/pod/mycluster/development/nginx-1

For the NAMESPACE and RESOURCE_NAME values, you can match ranges of characters by supplying a wildcard ( * ) or regular expression. Regular expressions must begin with ^ and end with $ .

For example, to create a request to access all pods in all namespaces that match the regular expression /^nginx-[a-z0-9-]+$/ , run the following command:

tsh request create --resources /teleport.example.com/pod/mycluster/*/^nginx-[a-z0-9-]+$

For Kubernetes cluster-scoped resources, the resource-id is in the following format:

/TELEPORT_CLUSTER/CLUSTER_WIDE_KIND/KUBE_CLUSTER/RESOURCE_NAME

Teleport supports the following cluster-wide resources: namespace , kube_node , clusterrole , clusterrolebinding , persistentvolume , certificatesigningrequest .

For example, to request access to a namespace called prod , run the following command:

tsh request create --resources /teleport.example.com/namespace/mycluster/prod

For the RESOURCE_NAME value, you can match ranges of characters by supplying a wildcard ( * ) or regular expression. Regular expressions must begin with ^ and end with $ .

For example, to create a request to access all namespaces prefixed with dev match the regular expression /^dev-[a-z0-9-]+$/ , run the following command:

tsh request create --resources /teleport.example.com/namespace/mycluster/^dev-[a-z0-9-]+$

Using cluster-scoped resource requests requires the role under search_as_roles to have the correct permissions for the cluster-scoped resource. This is an example of the required permissions to request access only to the namespace prod (and all resources within it):

kind: role spec: allow: kubernetes_resources: - kind: namespace name: prod verbs: - '*'

If a user has no access to a Kubernetes cluster, they can search the list of resources in the cluster by running the following command:

tsh request search --kind=<kind> --kube-cluster= kube-cluster \ [--kube-namespace= namespace |--all-kube-namespaces] Name Namespace Labels Resource ID ----------------- --------- --------- ---------------------------------------------------------- nginx-deployment-0 default app=nginx /teleport.example.com/pod/local/default/nginx-deployment-0 nginx-deployment-1 default app=nginx /teleport.example.com/pod/local/default/nginx-deployment-1

To request access to these resources, run > tsh request create --resource /teleport.example.com/pod/local/default/nginx-deployment-0 --resource /teleport.example.com/pod/local/default/nginx-deployment-1 \ --reason <request reason>

The list returned includes the name of the resource, the namespace it is in if applicable, its labels, and the resource ID. Resources included in the list are those that match the kubernetes_resources field in the user's search_as_roles . The user can then:

Request access to the resources by running the command provided by the tsh request search command.

command. Edit the command to request access to a subset of the resources.

Use a custom request with wildcards or regular expressions.

tsh request search --kind=<kind> works even if the user has no permissions to interact with the desired Kubernetes cluster, but the user's search_as_roles values must allow access to the cluster. If the user is unsure of the name of the cluster, they can run the following command to search it:

tsh request search --kind=kube_cluster Name Hostname Labels Resource ID ----- -------- ------ ---------------------------------------- local /teleport.example.com/kube_cluster/local



With Teleport's Access Request plugins, users can manage Access Requests from within your organization's existing messaging and project management solutions.