Version: 19.x (unreleased)

Creating an Access List for Just-in-Time Access

Is this page helpful?

The Just-in-Time Access Guide creates an Access List whose members are required to request access to a defined set of resources, rather than being granted that access automatically. The list's members submit an Access Request; the list's owners review and approve or deny it. Once approved, the member receives temporary access bounded by the request's TTL, capped by the member's remaining Teleport session.

This guide will help you:

Decide when a Just-in-Time Access List is the right fit
Create one using the guided flow
Verify the request-and-approval experience as a member

When to use this flow

Use a Just-in-Time Access List when:

The resources are sensitive enough that members should justify each access event.
You want a clear audit trail of who requested what, when, and who approved it.
You want a single list to govern who can request the access, with periodic reviews so the membership is reaffirmed rather than left to drift.
You'd rather configure access through a guided UI than write role specs by hand.

If members instead need access immediately on login for the duration of their session, use the Standing Access Guide instead.

Prerequisites

A running Teleport Enterprise (v18.8.0 or higher) cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.
The tctl and tsh clients, required only if deploying with Terraform.
Installing tctl and tsh clients
1. Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service:
  - Mac/Linux
  - Windows - Powershell
  TELEPORT_DOMAIN=teleport.example.com:443
  TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"
2. Follow the instructions for your platform to install tctl and tsh clients:
  - Mac
  - Windows - Powershell
  - Linux
  Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients:
  curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg
  In Finder double-click the pkg file to begin installation.
  danger
  Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

At least one user who will be a member of the list, preferably a user with no access to resources to verify the access flow later.
At least one resource enrolled in the cluster for the Access List to grant access to.

Permissions to create Access Lists, users, and roles. These are included in the preset editor role, or you can copy and paste the following into your own role:

allow:
  rules:
  - resources:
    - access_list
    - user
    - role
    verbs:
    - read
    - list
    - create
    - update
    - delete

Step 1/3. Start the guide

In the Teleport Web UI, hover over Add New from the sidebar menu then click Access List.

Enter a name and optional description for the list.

Click Just-in-Time Access Guide and click Start Guide.

Step 2/3. Walk through the guide

The guide steps you through:

Define Access to Resources — for each resource type, specify the matching criteria. Most resource types are matched by labels; others may ask you to select the resource itself. Members can request access to anything that matches.

Previewing Resources
After defining access for a resource type, the UI shows a preview of matching resources. The preview is limited by your own role permissions — members may be granted access to additional resources that aren't visible to you.
Define Resource Identities or Principals — for resource types that need them (e.g. SSH logins, database users, Kubernetes users/groups, etc.), specify which principals members can use to connect once their request is approved.
Basic Information — confirm the name and description of the Access List, and select the next review date. Periodic reviews are how list owners reaffirm that the right members are still on the list.

Note: Access Lists deployed through Terraform are "static" lists and do not support periodic auditing — the review date is ignored.
Define Membership — add the users who should be eligible to request access through this list.
Define Ownership — add the users responsible for managing the list, reviewing membership, and reviewing Access Requests submitted through this list.

Deploy the Access List

At the final Deployment step, choose how to apply the list:

Manage in Teleport
Manage via Terraform

Click Create Access List Now. The list is created directly via the Teleport API and is immediately active.

Click Continue via Terraform. Follow the in-UI instructions or below to deploy with Terraform:

Add the Terraform module to your configuration.

Click the Copy Terraform Module button, then paste it into a Terraform configuration file.
Log in to your cluster, assigning [email protected] to your Teleport username:
```
tsh login --proxy=teleport.example.com:443 --user=[email protected]
```
Generate a temporary bot:
```
eval "$(tctl terraform env)"
```
Initialize Terraform:
```
terraform init
```
Preview the changes:
```
terraform plan
```
Apply the changes:
```
terraform apply
```

The Access List is created once terraform apply completes.

note

The steps above use tctl terraform env to issue short-lived credentials, which is convenient for trying things out locally. For remote environments such as CI/CD pipelines or cloud VMs, see the Terraform provider documentation for guidance on setting up the provider.

Example Terraform configuration

Below is an example of the Terraform module the UI generates for a JIT Access List. The example grants list members the ability to request access to SSH servers matching the env: test label and log in as ubuntu (see the standard role definition below).

Customize the placeholders below to fit your setup — each one is reused throughout the config wherever it appears:

teleport.example.com:443 — your Teleport proxy address.
unique-access-list-id — a unique identifier for the Access List (alphanumerics only). It ties the roles, list, and member resources together.
Example Access List — the display title for the Access List.
example-owner — the Teleport user to add as an owner.
example-member — the Teleport user to add as a member.

terraform {
  required_providers {
    teleport = {
      source  = "terraform.releases.teleport.dev/gravitational/teleport"
      version = "~> 19.0"
    }
  }
}

provider "teleport" {
  addr = "teleport.example.com:443"
}

# A role that defines access to standard resources.
resource "teleport_role" "access-standard-acl-preset-acl-id" {
  version = "v8"

  metadata = {
    name = "access-standard-acl-preset-acl-id"
    labels = {
      "teleport.dev/iac-tool"                = "terraform"
      "teleport.internal/access-list-preset" = "acl-id"
    }
  }

  spec = {
    allow = {
      logins = ["ubuntu"]
      node_labels = {
        env = ["test"]
      }
    }
  }
}

# A role that allows requesting access to resources (assigned to members).
resource "teleport_role" "requester-acl-preset-acl-id" {
  version = "v8"

  metadata = {
    name = "requester-acl-preset-acl-id"
    labels = {
      "teleport.dev/iac-tool"                = "terraform"
      "teleport.internal/access-list-preset" = "acl-id"
    }
  }

  spec = {
    allow = {
      request = {
        search_as_roles = ["access-standard-acl-preset-acl-id"]
      }
    }
  }
}

# A role that allows reviewing access requests (assigned to owners).
resource "teleport_role" "reviewer-acl-preset-acl-id" {
  version = "v8"

  metadata = {
    name = "reviewer-acl-preset-acl-id"
    labels = {
      "teleport.dev/iac-tool"                = "terraform"
      "teleport.internal/access-list-preset" = "acl-id"
    }
  }

  spec = {
    allow = {
      review_requests = {
        roles            = ["access-standard-acl-preset-acl-id"]
        preview_as_roles = ["access-standard-acl-preset-acl-id"]
      }
    }
  }
}

resource "teleport_access_list" "acl-acl-id" {
  header = {
    kind    = "access_list"
    version = "v1"
    metadata = {
      name = "acl-id"
      labels = {
        "teleport.dev/iac-tool"                      = "terraform"
        "teleport.internal/access-list-preset"       = "short-term"
        "teleport.internal/access-list-preset-roles" = "reviewer-acl-preset-acl-id,requester-acl-preset-acl-id,access-standard-acl-preset-acl-id"
      }
    }
  }

  spec = {
    type = "static"
    title = "acl-title"
    grants = {
      roles = ["requester-acl-preset-acl-id"]
    }
    owner_grants = {
      roles = ["reviewer-acl-preset-acl-id"]
    }
    owners = [{
      membership_kind = "1"
      name            = "example-owner"
    }]
  }
}

resource "teleport_access_list_member" "acl-member-example-member" {
  depends_on = [teleport_access_list.acl-acl-id]

  header = {
    kind    = "access_list_member"
    version = "v1"
    metadata = {
      name = "example-member"
    }
  }

  spec = {
    access_list     = "acl-id"
    name            = "example-member"
    membership_kind = "1"
  }
}

Editing the generated roles

Avoid directly modifying the roles the guided flow creates for this Access List. Keep their names and their teleport.internal/access-list-preset* labels unchanged — the Web UI relies on both to recognize them as the roles generated for this Access List. To change what the list grants, update it through the Web UI Access List editor:

From the sidebar menu, click Identity Governance > Access Lists.
Click on the target Access List.
Click the Access Definition tab.
Click Edit Access.

If you created the list with Terraform produced by the Web UI editor, you can still use the web editor to update the Access List and copy the updated Terraform it generates.

Editing the roles directly (via Terraform, tctl, or the role editor) may make the Access List editor in the Web UI unable to parse them (only a limited subset of role fields is supported by the editor) — at which point you can no longer use the Web UI editor to change the list's grants, and must update the roles directly for the rest of the Access List's life.

Step 3/3. Verify the request flow

Log in as one of the members you added. The resources you defined in Define Access to Resources should appear in the resource list with a Request Access button rather than a direct connect button.

Submit a request for one of the resources, optionally providing a reason.
Log in as one of the owners and approve the request. (The JIT preset grants owners a reviewer role automatically, which is what lets them approve.)
Back as the member, assume the approved request. You now have temporary access to the resource; once the request expires or your session ends, the access is gone.

Next steps

Create an Access List whose members get access on login with the Standing Access Guide.
Create an Access List by assigning existing roles directly with the Custom Form.
Learn more about how members request and reviewers approve access in Access Requests.
Auto-approve low-risk requests with automatic reviews.
Route request notifications with notification routing rules.
Group members by inheriting access from other lists with nested Access Lists.
Learn more about managing Access Lists as code with the Terraform provider and Kubernetes operator.

Was this page helpful?

When to use this flow​

Prerequisites​

Step 1/3. Start the guide​

Step 2/3. Walk through the guide​

Deploy the Access List​

Example Terraform configuration​

Step 3/3. Verify the request flow​

Next steps​