Meet us at KubeCon + CloudNativeCon: Paris, France - March 19
Book Demo
Teleport logoTry For Free
Access Platform

Just-in-time Access Requests

Teleport Just-in-time Access Requests allows any developer to request access to a resource or role depending on need. The request can then be approved or denied via Slack, PagerDuty, or other ChatOps tools based on a configurable number of approvers.
clicking approve for access
Background image
# Role Based Access Request
$ tsh request create --roles=dba \
  [email protected],[email protected] --reason="ticket #123"

# Just-in-Time Access Request
$ tsh ssh root@db-1
ERROR: access denied to root connecting to db-1 on cluster cluster-one

You do not currently have access to root@db-1, attempting to request access.

Enter request reason: responding to incident 123
Creating request...

# Alice
$ tsh request list

# Output
ID                                   User             Roles   Created (UTC)       Status
------------------------------------ ---------------  ------- ------------------- -------
9c721e54-b049-4ef8-a7f6-c777aa066764 [email protected]  dba 03 Apr 21 03:58 UTC PENDING

$ tsh request review --approve --reason="proceed with caution" 9c721e54-b049-4ef8-a7f6-c777aa066764

$ tsh request create --roles=dba \
  [email protected],[email protected] --reason="ticket #123"

# Alice
$ tsh request review --approve --reason="proceed with caution"

# Ivan
$ tsh request review --approve --reason="granted."
# use your favorite programming language
def process_request(req):
  #  grant admin only on registered computers
  if req.roles.contains("admin") and registered_computer(req.user):
      raise AccessDenied("use registered computer for privileged access")
  # contractors should provide a valid ticket
  if req.traits['team'] == "contractor" && not jira.get_ticket(req.note):
      raise AccessDenied("provide an active JIRA ticket")

Access Requests using Existing Tools

Approve access requests using the tools you already have, such as Slack, PagerDuty, and others. This allows security teams to approve or deny requests quickly and avoids frustration for engineers who need to get the job done.

Approvals do not have to be done manually. Implement your own access approval logic with Teleport API using your favorite programming language.

Approve access requests
Background image
Access Requests Flow
To learn more about access requests, take a look at Teleport Documentation .
request role access screen

Bob can select the resources he needs to access or request the dbadmin role in the Web UI or CLI.

Teleport Slackbot notification

Chatbot will notify both Alice and Ivan.

approved access request screen

Alice and Ivan can review and approve request using Web UI or CLI.

Background image
Background image

Access Requests Demo Video

Watch our demo highlighting how team members can request access to new and elevated roles. This feature is available from the CLI or the browser. Users can add reasons to requests and get these requests sent to Slack. This video features using access requests for Kubernetes and all requests are captured using the Teleport Audit log.
Background image

Try Teleport today

In the cloud, self-hosted, or open source
Get StartedView developer docs