Resource Access Requests
With Teleport Resource Access Requests, users can request access to specific resources without needing to know anything about the roles or RBAC controls used under the hood. The Access Request API makes it easy to dynamically approve or deny these requests.
Just-in-time Access Requests are a feature of Teleport Enterprise. Teleport Community Edition users can get a preview of how Access Requests work by requesting a role via the Teleport CLI. Full Access Request functionality, including Resource Access Requests and an intuitive and searchable UI are available in Teleport Enterprise.
Prerequisites
- Self-Hosted Enterprise
- Teleport Enterprise Cloud
-
A running Teleport Enterprise cluster. For details on how to set this up, see the Enterprise Getting Started guide.
-
The Enterprise
tctl
admin tool andtsh
client tool version >= 14.3.33. You can download these tools by visiting your Teleport account. You can verify the tools you have installed by running the following commands:$ tctl version
# Teleport Enterprise v14.3.33 go1.21
$ tsh version
# Teleport v14.3.33 go1.21
-
A Teleport Enterprise Cloud account. If you do not have one, visit the signup page to begin a free trial of Teleport Team and upgrade to Teleport Enterprise Cloud.
-
The
tctl
admin tool andtsh
client tool version >= 16.4.7. To download these tools, visit the Installation page.$ tctl version
# Teleport Enterprise v16.4.7 go1.21
$ tsh version
# Teleport v16.4.7 go1.21
- To check that you can connect to your Teleport cluster, sign in with
tsh login
, then verify that you can runtctl
commands using your current credentials.tctl
is supported on macOS and Linux machines. For example:If you can connect to the cluster and run the$ tsh login --proxy=teleport.example.com --user=email@example.com
$ tctl status
# Cluster teleport.example.com
# Version 14.3.33
# CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678tctl status
command, you can use your current credentials to run subsequenttctl
commands from your workstation. If you host your own Teleport cluster, you can also runtctl
commands on the computer that hosts the Teleport Auth Service for full permissions.
Step 1/8. Create the requester role
As of version 13.1.2, Teleport comes with built-in reviewer
and requester
roles that
are defined similarly to the ones presented here. If you are looking to quickly try out
Access Requests, you can skip to step 3 and use these built-in roles. However, if you are
using an earlier version of Teleport or you are looking to get general guidance for creating
roles for Access Requests, steps 1 and 2 are still useful.
This role allows the requester to search for resources accessible by the
access
role (all resources by default) and request access to them.
# requester.yaml
kind: role
version: v5
metadata:
name: requester
spec:
allow:
request:
search_as_roles:
- access
$ tctl create requester.yaml
Step 2/8. Create the reviewer role
This role allows the reviewer to approve all requests for the access
role.
# reviewer.yaml
kind: role
version: v5
metadata:
name: reviewer
spec:
allow:
review_requests:
roles:
- access
preview_as_roles:
- access
$ tctl create reviewer.yaml
Step 3/8. Grant the roles to users
Grant the requester
and reviewer
roles to existing users, or create new
users to test this feature.
Make sure the requester has a valid login
so that they can view and access SSH
nodes.
$ tctl users add alice --roles requester --logins alice
$ tctl users add bob --roles reviewer
For the rest of the guide we will assume that the requester
role has been
granted to a user named alice
and the reviewer
role has been granted to a
user named bob
.
Step 4/8. Search for resources
First, log in as alice
.
$ tsh login --proxy teleport.example.com --user alice
Notice that tsh ls
returns an empty list, because alice
does not have access to any resources by default.
$ tsh ls
Node Name Address Labels
--------- ------- ------
Then try searching for all available ssh nodes.
$ tsh request search --kind node
Name Hostname Labels Resource ID
------------------------------------ ----------- ------------ ------------------------------------------------------
b1168402-9340-421a-a344-af66a6675738 iot test=test /teleport.example.com/node/b1168402-9340-421a-a344-af66a6675738
bbb56211-7b54-4f9e-bee9-b68ea156be5f node test=test /teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f
To request access to these resources, run
> tsh request create --resource /teleport.example.com/node/b1168402-9340-421a-a344-af66a6675738 --resource /teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f \
--reason <request reason>
You can search for resources of kind node
, kube_cluster
, db
, app
, and
windows_desktop
. Teleport also supports searching and requesting access to
resources within Kubernetes clusters.
List of supported Kubernetes resources
Teleport supports searching and requesting access to the following Kubernetes resources:
Requesting access to a Kubernetes namespace allows you to access all resources in that namespace, including the supported Kubernetes resources listed below. However, it prevents you from access any resources belonging to another namespace.
pod
secret
configmap
namespace
service
serviceaccount
kube_node
persistentvolume
persistentvolumeclaim
deployment
replicaset
statefulset
daemonset
clusterrole
kube_role
clusterrolebinding
rolebinding
cronjob
job
certificatesigningrequest
ingress
Advanced filters and queries are supported. See our filtering reference for more information.
Try narrowing your search to a specific resource you want to access.
$ tsh request search --kind node --search iot
Name Hostname Labels Resource ID
------------------------------------ ----------- ------------ ------------------------------------------------------
b1168402-9340-421a-a344-af66a6675738 iot test=test /teleport.example.com/node/b1168402-9340-421a-a344-af66a6675738
To request access to these resources, run
> tsh request create --resource /teleport.example.com/node/b1168402-9340-421a-a344-af66a6675738 \
--reason <request reason>
Step 5/8. Request access to a resource
Copy the command output by tsh request search
in the previous step, optionally filling in a request reason.
$ tsh request create --resource /teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f \
--reason "responding to incident 123"
Creating request...
Request ID: f406f5d8-3c2a-428f-8547-a1d091a4ddab
Username: alice
Roles: access
Resources: ["/teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f"]
Reason: "responding to incident 123"
Reviewers: [none] (suggested)
Status: PENDING
hint: use 'tsh login --request-id=<request-id>' to login with an approved request
Waiting for request approval...
The command will automatically wait until the request is approved.
Step 6/8. Approve the Access Request
First, log in as bob
.
$ tsh login --proxy teleport.example.com --user bob
Then list, review, and approve the Access Request.
$ tsh request ls
ID User Roles Resources Created At (UTC) Status
------------------------------------ ----- ------ --------------------------- ------------------- -------
f406f5d8-3c2a-428f-8547-a1d091a4ddab alice access ["/teleport.example.... [+] 23 Jun 22 18:25 UTC PENDING
[+] Requested resources truncated, use `tsh request show <request-id>` to view the full list
hint: use 'tsh request show <request-id>' for additional details
use 'tsh login --request-id=<request-id>' to login with an approved request
$ tsh request show f406f5d8-3c2a-428f-8547-a1d091a4ddab
Request ID: f406f5d8-3c2a-428f-8547-a1d091a4ddab
Username: alice
Roles: access
Resources: ["/teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f"]
Reason: "responding to incident 123"
Reviewers: [none] (suggested)
Status: PENDING
hint: use 'tsh login --request-id=<request-id>' to login with an approved request
$ tsh request review --approve f406f5d8-3c2a-428f-8547-a1d091a4ddab
Successfully submitted review. Request state: APPROVED
Check out our Access Request Integrations to notify the right people about new Access Requests.
Step 7/8. Access the requested resource
alice
's tsh request create
command should resolve now that the request has been approved.
$ tsh request create --resource /teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f \
--reason "responding to incident 123"
Creating request...
Request ID: f406f5d8-3c2a-428f-8547-a1d091a4ddab
Username: alice
Roles: access
Resources: ["/teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f"]
Reason: "responding to incident 123"
Reviewers: [none] (suggested)
Status: PENDING
hint: use 'tsh login --request-id=<request-id>' to login with an approved request
Waiting for request approval...
Approval received, getting updated certificates...
> Profile URL: https://teleport.example.com
Logged in as: alice
Active requests: f406f5d8-3c2a-428f-8547-a1d091a4ddab
Cluster: teleport.example.com
Roles: access, requester
Logins: alice
Kubernetes: disabled
Allowed Resources: ["/teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f"]
Valid until: 2022-06-23 22:46:22 -0700 PDT [valid for 11h16m0s]
Extensions: permit-agent-forwarding, permit-port-forwarding, permit-pty
alice
can now view and access the node.
$ tsh ls
Node Name Address Labels
--------- --------- ---------
iot [::]:3022 test=test
$ tsh ssh alice@iot
iot:~ alice$
Step 8/8. Resume regular access
While logged in with a Resource Access Request, users will be blocked from access to any other resources.
This is necessary because their certificate now contains an elevated role,
so it is restricted to only allow access to the resources they were specifically approved for.
Use the tsh request drop
command to "drop" the request and resume regular access.
$ tsh request drop
Next Steps
Automatically request access for SSH
Once you have configured Resource Access Requests,
tsh ssh
is able to automatically create a Resource Access Request for you when access is denied,
allowing you to skip the tsh request search
and tsh request create
steps.
$ tsh ssh alice@iot
ERROR: access denied to alice connecting to iot on cluster teleport.example.com
You do not currently have access to alice@iot, attempting to request access.
Enter request reason: please
Creating request...
Request ID: ab43fc70-e893-471b-872e-ae65eb24fd76
Username: alice
Roles: access
Resources: ["/teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f"]
Reason: "please"
Reviewers: [none] (suggested)
Status: PENDING
hint: use 'tsh login --request-id=<request-id>' to login with an approved request
Waiting for request approval...
Approval received, reason="okay"
Getting updated certificates...
iot:~ alice$
Restrict the resources a user can request access to
In this guide, we showed you how to enable a user to search for resources to
request access to. To do so, we assigned the user a Teleport role with the
search_as_roles
field set to the preset access
role.
You can impose further restrictions on the resources a user is allowed to
search by assigning search_as_roles
to a more limited role. Below, we will
show you which permissions you must set to restrict a user's ability to search
for different resources.
To restrict access to a particular resource using a role similar to the ones
below, edit one of the user's roles so the search_as_roles
field includes the
role you have created.
For full details on how to use Teleport roles to configure RBAC, see the Teleport Access Controls Reference.
node
You can restrict access to searching node
resources by assigning values to the
node_labels
field in the spec.allow
or spec.deny
fields. The following
role allows access to SSH Service instances with the env:staging
label.
kind: role
version: v5
metadata:
name: staging-access
spec:
allow:
node_labels:
env: staging
logins:
- "{{internal.logins}}"
options:
# Only allows the requester to use this role for 1 hour from time of request.
max_session_ttl: 1h
kube_cluster
You can restrict access to searching kube_cluster
resources by assigning
values to the kubernetes_labels
field in the spec.allow
or spec.deny
fields.
The following role allows access to Kubernetes clusters with the env:staging
label:
kind: role
metadata:
name: kube-access
version: v6
spec:
allow:
kubernetes_labels:
'env': 'staging'
kubernetes_resources:
- kind: 'pod'
namespace: '*'
name: '*'
deny: {}
Kubernetes resources
You can restrict access to Kubernetes resources by assigning values to the
kubernetes_resources
field in the spec.allow
or spec.deny
fields.
The following role allows access to Kubernetes pods with the name nginx
in any
namespace, and all pods in the dev
namespace:
kind: role
metadata:
name: kube-access
version: v6
spec:
allow:
kubernetes_labels:
'*':'*'
kubernetes_resources:
- kind: pod
namespace: "*"
name: "nginx*"
- kind: pod
namespace: "dev"
name: "*"
kubernetes_groups:
- viewers
deny: {}
Preventing unintended access to Kubernetes resources
If you are setting up a Teleport role to enable just-in-time access to a
specific Kubernetes resources, you should set the role's kubernetes_groups
and
kubernetes_users
to a role that has no access to Kubernetes resource beside
the Kubernetes resources that Teleport is able to restrict access for.
This is because, if a user requests access to a Kubernetes pod, and the request
is approved, the Teleport Kubernetes Service will use the kubernetes_groups
and kubernetes_users
fields in the role to add impersonation headers to the user's
requests to a Kubernetes API server. Under these conditions, Teleport will be able
to restrict access to all Kubernetes resources kinds mentioned above except for
the desired pod
. Teleport is also able to restrict access to namespaced-scoped
custom resources but not cluster-scoped custom resources - CRDs resources that
are cluster-scoped will be accessible to the user if the principals in the
kubernetes_users
and kubernetes_groups
fields have access to them.
Requesting access to a Kubernetes Namespace allows you to access all resources in that namespace but you won't be able to access any other supported resources in the cluster.
db
You can restrict access to searching db
resources by assigning values to the
db_labels
field in the spec.allow
or spec.deny
fields.
The following role allows access to databases with the environment:dev
or
environment:stage
labels:
kind: role
version: v5
metadata:
name: developer
spec:
allow:
db_labels:
environment: ["dev", "stage"]
# Database account names this role can connect as.
db_users: ["viewer", "editor"]
db_names: ["*"]
app
You can restrict access to searching app
resources by assigning values to the
app_labels
field in the spec.allow
or spec.deny
fields.
The following role allows access to all applications except for those in
env:prod
:
kind: role
version: v5
metadata:
name: dev
spec:
allow:
app_labels:
"*": "*"
deny:
app_labels:
env: "prod"
windows_desktop
You can restrict access to searching windows_desktop
resources by assigning
values to the windows_desktop_labels
field in the spec.allow
or spec.deny
fields.
The following role allows access to all Windows desktops with the
environment:dev
or environment:stage
labels.
kind: role
version: v4
metadata:
name: developer
spec:
allow:
windows_desktop_labels:
environment: ["dev", "stage"]
windows_desktop_logins: ["{{internal.windows_logins}}"]
Request access to Kubernetes resources
Teleport users can request access to a Kubernetes resources by running the following command:
$ tsh request create resource-id
Namespace-scoped resources
For Kubernetes namespaced resources, the resource-id
is in the following format:
/TELEPORT_CLUSTER/NAMESPACED_KIND/KUBE_CLUSTER/NAMESPACE/RESOURCE_NAME
Teleport supports the following namespaced resources: pod
, secret
, configmap
,
service
, serviceaccount
, persistentvolumeclaim
, deployment
, replicaset
,
statefulset
, daemonset
, kube_role
, rolebinding
, cronjob
, job
,
ingress
.
For example, to request access to a pod called nginx-1
in the development
namespace, run the following command:
$ tsh request create --resources /teleport.example.com/pod/mycluster/development/nginx-1
For the NAMESPACE
and RESOURCE_NAME
values, you can match ranges of characters by
supplying a wildcard (*
) or regular expression. Regular expressions must begin
with ^
and end with $
.
For example, to create a request to access all pods in all namespaces that match
the regular expression /^nginx-[a-z0-9-]+$/
, run the following command:
$ tsh request create --resources /teleport.example.com/pod/mycluster/*/^nginx-[a-z0-9-]+$
Cluster-scoped resources
For Kubernetes cluster-scoped resources, the resource-id
is in the following format:
/TELEPORT_CLUSTER/CLUSTER_WIDE_KIND/KUBE_CLUSTER/RESOURCE_NAME
Teleport supports the following cluster-wide resources: namespace
, kube_node
,
clusterrole
, clusterrolebinding
, persistentvolume
, certificatesigningrequest
.
For example, to request access to a namespace called prod
, run the following command:
$ tsh request create --resources /teleport.example.com/namespace/mycluster/prod
For the RESOURCE_NAME
value, you can match ranges of characters by
supplying a wildcard (*
) or regular expression. Regular expressions must begin
with ^
and end with $
.
For example, to create a request to access all namespaces prefixed with dev
match
the regular expression /^dev-[a-z0-9-]+$/
, run the following command:
$ tsh request create --resources /teleport.example.com/namespace/mycluster/^dev-[a-z0-9-]+$
Search for Kubernetes resources
If a user has no access to a Kubernetes cluster, they can search the list of resources in the cluster by running the following command:
$ tsh request search --kind=<kind> --kube-cluster=kube-cluster \
[--kube-namespace=namespace|--all-kube-namespaces]
Name Namespace Labels Resource ID
----------------- --------- --------- ----------------------------------------------------------
nginx-deployment-0 default app=nginx /teleport.example.com/pod/local/default/nginx-deployment-0
nginx-deployment-1 default app=nginx /teleport.example.com/pod/local/default/nginx-deployment-1
To request access to these resources, run
> tsh request create --resource /teleport.example.com/pod/local/default/nginx-deployment-0 --resource /teleport.example.com/pod/local/default/nginx-deployment-1 \
--reason <request reason>
The list returned includes the name of the resource, the namespace it is in if
applicable, its labels, and the resource ID.
Resources included in the list are those that match the kubernetes_resources
field in the user's search_as_roles
. The user can then:
- Request access to the resources by running the command provided by the
tsh request search
command. - Edit the command to request access to a subset of the resources.
- Use a custom request with wildcards or regular expressions.
tsh request search --kind=<kind>
works even if the user has no permissions to interact
with the desired Kubernetes cluster, but the user's search_as_roles
values
must allow access to the cluster. If the user is unsure of the name of the cluster,
they can run the following command to search it:
$ tsh request search --kind=kube_cluster
Name Hostname Labels Resource ID
----- -------- ------ ----------------------------------------
local /teleport.example.com/kube_cluster/local
Integrating with an external tool
With Teleport's Access Request plugins, users can manage Access Requests from within your organization's existing messaging and project management solutions.
Integration | Type | Setup Instructions |
---|---|---|
Slack | Messaging | Set up Slack |
Mattermost | Messaging | Set up Mattermost |
Microsoft Teams | Messaging | Set up Microsoft Teams |
Jira | Project Board | Set up Jira |
PagerDuty | Schedule | Set up PagerDuty |
Messaging | Set up email | |
Discord | Messaging | Set up Discord |
OpsGenie | Incident Management | Set up OpsGenie |
ServiceNow | Workflow | Set up ServiceNow |
Next Steps
- Learn more about Access Lists