Teleport Approval Workflows
Approving Workflow using an External Integration
- Integrating Teleport with Slack
- Integrating Teleport with Mattermost
- Integrating Teleport with Jira Cloud
- Integrating Teleport with Jira Server
- Integrating Teleport with PagerDuty
Approval Workflows Setup
Teleport 4.2 introduced the ability for users to request additional roles. The workflow API makes it easy to dynamically approve or deny these requests.
Contractor Role This role allows the contractor to request the role DBA.
kind: role metadata: name: contractor spec: options: # ... allow: request: roles: ['dba'] # ... deny: # ...
DBA Role This role allows the contractor to request the role DBA.
kind: role metadata: name: dba spec: options: # ... # Only allows the contractor to use this role for 1 hour from time of request. max_session_ttl: 1h allow: # ... deny: # ...
Admin Role This role allows the admin to approve the contractor's request.
kind: role metadata: name: admin spec: options: # ... allow: # ... deny: # ... # list of allow-rules, see # https://gravitational.com/teleport/docs/enterprise/ssh-rbac/ rules: # Access Request is part of Approval Workflows introduced in 4.2 # `access_request` should only be given to Teleport Admins. - resources: [access_request] verbs: [list, read, update, delete]
$ tsh login teleport-cluster --request-roles=dba Seeking request approval... (id: bc8ca931-fec9-4b15-9a6f-20c13c5641a9)
As a Teleport Administrator:
$ tctl request ls Token Requestor Metadata Created At (UTC) Status ------------------------------------ --------- -------------- ------------------- ------- bc8ca931-fec9-4b15-9a6f-20c13c5641a9 alice roles=dba 07 Nov 19 19:38 UTC PENDING
$ tctl request approve bc8ca931-fec9-4b15-9a6f-20c13c5641a9
tsh will automatically manage a certificate re-issued with
the newly requested roles applied. In this case
contractor will now have have
the permission of the
Granting a role with administrative abilities could allow a user to permanently upgrade their privileges (e.g. if contractor was granted admin for some reason). We recommend only escalating to the next role of least privilege vs jumping directly to "Super Admin" role.
deny.request block can help mitigate the risk of doing this by accident. See
# Example role that explicitly denies a contractor from requesting the admin # role. kind: role metadata: name: contractor spec: options: # ... allow: # ... deny: request: roles: ['admin']
Other features of Approval Workflows.
- Users can request multiple roles at one time. e.g
- Approved requests have no effect on Teleport's behavior outside of allowing additional roles on re-issue. This has the nice effect of making requests "compatible" with older versions of Teleport, since only the issuing Auth Server needs any particular knowledge of the feature.
Integrating with an External Tool
|Jira Server||Project Board||Setup Jira Server|
|Jira Cloud||Project Board||Setup Jira Cloud|