Teleport Approval Workflows

Approving Workflow using an External Integration

Approval Workflows Setup

Teleport 4.2 introduced the ability for users to request additional roles. The workflow API makes it easy to dynamically approve or deny these requests.

Setup

Contractor Role

This role allows the contractor to request the role DBA.

kind: role
metadata:
  name: contractor
spec:
  options:
    # ...
  allow:
    request:
      roles: ['dba']
    # ...
  deny:
    # ...

DBA Role

This is the role the contractor requests; its max_session_ttl limits how long the elevated session lasts.

kind: role
metadata:
  name: dba
spec:
  options:
    # ...
    # Only allows the contractor to use this role for 1 hour from time of request.
    max_session_ttl: 1h
  allow:
    # ...
  deny:
    # ...

Admin Role

This role allows the admin to approve the contractor's request.

kind: role
metadata:
  name: admin
spec:
  options:
    # ...
  allow:
    # ...
    # list of allow-rules, see
    # https://gravitational.com/teleport/docs/enterprise/ssh-rbac/
    rules:
      # Access Request is part of Approval Workflows introduced in 4.2
      # `access_request` should only be given to Teleport Admins.
      - resources: [access_request]
        verbs: [list, read, update, delete]
  deny:
    # ...

$ tsh login teleport-cluster --request-roles=dba
Seeking request approval... (id: bc8ca931-fec9-4b15-9a6f-20c13c5641a9)

As a Teleport Administrator:

$ tctl request ls
Token                                Requestor Metadata       Created At (UTC)    Status
------------------------------------ --------- -------------- ------------------- -------
bc8ca931-fec9-4b15-9a6f-20c13c5641a9 alice     roles=dba      07 Nov 19 19:38 UTC PENDING
$ tctl request approve bc8ca931-fec9-4b15-9a6f-20c13c5641a9

Assuming approval, tsh will automatically manage a certificate re-issued with the newly requested roles applied. In this case the contractor will now have the permissions of the dba role.

Warning

Granting a role with administrative abilities could allow a user to permanently upgrade their privileges (e.g. if contractor were granted admin for some reason). We recommend only escalating to the next role of least privilege rather than jumping directly to a "Super Admin" role.

The deny.request block can help mitigate the risk of doing this by accident. See the example below.

# Example role that explicitly denies a contractor from requesting the admin
# role.
kind: role
metadata:
  name: contractor
spec:
  options:
    # ...
  allow:
    # ...
  deny:
    request:
      roles: ['admin']
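The following is an added example, not Teleport's own code, that audits the role definitions from this page for the escalation risk described in the warning. It works on the parsed form of the role YAML (Python dicts constructed here to mirror the contractor, dba and admin roles above; in practice they would come from yaml.safe_load of the role files). It computes which roles each role may request (allow.request.roles minus deny.request.roles, since deny takes precedence) and flags any requestable role that can itself update access_request resources or that lacks a max_session_ttl. The function names and the finding strings are this example's own choices.

```python
"""Least-privilege audit for Teleport access-request roles (added example)."""

# Constructed: parsed form of the contractor, dba and admin roles on this page.
ROLES = {
    "contractor": {
        "allow": {"request": {"roles": ["dba"]}},
        "deny": {"request": {"roles": ["admin"]}},
    },
    "dba": {
        "options": {"max_session_ttl": "1h"},
        "allow": {},
        "deny": {},
    },
    "admin": {
        "allow": {
            "rules": [
                {
                    "resources": ["access_request"],
                    "verbs": ["list", "read", "update", "delete"],
                }
            ]
        },
        "deny": {},
    },
}


def requestable_roles(roles, name):
    """Roles that `name` may request: allow.request.roles minus deny.request.roles."""
    spec = roles[name]
    allowed = spec.get("allow", {}).get("request", {}).get("roles", [])
    denied = spec.get("deny", {}).get("request", {}).get("roles", [])
    return [r for r in allowed if r not in denied]


def can_manage_requests(roles, name):
    """True if the role has an allow rule granting `update` on access_request,
    i.e. a holder of this role could approve access requests."""
    for rule in roles[name].get("allow", {}).get("rules", []):
        if "access_request" in rule.get("resources", []) and "update" in rule.get("verbs", []):
            return True
    return False


def audit_request_grants(roles):
    """Return (requester, target, finding) tuples that a reviewer should look at."""
    findings = []
    for name in roles:
        for target in requestable_roles(roles, name):
            if target not in roles:
                findings.append((name, target, "requestable role does not exist"))
                continue
            # A requestable role that can approve requests is the escalation
            # path the warning above describes.
            if can_manage_requests(roles, target):
                findings.append((name, target, "target can approve access requests"))
            # Elevated access should expire; the dba role sets max_session_ttl: 1h.
            if "max_session_ttl" not in roles[target].get("options", {}):
                findings.append((name, target, "target has no max_session_ttl"))
    return findings


if __name__ == "__main__":
    for requester, target, finding in audit_request_grants(ROLES):
        print(f"{requester} -> {target}: {finding}")
```

With the page's roles as given, the audit returns no findings: the contractor can request only dba, which has a 1h TTL and no access_request rules. Dropping the deny block and adding admin to allow.request.roles produces two findings for the contractor-to-admin grant, which is exactly the case the deny.request example is meant to prevent.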

Other features of Approval Workflows.

Integrating with an External Tool

Integration   Feature Type    Setup Instructions
-----------   -------------   ------------------
Slack         Chatbot         Setup Slack
Mattermost    Chatbot         Setup Mattermost
Jira Server   Project Board   Setup Jira Server
Jira Cloud    Project Board   Setup Jira Cloud
PagerDuty     Schedule        Setup PagerDuty
