# Resource Access Requests With Teleport Resource Access Requests, users can request access to specific resources without needing to know anything about the roles or RBAC controls used under the hood. Unlike [Role Access Requests](https://goteleport.com/docs/identity-governance/access-requests/role-requests.md), where users request elevated roles directly, Resource Access Requests let users identify the individual resources they need, and Teleport determines which roles to grant in order to provide access. The Access Request API makes it easy to dynamically approve or deny these requests. Resource Access Requests can be created through the Teleport Web UI, Teleport Connect, or the `tsh` CLI. Just-in-time Access Requests are a feature of Teleport Enterprise. Teleport Community Edition users can get a preview of how Access Requests work by requesting a role via the Teleport CLI. Full Access Request functionality, including Resource Access Requests and an intuitive and searchable UI are available in Teleport Enterprise. ## Prerequisites - A running Teleport Enterprise cluster. If you want to get started with Teleport, [sign up](https://goteleport.com/signup) for a free trial or [set up a demo environment](https://goteleport.com/docs/get-started/deploy-community.md). - The `tctl` and `tsh` clients. Installing `tctl` and `tsh` clients 1. Determine the version of your Teleport cluster. The `tctl` and `tsh` clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at `/v1/webapi/find` and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service: ``` $ TELEPORT_DOMAIN=teleport.example.com:443 $ TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')" ``` 2. Follow the instructions for your platform to install `tctl` and `tsh` clients: **Mac** Download the signed macOS .pkg installer for Teleport, which includes the `tctl` and `tsh` clients: ``` $ curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg ``` In Finder double-click the `pkg` file to begin installation. --- DANGER Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security. --- **Windows - Powershell** ``` $ curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip Unzip the archive and move the `tctl` and `tsh` clients to your %PATH% NOTE: Do not place the `tctl` and `tsh` clients in the System32 directory, as this can cause issues when using WinSCP. Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\) instead. ``` **Linux** All of the Teleport binaries in Linux installations include the `tctl` and `tsh` clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our [installation page](https://goteleport.com/docs/installation.md). ``` $ curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz $ tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz $ cd teleport $ sudo ./install Teleport binaries have been copied to /usr/local/bin ``` * To check that you can connect to your Teleport cluster, sign in with `tsh login`, then verify that you can run `tctl` commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and email\@example.com to your Teleport username: ``` $ tsh login --proxy=teleport.example.com --user=email@example.com $ tctl status Cluster teleport.example.com Version 19.0.0-dev CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678 ``` If you can connect to the cluster and run the `tctl status` command, you can use your current credentials to run subsequent `tctl` commands from your workstation. If you host your own Teleport cluster, you can also run `tctl` commands on the computer that hosts the Teleport Auth Service for full permissions. ## Resource Constraints Resource Access Requests can optionally include **Resource Constraints**, which narrow which principals — such as AWS Role ARNs, SSH logins, or database users — a user can assume on a resource when using an approved Access Request. The requester selects the specific principals they need when they create a request using the Web UI or Teleport Connect, and these constraints are encoded in the resulting short-lived certificates and enforced at authorization time, independent of any subsequent role changes. Resource Constraints are distinct from the role-based restrictions described in [Restricting the resources a user can request access to](#restricting-the-resources-a-user-can-request-access-to) below. Those controls govern *which resources* are searchable and requestable. Resource Constraints govern which principals the user is authorized to use on a specific resource once the request is approved. For example, consider a role `aws-full-access` that grants access to an AWS Console application with multiple ARNs: ``` kind: role version: v7 metadata: name: aws-full-access spec: allow: app_labels: env: production aws_role_arns: - 'arn:aws:iam::123456789012:role/ReadOnly' - 'arn:aws:iam::123456789012:role/Admin' ``` Without Resource Constraints, a user who requests and is approved for access to an AWS Console application via this role receives both ARNs. With Resource Constraints, the user can select only `ReadOnly` at request creation, and the approved certificate is scoped to that single ARN. Resource Constraints are currently supported for AWS Console application resources. Support for additional resource types (SSH, Windows Desktop, database, Kubernetes, and others) is planned. ### Availability Constrained resource requests can only be created through the Teleport Web UI and Teleport Connect. The Teleport CLI (`tsh`) supports reviewing and assuming these requests, but not yet creating them. All Teleport components in the request path (Auth Service, Proxy Service, and relevant application servers) must support Resource Constraints. In mixed-version clusters, components that do not recognize constraints will prevent the creation of constrained resource requests and deny any access to constrained resources on existing Resource Access Requests. ## Step 1/6. Grant roles to users The built-in `requester` and `reviewer` roles have permissions to, respectively, open and review Access Requests. Grant the `requester` and `reviewer` roles to existing users, or create new users to test this feature. Make sure the requester has a valid `login` so that they can view and access SSH nodes. For the rest of the guide we will assume that the `requester` role has been granted to a user named `alice` and the `reviewer` role has been granted to a user named `bob`. 1. Assign the `requester` role to a user named `alice`: Assign the `requester` role to `alice` by running the appropriate commands for your authentication provider: **Local User** 1. Retrieve your local user's roles as a comma-separated list: ``` $ ROLES=$(tsh status -f json | jq -r '.active.roles | join(",")') ``` 2. Edit your local user to add the new role: ``` $ tctl users update $(tsh status -f json | jq -r '.active.username') \ --set-roles "${ROLES?},requester" ``` 3. Sign out of the Teleport cluster and sign in again to assume the new role. **GitHub** 1. Open your `github` authentication connector in a text editor: ``` $ tctl edit github/github ``` 2. Edit the `github` connector, adding `requester` to the `teams_to_roles` section. The team you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the team must include your user account and should be the smallest team possible within your organization. Here is an example: ``` teams_to_roles: - organization: octocats team: admins roles: - access + - requester ``` 3. Apply your changes by saving and closing the file in your editor. 4. Sign out of the Teleport cluster and sign in again to assume the new role. **SAML** 1. Retrieve your `saml` configuration resource: ``` $ tctl get --with-secrets saml/mysaml > saml.yaml ``` Note that the `--with-secrets` flag adds the value of `spec.signing_key_pair.private_key` to the `saml.yaml` file. Because this key contains a sensitive value, you should remove the saml.yaml file immediately after updating the resource. 2. Edit `saml.yaml`, adding `requester` to the `attributes_to_roles` section. The attribute you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization. Here is an example: ``` attributes_to_roles: - name: "groups" value: "my-group" roles: - access + - requester ``` 3. Apply your changes: ``` $ tctl create -f saml.yaml ``` 4. Sign out of the Teleport cluster and sign in again to assume the new role. **OIDC** 1. Retrieve your `oidc` configuration resource: ``` $ tctl get oidc/myoidc --with-secrets > oidc.yaml ``` Note that the `--with-secrets` flag adds the value of `spec.signing_key_pair.private_key` to the `oidc.yaml` file. Because this key contains a sensitive value, you should remove the oidc.yaml file immediately after updating the resource. 2. Edit `oidc.yaml`, adding `requester` to the `claims_to_roles` section. The claim you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization. Here is an example: ``` claims_to_roles: - name: "groups" value: "my-group" roles: - access + - requester ``` 3. Apply your changes: ``` $ tctl create -f oidc.yaml ``` 4. Sign out of the Teleport cluster and sign in again to assume the new role. 2. Repeat these steps to assign the `reviewer` role to a user named `bob`. --- TIP Consider defining custom roles to limit the scope of a requester or reviewer's permissions. Read the [Access Request Configuration](https://goteleport.com/docs/identity-governance/access-requests/access-request-configuration.md) guide for available options. --- ## Step 2/6. Search for resources First, log in as `alice`. ``` $ tsh login --proxy teleport.example.com --user alice ``` Notice that `tsh ls` returns an empty list, because `alice` does not have access to any resources by default. ``` $ tsh ls Node Name Address Labels --------- ------- ------ ``` Then try searching for all available ssh nodes. ``` $ tsh request search --kind node Name Hostname Labels Resource ID ------------------------------------ ----------- ------------ ------------------------------------------------------ b1168402-9340-421a-a344-af66a6675738 iot test=test /teleport.example.com/node/b1168402-9340-421a-a344-af66a6675738 bbb56211-7b54-4f9e-bee9-b68ea156be5f node test=test /teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f To request access to these resources, run > tsh request create --resource /teleport.example.com/node/b1168402-9340-421a-a344-af66a6675738 --resource /teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f \ --reason ``` You can search for resources of kind `node`, `kube_cluster`, `db`, `app`, and `windows_desktop`. Teleport also supports searching and requesting access to resources within Kubernetes clusters with kind `kube_resource`. Advanced filters and queries are supported. See our [filtering reference](https://goteleport.com/docs/reference/cli.md) for more information. Try narrowing your search to a specific resource you want to access. ``` $ tsh request search --kind node --search iot Name Hostname Labels Resource ID ------------------------------------ ----------- ------------ ------------------------------------------------------ b1168402-9340-421a-a344-af66a6675738 iot test=test /teleport.example.com/node/b1168402-9340-421a-a344-af66a6675738 To request access to these resources, run > tsh request create --resource /teleport.example.com/node/b1168402-9340-421a-a344-af66a6675738 \ --reason ``` ## Step 3/6. Request access to a resource Copy the command output by `tsh request search` in the previous step, optionally filling in a request reason. ``` $ tsh request create --resource /teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f \ --reason "responding to incident 123" Creating request... Request ID: f406f5d8-3c2a-428f-8547-a1d091a4ddab Username: alice Roles: access Resources: ["/teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f"] Reason: "responding to incident 123" Reviewers: [none] (suggested) Status: PENDING hint: use 'tsh login --request-id=' to login with an approved request Waiting for request approval... ``` The command will automatically wait until the request is approved. ## Step 4/6. Approve the Access Request First, log in as `bob`. ``` $ tsh login --proxy teleport.example.com --user bob ``` Then list, review, and approve the Access Request. ``` $ tsh request ls ID User Roles Resources Created At (UTC) Status ------------------------------------ ----- ------ --------------------------- ------------------- ------- f406f5d8-3c2a-428f-8547-a1d091a4ddab alice access ["/teleport.example.... [+] 23 Jun 22 18:25 UTC PENDING [+] Requested resources truncated, use `tsh request show ` to view the full list hint: use 'tsh request show ' for additional details use 'tsh login --request-id=' to login with an approved request $ tsh request show f406f5d8-3c2a-428f-8547-a1d091a4ddab Request ID: f406f5d8-3c2a-428f-8547-a1d091a4ddab Username: alice Roles: access Resources: ["/teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f"] Reason: "responding to incident 123" Reviewers: [none] (suggested) Status: PENDING hint: use 'tsh login --request-id=' to login with an approved request $ tsh request review --approve f406f5d8-3c2a-428f-8547-a1d091a4ddab Successfully submitted review. Request state: APPROVED ``` --- TIP Check out our [Access Request integrations](https://goteleport.com/docs/identity-governance/access-requests/plugins.md) to notify the right people about new Access Requests. --- ## Step 5/6. Access the requested resource `alice`'s `tsh request create` command should resolve now that the request has been approved. ``` $ tsh request create --resource /teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f \ --reason "responding to incident 123" Creating request... Request ID: f406f5d8-3c2a-428f-8547-a1d091a4ddab Username: alice Roles: access Resources: ["/teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f"] Reason: "responding to incident 123" Reviewers: [none] (suggested) Status: PENDING hint: use 'tsh login --request-id=' to login with an approved request Waiting for request approval... Approval received, getting updated certificates... > Profile URL: https://teleport.example.com Logged in as: alice Active requests: f406f5d8-3c2a-428f-8547-a1d091a4ddab Cluster: teleport.example.com Roles: access, requester Logins: alice Kubernetes: disabled Allowed Resources: ["/teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f"] Valid until: 2022-06-23 22:46:22 -0700 PDT [valid for 11h16m0s] Extensions: permit-agent-forwarding, permit-port-forwarding, permit-pty ``` `alice` can now view and access the node. ``` $ tsh ls Node Name Address Labels --------- --------- --------- iot [::]:3022 test=test $ tsh ssh alice@iot iot:~ alice$ ``` ## Step 6/6. Resume regular access While logged in with a Resource Access Request, users will be blocked from access to any other resources. This is necessary because their certificate now contains an elevated role, so it is restricted to only allow access to the resources they were specifically approved for. Use the `tsh request drop` command to "drop" the request and resume regular access. ``` $ tsh request drop ``` Once you have configured Resource Access Requests, `tsh ssh` is able to automatically create a Resource Access Request for you when access is denied, allowing you to skip the `tsh request search` and `tsh request create` steps. ``` $ tsh ssh alice@iot ERROR: access denied to alice connecting to iot on cluster teleport.example.com You do not currently have access to alice@iot, attempting to request access. Enter request reason: please Creating request... Request ID: ab43fc70-e893-471b-872e-ae65eb24fd76 Username: alice Roles: access Resources: ["/teleport.example.com/node/bbb56211-7b54-4f9e-bee9-b68ea156be5f"] Reason: "please" Reviewers: [none] (suggested) Status: PENDING hint: use 'tsh login --request-id=' to login with an approved request Waiting for request approval... Approval received, reason="okay" Getting updated certificates... iot:~ alice$ ``` ## Restricting the resources a user can request access to In this guide, we showed you how to enable a user to search for resources to request access to. To do so, we assigned the user a Teleport role with the `search_as_roles` field set to the preset `access` role. You can impose further restrictions on the resources a user is allowed to search by assigning `search_as_roles` to a more limited role. Below, we will show you which permissions you must set to restrict a user's ability to search for different resources. To restrict access to a particular resource using a role similar to the ones below, edit one of the user's roles so the `search_as_roles` field includes the role you have created. For full details on how to use Teleport roles to configure RBAC, see the [Access Controls Reference](https://goteleport.com/docs/reference/access-controls/roles.md). ### `node` You can restrict access to searching `node` resources by assigning values to the `node_labels` field in the `spec.allow` or `spec.deny` fields. The following role allows access to SSH Service instances with the `env:staging` label. ``` kind: role version: v5 metadata: name: staging-access spec: allow: node_labels: env: staging logins: - '{{internal.logins}}' options: # Only allows the requester to use this role for 1 hour from time of request. max_session_ttl: 1h ``` ### `kube_cluster` You can restrict access to searching `kube_cluster` resources by assigning values to the `kubernetes_labels` field in the `spec.allow` or `spec.deny` fields. The following role allows access to Kubernetes clusters with the `env:staging` label: ``` kind: role metadata: name: kube-access version: v8 spec: allow: kubernetes_labels: env: staging kubernetes_resources: - kind: '*' namespace: '*' name: '*' api_group: '*' deny: {} ``` ### Kubernetes resources You can restrict access to Kubernetes resources by assigning values to the `kubernetes_resources` field in the `spec.allow` or `spec.deny` fields. The following role allows access to Kubernetes pods with the name `nginx` in any namespace, and all pods in the `dev` namespace: ``` kind: role metadata: name: kube-access version: v8 spec: allow: kubernetes_labels: '*': '*' kubernetes_resources: - kind: pods namespace: '*' name: 'nginx*' api_group: '' - kind: pods namespace: dev name: '*' api_group: '' kubernetes_groups: - viewers deny: {} ``` The `request.kubernetes_resources` field allows you to restrict what kinds of Kubernetes resources a user can request access to. Configuring this field to any value will disallow requesting access to the entire Kubernetes cluster. If the `request.kubernetes_resources` field is not configured, then a user can request access to any Kubernetes resources, including the entire Kubernetes cluster. The following role allows users to request access to Kubernetes namespaces. Requests for Kubernetes resources other than `pods` will not be allowed. ``` kind: role metadata: name: requester-kube-access version: v8 spec: allow: request: search_as_roles: - kube-access kubernetes_resources: - kind: pods api_group: '' ``` The following role allows users to request access only to Kubernetes deployments and/or pods. ``` kind: role metadata: name: requester-kube-access version: v8 spec: allow: request: search_as_roles: - kube-access kubernetes_resources: - kind: deployments api_group: apps - kind: pods api_group: '' ``` The following role allows users to request access to any specific Kubernetes resources. ``` kind: role metadata: name: requester-kube-access version: v8 spec: allow: request: search_as_roles: - kube-access kubernetes_resources: - kind: '*' api_group: '*' ``` The `request.kubernetes_resources` field only restricts what `kind` / `api_group` of Kubernetes resource requests are allowed. To control Kubernetes access to these resources see [Kubernetes Resources](https://goteleport.com/docs/enroll-resources/kubernetes-access/controls.md) section for more details. ### `db` You can restrict access to searching `db` resources by assigning values to the `db_labels` field in the `spec.allow` or `spec.deny` fields. The following role allows access to databases with the `env:dev` or `env:staging` labels: ``` kind: role version: v5 metadata: name: developer spec: allow: db_labels: env: ["dev", "staging"] # Database account names this role can connect as. db_users: ["viewer", "editor"] db_names: ["*"] ``` ### `app` You can restrict access to searching `app` resources by assigning values to the `app_labels` field in the `spec.allow` or `spec.deny` fields. The following role allows access to all applications except for those in `env:prod`: ``` kind: role version: v5 metadata: name: dev spec: allow: app_labels: "*": "*" deny: app_labels: env: "prod" ``` ### `windows_desktop` You can restrict access to searching `windows_desktop` resources by assigning values to the `windows_desktop_labels` field in the `spec.allow` or `spec.deny` fields. The following role allows access to all Windows desktops with the `env:dev` or `env:staging` labels. ``` kind: role version: v4 metadata: name: developer spec: allow: windows_desktop_labels: env: ["dev", "staging"] windows_desktop_logins: ["{{internal.windows_logins}}"] ``` ## Next steps - Read about all of the ways you can configure Access Requests in the [Access Request Configuration Guide](https://goteleport.com/docs/identity-governance/access-requests/access-request-configuration.md). For example, you can configure the `search_as_roles` fields in a user's role to restrict the resources the user has access to list in order to request access. - With Teleport's Access Request plugins, users can manage Access Requests from within your organization's existing messaging and project management solutions. Read the documentation on [Access Request plugins](https://goteleport.com/docs/identity-governance/access-requests/plugins.md). - For more information about creating and managing Access Requests as an end user, read [Request Access to Roles and Resources](https://goteleport.com/docs/connect-your-client/teleport-clients/request-access.md). - Learn about [Access Lists](https://goteleport.com/docs/identity-governance/access-lists.md), which allow you to assign elevated privileges to a list of Teleport users for a limited time.