Tailscale
Overview
With the Tailscale integration, you can granularly manage SSH access within your tailnet:
- Allow users to request just-in-time access to resources on your tailnet from the web and Slack
- Set the right resource owners to delegate approvals to those with the most context
- Configure day-one access to Tailscale resources with groups from your identity provider
- Automatically escalate and revoke privileged resource access based on on-call schedules, e.g., PagerDuty or Opsgenie
How to Set up the App
Before you begin this guide, you’ll need a tailnet and an Opal account.
For information about creating a tailnet, see the Tailscale quickstart.
To use Opal with Tailscale:
- Generate a Tailscale API key from the keys page of the admin console.
- In Opal, navigate to Catalog, click on the + App icon, and select the Tailscale App
- Set the App Admin to the team that should manage the Tailscale App in Opal.
- Enter a Description of how you use Tailscale, so colleagues know what they’re requesting access to. For example, “SSH access to the production network”.
- Set the Tailnet name to be your tailnet’s domain name. You can find the name of your tailnet by opening the admin console and copying the name next to the Tailscale logo in the upper left corner of the page, e.g.,
example.com
,[email protected]
, orexample.github
. - Set the Tailscale API key to the API key you generated.
- Determine which Tailscale ACL tags should be imported into Opal. This is done by the App Admin. For each ACL tag that is selected, Opal will automatically parse the existing access rules and SSH access rules that apply to that tag, and which groups have access to the tagged sources using those rules.
Now a user can request access or SSH access to a specific tag in Tailscale, or to join a specific group.
Updated 4 months ago
What’s Next