Tailscale
Learn how to connect Opal to Tailscale to manage SSH access within your tailnet.
With the Tailscale integration, you can granularly manage SSH access within your tailnet:
- Allow users to request just-in-time access to resources on your tailnet from the web and Slack
- Set the right resource owners to delegate approvals to those with the most context
- Configure day-one access to Tailscale resources with groups from your identity provider
- Automatically escalate and revoke privileged resource access based on on-call schedules, e.g., PagerDuty or Opsgenie
Supported resources
Resource | Read | Grant and revoke access | Available in Risk Center |
---|---|---|---|
Tailscale Groups | ✔️ | ✔️ | ✔️ |
Tailscale SSH | ✔️ | ✔️ | ✔️ |
Requirements
Before you begin this guide, you’ll need a tailnet and an Opal account. To learn how to create a tailnet, see the Tailscale quickstart.
Configuration steps
To use Opal with Tailscale:
- Generate a Tailscale API key from the keys page of the admin console. Note that Tailscale API keys expire after 90 days.
- In Opal, go to Inventory, click on the + App icon, and select Tailscale. Set the following fields.
Field | Value | Example(s) |
---|---|---|
App admin | The team that should manage the Tailscale app in Opal. | API Owners |
Description | Let your end users know what they're requesting access to. | SSH access to the production network |
Tailnet name | Your tailnet's domain name. Find this by opening the admin console and copying the name next to the Tailscale logo in the upper left. | example.com , [email protected] , example.github |
Tailscale API key | The API key you generated in Step 1. |
- Import Tailscale resources to Opal by selecting ... > Import items.

For each ACL tag that is selected, Opal automatically parses the existing access rules and SSH access rules that apply to that tag, and which groups have access to the tagged sources using those rules.
Now a user can request access or SSH access to a specific tag in Tailscale or to join a specific group.

Updated 9 days ago
What’s Next