# Teleport

## Overview

Opal natively supports an integration with Teleport. This integration enables organizations to manage access to roles within Teleport.

Use cases:

- Give specific roles via birthright access
- Grant just-in-time, short-lived access to roles
- Audit who has access to specific roles and why
- Review roles in user access reviews
## Setup

In Teleport, you will need to set up a service account for Opal to perform operations.

1. Create an `opal-service` role. In the Teleport Dashboard, navigate to Team -> Roles and Create New Role. Use the following YAML:

```yaml
kind: role
metadata:
  name: opal-service
spec:
  allow:
    db_labels:
      "*": "*"
    app_labels:
      "*": "*"
    rules:
      - resources:
          - role
          - user
        verbs: ["list", "create", "read", "update", "delete"]
  options:
    max_session_ttl: 8760h
version: v5
```

   The `opal-service` role will be used by Opal to make changes to your system. Note that we use a max session TTL of 8760 hours (1 year). The credentials you will generate in a subsequent step will be bound by this TTL, and you will need to reissue the credentials at this interval. You may want to set this value higher to avoid needing to reissue the credentials.

2. Next, create an `opal-impersonator` role on the same page. Use the following YAML:

```yaml
kind: role
version: v5
metadata:
  name: opal-impersonator
spec:
  # SSH options used for user sessions
  options:
    # max_session_ttl defines the TTL (time to live) of SSH certificates
    # issued to the users with this role.
    max_session_ttl: 10h
  # The allow section declares a list of resource/verb combinations that are
  # allowed for the users of this role. By default, nothing is allowed.
  allow:
    impersonate:
      users: ["opal-service"]
      roles: ["opal-service"]
  # The deny section uses the identical format as the 'allow' section.
  # Deny rules always override allow rules.
  deny:
    node_labels:
      "*": "*"
```

   This role will allow you to sign a credential on behalf of the `opal-service` service user.

3. Attach this role to yourself in the Teleport dashboard by finding your user, going to Options -> Edit, and adding `opal-impersonator` to your User Roles.

4. Create the `opal-service` service user. Go to Team -> Users -> Create New User. Use `opal-service` as the name and add the `opal-service` role.

5. In your terminal, use `tsh login` to log in to your account (not the Opal service account). If you were already logged in, you must `tsh logout` and log in again to pick up the new `opal-impersonator` role.

```shell
tsh login --proxy=myorg.teleport.sh [email protected]
```

6. Sign a new credential for the `opal-service` service account:

```shell
tctl auth sign --user=opal-service --out=opal-service.pem --ttl=8760h
```

   Note that this step is possible because we attached the `opal-impersonator` role to our Teleport user. The TTL in this step should match the value you configured in step 1.

7. In the Opal dashboard, navigate to Catalog, click on the + App icon, and select the Teleport App. Fill out the details for the integration, using the contents of `opal-service.pem` generated in the previous step as the Opal service account credentials file.
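The two roles above and the signing TTL in step 6 are easy to let drift apart over time (a widened rule, an extra impersonation target, a lost deny). The following audit script is an added example, not part of Opal's or Teleport's own tooling: it takes the JSON form of the roles (assumed to be the array shape emitted by `tctl get roles --format=json`), embedded here as a constructed sample copied from this page's YAML, and reports any deviation from the setup described above.

```python
import json
import re

# Constructed sample input: the two roles from this page, in the shape that
# `tctl get roles --format=json` is assumed to emit (a JSON array of role objects).
SAMPLE_ROLES_JSON = json.dumps([
    {"kind": "role", "version": "v5", "metadata": {"name": "opal-service"},
     "spec": {"allow": {"db_labels": {"*": "*"}, "app_labels": {"*": "*"},
                        "rules": [{"resources": ["role", "user"],
                                   "verbs": ["list", "create", "read", "update", "delete"]}]},
              "options": {"max_session_ttl": "8760h0m0s"}}},
    {"kind": "role", "version": "v5", "metadata": {"name": "opal-impersonator"},
     "spec": {"options": {"max_session_ttl": "10h0m0s"},
              "allow": {"impersonate": {"users": ["opal-service"], "roles": ["opal-service"]}},
              "deny": {"node_labels": {"*": "*"}}}},
])

def parse_ttl_hours(ttl):
    """Convert a Go-style duration ('8760h', '10h0m0s') to hours as a float."""
    parts = re.findall(r"(\d+(?:\.\d+)?)([hms])", ttl)
    if not parts or "".join(n + u for n, u in parts) != ttl:
        raise ValueError(f"unrecognised duration: {ttl!r}")
    return sum(float(n) * {"h": 1.0, "m": 1 / 60, "s": 1 / 3600}[u] for n, u in parts)

def audit_roles(roles_json, signing_ttl="8760h"):
    """Return a list of findings; an empty list means the roles match this page's setup."""
    roles = {r["metadata"]["name"]: r["spec"] for r in json.loads(roles_json)}
    svc, imp = roles.get("opal-service"), roles.get("opal-impersonator")
    if svc is None or imp is None:
        return ["expected both opal-service and opal-impersonator roles"]
    findings = []
    # The service role only needs rules on 'role' and 'user'; anything else is scope creep.
    for rule in svc.get("allow", {}).get("rules", []):
        extra = set(rule.get("resources", [])) - {"role", "user"}
        if extra:
            findings.append(f"opal-service rule grants unexpected resources: {sorted(extra)}")
    # The page says the tctl signing TTL should match the role's max_session_ttl.
    role_ttl = parse_ttl_hours(svc.get("options", {}).get("max_session_ttl", "0h"))
    if parse_ttl_hours(signing_ttl) != role_ttl:
        findings.append(f"signing TTL {signing_ttl} does not match max_session_ttl of {role_ttl:g}h")
    # The impersonator role should be able to act only as the opal-service user/role ...
    imp_allow = imp.get("allow", {}).get("impersonate", {})
    for key in ("users", "roles"):
        extra = set(imp_allow.get(key, [])) - {"opal-service"}
        if extra:
            findings.append(f"opal-impersonator may impersonate unexpected {key}: {sorted(extra)}")
    # ... and keep the deny on node access that the page's YAML carries.
    if imp.get("deny", {}).get("node_labels") != {"*": "*"}:
        findings.append("opal-impersonator lacks deny.node_labels '*': '*'")
    return findings
```

Run it against the live output of `tctl get roles --format=json` (the `tctl get` resource listing is assumed to match the sample's shape) on a schedule, and treat a non-empty result as a change to investigate.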
## Linking Teleport users to Opal users

Teleport does not expose user emails. Therefore, Opal is not able to associate Teleport users with Opal users by default. In order to use the integration, you need to import the mapping via a custom attribute from your IDP.

1. Make sure that users in your IDP have a field with their Teleport username.
2. In Opal, make sure that you have connected your IDP (see docs).
3. In Opal, go to Settings and, under IDP & HR Integrations, click on the Importing X custom user attributes link on your IDP tile.
4. Enter the attribute name from your IDP that has the Teleport username, select Teleport username as the Use as value from the dropdown, and click Add attribute.
5. The mappings from Opal user to Teleport username will now be imported from your IDP, and you should be ready to start using the integration.