Skip to main content
Opal natively supports an integration with Teleport. This integration enables organizations to manage access to groups in Teleport. With Opal’s Teleport integration, you can:
  • Give specific roles via birthright access
  • Grant just-in-time short-lived access to roles
  • Audit who has access specific roles and why
  • Review roles in user access reviews

Supported resources

ResourceReadGrant and revoke accessAvailable in Risk Center
Teleport Roles✔️✔️✔️

Configuration steps

In Teleport, you will need to set up a service account for Opal to perform operations.
  1. Create an opal-service role.
In the Teleport Dashboard, go to Team > Roles, then Create New Role. Use the following YAML: 
kind: role
metadata:
  name: opal-service
spec:
  allow:
    db_labels:
      "*": "*"
    app_labels:
      "*": "*"
    rules:
      - resources:
          - role
          - user
        verbs: ["list", "create", "read", "update", "delete"]
  options:
    max_session_ttl: 8760h
version: v5
The opal-service role is used by Opal to make changes to your system. Note that we use a max session TTL of 8760 hours (1 year). The credentials you generate in a subsequent step will be bound by this TTL, and you will need to reissue the credentials at this interval. You may want to set this value higher to avoid needing to reissue the credentials.
  1. Next, create an opal-impersonator role on the same page. Use the following YAML:
kind: role
version: v5
metadata:
  name: opal-impersonator
spec:
  # SSH options used for user sessions
  options:
    # max_session_ttl defines the TTL (time to live) of SSH certificates
    # issued to the users with this role.
    max_session_ttl: 10h

  # The allow section declares a list of resource/verb combinations that are
  # allowed for the users of this role. By default, nothing is allowed.
  allow:
    impersonate:
      users: ["opal-service"]
      roles: ["opal-service"]

  # The deny section uses the identical format as the 'allow' section.
  # Deny rules always override allow rules.
  deny:
    node_labels:
      "*": "*"
This role allows you to sign a credential on behalf of the opal-service service user.
  1. Attach this role to yourself in the Teleport dashboard by finding your user and going to Options > Edit, and adding opal-impersonator to your User Roles.
  2. Create the opal-service service user. Go to Team > Users > Create New User. Use opal-service as the name and add the opal-service role.
  3. In your terminal, use tsh login to log in to your account (not the opal-service account). If you were already logged in, you must tsh logout and log in again to pick up the new opal-impersonator role. 
tsh login --proxy=myorg.teleport.sh [email protected]
  1. Sign a new credential for the opal-service service account.
tctl auth sign --user=opal-service --out=opal-service.pem --ttl=8760h
Note that this step is possible because you attached the opal-impersonator role to your Teleport user. The TTL in this step should match the value you configured in step 1.
  1. In Opal, go to Inventory, click on the + App icon, and select the Teleport App. Fill out the details for the integration, using the contents of opal-service.pem generated in the previous step as the Opal service account credentials file.
Teleport does not expose user emails. Therefore, Opal is not able to associate Teleport users with Opal users by default. To use the integration, you need to import the mapping via a custom attribute from your IDP.
  1. Make sure that users in your IDP have a field with their Teleport username.
  2. In Opal, make sure that you have connected your IDP.
  3. In Opal, go to Settings > IDP & HR Integrations select the Importing X custom user attributes link on your IDP tile.
2372
  1. Enter the attribute name from your IDP that has the Teleport username, select Teleport username as the Use as value from the dropdown and click Add attribute.
2312
  1. The mappings from Opal user to Teleport username are now imported from your IDP and you can start using the integration.