Teleport
This manual walks through creating a Teleport integration in Entitle.
Teleport is an open-source tool that provides zero-trust access to servers and cloud applications over SSH, Kubernetes and HTTPS.
Generate credentials file
You must have a user with the editor permission, and a max_session_time of at least 8760h.
Run the following commands in a shell, and use the output (the content of OUTPUT_FILE) as the 'identity' value of the integration configuration.
USERNAME=api-admin
AUTH_SERVER=ec2-3-84-24-67.compute-1.amazonaws.com:3080 # Or 3025
OUTPUT_FILE=entitle_teleport_cert.txt
TMP_FILE="tmp_$OUTPUT_FILE"
# Log in as the API user; enter the password when prompted.
# You might need to add the --insecure flag if the proxy certificate is not trusted on this machine.
tsh login --user="$USERNAME" --ttl=525600m --proxy="$AUTH_SERVER"
# Generate the identity file (8760h = one year, matching the user's max_session_time)
tctl auth sign --auth-server="$AUTH_SERVER" --format=file --user="$USERNAME" --out="$TMP_FILE" --ttl=8760h
# Flatten the file to a single line, turning each newline into a literal "\n" so it can be pasted as a JSON string.
# IFS= and -r keep whitespace and backslashes intact; the || clause keeps a last line that has no trailing newline.
while IFS= read -r line || [ -n "$line" ]; do printf '%s\\n' "$line"; done < "$TMP_FILE" > "$OUTPUT_FILE"
rm "$TMP_FILE"
cat "$OUTPUT_FILE"
# Copy the file content
Build the Entitle integration configuration
Teleport does not validate the labels or names a role refers to: a role can be configured to grant access based on any label or value you give it, whether or not that label exists or is relevant.
The integration therefore cannot discover the valid options by itself. When building it, you must decide which options users should be able to request, and list them under the role_options scope; only the values you list there become requestable.
identity is the Teleport credentials, i.e. the content of the identity credentials file generated above.
Example:
{
  "url": "xxxxxx",
  "identity": "xxxxxx",
  "role_options": {
    "AppLabels": ["applabel:one,two,three", "Apppp:a", "app:*"],
    "NodeLabels": ["nodelabel:one,two,three", "Nodeeee:a", "nodeeee:*"],
    "ClusterLabels": ["clusterlabel:one,two,three", "Clusterrrr:a", "clusterrrr:*"],
    "DatabaseLabels": ["databaselabel:one,two,three", "Databaseeee:a", "databaseeee:*"],
    "KubernetesLabels": ["kuberneteslabel:one,two,three", "Kubernetessss:a", "kubernetessss:*"],
    "WindowsDesktopLabels": ["windowsdesktoplabel:one,two,three", "WindowsDesktopppp:a", "windowsdesktopppp:*"],
    "Logins": ["L_USER", "logins"],
    "KubeUsers": ["K_USER", "kubeusers"],
    "Namespaces": ["N_USER", "namespaces"],
    "HostGroups": ["H_USER", "hostgroups"],
    "KubeGroups": ["K_USER", "kubegroups"],
    "AWSRoleARNs": ["A_USER", "awsrolearns"],
    "HostSudoers": ["H_USER", "hostsudoers"],
    "DatabaseUsers": ["D_USER", "databaseusers"],
    "WindowsDesktopLogins": ["W_USER", "windowsdesktoplogins"]
  }
}
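Because Teleport accepts any label without checking it, the role_options list is the only thing bounding what users can request, so it is worth linting before the integration goes live. The following Python check is an added example, not code from Entitle or Teleport: it parses label entries in the key:value[,value] form used above, rejects malformed ones, and flags unfilled placeholders and wildcard entries (a wildcard makes every value of that key requestable). SAMPLE_CONFIG is a constructed, trimmed copy of the example and PLACEHOLDER is the "xxxxxx" value from it.

```python
import re

# Scopes whose entries use the "key:value[,value...]" or "key:*" form shown in the example.
LABEL_SCOPES = ("AppLabels", "NodeLabels", "ClusterLabels", "DatabaseLabels",
                "KubernetesLabels", "WindowsDesktopLabels")
LABEL_RE = re.compile(r"^([^:\s]+):([^:\s]+)$")
PLACEHOLDER = "xxxxxx"  # placeholder value used in the example config above

# Constructed sample config (trimmed copy of the example above, not a live configuration).
SAMPLE_CONFIG = {
    "url": PLACEHOLDER,
    "identity": PLACEHOLDER,
    "role_options": {
        "AppLabels": ["applabel:one,two,three", "Apppp:a", "app:*"],
        "NodeLabels": ["nodelabel:one,two,three", "Nodeeee:a", "nodeeee:*"],
        "Logins": ["L_USER", "logins"],
    },
}

def parse_label(entry):
    """Split 'key:v1,v2' into (key, [v1, v2]); raise ValueError on malformed entries."""
    match = LABEL_RE.match(entry)
    if not match:
        raise ValueError(f"malformed label entry {entry!r}; expected 'key:value[,value]'")
    key, values = match.group(1), match.group(2).split(",")
    if "" in values:
        raise ValueError(f"empty value in label entry {entry!r}")
    return key, values

def lint_role_options(config):
    """Return warnings for a config dict: unfilled placeholders, malformed labels,
    and wildcard entries (which make every value of that key requestable)."""
    warnings = []
    for field in ("url", "identity"):
        if not config.get(field) or config[field] == PLACEHOLDER:
            warnings.append(f"{field}: empty or still the placeholder")
    for scope, entries in config.get("role_options", {}).items():
        for entry in entries:
            if scope in LABEL_SCOPES:
                try:
                    key, values = parse_label(entry)
                except ValueError as exc:
                    warnings.append(f"{scope}: {exc}")
                    continue
                if "*" in values:
                    warnings.append(f"{scope}: {entry!r} is a wildcard, any {key} value is requestable")
            elif "*" in entry:  # logins, users, ARNs etc. are literal identities; '*' is over-broad
                warnings.append(f"{scope}: {entry!r} contains a wildcard")
    return warnings
```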