Teleport | Entitle
What is Teleport?
Teleport is an open-source tool that provides zero trust access to servers and cloud applications using protocols like SSH, Kubernetes, and HTTPS.
How is this integration useful?
By integrating Teleport with Entitle, organizations can centralize and automate access controls for servers, cloud applications, and infrastructure, improving security and compliance. Centralized access controls and credential management help organizations meet compliance requirements and make it easier to audit who has access to what resources.
Generate credentials file
You must have a user with the editor permission and a max_session_time of at least 8760h.
Run the following commands in a shell and use the output (the content of OUTPUT_FILE) as the 'identity' value of the integration configuration.
USERNAME=api-admin
AUTH_SERVER=ec2-3-84-24-67.compute-1.amazonaws.com:3080 # Or 3025
OUTPUT_FILE=entitle_teleport_cert.txt
TMP_FILE="tmp_$OUTPUT_FILE"
# Log in as the API user; 525600m is one year, matching the 8760h identity TTL below
tsh login --user="$USERNAME" --ttl=525600m --proxy="$AUTH_SERVER"
# Enter Password to log in
# You might need to use the --insecure flag
# Generate the identity file (private key plus certificates); treat it as a secret
tctl auth sign --auth-server="$AUTH_SERVER" --format=file --user="$USERNAME" --out="$TMP_FILE" --ttl=8760h
# Collapse the multi-line identity file into a single line with literal "\n" escapes,
# so it can be pasted directly into the JSON "identity" string; the -r and IFS= keep
# backslashes intact, and the || clause keeps a final line that lacks a trailing newline
while IFS= read -r line || [ -n "$line" ]; do printf '%s\\n' "$line"; done < "$TMP_FILE" > "$OUTPUT_FILE"
rm "$TMP_FILE"
cat "$OUTPUT_FILE"
# Copy the file content
Build the Entitle integration configuration
Teleport accepts any label or name you put in a role without verifying that it exists or is relevant.
Therefore, when building the integration, you must decide up front which options users should be able to request access to, and configure those options in the role_options scope as you see fit.
identity should be the Teleport credentials from the identity file generated above.
Example:
{
  "url": "xxxxxx",
  "identity": "xxxxxx",
  "role_options": {
    "AppLabels": ["applabel:one,two,three", "Apppp:a", "app:*"],
    "NodeLabels": ["nodelabel:one,two,three", "Nodeeee:a", "nodeeee:*"],
    "ClusterLabels": ["clusterlabel:one,two,three", "Clusterrrr:a", "clusterrrr:*"],
    "DatabaseLabels": ["databaselabel:one,two,three", "Databaseeee:a", "databaseeee:*"],
    "KubernetesLabels": ["kuberneteslabel:one,two,three", "Kubernetessss:a", "kubernetessss:*"],
    "WindowsDesktopLabels": ["windowsdesktoplabel:one,two,three", "WindowsDesktopppp:a", "windowsdesktopppp:*"],
    "Logins": ["L_USER", "logins"],
    "KubeUsers": ["K_USER", "kubeusers"],
    "Namespaces": ["N_USER", "namespaces"],
    "HostGroups": ["H_USER", "hostgroups"],
    "KubeGroups": ["K_USER", "kubegroups"],
    "AWSRoleARNs": ["A_USER", "awsrolearns"],
    "HostSudoers": ["H_USER", "hostsudoers"],
    "DatabaseUsers": ["D_USER", "databaseusers"],
    "WindowsDesktopLogins": ["W_USER", "windowsdesktoplogins"]
  }
}
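As an added example (not Entitle's or Teleport's own code), the following Python script assembles a configuration of the shape shown above from a raw identity file and checks the role_options entries before they become requestable. It serves both the credential step and the configuration step: escape_identity reproduces the single-line form the shell loop writes to OUTPUT_FILE, and shell_form_matches_json shows that this is exactly the escaping json.dumps applies, which is why the loop output can be pasted into the "identity" string. The identity text, URL and role_options inside it are constructed samples, not values from a real cluster, and the label syntax check (key:value or key:v1,v2) is an assumption drawn from the example above.

```python
import json
import re

# Options whose entries are Teleport label selectors; the remaining options on
# the page (Logins, KubeUsers, ...) are plain principal names.
LABEL_OPTIONS = {"AppLabels", "NodeLabels", "ClusterLabels", "DatabaseLabels",
                 "KubernetesLabels", "WindowsDesktopLabels"}
# Assumed shape: "key:value" or "key:v1,v2,v3" with no whitespace.
LABEL_RE = re.compile(r"^[^:\s]+:[^:\s]+$")

# Constructed stand-in for the file written by `tctl auth sign`. A real one
# holds a private key plus certificates and must be handled as a secret.
SAMPLE_IDENTITY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEsample+private+key+material\n"
    "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIDsample+certificate+material\n"
    "-----END CERTIFICATE-----\n"
)

# Hypothetical role_options, shaped like the page's example.
SAMPLE_ROLE_OPTIONS = {
    "AppLabels": ["applabel:one,two,three", "app:*"],
    "NodeLabels": ["nodelabel:one,two,three"],
    "Logins": ["L_USER", "logins"],
}


def escape_identity(text: str) -> str:
    """Single-line form with literal backslash-n, as the page's while/printf
    loop produces; every line gets the escape, trailing newline or not."""
    return "".join(line + "\\n" for line in text.splitlines())


def shell_form_matches_json(text: str) -> bool:
    """True when wrapping escape_identity(text) in quotes gives exactly what
    json.dumps emits. Holds for PEM-style files: ASCII, no quotes or
    backslashes, and a trailing newline."""
    return json.dumps(text) == '"' + escape_identity(text) + '"'


def check_role_options(role_options: dict) -> list:
    """Return (severity, message) findings. Teleport does not verify labels,
    so this is the only place a typo or an over-broad wildcard gets caught
    before users can request it."""
    findings = []
    for option, values in role_options.items():
        if not isinstance(values, list) or not values:
            findings.append(("error", f"{option}: must be a non-empty list"))
            continue
        for value in values:
            if not isinstance(value, str) or not value.strip():
                findings.append(("error", f"{option}: empty or non-string entry"))
            elif option in LABEL_OPTIONS:
                if not LABEL_RE.match(value):
                    findings.append(("error", f"{option}: {value!r} is not key:value[,value...]"))
                elif value.split(":", 1)[1] == "*":
                    findings.append(("warn", f"{option}: {value!r} matches every value of that label"))
    return findings


def build_config(url: str, identity_text: str, role_options: dict) -> str:
    """Return the integration JSON. Pass the raw identity file content: json.dumps
    performs the newline escaping itself, so feeding it the already-escaped
    OUTPUT_FILE content would escape it twice."""
    errors = [msg for sev, msg in check_role_options(role_options) if sev == "error"]
    if errors:
        raise ValueError("; ".join(errors))
    config = {"url": url, "identity": identity_text, "role_options": role_options}
    return json.dumps(config, indent=2)


def identity_round_trips(config_json: str, identity_text: str) -> bool:
    """Parse the config back and confirm the identity survived unchanged."""
    return json.loads(config_json)["identity"] == identity_text


if __name__ == "__main__":
    for severity, message in check_role_options(SAMPLE_ROLE_OPTIONS):
        print(f"[{severity}] {message}")
    cfg = build_config("https://teleport.example.invalid:3080", SAMPLE_IDENTITY, SAMPLE_ROLE_OPTIONS)
    print(cfg)
    print("identity round-trips:", identity_round_trips(cfg, SAMPLE_IDENTITY))
```

The wildcard entries are reported as warnings rather than errors because the page's own example uses them; the point is that a request option such as "app:*" covers every application carrying that label key, so it deserves a deliberate decision rather than a copy-paste.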
What's next?
Make sure your setup is complete by testing your integration.