Tailscale for DevOps: On-demand access to your Tailscale resources with Opal

Maya Kaczorowski on

When you’re working in an environment with strict compliance needs, you want to make sure you’re following the principle of least privilege and granting employees access only to the resources they need to do their job. Tailscale ACLs already make that possible by letting you define what someone can access — and restricting their access to everything else — with “default deny” rules.

In many organizations, access to resources needs to be granted temporarily, such as when someone needs additional information in order to debug a customer issue. This is why we’re partnering with Opal: to provide short-lived, granular, on-demand access to resources in your tailnet. With Opal, your team can generate self-serve access requests and get automatic approvals for faster access to the resources they need, rather than waiting for their help desk ticket to be manually reviewed and provisioned.


Just-in-time SSH access to tagged resources

Tailscale manages access to resources in your tailnet, such as SSH access to production resources, using access rules defined as code. If an employee needs access they don’t already have, the Tailscale admin needs to update the access rule or SSH access rule to reflect the change in permissions. This is a manual process, which can take time, and the new, increased access remains in effect until it is manually revoked.

That’s where Opal comes in. With Opal, admins set up approval and security guardrails, and Opal enforces them by adding and removing members from the SSH access rules for the ACL tags defined in your Tailscale ACLs. Admins can also pre-determine how long access will remain active, or extend it indefinitely. This means that when they need to, users can easily request access to resources through an automated, self-service catalog.
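The mechanics behind such a just-in-time grant, as an added illustration (this is not Opal’s or Tailscale’s code): a time-bound grant adds a user to the `src` of the SSH rule that targets an ACL tag, and a sweep removes it once the TTL has passed, leaving any standing entries (such as `group:devops`) untouched. The policy, user name and tag are constructed sample values.

```python
import copy
import json

# Constructed sample Tailscale ACL policy (JSON subset of HuJSON), not taken
# from the post: standing SSH access for group:devops to nodes tagged tag:prod.
# (Tailscale SSH also needs a matching "acls" entry allowing port 22.)
BASE_POLICY = {
    "tagOwners": {"tag:prod": ["group:devops"]},
    "acls": [{"action": "accept", "src": ["group:devops"], "dst": ["tag:prod:22"]}],
    "ssh": [{"action": "check", "src": ["group:devops"], "dst": ["tag:prod"],
             "users": ["autogroup:nonroot"]}],
}

def new_policy():
    """Fresh, mutable copy of the sample policy."""
    return copy.deepcopy(BASE_POLICY)

def find_ssh_rule(policy, tag):
    """Return the SSH rule whose dst lists the given ACL tag."""
    for rule in policy.get("ssh", []):
        if tag in rule.get("dst", []):
            return rule
    raise KeyError(f"no ssh rule targets {tag}")

def grant(policy, grants, user, tag, ttl_seconds, now):
    """Time-bound grant: add `user` to the SSH rule for `tag`, expiring at now+ttl.
    `grants` maps (user, tag) -> (expiry, added_by_grant)."""
    rule = find_ssh_rule(policy, tag)
    added = user not in rule["src"]      # never strip a pre-existing standing entry
    if added:
        rule["src"].append(user)
    grants[(user, tag)] = (now + ttl_seconds, added)

def expire(policy, grants, now):
    """Revoke every grant whose expiry has passed; returns the revoked (user, tag) keys."""
    revoked = [k for k, (until, _) in grants.items() if until <= now]
    for user, tag in revoked:
        _, added = grants.pop((user, tag))
        if added:
            find_ssh_rule(policy, tag)["src"].remove(user)
    return revoked

def to_hujson(policy):
    """Serialize back into the policy-file shape the Tailscale admin console accepts."""
    return json.dumps(policy, indent=2)

if __name__ == "__main__":
    policy, grants = new_policy(), {}
    grant(policy, grants, "alice@example.com", "tag:prod", 2 * 3600, now=0)
    print(to_hujson(policy))
    print("revoked:", expire(policy, grants, now=2 * 3600))
```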

To use Opal with Tailscale:

Requesting access to resources with Tailscale and Opal

Assigning users to Tailscale in Okta as part of onboarding

Opal also provides the ability to manage Okta apps and Okta group membership. This means that if you use Tailscale with user & group provisioning for Okta, you can assign new users to Tailscale when they join, and users can request access if they need it for their job.

Opal and Tailscale

By setting up the Tailscale app in Opal, you can granularly manage your organization’s Tailscale SSH access, so that you can:

See the documentation to get started managing access to resources on your tailnet with Opal.
