Tailscale for DevOps: On-demand access to your Tailscale resources with Sym

Maya Kaczorowski

Managing privileged access can help improve security by reducing unnecessary access to sensitive resources and customer data. With Tailscale ACLs, you can already manage access to company resources and restrict access with “default deny” rules.

But what if there’s an emergency, and the person on call needs to access your production environment? Solving this is why we’re excited to partner with Sym! Now, users can easily request temporary access to sensitive resources in Tailscale via Slack. These requests can then be approved by team members directly in Slack, or even be automatically approved for certain people — such as on-call engineers.


Escalate permissions based on Sym access requests

Tailscale helps users securely access resources in their network — such as production environments and databases — with access rules defined as code. However, sometimes a user needs a resource they don’t currently have permission to access. For example, a user might need to debug an issue, or an on-call employee may need to request elevated access during an emergency. That’s where on-demand access can help.

Sym provides intelligent approvals as code and lets teams centralize privileged access management for their whole infrastructure — enabling engineers to request temporary access to the sensitive resources they need to complete specific tasks.

With Sym, users can get time-limited access to resources on their Tailscale network by requesting membership in groups defined in Tailscale ACLs. And since Tailscale SSH access rules are also defined in ACLs, you can grant SSH access by updating group membership using Sym, provided you have an access rule allowing SSH access.

To use Sym with Tailscale:

Once approved, the requesting user will have access to the nodes, or the ability to SSH into the instances, that their escalated Tailscale ACL group gives them access to. Then, when the amount of time specified in their request is up, Sym automatically revokes the user’s access.
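The following is an added example, not code from Sym or Tailscale: it models the mechanism described above, where an approved request adds a user to a group named in both an access rule and an SSH rule, expiry removes them, and an audit flags any member of the escalation group with no unexpired approval behind them. The policy dict, the user, and all function names are constructed for illustration, and rule matching is simplified to exact strings.

```python
import copy
from datetime import datetime, timedelta, timezone

# Constructed policy in the shape of a Tailscale policy file. group:prod starts
# empty, so under default deny nobody reaches or SSHes into tag:prod nodes.
POLICY = {
    "groups": {"group:prod": []},
    "acls": [{"action": "accept", "src": ["group:prod"], "dst": ["tag:prod:*"]}],
    "ssh": [{"action": "check", "src": ["group:prod"], "dst": ["tag:prod"],
             "users": ["ubuntu"]}],
}

def _members(policy, sources):
    """Expand group names in a rule's src list into user logins."""
    out = set()
    for s in sources:
        out.update(policy["groups"].get(s, [s]))
    return out

def allowed(policy, section, user, dst):
    """Default deny: True only if a rule in `section` names both user and dst."""
    return any(user in _members(policy, r["src"]) and dst in r["dst"]
               for r in policy[section])

def grant(policy, grants, group, user, now, ttl):
    """Approved request: add user to group and record when the grant expires."""
    new = copy.deepcopy(policy)
    if user not in new["groups"][group]:
        new["groups"][group].append(user)
    return new, grants + [{"group": group, "user": user, "expires": now + ttl}]

def revoke_expired(policy, grants, now):
    """Drop members whose grants have all lapsed; return policy and live grants."""
    new = copy.deepcopy(policy)
    live = [g for g in grants if g["expires"] > now]
    keep = {(g["group"], g["user"]) for g in live}
    for g in grants:
        if (g["group"], g["user"]) not in keep and g["user"] in new["groups"][g["group"]]:
            new["groups"][g["group"]].remove(g["user"])
    return new, live

def standing_access(policy, grants, now, groups=("group:prod",)):
    """Audit: members of escalation groups with no unexpired grant behind them."""
    live = {(g["group"], g["user"]) for g in grants if g["expires"] > now}
    return sorted((grp, u) for grp in groups for u in policy["groups"][grp]
                  if (grp, u) not in live)

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, tzinfo=timezone.utc)  # constructed timestamp
    p, g = grant(POLICY, [], "group:prod", "alice@example.com", t0, timedelta(hours=1))
    print(standing_access(p, g, t0 + timedelta(hours=2)))
```

Running `standing_access` on a schedule against the live policy catches the case where a revocation failed or someone was added to the group by hand.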

Sym also provides a Python SDK that can be used to specify special routing rules for requests, or automate approvals based on a user’s identity, on-call status, or Okta group membership.


Check out Sym’s documentation to get started with on-demand access to Tailscale.

Request access to Tailscale using Okta groups

If you’re using Okta user & group provisioning in Tailscale, you can also manage access to membership in groups synced from Okta to Tailscale using Sym. In this case, use Sym’s Okta integration and set up a Sym access flow for each of the Okta groups included in your Tailscale ACLs.

Sym and Tailscale

You can use Sym to request access to sensitive resources in your Tailscale network, including SSH access to your production environment. By using Sym with Tailscale you can:

See the documentation to get started managing access to Tailscale resources with Sym.
