On-demand access with Indent

Indent is a way to get just-in-time access to your Tailscale resources, with Indent handling on-demand requests, including request approval workflows.

On-demand access to Tailscale resources such as cloud apps and infrastructure can be provisioned using Indent. This works by adding and removing members from groups in Tailscale access control lists (ACLs).

Indent can be used with user & group provisioning to update SCIM-integrated group membership in groups used in Tailscale ACLs. Likewise, Indent can be used to assign a user to the Tailscale application, with the user synced through SCIM to your Tailscale network.


Before you begin this guide, you’ll need a tailnet with at least one device and an Indent space.


For the full set of instructions, see Indent’s documentation for setting up a Tailscale webhook integration. To use Indent with Tailscale resources, you’ll need to:

  1. Set up Indent’s integration for Tailscale. This requires cloning a GitHub action and using Terraform to deploy changes to Indent.
    1. Generate a Tailscale API access token from the Keys page of the admin console, and set it as the GitHub secret TAILSCALE_API_KEY.
    2. Set your tailnet’s organization as the GitHub secret TAILSCALE_TAILNET, for example example.com, myemail@example.com, example.github, or example.org.github. You can find your organization in the Settings page of the admin console.
  2. Sync Tailscale groups you want to use for access control to Indent. In the Resources page of the Indent dashboard, click Pull from Integrations to obtain Tailscale groups.

Example configuration

When configuring Tailscale to work with Indent, you will need to set up groups that Indent can add users to and remove users from as their access is granted or revoked.

Use ACL tags when adding servers to your Tailscale network, so that their access is based on their purpose. Then, you can allow groups to have access to certain tags in Tailscale ACLs. You can also make a group a tag owner if they should be able to manage tagged devices.

For example, if you want the SRE team group:sre-prod to be able to SSH into production servers with tag:prod, you can set up a configuration like:

{
  "groups": {
    // Indent adds and removes members of this group as access is granted or revoked.
    "group:sre-prod": ["alice@example.com", "bob@example.com"],
  },
  "acls": [
    {
      "action": "accept",
      "src": ["group:sre-prod"],
      "dst": ["tag:prod:*"]
    },
  ],
  "ssh": [
    {
      "action": "accept",
      "src": ["group:sre-prod"],
      "dst": ["tag:prod"],
      "users": ["ubuntu", "root"]
    },
  ],
  "tagOwners": {
    "tag:prod": ["group:sre-prod"]
  }
}

Now when an SRE needs to access production, they can use the /access command for Indent in Slack, or go to access.new, to request temporary access to SSH into production. Indent will update the tailnet policy file to allow the temporary access.
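To review what a temporary grant actually confers under the example policy above, the following added example (not code from Tailscale or Indent) resolves group membership into effective SSH logins, network destinations and tag ownership. The helper names and carol@example.com are constructed for illustration, and the membership change is modelled in memory rather than through any API.

```python
import copy

# The page's example policy as a Python dict (the tailnet file itself is HuJSON).
POLICY = {
    "groups": {"group:sre-prod": ["alice@example.com", "bob@example.com"]},
    "acls": [{"action": "accept", "src": ["group:sre-prod"], "dst": ["tag:prod:*"]}],
    "ssh": [{"action": "accept", "src": ["group:sre-prod"],
             "dst": ["tag:prod"], "users": ["ubuntu", "root"]}],
    "tagOwners": {"tag:prod": ["group:sre-prod"]},
}

def expand(policy, sources):
    """Resolve group names to member logins; other sources pass through as-is."""
    people = set()
    for src in sources:
        if src.startswith("group:"):
            people.update(policy.get("groups", {}).get(src, []))
        else:
            people.add(src)
    return people

def set_membership(policy, group, user, present):
    """Hypothetical helper: copy of the policy with `user` added to or removed
    from `group`, modelling the membership change the page describes."""
    updated = copy.deepcopy(policy)
    members = updated.setdefault("groups", {}).setdefault(group, [])
    if present and user not in members:
        members.append(user)
    elif not present and user in members:
        members.remove(user)
    return updated

def effective_access(policy, user):
    """Everything `user` holds through group membership or a direct entry."""
    ssh = {}
    for rule in policy.get("ssh", []):
        if rule.get("action") in ("accept", "check") and user in expand(policy, rule.get("src", [])):
            for dst in rule.get("dst", []):
                ssh.setdefault(dst, set()).update(rule.get("users", []))
    network = sorted({d for r in policy.get("acls", [])
                      if r.get("action") == "accept" and user in expand(policy, r.get("src", []))
                      for d in r.get("dst", [])})
    owns = sorted(t for t, owners in policy.get("tagOwners", {}).items()
                  if user in expand(policy, owners))
    return {"ssh": ssh, "network": network, "tag_owner_of": owns}

if __name__ == "__main__":
    granted = set_membership(POLICY, "group:sre-prod", "carol@example.com", True)
    print(effective_access(granted, "carol@example.com"))
```

With this policy, a member of group:sre-prod holds SSH as ubuntu and root on tag:prod, network access to tag:prod:*, and ownership of tag:prod for as long as the membership lasts.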