On-demand access with Indent

Indent is a way to get just-in-time access to your Tailscale resources, with Indent handling on-demand requests, including request approval workflows.

On-demand access to Tailscale resources such as cloud apps and infrastructure can be provisioned using Indent. This works by adding and removing members from Tailscale groups.

Prerequisites

Before you begin this guide, you’ll need a tailnet with at least one device and an Indent space.

Integration

For the full set of instructions, see Indent’s documentation for setting up a Tailscale webhook integration. To use Indent with Tailscale resources, you’ll need to:

  1. Set up Indent’s integration for Tailscale. This requires cloning a GitHub action and using Terraform to deploy changes to Indent.
    1. Generate a Tailscale API key from the keys page of the admin console, and set it as the GitHub secret TAILSCALE_API_KEY.
    2. Set your tailnet’s domain as the GitHub secret TAILSCALE_TAILNET. For example, example.com, myemail@example.com, example.github, example.org.github, etc. You can find the name of your tailnet in the Settings page of the admin console.
  2. Sync Tailscale groups you want to use for access control to Indent. In the Resources page of the Indent dashboard, click Pull from Integrations to obtain Tailscale groups.

Example configuration

When configuring Tailscale to work with Indent, you will need to set up groups that Indent can add users to and remove users from as their access is granted or revoked.

Use ACL tags when adding servers to your Tailscale network, so that access is granted based on each server's purpose. Then, you can allow groups to have access to certain tags in Tailscale ACLs. You can also make a group a tag owner if its members should be able to manage tagged devices.

For example, if you want the SRE team group:sre-prod to be able to SSH into production servers with tag:prod, you can set up a configuration like:

{
  "groups": {
    "group:sre-prod": ["alice@example.com", "bob@example.com"],
  },
  "acls": [
    {
      "action": "accept",
      "src": ["group:sre-prod"],
      "dst": ["tag:prod:*"]
    },
  ],
  "ssh": [
    {
      "action": "accept",
      "src": ["group:sre-prod"],
      "dst": ["tag:prod"],
      "users": ["ubuntu", "root"]
    },
  ],
  "tagOwners": {
    "tag:prod": ["group:sre-prod"]
  }
}

Now when an SRE needs to access production, they can use the /access command for Indent in Slack, or go to access.new, to request temporary access to SSH into production.
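The whole integration rests on one mechanism: an approved request adds the requester to a Tailscale group, and expiry removes them again, so the group's ACL and SSH rules apply only while the grant is live. The following is an added example, not Indent's or Tailscale's own code, that works through that mechanism offline on the policy shown above. It parses the HuJSON policy (assumption: only trailing commas need stripping, comments are not handled), applies a grant and a revoke to group:sre-prod, and reports which ACL and SSH destinations a user can reach through direct group membership. Wildcard sources such as "*" or autogroups are not resolved; that is a simplification of this example.

```python
import json
import re
from copy import deepcopy

# Constructed sample: the policy from this page, written with the trailing
# commas that Tailscale's HuJSON policy format allows.
POLICY_HUJSON = """
{
  "groups": {
    "group:sre-prod": ["alice@example.com", "bob@example.com"],
  },
  "acls": [
    {
      "action": "accept",
      "src": ["group:sre-prod"],
      "dst": ["tag:prod:*"]
    },
  ],
  "ssh": [
    {
      "action": "accept",
      "src": ["group:sre-prod"],
      "dst": ["tag:prod"],
      "users": ["ubuntu", "root"]
    },
  ],
  "tagOwners": {
    "tag:prod": ["group:sre-prod"]
  }
}
"""

# A comma followed only by whitespace and a closing bracket or brace.
_TRAILING_COMMA = re.compile(r",(\s*[\]}])")


def load_policy(text):
    """Parse a HuJSON policy document.

    Assumption: the only HuJSON extension present is trailing commas.
    Comments are not stripped, and a string literal containing ',]' or
    ',}' would be mangled; this is enough for the sample above.
    """
    return json.loads(_TRAILING_COMMA.sub(r"\1", text))


def grant(policy, group, user):
    """Return a copy of the policy with user added to group.

    This is the change an approved on-demand request makes; the original
    policy object is left untouched so before/after can be compared.
    """
    new = deepcopy(policy)
    members = new.setdefault("groups", {}).setdefault(group, [])
    if user not in members:
        members.append(user)
    return new


def revoke(policy, group, user):
    """Return a copy of the policy with user removed from group (grant expiry)."""
    new = deepcopy(policy)
    groups = new.setdefault("groups", {})
    groups[group] = [m for m in groups.get(group, []) if m != user]
    return new


def groups_of(policy, user):
    """Groups the user is a direct member of."""
    return {g for g, members in policy.get("groups", {}).items() if user in members}


def reachable(policy, user):
    """Destinations the user can reach via accept rules that name them or their groups.

    Returns {"acl": [...network dsts...], "ssh": [...ssh dsts...]}, each sorted.
    Only direct membership is considered; "*" and autogroup sources are ignored.
    """
    principals = groups_of(policy, user) | {user}
    net, ssh = set(), set()
    for rule in policy.get("acls", []):
        if rule.get("action") == "accept" and principals & set(rule.get("src", [])):
            net.update(rule.get("dst", []))
    for rule in policy.get("ssh", []):
        if rule.get("action") == "accept" and principals & set(rule.get("src", [])):
            ssh.update(rule.get("dst", []))
    return {"acl": sorted(net), "ssh": sorted(ssh)}


if __name__ == "__main__":
    policy = load_policy(POLICY_HUJSON)
    requester = "carol@example.com"
    print("before grant:", reachable(policy, requester))
    granted = grant(policy, "group:sre-prod", requester)
    print("after grant: ", reachable(granted, requester))
    revoked = revoke(granted, "group:sre-prod", requester)
    print("after revoke:", reachable(revoked, requester))
```

Run it as-is to see a requester go from no production access, to tag:prod network and SSH access, and back to none. The same reachable() check is a useful review step before wiring a group into Indent: it shows exactly what a single membership change will unlock, which is the blast radius of an approved request.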


© 2022 Tailscale Inc.