On-demand access with Sym

Sym is a security and access workflow platform that lets you manage just-in-time access to your Tailscale resources.

On-demand access to Tailscale resources can be provisioned using Sym. This works by adding and removing members from groups defined in Tailscale access control lists (ACLs).

Sym will use a user’s Slack email address in Tailscale ACLs. If the user's Tailscale email is different from the email used by Slack, you will need to use the symflow CLI to manage the user identity.

Prerequisites

Before you begin this guide, you’ll need a tailnet with at least one device and a Sym account.

For information about creating a tailnet, see the Tailscale quickstart.
For information about creating a Sym account, see Getting Started with Sym.

Integration

For the full set of instructions, see Sym's documentation for setting up a Tailscale access target. To use Sym with Tailscale, you’ll need to:

Generate a Tailscale API access token from the Keys page of the admin console. Then, share this API access token with the Sym Runtime.
In Sym, define a sym_integration resource with type = tailscale.
1. Set the external_id to your tailnet’s organization. For example, example.com, myemail@example.com, example.github, or example.org.github. You can find your organization in the Settings page of the admin console.
2. Set the api_token_secret to the sym_secret referencing your Tailscale API access token.
Define which groups you’d like to manage access to in Tailscale. In Sym, define a sym_target resource with type = tailscale_group, and specify the group_name that appears in ACLs, for example, for group:prod in Tailscale ACLs, specify group_name=prod in Sym.

Example configuration

When configuring Tailscale to work with Sym, you will need to set up groups that Sym can add users to and remove users from as their access is granted or revoked.

Use ACL tags when adding servers to your Tailscale network, so that their access is based on their purpose. Then, you can allow groups to have access to certain tags in Tailscale ACLs. You can also make a group a tag owner if they should be able to manage tagged devices.

For example, if you want the SRE team group:sre-prod to be able to SSH into production servers with tag:prod, you can set up a configuration like:

{
  // This is the group that we will add/remove user to/from
  "groups": {
    "group:prod": []
  },
  // This allow users from the prod group to list Tailnet resources with the "tag:prod".
  "acls": [
    { "action": "accept", "src": ["group:prod"], "dst": ["tag:prod:*"] }
  ],
  // This allow users from the prod group to connect to instances with the `tag:prod`
  "ssh": [
    {
      "action": "accept",
      "src": ["group:prod"],
      "dst": ["tag:prod"],
      "users": ["ec2-user"]
    }
  ],
  "tagOwners": {
    "tag:prod": ["group:prod"]
  }
}

Now when an SRE needs to access production, they can use Sym's Slack integration to request temporary access to SSH into production, and Sym will update the tailnet policy file to allow the temporary access.