On-demand access with Sym

Sym is a security and access workflow platform that allows you to manage just-in-time access to your Tailscale resources.

On-demand access to Tailscale resources can be provisioned using Sym. This works by adding and removing members from groups defined in Tailscale ACLs.

Sym will use a user’s Slack email address in Tailscale ACLs. If the user’s Tailscale email is different from the email used by Slack, you will need to use the symflow CLI to manage the user identity.

Prerequisites

Before you begin this guide, you’ll need a tailnet with at least one device and a Sym account.

Integration

For the full set of instructions, see Sym’s documentation for setting up a Tailscale access target. To use Sym with Tailscale, you’ll need to:

  1. Generate a Tailscale API key from the keys page of the admin console. Then, share this API key with the Sym Runtime.
  2. In Sym, define a sym_integration resource with type = tailscale.
    1. Set the external_id to your tailnet’s domain name. For example, example.com, myemail@example.com, example.github, example.org.github, etc. You can find the name of your tailnet in the Settings page of the admin console.
    2. Set the api_token_secret to the sym_secret referencing your Tailscale API key.
  3. Define which groups you’d like to manage access to in Tailscale. In Sym, define a sym_target resource with type = tailscale_group, and specify the group_name that appears in ACLs, e.g., for group:prod in Tailscale ACLs, specify group_name=prod in Sym.

Example configuration

When configuring Tailscale to work with Sym, you will need to set up groups that Sym can add users to and remove users from as their access is granted or revoked.

Use ACL tags when adding servers to your Tailscale network, so that their access is based on their purpose. Then, you can allow groups to have access to certain tags in Tailscale ACLs. You can also make a group a tag owner if they should be able to manage tagged devices.

For example, if you want the SRE team group:sre-prod to be able to SSH into production servers with tag:prod, you can set up a configuration like:

{
  // This is the group that we will add/remove user to/from
  "groups": {
    "group:prod": []
  },
  // This allow users from the prod group to list Tailnet resources with the "tag:prod".
  "acls": [
    { "action": "accept", "src": ["group:prod"], "dst": ["tag:prod:*"] }
  ],
  // This allow users from the prod group to connect to instances with the `tag:prod`
  "ssh": [
    {
      "action": "accept",
      "src": ["group:prod"],
      "dst": ["tag:prod"],
      "users": ["ec2-user"]
    }
  ],
  "tagOwners": {
    "tag:prod": ["group:prod"]
  }
}

Now when an SRE needs to access production, they can use Sym’s Slack integration to request temporary access to SSH into production.

Last updated

WireGuard is a registered
trademark of Jason A. Donenfeld.

© 2022 Tailscale Inc.

Privacy & Terms