On-demand access with ConductorOne
ConductorOne is a security platform that allows you to manage access requests for your Tailscale entitlements.
On-demand access to Tailscale resources can be provisioned using ConductorOne. This works by adding and removing members from groups, access rules, and SSH access rules defined in Tailscale access control lists (ACLs).
ConductorOne can be used with user & group provisioning to update SCIM-integrated group membership in groups used in Tailscale ACLs. Likewise, ConductorOne can be used to assign a user to the Tailscale application, with the user synced through SCIM to your Tailscale network.
You can connect multiple tailnets to ConductorOne simultaneously.
Before you begin this guide, you’ll need a tailnet and a ConductorOne account.
For information about creating a tailnet, see the Tailscale quickstart.
For information about creating a ConductorOne account, see ConductorOne.
See the full instructions in ConductorOne’s blog post for setting up an integration with Tailscale.
To use ConductorOne with Tailscale, you’ll need to:
- Generate a Tailscale API access token from the Keys page of the admin console.
- In ConductorOne, select the Tailscale integration and then click Add Connector.
- Choose the option to Create a new app.
- Set the Tailscale API key to the Tailscale API access token you generated.
- Set the Tailnet to your tailnet’s organization. For example,
example.org.github, etc. You can find your organization in the Settings page of the admin console.
ConductorOne will automatically identify all the users in the tailnet and parse existing access rules in Tailscale ACLs, including SSH access rules, as entitlements in ConductorOne. The application owner in ConductorOne can specify for each entitlement, such as group membership or another SSH access rule, whether to restrict access by time, and whether to use the default application grant policy.
Now a user can request access to a specific Tailscale entitlement through the Request access page of ConductorOne and through Slack. ConductorOne will update the tailnet policy file to allow the temporary access.