On-demand access with Opal

Opal is a centralized authorization platform for IT and infrastructure teams to make access management requests self-service.

On-demand access to Tailscale resources can be provisioned using Opal. This works by adding and removing members from SSH access rules for ACL tags.

Opal can also be used with user & group provisioning to update membership of the Okta groups referenced in Tailscale ACLs, or to assign users to the Tailscale application in Okta.

Prerequisites

Before you begin this guide, you’ll need a tailnet and an Opal account.

  • For information about creating a tailnet, see the Tailscale quickstart.

  • For information about creating an Opal account, see Opal.

Integration

See the full instructions in Opal’s blog post for setting up an integration with Tailscale.

To use Opal with Tailscale, you’ll need to:

  1. Generate a Tailscale API access token from the keys page of the admin console.
  2. In Opal, add Tailscale as a new application.
    1. Set the App Admin to the team that should manage the Tailscale app in Opal.
    2. Enter a Description of how you use Tailscale, so colleagues know what they’re requesting access to. For example, “SSH access to the production network”.
    3. Set the Tailnet name to be your tailnet’s organization. For example, example.com, myemail@example.com, example.github, example.org.github, etc. You can find your organization in the Settings page of the admin console.
    4. Set the Tailscale API key to the Tailscale API access token you generated.
  3. Determine which Tailscale ACL tags should be imported into Opal. This is done by the App Admin. For each ACL tag that is selected, Opal will automatically parse the existing access rules and SSH access rules that apply to that tag, and which groups have access to the tagged sources using those rules.

Now a user can request access or SSH access to a specific tag in Tailscale.
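What the tag import (step 3) and an on-demand SSH grant amount to, as an added Python example that is not Opal's or Tailscale's code: it parses a constructed sample policy, lists the ACL and SSH rules whose destination covers a tag, and adds or removes a user from those SSH rules' src, expanding groups so a reviewer can see that revoking a direct grant does not touch group-based access. The function names and the sample policy are assumptions.

```python
import copy
import json

# Constructed sample tailnet policy (plain JSON here; a real policy file is HuJSON
# and would come from the admin console or the Tailscale API, not be embedded).
SAMPLE_POLICY = json.loads("""{
  "groups": {"group:sre": ["alice@example.com"]},
  "tagOwners": {"tag:prod": ["group:sre"]},
  "acls": [{"action": "accept", "src": ["group:sre"], "dst": ["tag:prod:22"]}],
  "ssh": [{"action": "accept", "src": ["group:sre"], "dst": ["tag:prod"],
           "users": ["autogroup:nonroot"]}]
}""")

def _dst_matches(dst, tag):
    # ACL dst entries carry a port suffix ("tag:prod:22", "tag:prod:*"); SSH dst entries do not.
    return dst == tag or dst.startswith(tag + ":")

def rules_for_tag(policy, tag):
    """Return (acl_rules, ssh_rules) whose dst covers the tag, as Opal does when importing it."""
    acls = [r for r in policy.get("acls", []) if any(_dst_matches(d, tag) for d in r["dst"])]
    ssh = [r for r in policy.get("ssh", []) if tag in r["dst"]]
    return acls, ssh

def ssh_principals(policy, tag):
    """Every src principal (user email, group, or tag) named by an SSH rule for the tag."""
    return sorted({s for r in rules_for_tag(policy, tag)[1] for s in r["src"]})

def effective_ssh_users(policy, tag):
    """Expand group: principals so a reviewer sees the individual users who can SSH to the tag."""
    users = set()
    for p in ssh_principals(policy, tag):
        users.update(policy.get("groups", {}).get(p, [p]) if p.startswith("group:") else [p])
    return sorted(users)

def grant_ssh(policy, tag, user):
    """Add user to the src of each SSH rule for the tag (the on-demand grant Opal performs)."""
    policy = copy.deepcopy(policy)
    for r in rules_for_tag(policy, tag)[1]:
        if user not in r["src"]:
            r["src"].append(user)
    return policy

def revoke_ssh(policy, tag, user):
    """Remove the direct grant again; group membership is untouched, so re-check effective_ssh_users."""
    policy = copy.deepcopy(policy)
    for r in rules_for_tag(policy, tag)[1]:
        r["src"] = [s for s in r["src"] if s != user]
    return policy
```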
