Tailscale Slack Accessbot
As noted in Just-in-time access, Tailscale provides several ways for you to provide just-in-time (JIT) access to resources in your Tailscale network (known as a tailnet). This topic shows you how you can use the Tailscale Access workflow for Slack to set up a workflow where users can request temporary access via Slack.
How it works
Tailscale Access is a Slack Workflow App developed by Tailscale that allows users to use Slack to request instantaneous, time-bound access, known as just-in-time access, to Tailscale resources from other people in their organization.
Device attributes have an optional expiry
property that lets you set a time in the future to expire the attribute. When set, the device attribute automatically expires at the specified time. You can use this to provide just-in-time access to resources by assigning attributes like custom:prodAccess
to a device for a given time.
Inside Slack, a user can use the Request Tailscale Access shortcut to Tailscale Access. This will prompt them for:
- what they want to access
- which device they want to access it from
- how long they need access for
- who should approve their access
- why they need the access
If there are Tailscale devices owned by a user with an email address matching the Slack user who requested access, a list of those devices will be displayed. The user will also get prompted with a list of all devices in a tailnet.
When the request has been submitted, the selected approver will be notified and they can choose to approve or deny the request. Upon approval, the workflow will add the required attribute to the selected device with an expiry set to the selected time.
Deploy the Slack App for the first time
-
Confirm that the Slack Team to which you want to install the Tailscale Accessbot has a paid Slack plan which allows you to Deploy apps to Slack infrastructure.
-
Install Deno on your local machine following the Deno Installation instructions.
-
Install the Slack CLI on your local machine following the Slack Quickstart Guide.
-
Authenticate with the Slack CLI by running
slack login
in your terminal:- The output will contain a command like
/slackauthticket NzY5YmViN2QtY2ZjZS12ZmRjLTlmYTktNjI0NjI5NWI1ODFk
which you should paste into the Slack chat box. - Approve the permissions that Slack will grant your CLI.
- Paste the confirmation code back into the Slack CLI's Enter challenge code prompt.
- The output will contain a command like
-
Add the Tailscale Accessbot code to a git repository of your own:
-
Run the following commands to create a new directory for the accessbot code and config:
mkdir tailscale-accessbot cd tailscale-accessbot
-
Run the following commands to pull the Tailscale Accessbot code into your new directory:
git init -b main git remote add upstream https://github.com/tailscale/accessbot.git git pull upstream main
-
(Optional, recommended) Create a private git repository on GitHub, GitLab, or your preferred git host of choice, and push your code there:
git remote add origin git@github.com:myorg/tailscale-accessbot git push -u origin main
-
-
Deploy the app to Slack:
-
Run the following command to begin deploying your app to Slack, which will prompt you to select the Team to install to:
slack deploy
- If you receive an error containing
app_approval_request_denied
then your Slack team is configured with Require App Approval turned on but Allow members to request approval for apps turned off. Speak to one of your Slack team owners about changing these settings to allow you to proceed. They can either turn on the Allow members to request approval for apps setting or add your user to the Select App Managers to manage apps > Workspace Owners and selected members or groups option. Retryslack deploy
after this change. - If you are asked whether you would like to request approval to install the app, select Yes. Once Slack tells you that approval has been granted, you may re-run
slack deploy
.
- If you receive an error containing
-
Create the trigger when prompted.
-
Slack will give you a Shortcut URL such as
https://slack.com/shortcuts/Ft074AB2RW12/…
which won't work in your web browser, but which can be used within the Slack app. Paste the Shortcut URL from your terminal into a Slack chatroom and it will render a Start Workflow button: -
Selecting the Start Workflow button will show the following error because we are yet to connect it to Tailscale:
-
The Slack CLI will have created a .slack directory containing apps.json and config.json files. These contain the app identifiers that allow the Slack CLI to update the app later. You should now
git commit
these files and if backing up to a remote repository,git push
.
-
-
Connect the app to Tailscale:
-
Create a tag for the Tailscale Accessbot by adding the following to your Tailnet ACLs (requires Owner or Network Admin role if editing by hand):
"tagOwners": { "tag:accessbot": ["autogroup:owner", "autogroup:admin", "autogroup:network-admin", "autogroup:it-admin"], },
-
Generate an OAuth client in Tailscale with the
devices:core
scope, selecting thetag:accessbot
tag that you created in the prior step: -
Run the following command from your accessbot directory, using the OAuth Client ID in place of
<client-id>
, and selecting the appropriate team when prompted:slack env add TAILSCALE_CLIENT_ID <client-id>
-
Run the following command from your accessbot directory, using the OAuth Client secret in place of
<secret>
, and selecting the appropriate team when prompted:slack env add TAILSCALE_CLIENT_SECRET <secret>
-
Going back to Slack, selecting the Start Workflow button again should now present the Accessbot screen:
- An alternative way to trigger the workflow is to start typing its name in the "slash command" pop-up menu that you should see after pressing the "/" key.
-
Any errors that occur during the operation of the Workflow will be sent to you in Slack, or can be inspected on demand using
slack activity
, or watched in real-time usingslack activity --tail
. -
Proceed to the next section to configure the available access profiles and update your app.
-
Configure profiles
Configuration of Tailscale Access profiles is done by editing config.ts
. All available configuration options can be seen in the schema under config.ts
.
An example of a minimal configuration can begin as follows:
export const config: Config = {
profiles: [
{
attribute: "custom:prodAccess",
description: "Production",
notifyChannel: "C06TH49GKHC",
canSelfApprove: true,
approverEmails: [
"alice@example.com",
"bob@example.com",
"charlie@example.com",
],
},
]
} as Config
See the type Profile
declaration at the bottom of config.ts for a description of the different fields available in this config.
After changing config.ts, you must run another slack deploy
to see the config update in the app. It is recommended that you git commit
and git push
at this point too.
Slack documentation has instructions on automatic deployment of the workflow using Github Actions.
Use the attributes as part of network policy
After the workflow has been configured and deployed, you can start using attributes corresponding to the configured access profiles as part of your network policy.
For example, the custom:prodAccess
attribute managed by the workflow can be referenced by a posture and required for production access:
"postures": {
"posture:prodAccess": ["custom:prodAccess == true"],
},
"acls": [
{
"action": "accept",
"src": ["group:dev"],
"dst": ["tag:production"],
"srcPosture": ["posture:prodAccess"]
},
],
See the Device Posture topic and the tailnet policy file syntax topic for more information about postures and posture conditions.
Develop with the accessbot locally
You can run the workflow locally, before deploying it to Slack's infrastructure.
First add the Tailscale Client ID and Secret from the previous step to a .env
file in the root of the project:
TAILSCALE_CLIENT_ID=abc1234CNTRL
TAILSCALE_CLIENT_SECRET=tskey-client-abc1234CNTRL-qwerty1234...
Then you can run the application using the slack
CLI. You'll know an app is the development version if the name has the string (local)
appended:
# Run app locally
slack run
Connected, awaiting events
To stop running locally, press <CTRL> + C
to end the process.
Posture attributes API with Expiry
This section is an extended version of the Posture attributes API from the Device Posture topic that contains additional information about attribute expiry.
Get posture attributes via API
GET /api/v2/device/{deviceID}/attributes
Retrieve all posture attributes for the specified device. This returns a JSON object of all the key-value pairs of posture attributes for the device.
Parameters
deviceID
(required in URL path)
The ID of the device to fetch posture attributes for.
Request example
curl "https://api.tailscale.com/api/v2/device/11055/attributes" \
-u "tskey-api-xxxxx:"
Response
The response is 200
on success. The response body is a JSON object containing all the posture attributes assigned to the node. Attribute values can be strings, numbers, or booleans.
{
"attributes": {
"custom:myScore": 87,
"custom:diskEncryption": true,
"custom:myAttribute": "my_value",
"node:os": "linux",
"node:osVersion": "5.19.0-42-generic",
"node:tsReleaseTrack": "stable",
"node:tsVersion": "1.40.0",
"node:tsAutoUpdate": false
},
"expiries": {
"custom:myScore": "2024-04-23T18:25:43.511Z",
}
}
-
attributes
: a key-value map of all attributes associated with a given node. The values can be either a number, string, or boolean. -
expiries
: a key-value map of attributes that has an expiry time, and when they will expire. Any attribute without an expiry is omitted. If there are no attributes with expiries, the entireexpiries
field is omitted.
Set custom posture attributes via API
POST /api/v2/device/{deviceID}/attributes/{attributeKey}
Create or update a custom posture attribute on the specified device. User-managed attributes must be in the custom
namespace, which is indicated by prefixing the attribute key with custom:
.
Parameters
deviceID
(required in URL path)
The ID of the device on which to set the custom posture attribute.
attributeKey
(required in URL path)
The name of the posture attribute to set. This must be prefixed with custom:
.
Keys have a maximum length of 50 characters including the namespace, and can only contain letters, numbers, underscores, and colon.
Keys are case-sensitive. Keys must be unique, but are checked for uniqueness in a case-insensitive manner. For example, custom:MyAttribute
and custom:myattribute
cannot both be set within a single tailnet.
All values for a given key need to be of the same type, which is determined when the first value is written for a given key. For example, custom:myattribute
cannot have a numeric value (87
) for one node and a string value ("78"
) for another node within the same tailnet.
Posture attribute value
(required in POST body)
{
"value": "foo"
}
A value can be either a string, number, or boolean.
A string value can have a maximum length of 50 characters, and can only contain letters, numbers, underscores, and periods.
A number value is an integer and must be a JSON safe number (up to 2^53 - 1).
Posture attribute expiry
(optional in POST body)
{
"value": "foo",
"expiry": "2024-04-23T18:25:43.511Z"
}
An expiry can be any time in the future, formatted as an RFC3339 string. When set, the device attribute will automatically be removed at the time specified.
Posture attribute comment
(optional in POST body)
{
"value": "foo",
"expiry": "2024-04-23T18:25:43.511Z",
"comment": "access needed to inspect logs on prod vm"
}
A comment can be added to give a reason why an attribute was added.
Request example
curl "https://api.tailscale.com/api/v2/device/11055/attributes/custom:my_attribute" \
-u "tskey-api-xxxxx:" \
--data-binary '{"value": "my_value", "expiry": "2024-04-23T18:25:43.511Z"}'
Response
The response is 2xx
on success. The response body is currently an empty JSON object.