Common end-user access request actions

[WilliamLoy]

When a user needs to request access to resources, they can do so by utilizing the Teleport Access Request features. This document discusses some common actions that an end-user may need to request access successfully.

Requesting a role from command line

Users can request a role using the following tsh command:

tsh login --proxy=teleport-cluster --request-roles=k3-role

The user should receive the following output:

Creating request...
Request ID: xxxxxxxxxxxxx
Username:   end_user                              
Roles:      k3-role                              
Reason:     [none]                               
Reviewers:  [none] (suggested)                   
Status:     PENDING                              

hint: use 'tsh login --request-id=<request-id>' to login with an approved request

Waiting for request approval...

The user remains on the Waiting for request approval... line until the request is approved. When the request is approved, the user is logged in with the approved role attached to the session. This can be verified with tsh status

To request access without waiting the user can add the --request-nowait flag. With the no-wait flag, the user can check for request approval later.

Listing role requests

To login as an approved role, the user must have the approved request-id. A user can list their access requests by using the following command:

tsh request ls

When they have located the request-id they can log in with the approved role attached to the session using the following command:

tsh login --request-id=<request-id>

Adding a reason to a request

Users might be required to add a reason when requesting role access. They can add a reason to their request by using the following command:

tsh login --proxy=teleport-cluster --request-roles=k3-role --request-reason="need k3 access"

Requesting a role from the web interface

1. Log into your Teleport Cluster at your custom URL.
2. Open the Access Request dropdown menu on the left side of the home dashboard and select New Request.
3. Under New Request, choose either role or one of the resource options from the dropdown menu.
4. Click Add to request to the right of the role or resource you need access to.
5. Click Proceed to request.
6. Confirm the details of the Access Request summary and click Submit Request.

From here, you can choose to go back to your request list or make another request.

[ulysseskan]

Also, to get a list of available roles, you can run:

tctl get roles | grep "name:"