I have created a Teleport server running on Ubuntu 22.04 LTS.
I am using Teleport version v12.0.4.
I configured the teleport.yaml file at etc/teleport.yaml.
teleport.yaml config file:
```yaml
version: v2
teleport:
  nodename: ip-xx-xx-x-x
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  cluster_name: ip-xx-xx-x-xxx
  proxy_listener_mode: multiplex
  authentication:
    type: github
ssh_service:
  enabled: "yes"
  labels:
    env: devops
  commands:
  - name: hostname
    command: [hostname]
    period: 1m0s
app_service:
  enabled: yes
  debug_app: true
  apps:
  - name: "<application name>"
    uri: "https://applicationname.example.com"
    #insecure_skip_verify: true # Add this line to disable TLS certificate verification
    public_addr: "applicationname.teleport-xyz.example.com"
    labels:
      env: "prod"
      app: "applicationname"
    commands:
    - name: "os"
      command: ["/usr/bin/uname"]
      period: "5s"
proxy_service:
  enabled: "yes"
  web_listen_addr: 0.0.0.0:443
  public_addr: teleport-xyz.example.com:443
  https_keypairs:
  - key_file: /etc/letsencrypt/live/teleport-xyz.example.com/privkey.pem
    cert_file: /etc/letsencrypt/live/teleport-xyz.example.com/fullchain.pem
  https_keypairs_reload_interval: 0s
  acme: {}
```
I use `systemctl start teleport` to start the Teleport server.
I have created a user named XYZ with the role `access`.
Access.yaml file:
```yaml
kind: role
metadata:
  description: Access cluster resources
  id: 167xxxxxxxxxxxxxxx
  name: access
spec:
  allow:
    app_labels:
      app: applicationname
    aws_role_arns:
    - '{{internal.aws_role_arns}}'
    azure_identities:
    - '{{internal.azure_identities}}'
    db_labels:
      '*': '*'
    db_names:
    - '{{internal.db_names}}'
    db_service_labels:
      '*': '*'
    db_users:
    - '{{internal.db_users}}'
    gcp_service_accounts:
    - '{{internal.gcp_service_accounts}}'
    kubernetes_groups:
    - '{{internal.kubernetes_groups}}'
    kubernetes_labels:
      '*': '*'
    kubernetes_resources:
    - kind: pod
      name: '*'
      namespace: '*'
    kubernetes_users:
    - '{{internal.kubernetes_users}}'
    logins:
    - '{{internal.logins}}'
    - ubuntu
    - ec2-user
    node_labels:
      '*': '*'
    rules:
    - resources:
      - event
      verbs:
      - list
      - read
    - resources:
      - session
      verbs:
      - read
      - list
      where: contains(session.participants, user.metadata.name)
    - resources:
      - instance
      verbs:
      - list
      - read
    windows_desktop_labels:
      '*': '*'
    windows_desktop_logins:
    - '{{internal.windows_logins}}'
  deny: {}
  options:
    cert_format: standard
    create_host_user: false
    desktop_clipboard: true
    desktop_directory_sharing: true
    enhanced_recording:
    - command
    - network
    forward_agent: true
    idp:
      saml:
        enabled: true
    max_session_ttl: 30h0m0s
    pin_source_ip: false
    port_forwarding: true
    record_session:
      desktop: true
    ssh_file_copy: true
version: v6
```
I'm able to log in to the web UI.
When I try to launch the application from the Applications section of the Teleport panel, I get Access Denied.
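The first thing to check when an app shows Access Denied is whether the role's `app_labels` actually select the app's labels under Teleport's matching rules (empty selector matches nothing, `'*': '*'` matches everything, values may be literals, lists or `^regex$`, and a `deny` match wins over `allow`). The script below is an added example, not code from the post or from Teleport itself; it is a simplified re-implementation of those rules with the label values copied from the post's two configs.

```python
import re

# Labels copied from the post's configs ("applicationname" is the poster's placeholder).
APP_LABELS = {"env": "prod", "app": "applicationname"}
ROLE_ALLOW_APP_LABELS = {"app": "applicationname"}
ROLE_DENY_APP_LABELS = {}  # the role has `deny: {}`


def value_matches(pattern, value):
    """A role label value may be a literal, "*", a ^regex$, or a list of those."""
    if isinstance(pattern, list):
        return any(value_matches(p, value) for p in pattern)
    if pattern == "*":
        return True
    if pattern.startswith("^") and pattern.endswith("$"):
        return re.fullmatch(pattern, value) is not None
    return pattern == value


def labels_match(selector, resource_labels):
    """True when every selector key exists on the resource with a matching value.

    An empty selector matches nothing; {'*': '*'} matches every resource.
    """
    if not selector:
        return False
    if selector.get("*") == "*":
        return True
    return all(
        key in resource_labels and value_matches(pattern, resource_labels[key])
        for key, pattern in selector.items()
    )


def app_allowed(allow_labels, deny_labels, app_labels):
    """Deny labels are evaluated first and override any allow match."""
    if labels_match(deny_labels, app_labels):
        return False
    return labels_match(allow_labels, app_labels)


def check_post_config():
    """Evaluate the post's role against the post's app; returns True."""
    return app_allowed(ROLE_ALLOW_APP_LABELS, ROLE_DENY_APP_LABELS, APP_LABELS)


if __name__ == "__main__":
    print("role app_labels select the app:", check_post_config())
```

With the post's values the check returns True, so an `app_labels` mismatch is ruled out; it does not cover other causes, such as the user not actually carrying the role, which you would confirm with `tctl users ls` and `tsh apps ls`.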