
I have created a Teleport server running on Ubuntu, 22.04 LTS.

I am using Teleport Version v12.0.4.

Configured the teleport.yaml file at /etc/teleport.yaml.

teleport.yaml config file:

version: v2
teleport:
  nodename: ip-xx-xx-x-x
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  cluster_name: ip-xx-xx-x-xxx
  proxy_listener_mode: multiplex
  authentication:
      type: github
ssh_service:
  enabled: "yes"
  labels:
    env: devops
  commands:
  - name: hostname
    command: [hostname]
    period: 1m0s
app_service:
    enabled: yes
    debug_app: true
    apps:
    - name: "<application name>"
      uri: "https://applicationname.example.com"
        #insecure_skip_verify: true # Add this line to disable TLS certificate verification
      public_addr: "applicationname.teleport-xyz.example.com"
      labels:
        env: "prod"
        app: "applicationname"
      commands:
      - name: "os"
        command: ["/usr/bin/uname"]
        period: "5s"
proxy_service:
  enabled: "yes"
  web_listen_addr: 0.0.0.0:443
  public_addr: teleport-xyz.example.com:443
  https_keypairs:
  - key_file: /etc/letsencrypt/live/teleport-xyz.example.com/privkey.pem
    cert_file: /etc/letsencrypt/live/teleport-xyz.example.com/fullchain.pem
  https_keypairs_reload_interval: 0s
  acme: {}

Using systemctl start teleport to start the teleport server.

I have created a user with the name XYZ with the role [access].

access.yaml file:

kind: role
metadata:
  description: Access cluster resources
  id: 167xxxxxxxxxxxxxxx
  name: access
spec:
  allow:
    app_labels:
      app: applicationname
    aws_role_arns:
    - '{{internal.aws_role_arns}}'
    azure_identities:
    - '{{internal.azure_identities}}'
    db_labels:
      '*': '*'
    db_names:
    - '{{internal.db_names}}'
    db_service_labels:
      '*': '*'
    db_users:
    - '{{internal.db_users}}'
    gcp_service_accounts:
    - '{{internal.gcp_service_accounts}}'
    kubernetes_groups:
    - '{{internal.kubernetes_groups}}'
    kubernetes_labels:
      '*': '*'
    kubernetes_resources:
    - kind: pod
      name: '*'
      namespace: '*'
    kubernetes_users:
    - '{{internal.kubernetes_users}}'
    logins:
    - '{{internal.logins}}'
    - ubuntu
    - ec2-user
    node_labels:
      '*': '*'
    rules:
    - resources:
      - event
      verbs:
      - list
      - read
    - resources:
      - session
      verbs:
      - read
      - list
      where: contains(session.participants, user.metadata.name)
    - resources:
      - instance
      verbs:
      - list
      - read
    windows_desktop_labels:
      '*': '*'
    windows_desktop_logins:
    - '{{internal.windows_logins}}'
  deny: {}
  options:
    cert_format: standard
    create_host_user: false
    desktop_clipboard: true
    desktop_directory_sharing: true
    enhanced_recording:
    - command
    - network
    forward_agent: true
    idp:
      saml:
        enabled: true
    max_session_ttl: 30h0m0s
    pin_source_ip: false
    port_forwarding: true
    record_session:
      desktop: true
    ssh_file_copy: true
version: v6

I'm able to log in to the web UI.

When I try to launch the application from the Teleport panel's Applications section, I get "access denied".

(screenshot of the access denied error)

NIHAL NAIK

Hi NIHAL - a couple of suggestions. Post this in our Slack channel. We have a community Slack channel around Teleport and you will most likely have better success in getting an answer from someone there rather than SO. Also, verify your join token was successful (if the app is showing up I'm assuming it was). Check your event logs within Teleport as well. Typically there are logs for app access and it might give more detail on what is happening. – Valien Mar 10 '23 at 14:22
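One thing worth checking before chasing logs is whether the role's app_labels actually match the app's labels, since that is the rule Teleport's RBAC applies for application access. The following is an added example, not code from the question or from the Teleport project: a small Python re-implementation of that label-matching rule (a '*': '*' entry matches every app; otherwise every listed key must exist on the app with one of the listed values, '*' matching any value; a matching deny entry wins over allow), run against the labels transcribed from the question's teleport.yaml and access role. Regex-valued labels (^...$) are deliberately not handled; that is an assumption to keep the check short.

```python
"""
Added example: re-implementation of Teleport's app_labels matching rule,
run over the labels transcribed from the question's config. Not Teleport's
own code; regex label values are not supported here (assumption).
"""
from typing import Dict, List, Union

LabelSpec = Dict[str, Union[str, List[str]]]

# Constructed from the app_service entry in the question's teleport.yaml.
APP_LABELS: Dict[str, str] = {"env": "prod", "app": "applicationname"}

# Constructed from the question's access role: allow.app_labels and deny: {}.
ACCESS_ROLE = {
    "allow": {"app_labels": {"app": "applicationname"}},
    "deny": {"app_labels": {}},
}


def _values(v: Union[str, List[str]]) -> List[str]:
    """A role label may hold a single value or a list of values."""
    return v if isinstance(v, list) else [v]


def labels_match(role_labels: LabelSpec, resource_labels: Dict[str, str]) -> bool:
    """True if every constraint in role_labels is satisfied by resource_labels."""
    if not role_labels:
        return False  # an empty matcher (e.g. deny: {}) matches nothing
    if "*" in role_labels and "*" in _values(role_labels["*"]):
        return True  # the '*': '*' entry matches every resource
    for key, allowed in role_labels.items():
        if key not in resource_labels:
            return False  # required label key missing on the resource
        actual = resource_labels[key]
        if not any(a == "*" or a == actual for a in _values(allowed)):
            return False  # label present but with a value the role does not allow
    return True


def app_access_decision(role: dict, app_labels: Dict[str, str]) -> str:
    """Explain whether one role grants access to an app; deny takes precedence."""
    if labels_match(role["deny"].get("app_labels", {}), app_labels):
        return "denied: deny.app_labels matches this app"
    if labels_match(role["allow"].get("app_labels", {}), app_labels):
        return "allowed: allow.app_labels matches this app"
    return "denied: allow.app_labels does not match this app"


if __name__ == "__main__":
    # For the labels in the question this reports "allowed", so the label
    # rule itself is not what is rejecting the launch.
    print(app_access_decision(ACCESS_ROLE, APP_LABELS))
```

For the question's labels the check reports "allowed", which means the label rule is not what rejects the launch, and the next thing to confirm is whether the logged-in session actually carries the access role at all (tsh status shows the roles in the current certificate). With authentication type github, a user's roles come from the GitHub connector's team-to-role mapping rather than from a locally created user, so a user created by hand may not be the identity the SSO login produces; the audit events mentioned in the comment above will show which identity and roles were evaluated.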

0 Answers