For a CI/CD pipeline, I need an image for connecting to my Teleport cluster to use a bot, which I will create. Therefore I have installed gravitational/teleport:12.4.11 (following this link) with all required tools. The login using `tsh login --proxy=myteleport.registry.com` works fine, but the following `tctl get users` or `tctl get roles --format=text` throws `ERROR: access denied to perform action "list" on "role", access denied to perform action "read" on "role"`. I highly appreciate any tips or suggestions you may give to resolve this.

fipse

1 Answer

It seems that the user who logged in using the `tsh login` command does not have the necessary privileges to view a list of users or roles with `tctl`.

You can try adding a role that grants the required permissions. Here's an example of a role configuration, `manage-users-and-roles.yaml`:

kind: role
metadata:
  description: role to manage users & roles
  name: manage-users-and-roles
spec:
  allow:
    rules:
    # resources are Teleport resource kinds; verbs are the actions allowed on them
    - resources:
      - user
      - role
      verbs:
      - list
      - create
      - read
      - update
      - delete
  deny: {}
version: v4

Add this role to Teleport:

tctl create -f manage-users-and-roles.yaml

And then link this role with your user:

tctl users update <your-username> --set-roles <existing-roles>,manage-users-and-roles

Note that you should be connected to your Teleport server as the admin user.

You can find more information about managing roles on Teleport in their docs:

EnergY
  • Hi, thanks for your answer. I tried your suggestion, however running `tctl create -f roles.yml` results in `ERROR: access denied to perform action "read" on "role"`. I'm also setting up Teleport via a docker-compose.yml, but I'm not sure if and where to edit the role administration there... – fipse Aug 08 '23 at 10:16
  • Hi, if you're using docker-compose, then you need to execute your `tctl` command inside your container. Try to exec into your container with `docker exec -it bash`, and then you will have the administrative roles; hopefully it will work. tctl doc: [link](https://goteleport.com/docs/ver/12.x/reference/cli/#tctl) – EnergY Aug 08 '23 at 17:49
  • Thanks for the hints. Btw, do you know how to make a longer usage of the gitlab-token, because mine stops as default after 30 min? So first I use `tctl create -f gitlab-token.yml`, then `tctl bots add g --roles=access --token= --logins=root`, but the token stops as described after 30 min. – fipse Aug 17 '23 at 09:25
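To see why the `access denied ... on "role"` error appears and what the answer's role adds, here is an added offline checker (not part of the answer or of Teleport's code) that evaluates role rules the way Teleport's documented RBAC does: a request passes only if some allow rule matches and no deny rule matches, and `*` is a wildcard. The role documents and the `ACCESS_ONLY` / `NO_ROLE_DELETE` names are constructed for the demo.

```python
# Offline evaluator for Teleport-style role rules (added example; semantics follow
# Teleport's docs: deny wins over allow, "*" matches any resource or verb).
WILDCARD = "*"


def _rule_matches(rule, resource, verb):
    """A rule matches when its resources and its verbs both cover the request."""
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (resource in resources or WILDCARD in resources) and \
           (verb in verbs or WILDCARD in verbs)


def _rules(role, section):
    """Rules of the 'allow' or 'deny' section of a role document (may be absent)."""
    return (role.get("spec") or {}).get(section, {}).get("rules", []) or []


def is_allowed(roles, resource, verb):
    """True if any allow rule matches and no deny rule in any role matches."""
    if any(_rule_matches(r, resource, verb) for role in roles for r in _rules(role, "deny")):
        return False
    return any(_rule_matches(r, resource, verb) for role in roles for r in _rules(role, "allow"))


def missing_permissions(roles, needed):
    """The (resource, verb) pairs from `needed` that the role set does not grant."""
    return [(res, verb) for res, verb in needed if not is_allowed(roles, res, verb)]


# Constructed role documents, in the same shape as the YAML from the answer.
ACCESS_ONLY = {  # a typical bot/user role: session access, no resource administration
    "kind": "role", "metadata": {"name": "access"},
    "spec": {"allow": {"rules": [{"resources": ["session"], "verbs": ["list", "read"]}]}},
}
MANAGE_USERS_AND_ROLES = {
    "kind": "role", "metadata": {"name": "manage-users-and-roles"},
    "spec": {"allow": {"rules": [{"resources": ["user", "role"],
                                  "verbs": ["list", "create", "read", "update", "delete"]}]},
             "deny": {}},
}
NO_ROLE_DELETE = {  # a deny rule overrides the allow above, even in another role
    "kind": "role", "metadata": {"name": "no-role-delete"},
    "spec": {"deny": {"rules": [{"resources": ["role"], "verbs": ["delete"]}]}},
}
# What `tctl get users` / `tctl get roles` need, as named in the error message.
TCTL_GET_NEEDS = [("role", "list"), ("role", "read"), ("user", "list"), ("user", "read")]

if __name__ == "__main__":
    print("access only   :", missing_permissions([ACCESS_ONLY], TCTL_GET_NEEDS))
    print("with new role :", missing_permissions([ACCESS_ONLY, MANAGE_USERS_AND_ROLES], TCTL_GET_NEEDS))
```

Running it with only the access-style role lists all four missing pairs (matching the `list`/`read` on `role` errors from the question); adding the answer's role clears them, while the constructed deny role still blocks `delete` on `role`.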