
A GitHub Action to request and approve just-in-time access to tailnet resources

License: BSD 3-Clause "New" or "Revised" License (BSD-3-Clause)

github-action-just-in-time-access

status: experimental

A GitHub Action that lets Tailscale users request and approve just-in-time access to resources on your tailnet. The action uses the workflow_dispatch event to run a workflow manually, and the Posture attributes API with expiry to set device attributes that your network policy references, so the granted access is time-bounded rather than permanent.

ℹ️ This functionality is in its early days and requires a feature flag be enabled on your account before you can make use of it. Please contact us if you'd like to test it - we're eager to hear your feedback.

Set up

  1. Copy .github/workflows/tailscale-just-in-time.yaml.example to your GitHub repo. Remove the .example suffix from the filename.

  2. Customize the inputs in .github/workflows/tailscale-just-in-time.yaml.

  3. Commit your customized tailscale-just-in-time.yaml to your repo and push to GitHub.

  4. Create a GitHub environment.

    1. Name the environment tailscale-prod, or a different value if you've changed it in the workflow file.

    2. Set Required reviewers to individuals or a team required to approve the request.

    3. Create a Tailscale OAuth Client and add the following Environment secrets to the GitHub environment:

      TAILSCALE_OAUTH_CLIENT_ID
      TAILSCALE_OAUTH_CLIENT_SECRET

  5. Manually run the workflow.
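To make the approval step concrete, the following added example (not the action's own code) shows what a reviewer-gated job can do with the four workflow inputs above: validate the posture input, turn the amount-of-time input into an RFC 3339 expiry, and set the attribute on the named device. The Tailscale API base URL, the OAuth token endpoint, the device-listing endpoint, the per-device attribute endpoint and its expiry field are assumptions taken from the public API docs and should be checked against the current documentation; the custom: key restriction on the posture input is also an assumption based on the example key used in this README.

```python
"""Added example of a just-in-time approval step (not the action's own code).

Assumptions (verify against the current Tailscale API docs):
  * POST {API}/oauth/token exchanges an OAuth client id/secret for a bearer token
  * GET  {API}/tailnet/-/devices lists devices with a "name" (FQDN) and "id"
  * POST {API}/device/{id}/attributes/{key} sets a posture attribute and accepts
    an optional RFC 3339 "expiry" after which the attribute is dropped
"""
import json
import re
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

TAILSCALE_API = "https://api.tailscale.com/api/v2"  # assumed base URL

# Only attributes under the custom: namespace are accepted here (assumption
# modelled on the README's custom:prodAccess example). Rejecting anything
# else keeps a workflow input from touching built-in node:* attributes.
POSTURE_RE = re.compile(r"^(custom:[A-Za-z0-9_]+)=(.+)$")
DURATION_RE = re.compile(r"^\s*(\d+)\s*(minutes?|hours?|days?)\s*$")
UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400}


def parse_duration(text: str) -> timedelta:
    """Turn the amount-of-time input ('12 hours') into a timedelta."""
    m = DURATION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported amount-of-time: {text!r}")
    count, unit = int(m.group(1)), m.group(2).rstrip("s")
    if count <= 0:
        raise ValueError("amount-of-time must be positive")
    return timedelta(seconds=count * UNIT_SECONDS[unit])


def parse_posture(text: str) -> tuple:
    """Split 'custom:prodAccess=true' into (attribute key, typed value)."""
    m = POSTURE_RE.match(text)
    if not m:
        raise ValueError(f"posture must look like custom:<name>=<value>, got {text!r}")
    key, raw = m.group(1), m.group(2)
    if raw.lower() in ("true", "false"):
        return key, raw.lower() == "true"
    if raw.isdigit():
        return key, int(raw)
    return key, raw


def build_grant(posture: str, amount_of_time: str, now: datetime) -> tuple:
    """Return (attribute key, request body). The expiry is what bounds the grant:
    once it passes the attribute is gone and any ACL rule keyed on it stops matching.
    `now` must be timezone-aware so the expiry is an unambiguous UTC instant."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    key, value = parse_posture(posture)
    expiry = (now + parse_duration(amount_of_time)).astimezone(timezone.utc)
    return key, {"value": value, "expiry": expiry.strftime("%Y-%m-%dT%H:%M:%SZ")}


def oauth_token(client_id: str, client_secret: str) -> str:
    """Exchange the OAuth client credentials stored as environment secrets."""
    data = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(f"{TAILSCALE_API}/oauth/token", data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def device_id_for(token: str, fqdn: str) -> str:
    """Resolve the source-device FQDN to exactly one device id; refuse ambiguity."""
    req = urllib.request.Request(f"{TAILSCALE_API}/tailnet/-/devices",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        devices = json.load(resp)["devices"]
    matches = [d for d in devices if d.get("name") == fqdn]
    if len(matches) != 1:
        raise LookupError(f"expected one device named {fqdn!r}, found {len(matches)}")
    return matches[0]["id"]


def apply_grant(token: str, device_id: str, key: str, body: dict) -> int:
    """POST the attribute with its expiry; returns the HTTP status code."""
    req = urllib.request.Request(
        f"{TAILSCALE_API}/device/{device_id}/attributes/{key}",
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Offline demonstration with the README's constructed inputs.
    key, body = build_grant("custom:prodAccess=true", "12 hours",
                            datetime.now(timezone.utc))
    print(key, json.dumps(body))
```

The network-facing functions are only reached after the GitHub environment's required reviewers approve the job, which is the control that turns a workflow_dispatch request into a just-in-time grant; the pure functions run first so a malformed posture key or duration fails before any credential is used.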

Local testing

Test locally using https://github.com/nektos/act/. Note: act will move directly from request to approve without waiting for manual approval.

act workflow_dispatch \
    -s TAILSCALE_OAUTH_CLIENT_ID -s TAILSCALE_OAUTH_CLIENT_SECRET \
    --input source-device='cameron.tail0123456.ts.net' \
    --input posture='custom:prodAccess=true' \
    --input amount-of-time='12 hours' \
    --input reason='testing locally with act'