A GitHub Action allowing Tailscale users to request and approve just-in-time access to resources on your tailnet. The action uses the workflow_dispatch
event to manually run a workflow and the Posture attributes API with Expiry to update device attributes used as part of network policy.
ℹ️ This functionality is in its early days and requires a feature flag be enabled on your account before you can make use of it. Please contact us if you'd like to test it - we're eager to hear your feedback.
- Copy `.github/workflows/tailscale-just-in-time.yaml.example` to your GitHub repo. Remove the `.example` suffix from the filename.
- Customize the `inputs` in `.github/workflows/tailscale-just-in-time.yaml`.
- Commit your customized `tailscale-just-in-time.yaml` to your repo and push to GitHub.
- Name the environment `tailscale-prod`, or a different value if you've changed it in the workflow file.
- Set Required reviewers to individuals or a team required to approve the request.
- Create a Tailscale OAuth Client and add the following Environment secrets to the GitHub environment:
  - `TAILSCALE_OAUTH_CLIENT_ID`
  - `TAILSCALE_OAUTH_CLIENT_SECRET`
- Test locally using https://github.com/nektos/act/. Note: `act` will move directly from `request` to `approve` without waiting for manual approval.

```
act workflow_dispatch \
  -s TAILSCALE_OAUTH_CLIENT_ID -s TAILSCALE_OAUTH_CLIENT_SECRET \
  --input source-device='cameron.tail0123456.ts.net' \
  --input posture='custom:prodAcccess=true' \
  --input amount-of-time='12 hours' \
  --input reason='testing locally with act'
```
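
The inputs in the `act` command above end up as a posture attribute write with an expiry. The following is an added example, not the action's own code: it validates those inputs and builds the request an approver is effectively authorizing. Assumptions: the endpoint path and the `value`/`expiry`/`comment` body fields follow Tailscale's public device posture attributes API and should be checked against the current API reference; the 24-hour cap, the key pattern and the device ID are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

MAX_GRANT = timedelta(hours=24)  # assumed upper bound; set your own policy
# Assumed key rule: "custom:" namespace, letters/digits/underscores, <= 50 chars.
KEY_RE = re.compile(r"custom:[A-Za-z0-9_]{1,43}")
DURATION_RE = re.compile(r"(\d{1,4})\s*(minute|hour|day)s?")


def parse_duration(text):
    """Turn '12 hours' into a timedelta, rejecting zero or over-long grants."""
    m = DURATION_RE.fullmatch(text.strip().lower())
    if not m:
        raise ValueError(f"unsupported amount-of-time: {text!r}")
    delta = timedelta(**{m.group(2) + "s": int(m.group(1))})
    if not timedelta(0) < delta <= MAX_GRANT:
        raise ValueError(f"amount-of-time must be above zero and at most {MAX_GRANT}")
    return delta


def parse_posture(text):
    """Split 'custom:key=value'; only the custom: namespace is accepted."""
    key, sep, raw = text.partition("=")
    if not sep or not raw or not KEY_RE.fullmatch(key):
        raise ValueError(f"posture must look like custom:key=value: {text!r}")
    if raw in ("true", "false"):
        return key, raw == "true"
    return key, int(raw) if re.fullmatch(r"-?\d+", raw) else raw


def build_attribute_request(device_id, posture, amount_of_time, reason, now=None):
    """Return method, path and JSON body for a time-limited attribute write."""
    if not re.fullmatch(r"[A-Za-z0-9]+", device_id):
        raise ValueError("device_id must be alphanumeric")
    if not reason.strip():
        raise ValueError("a reason is required for the audit trail")
    key, value = parse_posture(posture)
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    expiry = now + parse_duration(amount_of_time)
    return {
        "method": "POST",
        "path": f"/api/v2/device/{device_id}/attributes/{key}",
        "json": {
            "value": value,
            "expiry": expiry.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "comment": reason.strip(),
        },
    }
```

Rejecting keys outside `custom:` and capping the duration before the approval step means a reviewer only ever sees requests the policy could legitimately grant.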