Is it possible to get the content of a resource label as a variable in a Teleport role ?

[naelhrrd]

Is it possible to get the content of a label in a Teleport role ?

[webvictim]

In a way, yes. You can use traits set on users themselves and match them against roles.

Think about a SAML/OIDC user with these claims/attributes set against their user in Okta, Entra ID, ADFS etc:

allowed_environment: dev
allowed_region: us-east-1

If you created a role which references these:

kind: role
metadata:
  name: dev-access-role
spec:
  allow:
    node_labels:
      environment: '{{external.allowed_environment}}'
      region: '{{external.allowed_region}}'
version: v7

This user would then be able to access any node with this configuration:

...
ssh_service:
  enabled: true
  labels:
    environment: dev
    region: us-east-1
...

This is detailed in the docs here: https://goteleport.com/docs/reference/access-controls/roles/#referring-to-external-traits-in-teleport-roles

[naelhrrd]

Thanks for your reply.

I was thinking of something else. In short, I'd like to be able to retrieve the users of a Linux server and generate a label with them. On this point no worries. What I'm asking is whether it's possible. I want to know if I can give access to my Teleport users according to the labels generated.

For example, here I'm dynamically generating a label that retrieves the users of this server. And so I want to know if I can give access to these SSH users to Teleport users.

[webvictim]

You can't use the contents of a label directly as part of a Teleport role.

You can match something set in a role against a label. So if you had logins: test set in your role and the label was logins: test, you can match on that. It won't work if the label has multiple usernames in the form logins: test test2 test3 as per your example though.

One way you could achieve this is to create one label per login (like user_uchcb: true) and then have a role which references that directly:

kind: role
metadata:
  name: uchcb-access-role
spec:
  allow:
    logins:
    - uchcb
    node_labels:
      user_uchcb: true
version: v7

This will mean you need n roles (where n is the number of total users you have across all servers) but would let you do what you're describing.

Teleport generally works best when users log into servers as either themselves (which you can match through SSO attributes, or a login set directly on local user with tctl users update <teleport-username> --set-logins <login-username>) or with a communal/shared user like ubuntu, ec2-user, root etc which exists on every server. Teleport's audit logs and session recordings provide information on which Teleport user was actually behind the communal login, so it's less important to preserve specific usernames for individuals.