How to map users to nodes dynamically?


This question is ported from the support chat

Is it possible to have a user map to a node by rules using labels without using roles.

I know you can add rules to roles, and I have that part working - My groups in OIDC map through to Roles in Teleport nicely, admin for admin, dev for dev etc.

But what I need is to some how map user to workstation without using Groups/Roles as I don’t want to have to create 1 role per node.

Essentially (I think) I want to add rules to the OIDC connector so that I can map user-to-node. Alternately, I need a dynamic way to create Roles, just like Users are created dynamically.


I think the best way to solve this is to use Teleport’s template variables that could be used both in roles and nodes.

Administrators can create one role that will refer to the variables, for example:

kind: role
version: v3
  name: dynamic
  # SSH options used for user sessions 
    # max_session_ttl defines the TTL (time to live) of SSH certificates 
    # issued to the users with this role.
    max_session_ttl: 1h

    # forward_agent controls either users are allowed to use SSH agent forwarding
    forward_agent: true

    # port_forwarding
    port_forwarding: false

  # allow section declares a list of resource/verb combinations that are
  # allowed for the users of this role. by default nothing is allowed.
    # logins array defines the OS logins a user is allowed to use.
    # A few special variables are supported here (see below)
    # 'external' object opens access to traits received from OIDC or SAML connector, 
    # for example, for each user allowed logins are pulled from the 'logins' OIDC traits
    # or SAML attribute statements
    logins: ['{{external.logins}}']

    # A list of kubernetes groups to assign
    # this section can refer to external traits
    kubernetes_groups: ['{{external.k8s_groups}}']

    # node labels that a user can connect to. The wildcard ('*') means "any node",
    # this section can refer to external traits as well, so users will only gain 
    # the access to nodes if the OIDC trait or SAML trait list 'node_types' contain
    # the nodes with appropriate access labels
      'access': ['{{external.node_types}']

    # see below.
    - resources: ['*']
      verbs: ['*']

  # the deny section uses the identical format as the 'allow' section.
  # the deny rules always override allow rules.
  deny: {}


This solution works well - Thank-you.

1 Like