Tailscale Integration
This guide will show you how to set up an integration between Tailscale and Indent. Through API magic, Indent securely grants access to just about any service.
What can I do with Tailscale + Indent?
- Prevent accidents, like connecting to the wrong env
- Discourage misuse by protecting sensitive info with policies
- Improve security and ease-of-use with simple, on-demand, auto-expiring access
Tailscale is a solution for securely accessing servers and other resources.
For a full list of installable solutions, view our Integrations page.
Prerequisites
Installation
1. Create Tailscale credentials
- Create a Tailscale OAuth client with the ACL:Write scope
- Copy and paste the Client ID and Client Secret into Indent.
2. Install Tailscale integration
- Go to Indent dashboard → Tailscale integration page
- Enter the Client ID and Client Secret from the previous step
- Follow Tailscale's instructions for creating groups and ACL tags
- Groups and ACL tags control what resources you get when requesting access through Indent
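An added example, not Indent's or Tailscale's own code: a review script that reads a policy in Tailscale's policy-file layout (groups, tagOwners, acls) and lists what membership in each group unlocks, so you can see what an approved request would grant. The policy, group, tag and user names are constructed, and the script assumes an approved request adds the requester to the group's member list.

```python
# Constructed sample in Tailscale's policy-file layout (groups, tagOwners, acls).
# Group, tag and user names are hypothetical.
POLICY = {
    "groups": {
        "group:prod-db": [],
        "group:staging": ["fouad@example.com"],
        "group:unused": [],
    },
    "tagOwners": {"tag:prod-db": ["autogroup:admin"]},
    "acls": [
        {"action": "accept", "src": ["group:prod-db"], "dst": ["tag:prod-db:5432"]},
        {"action": "accept", "src": ["group:staging", "group:prod-db"],
         "dst": ["tag:staging:*"]},
    ],
}

def grants_by_group(policy):
    """Map each group to the destinations that membership in it unlocks."""
    grants = {name: set() for name in policy.get("groups", {})}
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        for src in rule.get("src", []):
            if src in grants:
                grants[src].update(rule.get("dst", []))
    return {group: sorted(dsts) for group, dsts in grants.items()}

def review_findings(policy):
    """List points to settle before a group is offered for requests."""
    findings = []
    tags = set(policy.get("tagOwners", {}))
    for group, dsts in grants_by_group(policy).items():
        if not dsts:
            findings.append(f"{group}: no ACL rule, approval grants nothing")
        if policy["groups"][group]:
            findings.append(f"{group}: has members now, confirm each is a live grant")
        for dst in dsts:
            # A destination is "<host>:<ports>"; the host part may itself contain ':'.
            host, _, ports = dst.rpartition(":")
            if host.startswith("tag:") and host not in tags:
                findings.append(f"{group}: {host} has no tagOwners entry")
            if ports == "*":
                findings.append(f"{group}: {dst} opens every port")
    return findings

if __name__ == "__main__":
    for group, dsts in grants_by_group(POLICY).items():
        print(group, "->", dsts)
    print("\n".join(review_findings(POLICY)))
```
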
Usage
Interactive Demo
Want to see how Indent + Tailscale works before you install?
In the following example, you're logged in as Fouad and can request access to a Tailscale Group. Requesting access to any service with Indent grants secure, on-demand, and auto-expiring access. In this setup, Tailscale resources that are associated with your ACL groups and tags are accessible once your petition is approved.
Try submitting and approving a request:
Troubleshooting
Paying Indent customers have a direct line for support through the Indent Community Slack. Any questions posted there receive priority response.
All Indent users can use the Contact Us page for help troubleshooting.
Use cases
How to Request Temporary Tailscale Access With Indent
- Visit the Request Access page on your Indent dashboard, and request a Tailscale resource
  - Or, if you have the Slack integration set up, you can type /access or click the lightning bolt to request
- On your Petitions page you should be able to see your request waiting for approval
- Open the petition, click the Review Petition button, and follow the prompts to approve
Once approved, you should see yourself in the users page of the Tailscale admin console. You now have access to the servers and devices listed on the machines page of the Tailscale admin console. Note that to see the Tailscale admin console, you need to have an admin role in Tailscale.
Questions
How do I install a self-hosted Tailscale + Indent integration?
This self-hosted option is best suited to organizations that need to manage the approval logic themselves. This is usually only done to meet exceptionally demanding security standards. Most organizations are best served with the install option at the top of the page.
1. Cloning the repo
- Click on the Use This Template button to clone the repo
- In your new repo go to Settings → Secrets → Actions
- Leave this tab open for adding secrets from the next steps
2. Configuring the S3 bucket
- Go to AWS S3 and select an existing bucket or create a new one
- Most of the default settings are good, but some recommended values are:
  - Name — easily identifiable name for the bucket, such as indent-deploy-state-123
  - Region — where you plan to deploy the Lambda, like us-west-2
  - Bucket versioning — if you want to have revisions of past deployments, otherwise pick disabled
  - Default encryption — enable for server-side encryption for deployment files
  - This integration currently assumes your region is us-west-2, and you want S3 encryption turned on. If you choose other settings, update your main.tf values accordingly.
- In a new tab open main.tf from your GitHub repo, and change the empty value for backend to the name of your bucket
  Note: In main.tf, only update the empty bucket value in the Terraform block.
3. Configuring AWS credentials
- Go to AWS IAM → Add Users and create a new user for deploys, such as indent-terraform-deployer
- Configure the service account's access:
  - Credential type — select Access key - Programmatic access
  - Permissions — click Attach existing policies directly and select AdministratorAccess
- Follow the prompts until the account is created
- Add the resulting values as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to GitHub Secrets
4. Connecting to Tailscale
- Go to the Keys page of the Tailscale admin console and generate a new API key
  - Set this API key as the GitHub secret TAILSCALE_API_KEY
  - Note that as Tailscale API keys expire, this will need to be refreshed every 90 days
- Locate your Tailnet name by opening your Tailscale admin console and copying the name next to the Tailscale logo in the upper left corner of the page
  - Set your tailnet name as the GitHub secret TAILSCALE_TAILNET
5. Deploying
- On your Indent dashboard go to Integrations → Catalog → Tailscale OR follow this link
  - Copy the webhook secret, and in a new tab add it to your GitHub Secrets as INDENT_WEBHOOK_SECRET
  - Leave this Tailscale integrations page open for the next step
- From your repo navigate to GitHub Actions → The latest job → deploy.webhook, and follow the prompts to run the workflow
- Click the new deploy.webhook, and copy the URL printed in the Terraform Output section
- On your Indent + Tailscale integrations page, paste and save the URL you just copied
Try it out
Congrats! Your installation should now be complete. Try requesting access to a Tailscale resource.