Skip to main content

Tailscale Integration

This guide will show you how to setup an integration between Indent and Tailscale. Once complete, you'll be able to use Tailscale to grant secure on-demand server access.



This page assumes you completed the Indent Quickstart. (5 min setup)


This guide uses GitHub Actions and Terraform to deploy an Indent + Tailscale integration. AWS S3 will be used to store Terraform state, and AWS Lambda will run the webhook.

1. Cloning the repo

  • Click on the Use This Template button to clone the repo
  • In your new repo go to Settings → Secrets → Actions
  • Leave this tab open for adding secrets from the next steps

2. Configuring the S3 bucket

  • Go to AWS S3 and select an existing bucket or create a new one
    • Most of the default settings are good, but some recommended values are:
      • Name — easily identifiable name for the bucket, such as indent-deploy-state-123
      • Region — where you plan to deploy the Lambda, like us-west-2
      • Bucket versioning — if you want to have revisions of past deployments, otherwise pick disabled
      • Default encryption — enable for server-side encryption for deployment files
    • This integration currently assumes your region is us-west-2, and you want S3 encryption turned on. If you choose other settings, update your values accordingly.
  • In a new tab open from your GitHub repo, and change the empty value for backend to the name of your bucket

    In, only update the empty bucket value in the Terraform block.

3. Configuring AWS credentials

  • Go to AWS IAM → Add Users and create a new user for deploys, such as indent-terraform-deployer
  • Configure the service account's access:
    • Credential type — select Access key - Programmatic access
    • Permissions — click Attach existing policies directly and select AdministratorAccess
    • Follow the prompts until the account is created
  • Add the resulting values as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to GitHub Secrets

4. Connecting to Tailscale

  • Go to the Keys page of the Tailscale admin console and generate a new API key
    • Set this API key as the GitHub secret TAILSCALE_API_KEY
    • Note that as Tailscale API keys expire, this will need to be refreshed every 90 days
  • Locate your Tailnet name by opening your Tailscale admin console and copying the name next to the Tailscale logo in the upper left corner of the page
    • Set your tailnet name as the GitHub secret, as the GitHub secret TAILSCALE_TAILNET

5. Deploying

  • On your Indent dashboard go to Integrations → Catalog → Tailscale OR follow this link
    • Copy the webhook secret, and in a new tab add it to your GitHub Secrets as INDENT_WEBHOOK_SECRET
    • Leave this Tailscale integrations page open for the next step
  • From your repo navigate to GitHub Actions → The latest job → deploy.webhook, and follow the prompts to run the workflow
    • Click the new deploy.webhook, and copy the URL printed in the Terraform Output section
    • On your Indent + Tailscale integrations page, paste and save the URL you just copied

Using Indent + Tailscale

Congrats! Your Tailscale integration is ready. You can test that everything is set up correctly by navigating to your Resources page, and clicking Pull from Integrations. On a successful pull you will see Tailscale groups appear as new Resources.

Now it's time to use Indent for requesting membership to a Tailscale group.

  1. Try visiting the request page on the Indent dashboard, or created a request in Slack
    • If you have the Slack integration setup, you can type /access or click the lightning bolt to submit a request
  2. On your Petitions page you should be able to see your request as part of a petition. Try clicking the petition to view more details.
    • From the petition details page, click the Review Petition button and follow the prompts

Once approved, you should see yourself in the users page of the Tailscale admin console. You now now have access to the servers and devices listed on the machines page of the Tailscale admin console. Note that to see the Tailscale admin console, you need to have an admin role in Tailscale.


You added an Indent + Tailscale integration. You're now able to request secure on-demand server access using Indent + Tailscale.


Where do I view the code I'm deploying?

The code is in the initial Indent APIs GitHub repo that you cloned.

Where can I find a list of all of the secrets?
You will find a full list of secrets used by this integration below. To view, click the _View Secrets List_ link.
TAILSCALE_WEBHOOK_SECRETGet this from your Indent App or an Indent Webhook in the Dashboard.
TAILSCALE_PULL_WEBHOOK_SECRETGet this from the Indent Webhook you created while setting up your space.
TAILSCALE_API_KEYYour Tailscale API Key. Get this from your Tailscale Administrator Panel.
TAILSCALE_TAILNETThe name of your Tailscale network. The network you want to manage with Indent.
AWS_ACCESS_KEY_IDYour Programmatic AWS Access Key ID
AWS_SECRET_ACCESS_KEYYour Programmatic AWS Secret Access Key
AWS_SESSION_TOKENOptional: Your AWS Session Token. Note: If you use an AWS Session ID you will need to update it for each deployment once the session expires
How do I redeploy the webhook?
The repo you created from a template auto-deploys to AWS when you push or merge PRs to the `main` branch. You can manually redeploy the webhooks by re-running the [latest GitHub Action job](
How do I ask for help?
If you have questions or need help with your integration, try chatting with the [Indent Support](