[v.16.x] /docs/pages/admin-guides/access-controls/access-request-plugins/ssh-approval-slack.mdx

[DvdChe]

Applies To

• https://goteleport.com/docs/admin-guides/access-controls/access-request-plugins/ssh-approval-slack/#step-38-create-a-user-and-role-for-the-plugin

Details

add the access list for user_group resource :

    - resources: [ "user_group"]
      verbs: [ "list,  "read"]

How will we know this is resolved?

After a major teleport upgrade, we noticed our teleport slack bot was not able to send notification in slack when we created an access request for app roles. It was ok for others services such ssh, kubernetes. The slack bot had the following stacktrace at request creation:

ERRO   Failed to process request error:[
ERROR REPORT:
Original Error: *interceptors.RemoteError access denied to perform action "list" on "user_group", access denied to perform action "read" on "user_group"
Stack Trace:
	github.com/gravitational/teleport/[email protected]/client/client.go:3645 github.com/gravitational/teleport/api/client.(*Client).ListResources
	github.com/gravitational/teleport/[email protected]/client/client.go:4018 github.com/gravitational/teleport/api/client.GetResourcesWithFilters
	github.com/gravitational/teleport/[email protected]/accessrequest/access_request.go:41 github.com/gravitational/teleport/api/accessrequest.GetResourcesByKind
	github.com/gravitational/teleport/[email protected]/accessrequest/access_request.go:124 github.com/gravitational/teleport/api/accessrequest.GetResourcesByResourceIDs
	github.com/gravitational/teleport/[email protected]/accessrequest/access_request.go:73 github.com/gravitational/teleport/api/accessrequest.GetResourceDetails
	github.com/gravitational/teleport/integrations/access/accessrequest/app.go:519 github.com/gravitational/teleport/integrations/access/accessrequest.(*App).getResourceNames
	github.com/gravitational/teleport/integrations/access/accessrequest/app.go:233 github.com/gravitational/teleport/integrations/access/accessrequest.(*App).onPendingRequest
	github.com/gravitational/teleport/integrations/access/accessrequest/app.go:201 github.com/gravitational/teleport/integrations/access/accessrequest.(*App).handleAcessRequest
	github.com/gravitational/teleport/integrations/access/accessrequest/app.go:179 github.com/gravitational/teleport/integrations/access/accessrequest.(*App).onWatcherEvent
	github.com/gravitational/teleport/integrations/lib/watcherjob/watcherjob.go:300 github.com/gravitational/teleport/integrations/lib/watcherjob.job.eventLoop.job.eventFuncHandler.func1
	github.com/gravitational/teleport/integrations/lib/process.go:213 github.com/gravitational/teleport/integrations/lib.jobFunc.DoJob
	github.com/gravitational/teleport/integrations/lib/process.go:101 github.com/gravitational/teleport/integrations/lib.NewProcess.func2.1
	runtime/asm_amd64.s:1695 runtime.goexit
User Message: access denied to perform action "list" on "user_group", access denied to perform action "read" on "user_group"] request_id:01932a10-402f-7ec8-b235-84050dde2fbf request_op:put request_state:PENDING accessrequest/app.go:210

It was fixed once we added the access list for user_group

Related Issues