Closed rihardsgrislis closed 10 months ago
I went ahead and tested it with scope `devices:write` and this:

```json
"tagOwners": {
  "tag:ci": ["autogroup:admin"],
},
```

Works fine, but I'm unsure about my choice of `autogroup:admin`.
That should be OK. However, you don't need to specify a tag owner for this, as the OAuth client will automatically assign tags to the ephemeral devices.
For example, this should also work:

```json
"tagOwners": {
  "tag:ci": []
}
```

Tag owners allow the listed owners to assign tags to devices (https://tailscale.com/kb/1068/acl-tags/#defining-tag-owners). In this case, the device will be tagged automatically.
You can make use of the tag in your ACLs for more fine-grained permissioning if desired.
@peteretelej thanks, removing `"autogroup:admin"` from `tag:ci` works!
However, I checked the documentation on ACL tags and that's the same as having `autogroup:admin` specified. :D

> A shorthand notation, [], is available for autogroup:admin.

https://tailscale.com/kb/1018/acls/#tag-owners
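To illustrate the "more fine-grained permissioning" mentioned in the reply above, here is an added example of a complete Tailscale policy file that is not part of this issue thread or of the Tailscale project's own documentation. It assumes a second, hypothetical tag `tag:staging` for the hosts the CI runners are allowed to reach; the `tag:ci` owner entry uses the `[]` shorthand from the KB link, and the `tests` section is a policy-level check that the admin console evaluates on save so a later ACL edit cannot silently widen what `tag:ci` can reach.

```json
{
  // tagOwners: who may apply each tag. "[]" is the documented shorthand for
  // ["autogroup:admin"]; the OAuth client tags its own ephemeral devices with
  // tag:ci regardless, so no human owner needs to be listed for it.
  "tagOwners": {
    "tag:ci":      [],
    "tag:staging": ["autogroup:admin"],  // assumed tag for deploy targets
  },

  // acls: CI runners may reach staging hosts on SSH and HTTPS only. There is
  // no rule with tag:ci as a destination, so nothing can connect *to* a runner,
  // and no rule lets tag:ci reach the rest of the tailnet.
  "acls": [
    {
      "action": "accept",
      "src":    ["tag:ci"],
      "dst":    ["tag:staging:22", "tag:staging:443"],
    },
  ],

  // tests: assertions evaluated when the policy is saved. A change that lets
  // tag:ci reach staging on any other port, or reach any untagged device,
  // fails the save instead of going live.
  "tests": [
    {
      "src":    "tag:ci",
      "accept": ["tag:staging:22", "tag:staging:443"],
      "deny":   ["tag:staging:3389", "tag:staging:80"],
    },
  ],
}
```

The point of keeping `tag:ci` out of every `dst` list is that an OAuth-client-minted runner is a short-lived node with whatever the CI job happens to be holding; treating it purely as a source of outbound connections keeps a compromised job from becoming a pivot into the tailnet.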
Hey Tailers,
I noticed you guys have deprecated the 'authkey' input in favor of an OAuth API client. Sounds good, but I'm a bit stuck trying to switch over.
From the action's readme I picked up that I should use "tag:ci" in the GitHub Action. But then, when I'm setting up the OAuth Client, things get a bit foggy. I picked "devices:write" for my client's scope. I wasn't quite sure about that; some more info on which scopes are required for the action might help.
Next step: adding a tag, since it's required for "devices:write". I'm guessing I need "tag:ci" here too, right? But when I click "Manage tags in Access Controls", the progress is lost due to the redirect.
Here's the part that's got me scratching my head: which user should I put here? Then I remembered the readme said this:

> At least one tag is required: an OAuth client is not associated with any of the Users on the tailnet, it has to Tag its nodes.

That left me a bit puzzled.
Hope you guys can help me sort this out. The switch from 'authkey' to OAuth Client isn't quite the walk in the park I hoped it'd be.
Thanks!