Closed IvanRibakov closed 11 months ago
The OAuth client is responsible for creating the node on the tailnet. `device:write` will allow it to do so. You'll be required to specify a Tag for the nodes it creates; OAuth clients cannot create nodes for a User (because they don't have a User), they can only create nodes for a Tag. https://tailscale.com/kb/1068/acl-tags/

What access that node gets is determined by the ACLs applied to the Tag, not by the OAuth client. The default ACL allows anything to connect to anything, but if you've modified the ACLs to limit access then you'll need to ensure the CI Tag is allowed to access what it needs to get to.
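As an added illustration (not part of the original thread, and not a file from the tailscale project), here is what a minimal tailnet policy file could look like for the situation described above: the OAuth client only creates a node carrying a tag, and that tag's reach is set by the ACL, not by the client's scopes. The tag names `tag:ci` and `tag:prod-host`, the `autogroup:admin` owner, and the port `22` are assumptions chosen for the example; the policy file keys themselves (`tagOwners`, `acls`, `action`, `src`, `dst`) are the standard Tailscale policy-file keys.

```json
{
  "tagOwners": {
    "tag:ci": ["autogroup:admin"],
    "tag:prod-host": ["autogroup:admin"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["tag:ci"],
      "dst": ["tag:prod-host:22"]
    }
  ]
}
```

With a policy like this the CI node (created by the OAuth client under `tag:ci`) can reach nodes tagged `tag:prod-host` on port 22 only, and nothing else on the tailnet; any other destination has to be added as a further `dst` entry. The default policy, by contrast, contains a rule accepting every source to every destination, which is why the thread notes that with an unmodified ACL the CI node can connect to anything.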
@DentonGentry so is `device:write` the only scope needed, or is `acl:read` also required for the OAuth client? I'm assuming I can leave some scope checkboxes completely unchecked to forbid read AND write access.
The only thing the OAuth client does for this github-action is create the node on the tailnet. `device:write` is sufficient for that.

An OAuth client with `acl:read` would be allowed to use the API to read the ACLs: https://github.com/tailscale/tailscale/blob/main/api.md#get-policy-file

That isn't necessary for this GitHub Action; you'd only need `acl:read` if you're going to additionally do something else which requires reading the ACL file.
Thank you, @DentonGentry !
Hi, I'm not a very experienced Tailscale user and I don't fully understand all the risks that having access to various parts of the Tailscale API could pose if misused. As such, my question is: what are the minimal OAuth client scope settings required for simple (IP-based) access to a remote host on a Tailscale network from CI?

Would `devices:read` be enough if the remote host IP is known upfront?