tailscale / github-action

A GitHub Action to connect your workflow to your Tailscale network.
BSD 3-Clause "New" or "Revised" License

[Question] Minimal OAuth client scope for basic network access #80

Closed IvanRibakov closed 11 months ago

IvanRibakov commented 11 months ago

Hi, I'm not a very experienced Tailscale user and I don't fully understand all the risks that having access to various parts of the Tailscale API could pose if misused. As such, my question is: what are the minimal OAuth client scope settings required for simple (IP-based) access to a remote host on a Tailscale network from CI?

Would devices:read be enough if remote host IP is known upfront?

DentonGentry commented 11 months ago

The OAuth client is responsible for creating the node on the tailnet. device:write will allow it to do so. You'll be required to specify a Tag for the nodes it creates; OAuth clients cannot create nodes for a User (because they don't have a User), they can only create nodes for a Tag. https://tailscale.com/kb/1068/acl-tags/

What access that node gets is determined by the ACLs applied to the Tag, not by the OAuth client. The default ACL allows anything to connect to anything, but if you've modified the ACLs to limit access then you'll need to ensure the CI Tag is allowed to access what it needs to get to.

IvanRibakov commented 11 months ago

@DentonGentry so is device:write the only scope needed, or is acl:read also required for the OAuth client? I'm assuming I can leave some scope checkboxes completely unchecked to forbid read AND write access.

DentonGentry commented 11 months ago

The only thing the OAuth client does for this github-action is create the node on the tailnet. device:write is sufficient for that.

An OAuth client with acl:read would be allowed to use the API to read the ACLs: https://github.com/tailscale/tailscale/blob/main/api.md#get-policy-file That isn't necessary for this GitHub Action, you'd only need acl:read if you're going to additionally do something else which requires reading the ACL file.
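As an added illustration (not part of the thread or of the tailscale/github-action project), the ACL policy below shows the part that actually bounds what a CI node can reach once the OAuth client has created it: the tag owner entry that allows the tag to exist, and a single rule letting that tag reach one host on one port. The tag name `tag:ci`, the address `100.101.102.103` and port `22` are placeholders chosen for the example.

```jsonc
// Tailscale policy file (HuJSON: JSON with comments and trailing commas allowed).
{
  // The tag the OAuth client will apply to CI nodes must be declared here;
  // autogroup:admin is a placeholder owner for the example.
  "tagOwners": {
    "tag:ci": ["autogroup:admin"]
  },

  // Replace the permissive default ("*" -> "*:*") with one narrow rule:
  // CI nodes may reach only the placeholder host 100.101.102.103 on TCP 22.
  // The OAuth client's scope (device:write) plays no part in this decision;
  // reachability is decided entirely by the rules that match tag:ci.
  "acls": [
    {
      "action": "accept",
      "src": ["tag:ci"],
      "dst": ["100.101.102.103:22"]
    }
  ]
}
```

With this policy a node created by the action with `tags: tag:ci` can open nothing else on the tailnet, which is the least-privilege configuration the question was after.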

IvanRibakov commented 11 months ago

Thank you, @DentonGentry !