Opal + Tailscale

Opal + Tailscale Use cases

Protect against breaches with least privilege

  • Grant just-in-time access to resource son your tailnet that are auto-expiring and fully audited using Slack
  • Ensure that privileged roles have the appropriate identity governance and approval configurations, such as multi-stage approvals, max duration, custom fields, and more

Accelerate employee access on paved roads

  • Enable resource owners with the most context to approve access requests and provision access automatically via Slack
  • Accelerate employee onboarding by enabling managers to request on behalf of their reports or enabling self-service discovery of resource bundles
  • Automate on-call access by provisioning and deprovisioning access via on-call schedules

Simplify compliance without manual overhead

  • Automate user access reviews so compliance teams can snapshot user listings, assign reviewers to self-service reviews, propagate access changes, and generate an auditor-friendly access report
  • Review access of employees who have recently transferred roles or departments

Opal + Tailscale Integration Overview

The Opal team is thrilled to partner with Tailscale so that users can easily make access requests to Tailscale resources using a self-service catalog, while admins can set up powerful approval and security guardrails. With the Tailscale + Opal integration, organizations can granularly manage SSH access with the following workflows:

Tailscale Integration Setup


Before you begin this guide, you’ll need a tailnet and an Opal account. For information about creating a tailnet, see the Tailscale quickstart.

To use Opal with Tailscale:

  1. Generate a Tailscale API key from the keys page of the admin console.
  2. In Opal, add Tailscale as a new application.
  • Set the App Admin to the team that should manage the Tailscale app in Opal.
  • Enter a Description of how you use Tailscale, so colleagues know what they’re requesting access to. For example, “SSH access to the production network”.
  • Set the Tailnet name to be your tailnet’s domain name. You can find the name of your tailnet by opening the admin console and copying the name next to the Tailscale logo in the upper left corner of the page, e.g., example.com, myemail@example.com, or example.github.
  • Set the Tailscale API key to the API key you generated.

Determine which Tailscale ACL tags should be imported into Opal. This is done by the App Admin. For each ACL tag that is selected, Opal will automatically parse the existing access rules and SSH access rules that apply to that tag, and which groups have access to the tagged sources using those rules.

Now a user can request access or SSH access to a specific tag in Tailscale, or to join a specific group.

Manage access with


Interested in Opal?

Get in touch with our team to learn more!

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.