Conversation

@mcoulombe mcoulombe commented Oct 10, 2025

Add new arguments to tailscale up so authkeys can be generated dynamically via identity federation.

Example command:

tailscale up \
--advertise-tags=tag:wif \
--wif-client-id=1234DEVEL/5678DEVEL \
--wif-id-token=ey...

Updates #9192

@mcoulombe mcoulombe force-pushed the max/identity-federation-support branch from 3a9a986 to 2e648e5 Compare October 10, 2025 21:38
@mcoulombe mcoulombe marked this pull request as draft October 10, 2025 21:41
@mcoulombe mcoulombe force-pushed the max/identity-federation-support branch from 2e648e5 to 0e8c3df Compare October 10, 2025 21:47
@mcoulombe mcoulombe marked this pull request as ready for review October 14, 2025 13:20
}
// Try to resolve the auth key via workload identity federation if that functionality
// is available and no auth key is yet determined.
if f, ok := tailscale.HookResolveAuthKeyViaWIF.GetOk(); ok && authKey == "" {
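Review bot: the `authKey == ""` guard on the last line silently gives an explicitly supplied auth key precedence over WIF resolution, but neither the comment above nor the flag help says so; state the precedence in the comment (an existing auth key wins, WIF is consulted only when nothing else produced one) and in the command doc, so a user who passes both knows which credential is actually used.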
Member
Note for future us to double check if we have credential precedence documented somewhere; we'll need to add this as a result.

Contributor Author
Yeah it'll be worth mentioning in the command doc

Contributor
Consider calling this from ResolveAuthKey instead? That way it'll work in tsnet too (the original purpose of my ResolveAuthKey PR was to move common logic out into a place where both the CLI and tsnet could use it)

Contributor Author

@mcoulombe mcoulombe Oct 16, 2025

ResolveAuthKey & ResolveAuthKeyViaWIF diverge enough that it feels best to keep them separate. They'll grow apart even more as we expand the ResolveAuthKeyViaWIF implementation while we work on the GA release.

For our beta release we do not plan to support tsnet just yet. We want a bit more time in the incubator before we cover more than tailscale up.

return authkey, nil
}

func parseOptionalAttributes(clientID string) (ephemeral bool, preauthorized bool, err error) {
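Review bot: `parseOptionalAttributes` on the last line has no doc comment, so the attribute syntax it expects inside `clientID` and its behaviour on an unrecognized attribute (return `err` or ignore it) are undocumented; add a comment spelling out the accepted encoding and the error cases, since a silently ignored `ephemeral` or `preauthorized` marker changes what the resulting authkey grants.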
Member

Nit: might be good to put this somewhere common that can be used by the resolveAuthKey path as a followup

Contributor Author

@mcoulombe mcoulombe Oct 15, 2025

Do you know where it'd be appropriate to share code between different hooks? I tried to find a common place but nothing seemed obvious.

@mcoulombe mcoulombe force-pushed the max/identity-federation-support branch from 0e8c3df to 98effb6 Compare October 15, 2025 13:46
@mcoulombe mcoulombe force-pushed the max/identity-federation-support branch from 98effb6 to 1e1dbd6 Compare October 15, 2025 19:46
mcoulombe commented Oct 15, 2025

@tendstofortytwo sup, adding you to this PR since you worked on tailscale.HookResolveAuthKey recently. Happy to answer any questions you need if the context of these changes is not clear.

Contributor

@tendstofortytwo tendstofortytwo left a comment

hey! I'm on PTO so this isn't super thorough, just did a quick pass 😅 consider asking in #client if you haven't already

upf.BoolVar(&upArgs.advertiseDefaultRoute, "advertise-exit-node", false, "offer to be an exit node for internet traffic for the tailnet")
upf.BoolVar(&upArgs.postureChecking, "report-posture", false, hidden+"allow management plane to gather device posture information")
upf.StringVar(&upArgs.wifClientID, "wif-client-id", "", "Client ID used to generate authkeys via workload identity federation")
upf.StringVar(&upArgs.wifIDToken, "wif-id-token", "", "ID token from the identity provider to exchange with the control server for workload identity federation")
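Review bot: `--wif-id-token` on the last line takes a bearer credential directly as a command-line argument, which leaves it in shell history and visible to other local users through process listings; consider also accepting the token from an environment variable or a file path, and say in the help text that the value is a secret so operators do not paste it into scripts or logs.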
Contributor

maybe worth gating on the feature being present?

Contributor Author

Sorry, can you explain what you mean or give me an example? I don't see other arguments being conditionally gated.


@mpminardi mpminardi requested a review from tomhjp October 16, 2025 21:16
@mcoulombe
Contributor Author

> hey! I'm on PTO so this isn't super thorough, just did a quick pass 😅 consider asking in #client if you haven't already

Sorry, didn't know you were on PTO, I'll ask in #client, thanks!

@mcoulombe mcoulombe force-pushed the max/identity-federation-support branch 3 times, most recently from 6ffb19e to 3f3eeed Compare October 17, 2025 20:32
Add new arguments to `tailscale up` so authkeys can be generated dynamically via identity federation.

Updates #9192

Signed-off-by: mcoulombe <max@tailscale.com>
@mcoulombe mcoulombe force-pushed the max/identity-federation-support branch from 3f3eeed to ed90cc4 Compare October 17, 2025 21:51
@mcoulombe mcoulombe merged commit 6a73c0b into main Oct 17, 2025
57 checks passed
@mcoulombe mcoulombe deleted the max/identity-federation-support branch October 17, 2025 22:05