ERROR: access denied to perform action "list" on "role", access denied to perform action "read" on "role"

Question

for a CI/CD pipeline, i need an image for connecting to my teleport cluster to use a bot, which i will a create. Therefore i have installed gravitational/teleport:12.4.11 (following this link ) with all required tools. The Log-in using tsh login --proxy=myteleport.registry.com works fine, but the following tctl get usersor tctl get roles --format=text throws ERROR: access denied to perform action "list" on "role", access denied to perform action "read" on "role". I highly appreciate any tips or suggestions you may give to resolve this.

Answer 1

It seems that the user who logged in using the tsh login command does not have the necessary privileges to view a list of users or roles with tctl.

You can try adding a role that grants the required permissions. Here's an example of a role configuration manage-users-and-roles.yaml:

kind: role
metadata:
  description: role to manage users & roles 
  name: manage-users-and-roles
spec:
  allow:
    rules:
    - resources:
      - user
      - role
      - read
      verbs:
      - list
      - create
      - read
      - update
      - delete
  deny: {}
version: v4

Add this role to teleport :

tctl create -f manage-users-and-roles.yaml

And then link this role with your user :

tctl users update <your-username> --set-roles <existing-roles>,manage-users-and-roles

---

Note that you should be connected on your teleport server with the admin user

You can find more information about managing roles on teleport in their docs :

• https://goteleport.com/docs/access-controls/guides/role-templates/