docs/pages/identity-governance/access-requests/plugins/opsgenie.mdx
With Teleport's Opsgenie integration, engineers can access the infrastructure they need to resolve alerts quickly, without longstanding admin permissions that can become a vector for attacks.
Teleport's Opsgenie integration allows you to treat Teleport Role Access Requests as Opsgenie alerts, notify the appropriate on-call team, and approve or deny the requests via Teleport. You can also configure the plugin to approve Role Access Requests automatically if the user making the request is on the on-call team for a service affected by an alert.
This guide will explain how to set up Teleport's Access Request plugin for Opsgenie.
(!docs/pages/includes/edition-prereqs-tabs.mdx edition="Teleport Enterprise Cloud"!)
Create an Opsgenie team named teleport-access-request-notifications.
We will configure the Opsgenie plugin to create an alert for the
teleport-access-request-notifications team when certain users
create an Access Request.
The Teleport Opsgenie plugin works by receiving Access Request events from the Teleport Auth Service and, based on these events, interacting with the Opsgenie API.
To create a user, first navigate to Access -> Roles. Then select Create New Role and create the requester role.
kind: role
version: v5
metadata:
name: requester
spec:
allow:
request:
roles: ['editor']
thresholds:
- approve: 1
deny: 1
annotations:
teleport.dev/notify-services: ['teleport-access-request-notifications']
teleport.dev/teams: ['teleport-team']
teleport.dev/schedules: ['teleport-access-alert-schedules']
The teleport.dev/notify-services annotation specifies the schedules the alert will be created for.
The teleport.dev/teams annotation specifies the teams the alert will be created for. This is useful when you
have multiple schedules with escalations or an Opsgenie integration that only works with teams.
The teleport.dev/schedules annotation specifies the schedules the alert will check, and auto approve the
Access Request if the requesting user is on-call.
Create a user called myuser who has the requester role. Later in this
guide, you will create an Access Request as this user to test the Opsgenie
plugin:
To create a user, first navigate to Zero Trust Access -> Users.
Generate an API key that the Opsgenie plugin will use to create and modify alerts as well as list users, services, and on-call policies.
In your Opsgenie dashboard, go to SETTINGS → INTEGRATIONS
See https://support.atlassian.com/opsgenie/docs/create-a-default-api-integration/ for more details.
At this point, you have generated credentials that the Opsgenie plugin will use to connect to the Opsgenie API. To configure the plugin to use this API key, navigate to Add New in the Web UI; in the left pane, click Integration. Click the Opsgenie tile.
As the Teleport user myuser, create an Access Request for the editor role:
(!docs/pages/includes/plugins/create-request.mdx!)
In Opsgenie, you will see a new alert containing information about the
Access Request in either the default schedule specified when enrolling the plugin,
or in the schedules specified by teleport.dev/notify-services annotation in the requester's role.
(!docs/pages/includes/plugins/resolve-request.mdx!)
<Admonition type="info" title="Auditing Access Requests">When the Opsgenie plugin sends a notification, anyone who receives the notification can follow the enclosed link to an Access Request URL. While users must be authorized via their Teleport roles to review Access Request, you should still check the Teleport audit log to ensure that the right users are reviewing the right requests.
When auditing Access Request reviews, check for events with the type Access Request Reviewed in the Teleport Web UI.
(!docs/pages/includes/plugins/access-plugin-troubleshooting.mdx!)