authkeys that can bypass manual machine auth

[apenwarr]

Manual machine authorization works well for human-owned client devices, but is very inconvenient when used with automated management of servers and especially containers. Admins then have to compromise by enabling or disabling the manual auth flag globally, affecting both client devices and servers.

The servers & containers in question are almost always configured with preauth keys. We could allow the user to give certain preauth keys a special "bypass manual device auth" flag. Then those preauthed devices wouldn't need to be manually approved.

See also #1124, which discussed letting unauthorized devices have different ACLs entirely. That could be an alternative to this, but is semantically a bit confusing.

[wizzard0]

Maybe it makes sense to also bundle key with ACLs at key creation time?

[DentonGentry]

Since this bug was filed we've added an API endpoint which can authorize a machine: https://github.com/tailscale/tailscale/blob/main/api.md#device-authorized-post
I think this addresses the goal of adding this feature.

@wizzard0 we've also added the ability to associate Tags with an authkey

[michael-careplanner]

While I appreciate that this is now technically possible via that API endpoint, I'd love to see consideration given to making this a fully fledged feature.

Our use case is that we want users on TailScale to be subject to device authorization by an administrator, but we also wish to connect our cloud CI runners for deploying code into our environments and as these are ephemeral can't manually authorize these. We currently face the choice of either disabling device authorization for all users, or bundling an API key into the CI runners next to our ephemeral auth key and using this to immediately authorize the runner.

Obviously giving our CI runners full access to the TailScale API is not an ideal situation and somewhat defeats the point of the lovely feature to assign auth keys to tags, as API access gives full write access over the ACL.

What we'd love to see if the ability to disable machine authorization for machines using auth keys. This could be configurable per auth key (similar to how tags are configure for auth keys). I expect this would be a popular feature especially with ephemeral keys, as I don't expect many people will want to have manual device authorization turned on for ephemeral machines!

[dkerwin]

@michael-careplanner I have a very similar use-case and use a mix of ephemeral keys with device tags and a small daemon that polls the API and approves devices when the tags match. This allows us to have device approval for all systems and automatic approval for CI machines. It might be able to open-source it if you find the idea useful.

[bradfitz]

We implemented this today & it's live.

The web UI supports it and the API has a new preauthorized bool you can set on the JSON request body to POST /api/v2/device/:deviceID/key.