Rails Console Access via Teleport

Use this guide to open a Rails console session using Teleport’s tsh command-line tool. If you prefer, you can alternatively open a session directly through the web UI.

Prerequisites

Teleport access via Okta (see getting access).
tsh is installed (see installation instructions).

Process

Request access

Identify the role you need. The following table lists some common roles for your convenience:

For all read/write access (both prod & non-prod), review the change management process to determine whether a change request is required. If unsure, reach out to an SRE for assistance. EMs cannot typically approve read-write access.

Env	Access type	Role
Non-prod	Read-only	No request needed, skip to Log in
Non-prod	Read-write	`non-prod-rails-console-rw`
Non-prod (customersdot)	Read-only	No request needed, skip to Log in
Non-prod (customersdot)	Rake	No request needed, skip to Log in
Non-prod (customersdot)	Read-write	No request needed, skip to Log in
Prod	Read-only	`prod-rails-console-ro`
Prod	Read-write	`prod-rails-console-rw`
Prod (customersdot)	Read-only	`prdsub-customersdot-rails-console-ro`
Prod (customersdot)	Rake	`prdsub-customersdot-rake`
Prod (customersdot)	Read-write	`prdsub-customersdot-rails-console-rw`

customersdot access is limited to engineers in the Monetization group (Fulfilment & Growth). For more information, refer to the customers-gitlab-com repository

tsh login --proxy=production.teleport.gitlab.net

Request the role:

tsh request create \
  --roles=<Role> \
  --reason="<GitLab issue URL / ZenDesk ticket URL>"

An automated message will appear in the #teleport-requests Slack channel. If you’re a member of Engineering or Security, tag your direct manager to review the request. Otherwise, ask in the #eng-managers channel for review by any available engineering manager.

For more information, refer to the Teleport Approver Workflow.
Once approved, the Slack bot will notify you in #teleport-requests.
Log in to tsh again, providing the ID of your approved access request
Terminal window
```
tsh login --request-id=<request-id>
```

Log in

Gather the necessary details

Env Access type username hostname
Non-prod Read-only rails-ro console-ro-01-sv-gstg
Non-prod Read-write rails console-01-sv-gstg
Prod Read-only rails-ro console-ro-01-sv-gprd
Open an SSH session to the target rails host
Terminal window
```
tsh ssh <username>@<hostname>
```
For read-write access, once SSHed in, open the Rails console:
Terminal window
```
sudo gitlab-rails console
```

Env	Access type	username	hostname
Non-prod	Read-only	rails-ro	console-ro-01-sv-gstg
Non-prod	Read-write	rails	console-01-sv-gstg
Prod	Read-only	rails-ro	console-ro-01-sv-gprd

Next Steps

Access requests are temporary and expire after 12 hours, but may be used across multiple sessions. Renew it before or after expiration using the same request process.
Learn about tsh’s features in Teleport’s docs.

Support

For help with Teleport or the approval process, ask in #security_help.
To report a Teleport bug, open an issue with Infrastructure Security.

Troubleshooting

`tsh request create` timed out

tsh request create will wait for approval and return once the request is approved, denied, or expires.

If it times out before a decision, check #teleport-requests slack channel or the Teleport Web UI for the request ID — you don’t need to re-request if it was approved.

Terminal type error

Symptom:

[WARNING] Could not load command "rails/commands/console/console_command". Error: The terminal
could not be found, or that it is a generic type, having too little information for curses
applications to run.

Fix: Set TERM to xterm-256color:

TERM=xterm-256color tsh ssh rails-ro@console-ro-01-sv-gprd

Error: `failed to add one or more keys to the agent`

See getting_access.md — Troubleshooting.

Verbose output

tsh --debug ssh rails-ro@console-ro-01-sv-gprd