Rails Console Access via Teleport

Always follow the change management process

To make changes in production, open a change request in #production using /change declare. An SRE will execute the steps on your behalf. See the change management process for details.

Use this guide to open a Rails console session using Teleport’s tsh command-line tool. If you prefer, you can alternatively open a session directly through the web UI.

Prerequisites

• Teleport access via Okta (see getting access).
• tsh is installed (see installation instructions).

Process

Default access

Read-only access to non-prod rails consoles is assigned by default via the non-prod-rails-console-ro role, so skip the Request Access steps and go straight to Log in.

Request access

Important

When requesting access, the Reason field must contain a permanent link to a GitLab issue (or similar) outlining what access you require and why you need it.

Otherwise your request will be rejected (see Teleport Approver Workflow).

1. Identify the role you need:

   Env	Access type	Role
   Non-prod	Read-only	No request needed, skip to Log in.
   Prod	Read-only	prod-rails-console-ro

2. Log in to Teleport:

   tsh login --proxy=production.teleport.gitlab.net

3. Request the role:

   tsh request create \
     --roles=<Role> \
     --reason="<GitLab issue URL / ZenDesk ticket URL>"

4. An automated message will appear in the #teleport-requests Slack channel. If you’re a member of Engineering or Security, tag your direct manager to review the request. Otherwise, ask in the #eng-managers channel for review by any available engineering manager.

   For more information, refer to the Teleport Approver Workflow.

5. Once approved, the Slack bot will notify you in #teleport-requests.

Log in

1. Log in to tsh again, providing the ID of your approved access request

   tsh login --request-id=<request-id>

2. Open an SSH session to the target rails host:

   tsh ssh <username>@<hostname> # see below table for <username> & <hostname>

   Env	Access type	username	hostname
   Non-prod	Read-only	rails-ro	console-ro-01-sv-gstg
   Prod	Read-only	rails-ro	console-ro-01-sv-gprd

Next Steps

• Access requests are temporary and expire after 12 hours, but may be used across multiple sessions. Renew it before or after expiration using the same request process.
• Learn about tsh’s features in Teleport’s docs.

Support

• For help with Teleport or the approval process, ask in #security_help.
• To report a Teleport bug, open an issue with Infrastructure Security.

Troubleshooting

tsh request create timed out

tsh request create will wait for approval and return once the request is approved, denied, or expires.

If it times out before a decision, check #teleport-requests slack channel or the Teleport Web UI for the request ID — you don’t need to re-request if it was approved.

Terminal type error

Symptom:

[WARNING] Could not load command "rails/commands/console/console_command". Error: The terminal
could not be found, or that it is a generic type, having too little information for curses
applications to run.

Fix: Set TERM to xterm-256color:

TERM=xterm-256color tsh ssh rails-ro@console-ro-01-sv-gprd

Error: failed to add one or more keys to the agent

See getting_access.md — Troubleshooting.

Verbose output

tsh --debug ssh rails-ro@console-ro-01-sv-gprd