Ephemeral Access to Resources
What is Ephemeral Access?
Ephemeral Access refers to the practice of granting temporary access to certain users (or groups) within a defined window of time in order to allow them to carry out specific actions.
Ephemeral Access to Resources can be achieved using either the APIs or the Command Line Interface, so a good understanding of either is advisable before proceeding.
Ephemeral Access with Twingate
There are multiple ways to achieve ephemeral access with Twingate:
Approach 1:
You can dynamically create a dedicated Twingate Group and assign a combination of Twingate Users and Twingate Resources to it in a single command.
This newly created Group grants access to the given Users only. Upon completion, the Group can be safely removed with a separate command.
Approach 2:
You can update a Twingate Group definition to temporarily add a specific Twingate Resource to it, then safely update the same Group definition to remove the Resource from it.
Approach 3:
You can pre-create Twingate Groups (with no Users in them) with Resources assigned to them that you anticipate will require ephemeral access. You can then simply add Users to the right dedicated Group for a certain amount of time, then remove the Users from the dedicated Group.
Other Approaches
There are many more ways to achieve this using the APIs or the Command Line Interface. We encourage Twingaters to explore the various functions of both in order to determine the best route for them based on their own context.
Example: Create a Group and assign Users & Resources
Using the CLI, you can use the following command to create an Ephemeral Group and assign 1 Resource and 2 Users to it:
(Note: every object has a unique ID which can be retrieved with the API or CLI and is used in all commands)
python3 ./tgcli.py -s BlackSnake -f CSV group create -g "My Ephemeral Group" -u "VXNlcjo5MjMzMg==,VXNlcjo5MjMzNw==" -r "UmVzb3VyY2U6MTU0NTA3OA=="
The response returns the definition of the new group along with the unique ID representing this new group (the Unique ID will be useful below when deleting the Group):
(Note: the output below is in CSV format but the CLI also offers JSON format and a more human readable format called Dataframes)
APIResponseOK,APIResponseError,GroupID,GroupName,CreatedAt,updatedAt,isActive,Type,UserIdList,ResourceIdList
True,,R3JvdXA6MzQzODI=,My Ephemeral Group,2022-06-04T16:48:23.907380+00:00,2022-06-04T16:48:23.907407+00:00,True,MANUAL,"['VXNlcjo5MjMzMg==', 'VXNlcjo5MjMzNw==']",['UmVzb3VyY2U6MTU0NTA3OA==']
After X Minutes or once access should be revoked, the following CLI command can be used in combination with the unique ID representing the new group in order to delete it:
python3 ./tgcli.py -s BlackSnake -f CSV group delete -i "R3JvdXA6MzQzODI="
The Command Line Interface will return a status indicating the operation was carried out successfully:
APIResponseOK,APIResponseError
True,
Bonus: Making Sure the Group Was Deleted
You can use the Command Line Interface for many more things, including checking whether a specific Group exists or not.
Let’s run a command to check whether our Ephemeral Group still exists:
python3 ./tgcli.py -s BlackSnake -f CSV group show -i "R3JvdXA6MzQzODI="
You can see that the CLI returns an empty list of Groups, meaning that, as expected, our Ephemeral Group no longer exists:
GroupID,GroupName,isActive,Type,UserIdList,ResourceIdList