Access Resources Remotely

Depending on the resource type, you can securely access resources in the following ways:

Connect from the Secure Remote Access Portal

The default authentication method for logging in to the Secure Remote Access Portal is Security Assertion Markup Language (SAML). For details about integrating your SAML authentication with the Akeyless Vault Platform, see here.

  1. Go to
  1. In the SAML Access ID field, enter your SAML Access ID.

  2. In the Akeyless Gateway URL field, enter your Akeyless Gateway URL on port 8080.

  3. If you are connecting to a database, SSH, or RabbitMQ resources, in the Web Client URL field, enter the URL of your Secure Remote Access Bastion web-sra service URL.

  4. (Optional) If you are connecting to applications using Web Access in Isolated mode, in the Web Access Dispatcher URL field, enter the URL of your Web Access Bastion.

  5. Select Sign in.
    The portal shows all the supported resource types. The number of resources of a particular type that you are authorized to access appears in the top-right corner of the resource tile. If no number appears for a resource, you are not authorized to access any resources of that type.


To simplify login, after you enter all the required information but before you sign in, select Generate SAML Bookmark URL to create a link to the completed form. The link is copied to your clipboard for you to save in a convenient place, such as your browser bookmarks, and use in the future to automatically complete the login details.

Connect from a UNIX Terminal

Akeyless Connect command provides you with secure CLI access to resources from any UNIX terminal.


To use Akeyless Connect you need:



Akeyless connect command supports legacy ~/.akeyless-sphere.rc configuration file.

  1. Download the latest version of Akeyless Command Line Interface (CLI).

  2. Create a resource file called ~/.akeyless-connect.rc as follows:

# ---------------------------------------------------------------------
# Copyright © 2021  Akeyless Security LTD.
# All rights reserved
# ----------------------------------------------------------------------

# This file is a user-specific configuration file for akeyles-connect Secure Remote Access
# it should be located in user home directory named .akeyless-connect.rc

# IDENTITY_FILE - the path to the ssh-key to be signed and used for Zero Trust session (if empty, default ssh-key is used)

# CERT_ISSUER_NAME - full path to the Akeyless SSH Cert Issuer to use for Zero Trust session

# AKEYLESS_PROFILE - Akeyless CLI profile to be used

# AKEYLESS_GW_REST_API - URL for Akeyless API Gateway (RestAPI)

# Following are used for control service, to configure the temporary session:

# Allow caching of temp session creds

# Display connection stages


From Windows 10, the Windows subsystem for Linux feature enables you to use your Windows OS environment as a UNIX-like system. To work with Akeyless connect command from a Windows machine, place the .akeyless-connect.rc script in your home directory.

  1. Use the akeyless connect command to connect to a resource through the Secure Remote Access Bastion:
akeyless connect -t  <[[email protected]]target/hostname/ip[:port]> via <sra-bastion-ssh-sra-service/ip[:port]>

Legacy Mode

To support legacy applications, Akeyless enables a hybrid mode based on SSH certificates and SSH keys. When a user accesses a legacy resource, the platform uses an SSH certificate to connect to the Secure Remote Access Bastion. The SRA Bastion in turn uses your SSH key or password to connect to the legacy resource.


There are risks to SSH password authentication. Ensure you are connecting to the correct resource.

  1. Create a static secret in Akeyless Vault, the value of which is your SSH private key or SSH password.

  2. Run the update-item command to enable either the ssh-password or ssh-private-key mode to the secret.

$ akeyless update-item --name <Path/to/static/secret> /
--secure-access-enable true /
--secure-access-ssh-creds  <[password/private-key> /
--secure-access-bastion-issuer </Path/of/SSH Cert Issuer> /
--secure-access-host <Target SSH server >
$ akeyless update-item --name <static secret name> /
--add-tag ssh-private-key

Did this page help you?