Akeyless Connect

Starting from CLI version 1.42.0, the Akeyless CLI provides a connect command that replaces the Akeyless Sphere script for native CLI Secure Remote Access.

The Akeyless connect command enables CLI access from any UNIX terminal.

Prerequisite

Note:

Starting from Windows 10, Microsoft supports the native feature Windows Subsystem for Linux (WSL), which lets you use your Windows OS environment as a UNIX-like system.

To use the akeyless connect command from a Windows machine, place the .akeyless-connect.rc file in your home directory.

Usage

  1. Download & Install the Akeyless CLI.

  2. Create your ~/.akeyless-connect.rc:

# ---------------------------------------------------------------------
# Copyright © 2021  Akeyless Security LTD.
#
# All rights reserved
# ----------------------------------------------------------------------

#
# This file is a user-specific configuration file for akeyless-connect Secure Remote Access.
# It should be located in the user's home directory and named .akeyless-connect.rc
#

# IDENTITY_FILE - the path to the ssh-key to be signed and used for Zero Trust session (if empty, default ssh-key is used)
IDENTITY_FILE=""

# CERT_ISSUER_NAME - full path to the Akeyless SSH Cert Issuer to use for Zero Trust session
CERT_ISSUER_NAME=""

# AKEYLESS_PROFILE - Akeyless CLI profile to be used
AKEYLESS_PROFILE="default"

# AKEYLESS_GW_REST_API - URL for Akeyless API Gateway (RestAPI)
AKEYLESS_GW_REST_API=""

# The following are used by the control service to configure the temporary session.
# The control API URL is composed as ${BASTION_API_PROTO}://${BASTION_API_PREFIX}${BASTION_HOST}:${BASTION_API_PORT}${BASTION_API_PATH}
# where BASTION_HOST is the bastion host passed with -v/--via-bastion:
BASTION_API_PREFIX=""
BASTION_API_PATH=""
BASTION_API_PROTO=http
BASTION_API_PORT=9900

# Allow caching of temp session creds
SESSION_CACHING=no

# Display connection stages
DISPLAY_STAGES=yes

Where:

CERT_ISSUER_NAME - Full path to the Akeyless SSH Cert Issuer. Can also be passed per connection with -c/--cert-issuer-name.

AKEYLESS_GW_REST_API - URL of the Akeyless Gateway RestAPI endpoint. Can also be passed per connection with --gateway-rest-endpoint.

BASTION_API_PROTO - Protocol for the bastion control API. The default is http; set https where the bastion exposes its control API over TLS, otherwise the session-setup calls to the bastion travel in cleartext.

SESSION_CACHING - Whether temporary session credentials may be cached. Leave it at no unless you need the caching, since cached credentials outlive the single connection they were issued for.

Tip

The akeyless connect command also accepts the legacy ~/.akeyless-sphere.rc configuration file.

  3. Use the akeyless connect command to authenticate over SSH to the target server via the Akeyless Secure Remote Access Bastion (see the examples below).

Full options list:

-t, --target                     Target resource, example formats: <user>@<host>[:port], us-east-2, mysql-server:3306, etc.
-v, --via-bastion                Bastion host, which the connection will go through. e.g.: bastion-host:port
-c, --cert-issuer-name           Akeyless Certificate Issuer Name. If not specified, it is taken from ~/.akeyless-connect.rc
-i, --identity-file              Selects a file from which the identity (private key) for public key authentication is read. The default is ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and ~/.ssh/id_rsa.
-n, --secret-name                Path to the Secret, based on the required connection
    --ssh-extra-args             Additional SSH arguments (except -i)
    --bastion-ctrl-proto[=http]  Bastion API Protocol [http/https]
    --bastion-ctrl-subdomain     Bastion control API URL prefix. e.g. https://<prefix>.bastion-host
    --bastion-ctrl-path          Bastion control API path. e.g. https://bastion-host/<path>
    --bastion-ctrl-port[=9900]   Bastion control API port. e.g. https://bastion-host:<7777>
    --gateway-rest-endpoint      Gateway RestAPI URL. e.g. https://rest.akeyless.io
    --profile                    Use a specific profile from your akeyless/profiles/ folder

Examples

SSH:

akeyless connect -t <user>@<host>[:port] -v <via-sra-bastion-ssh-service>

AWS:

akeyless connect -c my-ssh-cert-issuer -v <via-sra-bastion-ssh-service>:<port> -n "<Path to AWS Dynamic Secret>"

If the Cert Issuer is already defined in ~/.akeyless-connect.rc, you can omit -c:

akeyless connect -v <via-sra-bastion-ssh-service>:<port> -n "<Path to AWS Dynamic Secret>"

MongoDB:

akeyless connect -t <mongo server IP>:27017 -v <via-sra-bastion-ssh-service>:<port> -n "<Path to MongoDB Dynamic Secret>"

MySQL:

akeyless connect -t <mysql-server>:3306 -v <via-sra-bastion-ssh-service>:<port> -n "<Path to MySQL Dynamic Secret>"

EKS:

akeyless connect -v <via-sra-bastion-ssh-service>:<port> -n "<Path to EKS Dynamic secret>"

Non-interactive connection to K8s:

Linux:

AKEYLESS_PARAM='get pods' akeyless connect -t <k8s cluster endpoint> -v <via-sra-bastion-ssh-service> -n "<Path to K8s Dynamic Secret>" --ssh-extra-args "non-interactive"

Windows:

$env:AKEYLESS_PARAM = 'get pods'; .\akeyless.exe connect -t <k8s cluster endpoint> -v <via-sra-bastion-ssh-service> -n "<Path to K8s Dynamic Secret>" --ssh-extra-args "non-interactive"
