Azure Serverless

This guide describes how to run a Serverless Gateway on Azure, based on an Azure Function App, using Azure Bicep.

Prerequisites

Gateway Configuration

Clone the Serverless Gateway repository locally:

gh repo clone akeyless-community/akeyless-serverless-gateway

Edit the akeyless-serverless-gateway/bicep/Azure/serverless-gateway/params.bicepparam file according to the sections below.

Authentication

Configure your Gateway with a default Authentication Method to control the level of access the Gateway will have inside your Akeyless account.

The following Authentication Methods are supported for Azure Serverless:

When using Azure AD as the admin_access_id of the Gateway, also set the allowed_access_permissions parameter to the list of users who will be able to manage your Gateway configuration, for example:

using 'main.bicep'

@description('Initial Display Name')
param initial_display_name = 'Akeyless Serverless'

@description('''This is the url for Akeyless service,
available inputs are https://vault.akeyless.io or https://vault.eu.akeyless.io''')
param akeyless_url = 'https://vault.akeyless.io'

@description('Cluster Name')
param cluster_name = 'Azure Serverless'

@description('Allowed values are azure_ad or access_key https://docs.akeyless.io/docs/access-and-authentication-method')
param admin_access_id_type = 'azure_ad'

@description('Akeyless Admin Access ID')
param admin_access_id = '<Access ID>'


@description('''Akeyless Allowed Access Permissions
                  The input should be in this json format. See the below example:
                  '[{"name": "", "access_id": "", "permissions": ["admin"]}]'
                  ''')
param allowed_access_permissions = '[{"name": "", "access_id": "", "permissions": ["admin"]}]'

@description('''Akeyless Customer key fragments (Zero Knowledge).
                For more information https://docs.akeyless.io/docs/implement-zero-knowledge
                The input should be in json format. See the below example.
                Use the exact format here inside the {braces} and add it to the `default = ` empty value below.
                {
                  "customer_fragments": [
                      {
                          "id": "<Customer Fragment ID>",
                          "value": "<Customer Fragment Value>",
                          "description": "My Serverless Fragment",
                          "name": "ServerLessFragment"
                      }
                  ]
                }''')
param customer_fragments = '{}'

@description('The name of the function app')
param functionAppName = 'akeyless-serverless-gateway'

@description('Name of the managed environment')
param managedEnvironmentName = 'serverless-gateway'

@description('docker image')
param docker_img = ''

@description('docker tag')
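param docker_tag = 'latest'

When using an Access Key as the admin_access_id of the Gateway, also set the admin_access_key parameter, for example:

using 'main.bicep'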

@description('Initial Display Name')
param initial_display_name = 'Akeyless Serverless'

@description('''This is the url for Akeyless service,
available inputs are https://vault.akeyless.io or https://vault.eu.akeyless.io''')
param akeyless_url = 'https://vault.akeyless.io'

@description('Cluster Name')
param cluster_name = 'Azure Serverless'

@description('Allowed values are azure_ad or access_key https://docs.akeyless.io/docs/access-and-authentication-method')
param admin_access_id_type = 'access_key'

@description('Akeyless Admin Access ID')
param admin_access_id = '<Access ID>'

@description('Akeyless Admin Access Key - not relevant when admin_access_id_type = azure_ad')
param admin_access_key = '<Access Key>'

@description('''Akeyless Allowed Access Permissions
                  The input should be in this json format. See the below example:
                  '[{"name": "", "access_id": "", "permissions": ["admin"]}]'
                  ''')
param allowed_access_permissions = '[{"name": "", "access_id": "", "permissions": ["admin"]}]'

@description('''Akeyless Customer key fragments (Zero Knowledge).
                For more information https://docs.akeyless.io/docs/implement-zero-knowledge
                The input should be in json format. See the below example.
                Use the exact format here inside the {braces} and add it to the `default = ` empty value below.
                {
                  "customer_fragments": [
                      {
                          "id": "cf-xyzxyzxyzxyzxyzxyz",
                          "value": "SomE/CUstOmer/FrAGMenTvALue==",
                          "description": "MyFirstCF"
                      }
                  ]
                }''')
param customer_fragments = '{}'

@description('The name of the function app')
param functionAppName = 'akeyless-serverless-gateway'

@description('Name of the managed environment')
param managedEnvironmentName = 'serverless-gateway'

@description('docker image')
param docker_img = ''

@description('docker tag')
param docker_tag = 'latest'

Where:

  • admin_access_id_type: The Auth Method type for the Gateway, either access_key or azure_ad.

  • admin_access_id: The Access ID of the Gateway default Auth Method.

  • admin_access_key: The Access Key of the admin_access_id. Relevant only when admin_access_id_type is access_key.

  • allowed_access_permissions: A list of allowed Access IDs, used to delegate the permissions that users will have on your Gateway components. Required when admin_access_id_type is azure_ad. It can be used with, for example, API Key or SAML.

  • functionAppName: The name of the Function App that will be created in Azure.

Customer Fragment

To work with Zero-Knowledge, edit the customer_fragments param as follows:

param customer_fragments = '{"customer_fragments": [{"id": "<Customer Fragment ID>","value": "<Customer Fragment Value>","description": "My Serverless Fragment","name": "ServerLessFragment"}]}'
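
The parameter rules above can be checked before deployment. The following pre-flight check is an added example, not part of the Akeyless repository. It assumes single-line, single-quoted param assignments as shown on this page, and all Access IDs in the samples are constructed:

```python
import json
import re

# Single-line assignments of the form: param name = 'value'
# (assumption: no escaped quotes inside the value).
PARAM_RE = re.compile(r"^param[ \t]+(\w+)[ \t]*=[ \t]*'(.*)'[ \t]*$", re.MULTILINE)

def _unset(value):
    """True for an empty value or an unfilled <placeholder>."""
    return not value or value.startswith("<")

def check_params(text):
    """Return a list of problems found in the text of a params.bicepparam file."""
    p = dict(PARAM_RE.findall(text))
    problems = []
    auth_type = p.get("admin_access_id_type", "")
    if auth_type not in ("azure_ad", "access_key"):
        problems.append("admin_access_id_type must be azure_ad or access_key")
    if _unset(p.get("admin_access_id", "")):
        problems.append("admin_access_id is not set")
    if auth_type == "access_key" and _unset(p.get("admin_access_key", "")):
        problems.append("admin_access_key is required with access_key")
    if auth_type == "azure_ad":
        try:
            entries = json.loads(p.get("allowed_access_permissions", ""))
        except ValueError:
            entries = None
        if not isinstance(entries, list) or not entries:
            problems.append("allowed_access_permissions must be a non-empty JSON list")
        elif any(not isinstance(e, dict) or not e.get("access_id")
                 or not e.get("permissions") for e in entries):
            problems.append("allowed_access_permissions entry lacks access_id or permissions")
    try:
        fragments = json.loads(p.get("customer_fragments", "{}"))
        for f in fragments.get("customer_fragments", []):
            if _unset(f.get("id", "")) or _unset(f.get("value", "")):
                problems.append("customer_fragments entry lacks id or value")
    except (ValueError, AttributeError, TypeError):
        problems.append("customer_fragments is not a valid JSON object")
    return problems

# Constructed sample: Azure AD auth with the permissions template left unfilled.
SAMPLE_BAD = """using 'main.bicep'
param admin_access_id_type = 'azure_ad'
param admin_access_id = 'p-constructed123'
param allowed_access_permissions = '[{"name": "", "access_id": "", "permissions": ["admin"]}]'
param customer_fragments = '{}'
"""
# Constructed sample with the delegated user's Access ID filled in.
SAMPLE_OK = SAMPLE_BAD.replace('"name": "", "access_id": ""',
                               '"name": "ops", "access_id": "p-constructed456"')
```

Run `check_params` on the contents of params.bicepparam and deploy only when it returns an empty list.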

Installation

To install the module, run the following commands from the cloned directory.

Create a Resource Group:

az group create -l <location> -n <resource_group>

Deploy the Gateway using the Resource Group that was created:

az deployment group create -g <resource_group> -f main.bicep -p params.bicepparam --query "properties.outputs.functionAppURL.value"

Alternatively, the /akeyless-serverless-gateway/bicep/Azure/serverless-gateway/Mainfile file can be configured to create the resource group and to install the serverless Gateway by setting the following:

RESOURCE_GROUP = akeless-serverless-gateway
LOCATION = <location>
BICEP_MAIN = main.bicep
BICEP_PARAMS = params.bicepparam

Upon successfully installing the Serverless Gateway, the Gateway console URL will be printed.

Gateway URL

The default value of the Gateway URL ends with /console, which routes you to the Akeyless Gateway Console (Port 18888).

To connect to the Akeyless Gateway Configuration Manager (Port 8000), use /config instead.

Initial Gateway Configuration

To configure your Akeyless Gateway:

  1. In your browser, navigate to the URL in the first output above.
  2. Enter your credentials to log in.

Limitations

Unavailable services:

Kubernetes / LDAP Authentication, Caching, Automatic Migration, Event on status changes, TLS Configuration.