Azure Serverless
This guide describes how to run a Serverless Gateway on Azure, based on an Azure Function App, using Azure Bicep.
Prerequisites
- Azure CLI
- Azure Bicep
- Permission to create and manage Resource Groups in Azure.
Gateway Configuration
Clone the Serverless Gateway repository locally:
gh repo clone akeyless-community/akeyless-serverless-gateway
Edit the akeyless-serverless-gateway/bicep/Azure/serverless-gateway/params.bicepparam file according to the sections below.
Authentication
Set your Gateway with a default Authentication Method to control the level of access your Gateway will have inside your Akeyless account.
The following Authentication Methods are supported for Azure Serverless:
When using Azure AD as the admin_access_id of the Gateway, also set the list of users who will be able to manage your Gateway configuration using the allowed_access_permissions parameter, for example:
using 'main.bicep'
@description('Initial Display Name')
param initial_display_name = 'Akeyless Serverless'
@description('''This is the url for Akeyless service,
available inputs are https://vault.akeyless.io or https://vault.eu.akeyless.io''')
param akeyless_url = 'https://vault.akeyless.io'
@description('Cluster Name')
param cluster_name = 'Azure Serverless'
@description('Allowed values are azure_ad or access_key https://docs.akeyless.io/docs/access-and-authentication-method')
param admin_access_id_type = 'azure_ad'
@description('Akeyless Admin Access ID')
param admin_access_id = '<Access ID>'
@description('''Akeyless Allowed Access Permissions
The input should be in this json format. See the below example:
'[{"name": "", "access_id": "", "permissions": ["admin"]}]'
''')
param allowed_access_permissions = '[{"name": "", "access_id": "", "permissions": ["admin"]}]'
@description('''Akeyless Customer key fragments (Zero Knowledge).
For more information https://docs.akeyless.io/docs/implement-zero-knowledge
The input should be in json format. See the below example.
Use the exact format here inside the {braces} and add it to the `default = ` empty value below.
{
"customer_fragments": [
{
"id": "<Customer Fragment ID>",
"value": "<Customer Fragment Value>",
"description": "My Serverless Fragment",
"name": "ServerLessFragment"
}
]
}''')
param customer_fragments = '{}'
@description('The name of the function app')
param functionAppName = 'akeyless-serverless-gateway'
@description('Name of the managed environment')
param managedEnvironmentName = 'serverless-gateway'
@description('docker image')
param docker_img = ''
@description('docker tag')
param docker_tag = 'latest'
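When using an Access Key as the admin_access_id of the Gateway, set admin_access_key as well, for example:
using 'main.bicep'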
@description('Initial Display Name')
param initial_display_name = 'Akeyless Serverless'
@description('''This is the url for Akeyless service,
available inputs are https://vault.akeyless.io or https://vault.eu.akeyless.io''')
param akeyless_url = 'https://vault.akeyless.io'
@description('Cluster Name')
param cluster_name = 'Azure Serverless'
@description('Allowed values are azure_ad or access_key https://docs.akeyless.io/docs/access-and-authentication-method')
param admin_access_id_type = 'access_key'
@description('Akeyless Admin Access ID')
param admin_access_id = '<Access ID>'
@description('Akeyless Admin Access Key - not relevant when admin_access_id_type = azure_ad')
param admin_access_key = '<Access Key>'
@description('''Akeyless Allowed Access Permissions
The input should be in this json format. See the below example:
'[{"name": "", "access_id": "", "permissions": ["admin"]}]'
''')
param allowed_access_permissions = '[{"name": "", "access_id": "", "permissions": ["admin"]}]'
@description('''Akeyless Customer key fragments (Zero Knowledge).
For more information https://docs.akeyless.io/docs/implement-zero-knowledge
The input should be in json format. See the below example.
Use the exact format here inside the {braces} and add it to the `default = ` empty value below.
{
"customer_fragments": [
{
"id": "cf-xyzxyzxyzxyzxyzxyz",
"value": "SomE/CUstOmer/FrAGMenTvALue==",
"description": "MyFirstCF"
}
]
}''')
param customer_fragments = '{}'
@description('The name of the function app')
param functionAppName = 'akeyless-serverless-gateway'
@description('Name of the managed environment')
param managedEnvironmentName = 'serverless-gateway'
@description('docker image')
param docker_img = ''
@description('docker tag')
param docker_tag = 'latest'
Where:
- admin_access_id_type: The Auth Method type for the Gateway, either access_key or azure_ad.
- admin_access_id: The Access ID of the Gateway default Auth Method.
- admin_access_key: The Access Key of the admin_access_id. Relevant only when admin_access_id_type is access_key.
- allowed_access_permissions: A list of allowed Access IDs, to delegate permissions users will have on your Gateway components. Required when admin_access_id_type is azure_ad. For example, it can be used with API Key or SAML, etc.
- functionAppName: The name for the Function App that will be created in Azure.
Customer Fragment
To work with Zero-Knowledge, edit the customer_fragments param as follows:
"customer_fragments": [{"id": "<Customer Fragment ID>","value": "<Customer Fragment Value>","description": "My Serverless Fragment","name": "ServerLessFragment"}]
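A pre-deployment check for the rules in the parameter list and the Customer Fragment section above, as an added example that is not part of the Akeyless repository. The function names, the problem messages and the sample file are assumptions made for illustration; only the parameter names and allowed values come from this page.

```python
import json
import re

# Single-line assignments such as: param cluster_name = 'Azure Serverless'
PARAM_RE = re.compile(r"^param[ \t]+(\w+)[ \t]*=[ \t]*'(.*)'[ \t]*$", re.MULTILINE)

def unset(value):
    """True for a missing or empty value, or a placeholder such as '<Access ID>'."""
    return not isinstance(value, str) or not value.strip() or value.strip().startswith("<")

def check_params(text):
    """Return the problems found in the text of a params.bicepparam file."""
    p, problems = dict(PARAM_RE.findall(text)), []
    auth = p.get("admin_access_id_type")
    if auth not in ("access_key", "azure_ad"):
        problems.append(f"admin_access_id_type: {auth!r} is not access_key or azure_ad")
    if unset(p.get("admin_access_id")):
        problems.append("admin_access_id: not set")
    if auth == "access_key" and unset(p.get("admin_access_key")):
        problems.append("admin_access_key: required when the type is access_key")
    try:
        perms = json.loads(p.get("allowed_access_permissions", "[]"))
        usable = [e for e in perms if isinstance(e, dict)
                  and not unset(e.get("access_id")) and e.get("permissions")]
        if auth == "azure_ad" and not usable:
            problems.append("allowed_access_permissions: no entry with an access_id, "
                            "required when the type is azure_ad")
    except (ValueError, TypeError):
        problems.append("allowed_access_permissions: not a JSON list")
    try:
        cf = json.loads(p.get("customer_fragments", "{}"))
        frags = cf.get("customer_fragments", [])
        if any(not isinstance(f, dict) or unset(f.get("id")) or unset(f.get("value"))
               for f in frags):
            problems.append("customer_fragments: every fragment needs an id and a value")
    except (ValueError, TypeError, AttributeError):
        problems.append("customer_fragments: not a JSON object in the documented format")
    return problems

# Constructed sample: an Azure AD parameter file with the template placeholders left in.
SAMPLE = """using 'main.bicep'
param admin_access_id_type = 'azure_ad'
param admin_access_id = '<Access ID>'
param allowed_access_permissions = '[{"name": "", "access_id": "", "permissions": ["admin"]}]'
param customer_fragments = '{}'
"""

if __name__ == "__main__":
    print(*check_params(SAMPLE), sep="\n")
```

Run it against the text of params.bicepparam before az deployment group create; an empty list means the file satisfies the rules listed above.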
Installation
To install the module, run the following commands from the cloned directory.
Create a Resource Group:
az group create -l <location> -n <resource_group>
Deploy the Gateway using the Resource Group that was created:
az deployment group create -g <resource_group> -f main.bicep -p params.bicepparam --query "properties.outputs.functionAppURL.value"
Alternatively, the /akeyless-serverless-gateway/bicep/Azure/serverless-gateway/Mainfile file can be configured to create the resource group and to install the Serverless Gateway by setting the following:
RESOURCE_GROUP = akeless-serverless-gateway
LOCATION = <location>
BICEP_MAIN = main.bicep
BICEP_PARAMS = params.bicepparam
Upon successfully installing the Serverless Gateway, the Gateway console URL will be printed.
Gateway URL
The default value of the Gateway URL ends with /console, which will route you to the Akeyless Gateway Console (port 18888). To connect to the Akeyless Gateway Configuration Manager (port 8000), use /config instead.
Initial Gateway Configuration
To configure your Akeyless Gateway:
- In your browser, navigate to the URL in the first output above.
- Enter your credentials to log in.
Limitations
Unavailable services:
Kubernetes / LDAP Authentication, Caching, Automatic Migration, Event on status changes, TLS Configuration.