RDP Dynamic Secrets

You can define a Remote Desktop Protocol (RDP) dynamic secret to dynamically generate user credentials for connecting to a specified Windows host.

When a client requests a dynamic secret value, the Akeyless Vault Platform through your Gateway connects to the target Windows host over SSH and creates a new user.

Prerequisites

  • An Akeyless Gateway.

  • SSH access is enabled on the target Windows host.

  • Privileged Windows user with permission to create and remove users.

Create a Dynamic RDP Secret from the CLI

πŸ‘

Tip

We recommend using dynamic secrets with Targets. It allows saving time on the secrets' configuration for different types of access levels. Where you are not required to provide an inline connection string each time.

To create a dynamic RDP secret from the CLI using an existing RDP Target, run the following command:

akeyless gateway-create-producer-rdp \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--rdp-user-groups <Group Name>

Or using an inline connection string:

akeyless gateway-create-producer-rdp \
--name <Dynamic Secret Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--rdp-user-groups <Group Name> \
--rdp-host-name <RDP Host name> \
--rdp-host-port <RDP port> \
--rdp-admin-name <RDP Admin name> \
--rdp-admin-pwd <RDP Admin Password>

Where:

  • name: A unique name of the dynamic secret. The name can include the path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  • target-name: A name of the target that enables connection to the Windows host. The name can include the path to the virtual folder where this target resides.

  • gateway-url: Akeyless Gateway URL.

  • rdp-user-groups: RDP UserGroup name(s).

Inline connection strings

Or you can use the command with your Remote Desktop target server connection settings:

  • rdp-host-name: The hostname or IP address of the target Windows server.

  • rdp-host-port: The SSH port for the RDP connection.

  • rdp-admin-name: The username of an Admin user with sufficient permissions to create users, groups, and so on.

  • rdp-admin-pwd: A password of the Admin user.

You can find the complete list of parameters for this command in the CLI Reference - Akeyless Producers section.

Fetch a Dynamic RDP Secret value from the CLI

To fetch a dynamic RDP secret value from the CLI, run the following command:

akeyless get-dynamic-secret-value --name <Path to your dynamic secret>

Create a Dynamic RDP Secret in the Akeyless Console

πŸ‘

Tip

To start working with dynamic secrets from the Akeyless Console, you need to configure the Gateway URL thus enabling communication between the Akeyless SaaS and the Akeyless Gateway.

To create dynamic secrets directly from the Akeyless Gateway, you can use the Gateway Configuration Manager.

  1. Log in to the Akeyless Console, and go to Secrets & Keys > New > Dynamic Secret.

  2. Select the RDP secret type and click Next.

  3. Define a Name of the dynamic secret, and specify the Location as a path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  4. Define the remaining parameters as follows:

  • Target mode: In this section, you can either select an existing RDP Target or specify details of the target Windows server explicitly.

    • Use the Choose an existing target drop-down list to select the existing SSH Target.

    • Select the Explicitly specify target properties to provide details of the target Windows server in the next step.

  • Groups: A comma-separated list of RDP user groups to which the new user should be added.

  • Display message to the user before TTL expires: Select this checkbox to allow displaying messages to the user before TTL expires.

  • Allow user to extend session periodically: Select this checkbox to allow the user to extend session periodically.

  • Externally Provided Username: Select this checkbox to create the same username based on the user identity which issue the get secret value request. Relevant for users which authenticate to Akeyless with an external IDP.

  • User TTL: Provide a time-to-live value for a dynamic secret (i.e., a token). When TTL expires, the token becomes obsolete.

  • Time Unit: Select the time unit (seconds, minutes, hours) for the TTL value.

  • Gateway: Select the Gateway through which the dynamic secret will create users.

  • Protection key: To enable Zero-Knowledge, select a key with a Customer Fragment. For more information about Zero-Knowledge, see Implement Zero Knowledge

  1. If you checked the Explicitly specify target properties option, click Next.

  2. Provide details of the target Windows server:

  • Admin user: The username of an Admin user with sufficient permissions to create users, groups, and so on.

  • Admin password: The password of the Admin user.

  • Hostname: The hostname or IP address of the target Windows server.

  • Port: The SSH port for the RDP connection.

  1. Click Finish.

Fetch a Dynamic RDP Secret value from the Akeyless Console

  1. Log in to the Akeyless Console, and go to Secrets & Keys.

  2. Browse to the folder where you created a dynamic secret.

  3. Select the secret and click Get Dynamic Secret button.


Did this page help you?