Remote Access on Docker

Akeyless Remote Access provides secure remote access to resources using just-in-time credentials (dynamic secrets, rotated secrets, and SSH certificates).

Remote Access is enabled through the Akeyless Gateway Docker Compose chart deployment. Usually this is added after the Gateway is deployed, but it can be deployed as part of the Gateway deployment. This document will show how to upgrade your deployment to add Remote Access capabilities.

The Remote Access deployment spins up two Docker containers: akeyless-sra-ssh and akeyless-sra-web.

Prerequisites

  • Docker Installed

  • SSH Certificate Issuer for CLI Access.

  • At least 1 vCPU available with 1GB RAM per Docker container.

Deploying Remote Access

The docker-compose.yaml and .env files used to deploy the Gateway hold the Remote Access default values as well.

Configuration

Secure Remote Access will be set with the same GATEWAY_ACCESS_ID and GATEWAY_ACCESS_ID you used for your deployment with the Gateway.

To restrict Secure Remote Access to specific users, add the relevant GATEWAY_AUTHORIZED_ACCESS_ID in the .env file. A comma-separated list can be used for multiple IDs. While this is not mandatory, it is a good security practice to limit user access. If it is not configured, a warning message will appear.

To provide just-in-time native CLI access for your users using SSH Certificates, mount your ca.pub file to /var/akeyless/creds/ inside the akeyless-ssh component. To do this, provide a local directory that contains the ca.pub file you created as part of your SSH Certificate Issuer creation.

Creating a public key

If you don't have an SSH certificate ready, please follow this guide on creating an SSH Certificate Issuer with Akeyless and set your ca.pub.
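
The two settings above can be checked before the containers are started. The shell functions below are an added example, not part of the Akeyless documentation or tooling; the function names, the local directory passed in, and the choice to reject whitespace in the ID list are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the Remote Access settings in .env and ca.pub.
# Function names and the paths passed in are assumptions, not Akeyless tooling.

# Print the value assigned to KEY ($2) in env file ($1); last assignment wins.
env_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e "s/^[\"']\(.*\)[\"']\$/\1/"
}

# 0: GATEWAY_AUTHORIZED_ACCESS_ID is a clean comma-separated list
# 1: unset or empty, so access is not limited to specific IDs
# 2: an entry is empty or contains whitespace (strictness chosen by this example)
check_authorized_ids() {
    ids=$(env_value "$1" GATEWAY_AUTHORIZED_ACCESS_ID)
    [ -n "$ids" ] || return 1
    case "$ids" in
        ,*|*,|*,,*|*[[:space:]]*) return 2 ;;
    esac
    return 0
}

# 0 if DIR ($1) holds a readable ca.pub whose first line looks like an OpenSSH public key.
check_ca_pub() {
    [ -r "$1/ca.pub" ] || return 1
    head -n 1 "$1/ca.pub" |
        grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Run both checks: preflight <env-file> <local-dir-mounted-at-/var/akeyless/creds/>
preflight() {
    pf_rc=0
    check_authorized_ids "$1" || case $? in
        1) echo "WARN: GATEWAY_AUTHORIZED_ACCESS_ID is not set in $1" >&2; pf_rc=1 ;;
        2) echo "ERROR: malformed GATEWAY_AUTHORIZED_ACCESS_ID list in $1" >&2; pf_rc=1 ;;
    esac
    check_ca_pub "$2" || { echo "ERROR: no usable ca.pub in $2" >&2; pf_rc=1; }
    return "$pf_rc"
}

# Typical use from the compose directory (./creds is a hypothetical local path):
#   preflight .env ./creds && docker compose up -d
```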

Install

Make sure your docker-compose.yaml and .env files are in the same directory, and run the command below from that directory.

docker compose up -d

Check that both akeyless-sra-ssh and akeyless-sra-web containers are up by running docker ps.

Upgrade Remote Access

To upgrade Remote Access to the latest version, pull the updated images and then run the same command:

docker compose pull; docker compose up -d

Recommended Security Configuration Options

Allowed Redirect Gateways

The Allowed Redirect Gateways option ensures that only specific redirects (usually Remote Access) are accepted. This configuration allows administrators to define a list of authorized URLs that are considered valid for redirection from the Web Portal back to the remote access server. This setup enhances security by ensuring that users are only redirected to trusted URLs.

Run the following command from the Terminal:

akeyless gateway update remote-access --allowed-urls <redirect-urls>

This can also be done via the console by going to Gateways -> Your-Gateway -> Manage Gateway -> Remote Access.