Remote Access on Docker
Akeyless Remote Access provides secure remote access to resources using just-in-time credentials (dynamic secrets, rotated secrets, and SSH certificates).
Remote Access is enabled through the Akeyless Gateway Docker Compose chart deployment. Usually this is added after the Gateway is deployed, but it can be deployed as part of the Gateway deployment. This document will show how to upgrade your deployment to add Remote Access capabilities.
The Remote Access deployment spins up two Docker containers: akeyless-sra-ssh and akeyless-sra-web.
Prerequisites
- Docker Installed
- SSH Certificate Issuer for CLI Access.
- At least 1 vCPU available with 1GB RAM per Docker container.
Deploying Remote Access
The docker-compose.yaml and .env files used to deploy the Gateway hold the Remote Access default values as well.
Configuration
Secure Remote Access will be set with the same GATEWAY_ACCESS_ID and GATEWAY_ACCESS_ID you used for your deployment with the Gateway.
To enable only specific users to use Secure Remote Access, make sure to add the relevant GATEWAY_AUTHORIZED_ACCESS_ID in the .env file. A comma-separated list can be used for multiple IDs. While this is not mandatory, it is a good security practice to limit user access. If it is not configured, a warning message will appear.
To provide just-in-time native CLI access for your users using SSH Certificates, you should mount your ca.pub file to /var/akeyless/creds/ inside the akeyless-ssh component. To do this, provide a local directory that contains the ca.pub file you created as part of your SSH Certificate Issuer creation.
Creating a public key
If you don't have an SSH certificate ready, please follow this guide on creating an SSH Cert issuer with Akeyless and set your ca.pub.
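A pre-flight check for the two settings above, written as an added example (not Akeyless code): it warns when GATEWAY_AUTHORIZED_ACCESS_ID is missing from .env and rejects a ca.pub that is absent or is actually a private key. The function names are hypothetical, and it assumes ca.pub is a one-line OpenSSH public key.

```shell
#!/bin/sh
# Added example: pre-flight checks before `docker compose up -d`.
# Function names are hypothetical; ca.pub is assumed to be an OpenSSH public key line.

# Print the value of KEY from a .env file (last assignment wins), stripping quotes.
env_value() {  # usage: env_value KEY ENV_FILE
    sed -n "s/^$1=//p" "$2" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# 0 = list present and well formed, 1 = not set (access not limited), 2 = malformed list.
check_authorized_ids() {  # usage: check_authorized_ids ENV_FILE
    ids=$(env_value GATEWAY_AUTHORIZED_ACCESS_ID "$1")
    [ -n "$ids" ] || { echo "WARN: GATEWAY_AUTHORIZED_ACCESS_ID is not set" >&2; return 1; }
    case ",$ids," in
        *,,*|*" "*) echo "ERROR: blank entry or space in ID list" >&2; return 2 ;;
    esac
    return 0
}

# 0 = usable public key, 1 = missing, 2 = private key material, 3 = unrecognised format.
check_ca_pub() {  # usage: check_ca_pub LOCAL_CREDS_DIR
    f="$1/ca.pub"
    [ -r "$f" ] || { echo "ERROR: $f missing or unreadable" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "ERROR: $f holds a private key; mount only the public half" >&2
        return 2
    fi
    read -r keytype keydata rest < "$f" || true
    case "$keytype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) [ -n "$keydata" ] && return 0 ;;
    esac
    echo "ERROR: $f is not an OpenSSH public key line" >&2
    return 3
}

# Run both checks; non-zero if either one fails.
preflight() {  # usage: preflight ENV_FILE LOCAL_CREDS_DIR
    rc=0
    check_authorized_ids "$1" || rc=1
    check_ca_pub "$2" || rc=1
    return $rc
}
```

Source the file and run `preflight .env <local-creds-dir>` from the directory that holds docker-compose.yaml; the local directory is the one you mount to /var/akeyless/creds/.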
Install
Make sure your docker-compose.yaml and .env files are in the same directory and you run the below command from that directory.
docker compose up -d
Check that both akeyless-sra-ssh and akeyless-sra-web containers are up by running docker ps.
Upgrade Remote Access
To upgrade Remote Access to the latest version, run the same command:
docker compose pull; docker compose up -d
Recommended Security Configuration Options
Allowed Redirect Gateways
The Allowed Redirect Gateways option ensures that only specific redirects (usually Remote Access) are accepted. This configuration allows administrators to define a list of authorized URLs that will be considered valid for redirection from the Web Portal back to the remote access server. This setup enhances security by ensuring that users are only redirected to trusted URLs.
Run the following command from the Terminal:
akeyless gateway update remote-access --allowed-urls <redirect-urls>
This can also be done via the console by going to Gateways -> Your-Gateway -> Manage Gateway -> Remote Access.