Remote Access on Docker
Akeyless Remote Access provides secure remote access to resources using just-in-time credentials (dynamic secrets, rotated secrets, and SSH certificates).
This guide provides instructions on deploying Akeyless Secure Remote Access (SRA) using Docker Compose. The deployment includes the Akeyless Gateway, the SRA Web UI, the SRA SSH Proxy, and a Redis cache for performance optimization.
Prerequisites
Ensure you have the following installed on your system:
- Docker installed (version 20.10 or later)
- Docker Compose (version 1.29 or later)
- Environment variables configured in .env files
- SSH Certificate Issuer for CLI Access.
- At least 1 vCPU and 1 GB RAM available per Docker container.
Network Configuration
- Ensure sticky sessions are enabled.
- Cloud Provider Load Balancer: Configure the load balancer to support sticky sessions. For example, in AWS, you can use Elastic Load Balancer (ELB). Refer to the AWS ELB Sticky Sessions Documentation for guidance.
- When SSH sessions are routed through a load balancer, such as ELB, they may be disconnected due to idle connection timeouts. To avoid this, we recommend increasing the idle timeout to a higher value or setting it to unlimited.
- For AWS ELB, you can adjust the idle timeout settings as outlined in the AWS ELB Idle Timeout Documentation.
Deployment Overview
The Docker Compose file defines the following services:
Service | Description | Ports
---|---|---
Akeyless Gateway | Central access control and authentication gateway | 8000 (API), 8080 (Health)
SRA Web | Web-based Zero Trust portal for remote access | As specified in YAML
SRA SSH Proxy | Secure SSH-based remote access | 2222 (SSH), 9900 (Internal)
Redis Cache | Caching service for improved performance | Internal only
Each service runs within an isolated Docker bridge network (internal-net), ensuring secure internal communication.
Configuration
The deployment uses a number of environment files for configuration:
- gateway.env: Defines environment variables for the Akeyless Gateway.
- sra.env: Defines environment variables for the Secure Remote Access services.
- .env: Stores the REDIS_PASS value. Keeping it in a separate file allows users to restrict access to this file for enhanced security.
Example Configuration
gateway.env
# CLUSTER_NAME: The name of your Akeyless cluster (must match what's configured in Akeyless).
# GATEWAY_ACCESS_ID / GATEWAY_ACCESS_KEY: Credentials obtained from the Akeyless console.
# GATEWAY_ACCESS_TYPE: e.g., "k8s", "docker", or another deployment type.
# GATEWAY_AUTHORIZED_ACCESS_ID: Additional Access ID for delegated or extended usage.
# VERSION: Which Gateway Docker image version/tag to pull (e.g. "latest").
# ENABLE_METRICS: Set to "true" or "false" to enable metrics in the Gateway.
# GATEWAY_CLUSTER_CACHE: Should remain "enable"
# For more detailed information, refer to:
# https://docs.akeyless.io/docs
# User values for the gateway deployment
CLUSTER_NAME=""
# Obtain GATEWAY_ACCESS_ID and GATEWAY_ACCESS_KEY from the Akeyless platform:
GATEWAY_ACCESS_ID=""
GATEWAY_ACCESS_KEY=""
GATEWAY_ACCESS_TYPE=""
GATEWAY_AUTHORIZED_ACCESS_ID=""
VERSION=""
ENABLE_METRICS=""
GATEWAY_CLUSTER_CACHE="enable"
# Secure Remote Access (SRA)
# If SRA exists, define the internal URLs for the SRA services (SSH & Web).
# Adjust these if you change the container names or ports.
# ----- Default SRA Gateway Section -----
REMOTE_ACCESS_WEB_SERVICE_INTERNAL_URL=http://akeyless-web:8888
REMOTE_ACCESS_SSH_SERVICE_INTERNAL_URL=http://akeyless-ssh:9900
# ----- Redis Section -----
REDIS_PASSWORD=your-secure-password
# Default Redis values
REDIS_ADDR=redis-cache:6379
For more information on deploying the Gateway via Docker Compose, refer to the Gateway documentation.
sra.env
# USE_CLUSTER_CACHE: use Redis caching for the Akeyless Gateway
# (as a best practice, set to "true" to use Redis)
USE_CLUSTER_CACHE="true"
# UNIFIED_GATEWAY: Enables unified Akeyless Gateway mode
UNIFIED_GATEWAY="true"
# ----- Default SRA WEB-SSH Section -----
# Internal URL for the SRA service (SSH proxy)
# used by the gateway to route SSH traffic (port 9900 by default)
REMOTE_ACCESS_SSH_SERVICE_INTERNAL_URL=http://akeyless-ssh:9900
# REMOTE_ACCESS_SSH_ENDPOINT:
# Actual SSH endpoint (container name and port 22 by default)
REMOTE_ACCESS_SSH_ENDPOINT=akeyless-ssh:22
# ----- Default Gateway Section -----
GATEWAY_URL=http://akeyless-gateway:8000
# Internal API endpoint (port 8080) used for Gateway health checks or internal calls
INTERNAL_GATEWAY_API=http://akeyless-gateway:8080
# ----- SSH Section -----
# For more information on SSH_HOST_KEYS_PATH refer to https://docs.akeyless.io/docs/remote-access-advanced-configuration-docker#ssh-fingerprint
SSH_HOST_KEYS_PATH=""
.env
REDIS_PASS=very-secure-password
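Compose reads these files as env_file entries, whose format is KEY=value; a YAML-style "KEY: value" line is not valid in that format and is not reliably parsed, so the variable can end up unset without an obvious error. The following script is an added example, not part of the Akeyless documentation or tooling: it lints an env file for KEY=value syntax, checks that the keys you name are present and non-empty, and verifies that the .env file holding the Redis password is readable by its owner only, as the Configuration section recommends. The file names and the required-key lists in the bottom section are assumptions chosen to match this guide.

```shell
#!/bin/sh
# Added example, not part of the Akeyless documentation or tooling.
# Lints a Compose env file (gateway.env, sra.env, .env) before `docker-compose up`:
#   1. every non-blank, non-comment line must be KEY=value (optionally "export KEY=value");
#      a YAML-style "KEY: value" line is flagged, because env_file is not YAML;
#   2. each key named on the command line must be present with a non-empty value.
# Usage: check_env_file <path> [REQUIRED_KEY ...]   -> exit 0 if clean, 1 otherwise
check_env_file() {
  file=$1
  shift
  rc=0
  if [ ! -f "$file" ]; then
    echo "ERROR: $file not found" >&2
    return 1
  fi
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*) continue ;;   # blank lines and comments are fine
    esac
    if ! printf '%s\n' "$line" | grep -Eq '^(export[[:space:]]+)?[A-Za-z_][A-Za-z0-9_]*='; then
      echo "ERROR: $file: not KEY=value syntax: $line" >&2
      rc=1
    fi
  done < "$file"
  for key in "$@"; do
    # take the last assignment of the key and strip one pair of surrounding quotes
    val=$(grep -E "^(export[[:space:]]+)?$key=" "$file" | tail -n 1 | cut -d= -f2-)
    val=${val#\"}; val=${val%\"}; val=${val#\'}; val=${val%\'}
    if [ -z "$val" ]; then
      echo "ERROR: $file: $key is missing or empty" >&2
      rc=1
    fi
  done
  return $rc
}

# The .env file holds the Redis password, so it should be readable by its owner only.
# Usage: check_env_perms <path>   -> exit 0 if mode is 600 or 400, 1 otherwise
check_env_perms() {
  file=$1
  # GNU stat first, BSD/macOS stat as fallback
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case $mode in
    600|400) return 0 ;;
    *) echo "WARN: $file has mode $mode; tighten it with: chmod 600 $file" >&2; return 1 ;;
  esac
}

# When saved as check_env.sh and run from the compose directory, check the files this
# guide uses (assumed required keys; extend the lists to match your deployment).
if [ "${0##*/}" = "check_env.sh" ]; then
  check_env_file gateway.env CLUSTER_NAME GATEWAY_ACCESS_ID GATEWAY_ACCESS_KEY
  check_env_file sra.env GATEWAY_URL REMOTE_ACCESS_SSH_SERVICE_INTERNAL_URL
  check_env_file .env REDIS_PASS && check_env_perms .env
fi
```

Run it before every `docker-compose up` so that an empty GATEWAY_ACCESS_KEY or a world-readable .env is caught on the workstation rather than discovered from a failing gateway.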
Restricting User Access
To enable only specific users to use Secure Remote Access, add the relevant GATEWAY_AUTHORIZED_ACCESS_ID in the sra.env file. A comma-separated list can be used for multiple IDs. While this is not mandatory, it is good security practice to limit user access. If it is not configured, a warning message will appear.
To provide just-in-time native CLI access for your users using SSH Certificates, mount your ca.pub file to /var/akeyless/creds/ inside the akeyless-ssh component. To do this, provide a local directory that contains the ca.pub file you created as part of your SSH Certificate Issuer creation.
Creating a public key
If you don't have an SSH certificate ready, follow this guide on creating an SSH Cert Issuer with Akeyless and set your ca.pub.
Running the Deployment
- Ensure the docker-compose.yml and .env files are in your working directory.
- Start the services as described below.
Deploying as Akeyless Gateway
To deploy only the Akeyless Gateway, run:
docker-compose --profile gateway up -d
Deploying as Secure Remote Access (SRA)
To deploy only the SRA components, run:
docker-compose --profile sra up -d
Deploying Both Gateway and SRA
To deploy both the Akeyless Gateway and SRA, run:
docker-compose up -d
Verify Deployment
Check that the deployed containers are running with
docker ps
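`docker ps` shows what is running but not what should be running for the profile you started. The script below is an added example, not part of the Akeyless documentation or tooling: `missing_services` computes which expected service names are absent from a list of running ones, and `verify_deployment` feeds it the service list that docker-compose derives from your own docker-compose.yml for the chosen profile (the page's gateway and sra profiles) together with the services Compose reports as running. The service and container names are taken from this guide; the wrapper assumes it is run from the directory holding docker-compose.yml.

```shell
# Added example, not part of the Akeyless documentation or tooling.
# missing_services takes two whitespace- or newline-separated lists of service names
# (expected, running) and prints the expected ones that are not running.
# Exit status: 0 when nothing is missing, 1 otherwise.
missing_services() {
  expected=$1
  running=$2
  missing=""
  for svc in $expected; do
    found=0
    for r in $running; do
      if [ "$svc" = "$r" ]; then found=1; fi
    done
    if [ "$found" -eq 0 ]; then missing="$missing $svc"; fi
  done
  missing=${missing# }
  printf '%s\n' "$missing"
  [ -z "$missing" ]
}

# Wrapper for a live host. The expected set comes from docker-compose.yml itself
# (config --services honours --profile), so nothing is hard-coded here.
# Usage: verify_deployment [gateway|sra]   (no argument mirrors plain `docker-compose up -d`)
verify_deployment() {
  if [ -n "$1" ]; then
    expected=$(docker-compose --profile "$1" config --services)
  else
    expected=$(docker-compose config --services)
  fi
  running=$(docker-compose ps --services --filter status=running)
  if missing=$(missing_services "$expected" "$running"); then
    echo "OK: all services running:" $expected
  else
    echo "NOT running:" $missing >&2
    echo "Inspect with: docker-compose logs <service>" >&2
    return 1
  fi
}
```

Call `verify_deployment sra` after `docker-compose --profile sra up -d`, or `verify_deployment` after a combined start; a non-zero exit makes it usable as a post-deploy gate in a CI or configuration-management step.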
To stop and remove all services, run:
docker-compose down
Security Considerations
- Redis Password: Ensure REDIS_PASSWORD is securely set in the .env file.
- Network Isolation: The bridge network (internal-net) restricts external access to Redis and internal services.
- Minimal Privileges: Define the Redis container to run as a non-root user (e.g. user: "1001:1001") and verify that the SRA SSH Proxy has restricted privileges.
Allowed Redirect Gateways
The Allowed Redirect Gateways option ensures that only specific redirects (usually to Remote Access) are accepted. This configuration allows administrators to define a list of authorized URLs that are considered valid for redirection from the Web Portal back to the remote access server.
Run the following command from the Terminal:
akeyless gateway update remote-access --allowed-urls <redirect-urls>
This can also be done via the console by going to Gateways -> Your-Gateway -> Manage Gateway -> Remote Access.