Quick Start
This quick start guide is intended to get you started with deploying a Gateway (with Remote Access) using the most basic, required parameters and a clean Kubernetes cluster. Within just a few minutes you will see how easy it is to complete the Gateway deployment and secure your user and machine access. You will also be able to use just-in-time credentials with remote access to log into your various applications and services.
Akeyless Gateway can be deployed on a Kubernetes cluster using the Helm package manager with or without Remote Access. This can also be deployed on Docker using docker-compose, but this guide will focus on K8s.
Akeyless provides a Helm chart to bootstrap the Akeyless Gateway deployment. In K8s deployments, the configuration process takes place before the actual installation.
Security
Please note that this guide was tested with AWS EKS and not secured with TLS. We highly suggest you do not use this in a production environment or with real credentials.
Prerequisites
- A K8s Cluster
- Helm Installed
- kubectl installed
- Minimum 1 vCPU available with 2GB RAM per resource
- The following ports need to be open on the cluster:
Service | Port |
---|---|
Gateway Configuration Manager | 8000 |
SSH Access | 22 |
First things first
Before we get started, you will need an Authentication Method with an Access Role and an SSH Certificate Issuer. If you already have both, skip to the Remote Access Configuration section.
Create Your Authentication Method
Authentication note
For the purposes of this guide, we are using an API Key. However, for security reasons, it is advised to use a more secure authentication method.
Follow this tutorial to create your API Key. Or you can follow the below CLI commands:
- Create an API Key authentication method from the CLI, run the following command:
akeyless auth-method create api-key -name MyFirstAPIKey
- Configure your CLI to work with the API Key by running the following command:
akeyless configure --profile default --access-id <Your API Key Auth AccessID> --access-key <Your API Key>
Create Your Access Role
Follow this tutorial to create an Access Role and associate your Authentication Method. Or you can follow the below CLI commands:
- Create a new access role:
akeyless create-role --name MyFirstRole
- Set the role with access to all Items under /path/to/folder/ with Read and List permissions:
akeyless set-role-rule --role-name MyFirstRole --path "/path/to/folder/\*" --capability read --capability list
- Also, set the role with access to Targets:
akeyless set-role-rule --role-name MyFirstRole --path "/path/to/folder/\*" --rule-type target-rule --capability read --capability list
- Associate the Authentication Method with the Role:
akeyless assoc-role-am --role-name MyFirstRole --am-name MyFirstAPIKey
Now you have an Authentication Method with the right access to deploy the Gateway.
Create Your SSH Certificate Issuer
Follow the below commands:
- Create a new RSA DFC Key in your Akeyless account:
akeyless create-dfc-key -n MyRSAKey -a RSA2048
- Create the SSH Certificate Issuer:
akeyless create-ssh-cert-issuer --name your-ssh-cert-issuer-name --signer-key-name MyRSAKey --allowed-users 'ubuntu' --ttl 300
SSH connection note
This is the bare minimum in order to have a required SSH Certificate Issuer and access the Remote Access Portal. For more details on connecting to a resource via SSH, please see the docs here.
Configuration
Add the Akeyless Helm Repo
Add the following repository to your Helm repository list:
helm repo add akeyless https://akeylesslabs.github.io/helm-charts
helm repo update
Configure the Helm Chart
Here you will find the bare minimum values you will need in your Helm chart to get up and running.
You can download the file from {INSERT DOWNLOAD LINK} and open it in your favorite editor.
Below is an explanation of the minimum required fields by section. Find them in the file and edit them as per the instructions.
Global Section
############
## Global ##
############
akeylessGatewayAuth:
gatewayAccessId: <your_access_id>
gatewayAccessType: access_key
gatewayCredentialsExistingSecret: akeyless-auth
authorizedAccessIDs: <authorized_access_id>
gatewayAccessId
: For this quick start, we will use the API Key authentication method. Add your API Key's Access ID
.
gatewayAccessType
: This is already set to access_key
for API Key authentication.
gatewayCredentialsExistingSecret
: The value is already set to akeyless-auth
. A K8s secret is required for the deployment. In order to create this, follow these steps:
- Create a simple K8s secret with the below template. Ensure you encode your
Access ID
andAccess Key
in base64 and paste those encoded values into the belowadmin-access-id
andadmin-access-key
fields.--- apiVersion: v1 kind: Secret metadata: name: akeyless-auth type: Opaque data: gateway-access-id: gateway-access-key:
- Run
kubect apply -f secret.yaml
and your secret will be created inside K8s.
authorizedAccessIDs
: Remote Access only supports human identities including SAML, OIDC, Certificate, or LDAP authentication. For security reasons, it is advised that you specify at least one Auth Method. If this variable is empty, all supported Auth Methods will be able to access it. For this, you will need to either set up one of the supported Authentication Methods or use your company's existing one.
Note
You must configure one of these Auth Methods in order to test Remote Access. In this case it will be a SAML Authentication Method which we explain how to set up here.
Gateway Section
There is no need to change anything here. Note that the Gateway deployment creates two pods (replicas) in the cluster by default. You can customize that by changing the replicaCount
variable.
Remote Access Section
######################################################
## Default values for akeyless-secure-remote-access ##
######################################################
sra:
# Enable secure-remote-access. Valid values: true/false.
enabled: true
sshConfig:
replicaCount: 1
config:
CAPublicKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAPzDVmeABzsGd0lEl9m2fdgmCzOLVmEGcLxNkn..."
To configure Remote Access, follow these steps:
sra
: Set the enabled
field to true
. Note that the Remote Access deployment creates two more pods in the cluster, one for Web and one for SSH.
CAPublicKey
: For this to work properly, you are also required to provide the matching public key of the key you used to create the SSH Certificate Issuer in Akeyless. More info can be found here. Add the ssh-rsa
value.
Deployment
Deploy the Helm Chart
Once you have finished those steps, run the following command to create your deployment:
helm install quick-start-gw akeyless/akeyless-gateway -f values.yaml
Verify Deployment Success
After about 30-60 seconds, run kubectl get pods
to check that your pods are in Running
state and that the Gateway and Remote Access services are available.
Then run kubectl get services
and look for the EXTERNAL-IP
of the service starting with quick-start-gw
.
Copy the EXTERNAL-IP
and paste that into your browser with port 8000/console (i.e. http://<Your-Akeyless-GW-URL:8000/console>
). If you get the login page, you have successfully deployed the Gateway!
Gateway URLs
For the Gateway, you can access the following:
-
The Gateway's Internal Console is located at
http://<Your-Akeyless-GW-URL:8000/console>
. The internal console means you are working from inside the Gateway and talking directly with the SaaS. If you are using https://console.akeyless.io, you will not be able to interact with this Gateway as it is not secured with TLS.
Remote Access URLs
For Remote Access, you can access the following:
-
The Remote Access Internal Web Portal is located at
http://<Your-Akeyless-GW-URL:8000>/sra/portal
-
Remote Access can also be accessed using our public URL: https://zerotrust.akeyless.io. If you are using the public URL for RDP, Web, or similar sessions, you will be required to add your Web URL endpoint:
http://<Your-Akeyless-GW-URL:8000>/sra/web-client
Testing Out Remote Access
Here we will lay out the steps to get a SAML user to access the Remote Access Portal.
- Firstly, you need to make sure you have your SAML application set up. This requires something like an Okta account set up with the Akeyless application configured, which you can find guides for by googling. You will also need to retrieve your Metadata URL for this.
- Next, run the following command to create your SAML Auth Method and make sure to input your Kubernetes Service External-IP address:
akeyless auth-method create saml --name mySamlAuth --unique-identifier email --idp-metadata-url <your-okta-metadata-url> --allowed-redirect-uri https://console.akeyless.io/login-saml, http://127.0.0.1>:*, http://<EXTERNAL-IP-of-K8s-Service>:*
- Create a role with access to Items with List permissions only. And set Secure Remote Access with Allow Access permissions.
akeyless set-role-rule --role-name MySamlRole --path "/*" --capability list
akeyless set-role-rule --role-name MySamlRole --path "/\*" --rule-type sra-rule --capability allow_access
- Associate your Auth Method as follows:
akeyless assoc-role-am --role-name MySamlRole --am-name MySamlAuth
- Next, open your browser and go to your Remote Access internal endpoint: http://<Your-Akeyless-GW-URL:8000>>/sra/portal
- Enter your SAML AccessID and click “Sign In”. You will be redirected to your Okta login page to log in and then when you finish that it will redirect you to a page with the various types of resources you can set at a later time (see below image). Congrats!
Next Steps
With a Gateway deployed, you can now test out using just-in-time dynamic secrets for various applications and services by setting up Targets. If you are also using Remote Access, you can also set up Remote Access on those Targets and log into those Resources securely from anywhere by reading the docs here.
Updated about 2 hours ago