SRA Advanced Configuration

Secure Remote Access Bastion

Cluster Name

############
## Global ##
############
clusterName: defaultCluster

Each Bastion is uniquely identified by combining the Privilege Access ID Authentication Method and the Cluster Name.

This means that changing either the Privilege Access ID or the Cluster Name of your Bastion instance creates an entirely new Bastion instance.

It is recommended to set a meaningful Cluster Name for your Bastion cluster from the very beginning. By default, your cluster name is defaultCluster.

To do that, you can set the clusterName="meaningful-cluster-name" field as part of the Bastion deployment.

SSH Legacy Algorithm

############
## Global ##
############
legacySigningAlg: "false"

Both classic SSH and RDP access are based on SSH certificates. If your target servers only support legacy SSH signing algorithms, set legacySigningAlg to true so that the SSH certificates are signed using the legacy '[email protected]' signing algorithm.

RDP User Access

Set usernameSubClaim to the name of the claim in your IDP's JWT (for example, email) whose value should be used as the username for the connection to the target server, so that the connection is made as the currently authenticated user.

############
## Global ##
############
usernameSubClaim:

Proxy

To configure your proxy settings, you can set several parameters: the proxy for HTTP traffic, the proxy for HTTPS traffic, and Ignore Hosts (the no_proxy field), which keeps local traffic from going through your proxy server.

# Linux system HTTP Proxy
httpProxySettings:
  http_proxy: ""
  https_proxy: ""
  no_proxy: ""

Session Recording

To work with session recording for RDP, provide the following settings to upload your recording to an S3 bucket:

config:
    rdpRecord:
      enabled: false
      # automatically upload session recordings to S3 in your AWS account
      s3:
        region: ""
        bucketName: ""
        bucketPrefix: ""
        # optional, run with explicit credentials (without AWS IAM roles)
        awsAccessKeyId: ""
        awsSecretAccessKey: ""

      # Specifies an existing secret to be used for bastion, management AWS credentials
      existingSecret: ""

To authenticate using an explicit AWS key, provide the relevant awsAccessKeyId together with the matching awsSecretAccessKey, or reference an existing Kubernetes Secret containing those credentials using the existingSecret setting. If neither is provided, authentication against your S3 bucket is done using the instance IAM Role.

Session Management

sessionTermination:
  ## Session Termination is available for okta and keycloak
  ## Ref: https://docs.akeyless.io/docs/professional-bastion
  enabled: false
  apiURL: ""
  apiToken: ""
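The settings above (Cluster Name, SSH Legacy Algorithm, Proxy, Session Recording and Session Management) interact in ways that are easy to get wrong in a values file: a default cluster name that is later painful to change, inline AWS keys sitting next to an existingSecret, or a session-termination API token sent to a plain-http endpoint. The following linter is an added example and not Akeyless's own tooling; the key names come from this page, while the checks, their wording and the sample values are my own assumptions about what a deployment reviewer would flag. It expects the values file already parsed into a dict (for example with PyYAML's yaml.safe_load, which is not imported here).

```python
"""Lint a Bastion values file (parsed into a dict) for the settings on this page.
Added example, not Akeyless code: key names are from the page, the checks are
assumptions about what a deployment reviewer would flag."""
from typing import Any

DEFAULT_CLUSTER_NAME = "defaultCluster"   # default value named on the page


def _truthy(value: Any) -> bool:
    """Helm values carry booleans either as YAML bools or quoted strings ("false")."""
    return str(value).strip().lower() == "true"


def _get(values: dict, dotted: str, default: Any = None) -> Any:
    """Fetch values['a']['b'] for 'a.b', returning default if any level is missing."""
    node: Any = values
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def lint_bastion_values(values: dict) -> list[tuple[str, str]]:
    """Return (key, message) findings; an empty list means nothing to flag."""
    findings: list[tuple[str, str]] = []

    # Cluster Name: Bastion identity is Privilege Access ID + clusterName, so
    # renaming later creates a brand-new instance; flag the default early.
    name = _get(values, "clusterName", DEFAULT_CLUSTER_NAME) or DEFAULT_CLUSTER_NAME
    if name == DEFAULT_CLUSTER_NAME:
        findings.append(("clusterName", "still 'defaultCluster'; pick a meaningful name before the first deployment"))

    # SSH Legacy Algorithm: only needed while legacy targets remain.
    if _truthy(_get(values, "legacySigningAlg", "false")):
        findings.append(("legacySigningAlg", "legacy SSH certificate signing enabled; confirm it is still required"))

    # Proxy: an empty no_proxy sends cluster-local traffic through the proxy as well.
    proxy = _get(values, "httpProxySettings", {}) or {}
    if (proxy.get("http_proxy") or proxy.get("https_proxy")) and not proxy.get("no_proxy"):
        findings.append(("httpProxySettings.no_proxy", "empty while a proxy is set; local/cluster hosts will be proxied"))

    # Session Recording: inline keys, existingSecret or IAM role; exactly one should be in use.
    rec = _get(values, "config.rdpRecord", {}) or {}
    if _truthy(rec.get("enabled", False)):
        s3 = rec.get("s3", {}) or {}
        for required in ("region", "bucketName"):
            if not s3.get(required):
                findings.append((f"config.rdpRecord.s3.{required}", "required when recording is enabled"))
        key_id = s3.get("awsAccessKeyId") or ""
        secret = s3.get("awsSecretAccessKey") or ""
        existing = rec.get("existingSecret") or ""
        if bool(key_id) != bool(secret):
            findings.append(("config.rdpRecord.s3", "awsAccessKeyId and awsSecretAccessKey must be set together"))
        elif key_id and existing:
            findings.append(("config.rdpRecord", "inline AWS keys and existingSecret both set; keep one credential source"))
        elif key_id:
            findings.append(("config.rdpRecord.s3", "AWS keys in plaintext values; prefer existingSecret or the instance IAM role"))

    # Session Management: the IDP API token is a credential; require a complete, TLS-only endpoint.
    term = _get(values, "sessionTermination", {}) or {}
    if _truthy(term.get("enabled", False)):
        for required in ("apiURL", "apiToken"):
            if not term.get(required):
                findings.append((f"sessionTermination.{required}", "required when session termination is enabled"))
        url = str(term.get("apiURL") or "")
        if url and not url.startswith("https://"):
            findings.append(("sessionTermination.apiURL", "not https; the API token would be sent in clear text"))

    return findings


# Constructed sample: a values file using the page's keys, as it would look after
# yaml.safe_load().  Hosts, bucket names and credentials are placeholders.
SAMPLE_VALUES: dict = {
    "clusterName": "defaultCluster",
    "legacySigningAlg": "false",
    "usernameSubClaim": "email",
    "httpProxySettings": {
        "http_proxy": "http://proxy.example.internal:3128",
        "https_proxy": "http://proxy.example.internal:3128",
        "no_proxy": "",
    },
    "config": {"rdpRecord": {
        "enabled": True,
        "s3": {"region": "eu-west-1", "bucketName": "example-bastion-recordings",
               "bucketPrefix": "rdp/", "awsAccessKeyId": "AKIA-PLACEHOLDER",
               "awsSecretAccessKey": "SECRET-PLACEHOLDER"},
        "existingSecret": "",
    }},
    "sessionTermination": {"enabled": True, "apiURL": "https://idp.example.com/api", "apiToken": ""},
}

if __name__ == "__main__":
    for key, message in lint_bastion_values(SAMPLE_VALUES):
        print(f"{key}: {message}")
```

Run against the constructed sample, the linter reports the default cluster name, the empty no_proxy, the plaintext AWS keys, and the missing session-termination token; a values file that uses existingSecret or the instance IAM role and a non-default cluster name produces no findings.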

Log Forwarding

To enable log forwarding to an existing log management system, please find a list of available target systems and configurations on this page.
