SRA Advanced Configuration

Secure Remote Access Bastion

Cluster Name

############
## Global ##
############
clusterName: defaultCluster

Each Bastion is uniquely identified by the combination of its Privilege Access ID Authentication Method and its Cluster Name.

This means that changing either the Privilege Access ID or the Cluster Name of your Bastion instance creates an entirely new Bastion instance.

It is recommended to set a meaningful Cluster Name for your Bastion cluster from the very beginning. By default, the cluster name is defaultCluster.

To do that, set the clusterName="meaningful-cluster-name" field as part of the Bastion deployment.

SSH Legacy Algorithm

############
## Global ##
############
legacySigningAlg: "false"

Both classic SSH and RDP access are based on SSH certificates. To support legacy algorithms for SSH signing, set legacySigningAlg to true so that the SSH certificates are signed using the legacy '[email protected]' signing algorithm.

RDP User Access

Set usernameSubClaim to the relevant attribute that exists inside your IdP's JWT (e.g. email) so that the connection to your target server is established with the currently authenticated username.

############
## Global ##
############
usernameSubClaim:

Proxy

To configure your proxy settings, you can set several parameters: a proxy for HTTP traffic, a proxy for HTTPS traffic, and a list of ignored hosts in the no_proxy field so that local traffic does not go through your proxy server.

# Linux system HTTP Proxy
httpProxySettings:
  http_proxy: ""
  https_proxy: ""
  no_proxy: ""

Session Recording

To work with session recording for RDP, provide the following settings to upload your recording to an S3 bucket or to an Azure Blob storage:

config:
    rdpRecord:
      enabled: true
      keepLocalRecording: false
      # automatically upload session recordings to S3 in your AWS account
      s3:
        region: ""
        bucketName: ""
        bucketPrefix: ""
        # optional, run with explicit credentials (without AWS IAM roles)
        awsAccessKeyId: ""
        awsSecretAccessKey: ""

      # Specifies an existing secret to be used for bastion, management AWS credentials
      existingSecret: ""

config:
    rdpRecord:
      enabled: true
      keepLocalRecording: false
      # automatically upload session recordings to Blob storage in your Azure account
      azure:
        storageAccountName: ""
        storageContainerName: ""
        # optional, run with explicit credentials (without Azure IAM roles)
        azureClientId: ""
        azureClientSecret: ""
        azureTenantId: ""

      # Specifies an existing secret to be used for bastion, management Azure credentials
      existingSecret: ""

To authenticate with an explicit AWS key, provide the relevant awsAccessKeyId together with the matching awsSecretAccessKey, or reference an existing Kubernetes Secret containing those credentials via the existingSecret setting. Otherwise, authentication against your S3 bucket is performed using the instance IAM role.

To keep local copies of recordings on your Bastion server, set keepLocalRecording to true; session recordings are then stored inside the bastion under /home/akeyless/recordings.

Session Management

To revoke an existing session from your Akeyless Gateway Overview or from your IdP, such as Okta or Keycloak, enable sessionTermination and set apiURL to your Gateway URL or to your IdP URL.

sessionTermination:
  ## Session Termination is available for Akeyless GW, okta and keycloak
  enabled: true
  apiURL: ""
  apiToken: ""

Log Forwarding

To enable log forwarding to an existing log management system, see the list of available target systems and their configuration on this page.

Redirect to Bastion URLs

To ensure that only validated redirects are accepted, you can harden your bastion with the allowedBastionUrls variable: a list of URLs that are considered valid for redirection from the Akeyless Zero Trust Portal back to the relevant web-bastion:

ztbConfig:
  # List of URLs that will be considered valid for redirection from the Portal back to the bastion
  allowedBastionUrls: []
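Added example, not Akeyless code: the page does not say how allowedBastionUrls entries are matched, so the exact-origin rule below is an assumption. It shows which redirect targets a single allowlist entry should and should not accept, and why comparing full origins rather than URL prefixes is what makes the allowlist effective.

```python
"""Exact-origin matching for a redirect allowlist such as allowedBastionUrls.

Added example, not Akeyless code. The chart does not document how entries are
compared, so the rule here (scheme, host and port must equal those of an entry;
path and query are ignored) is an assumption chosen to show why prefix or
substring checks are not enough.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url: str) -> Optional[Tuple[str, str, int]]:
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # relative or scheme-relative URLs and other schemes
    if parts.username is not None or parts.password is not None:
        return None  # userinfo would let the real host differ from what it looks like
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:
        return None  # non-numeric or out-of-range port
    return scheme, parts.hostname, port  # hostname is already lower-cased


def is_allowed_redirect(target: str, allowed_bastion_urls: List[str]) -> bool:
    """True only if target's origin equals the origin of an allowlisted URL."""
    target_origin = origin_of(target)
    if target_origin is None:
        return False
    return any(origin_of(entry) == target_origin for entry in allowed_bastion_urls)


if __name__ == "__main__":
    allowed = ["https://bastion.example.com"]  # constructed allowedBastionUrls entry
    for candidate in (
        "https://bastion.example.com/callback?session=abc",  # same origin: allowed
        "https://BASTION.example.com:443/",                  # same origin after normalisation
        "https://bastion.example.com.evil.example/",         # lookalike host: denied
        "https://bastion.example.com@evil.example/",         # real host is evil.example: denied
        "http://bastion.example.com/",                       # scheme differs: denied
        "//evil.example/",                                   # no scheme: denied
    ):
        verdict = "allow" if is_allowed_redirect(candidate, allowed) else "deny"
        print(f"{verdict:5} {candidate}")
```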

Concurrent Unauthenticated Connections

To limit the number of concurrent unauthenticated connections to the SRA Bastion, set the following environment variable under sshConfig:

sshConfig:
  env:
    - name: CONFIG_MAX_STARTUPS
      value: "200:30:300"
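The "200:30:300" value has the start:rate:full shape of OpenSSH's MaxStartups option. The following added example (not part of the chart or the Akeyless documentation, and assuming CONFIG_MAX_STARTUPS is handed to sshd unchanged) parses such a value and computes the chance that a new unauthenticated connection is refused at a given load, which is what you need when sizing these numbers for a Bastion.

```python
"""Model the start:rate:full value used for CONFIG_MAX_STARTUPS.

Added example, not part of the Akeyless chart or documentation. It assumes the
value is handed to sshd as its MaxStartups option and so follows OpenSSH's
semantics: below `start` unauthenticated connections nothing is refused; from
`start` on, a new connection is refused with probability `rate` percent, rising
linearly to 100 percent once `full` unauthenticated connections exist.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MaxStartups:
    start: int  # unauthenticated connections at which random early drop begins
    rate: int   # initial refusal probability, in percent
    full: int   # unauthenticated connections at which every new one is refused


def parse_max_startups(value: str) -> MaxStartups:
    """Parse "start:rate:full"; a single number N means start=full=N, rate=100."""
    parts = value.strip().split(":")
    if len(parts) == 1:
        parts = [parts[0], "100", parts[0]]
    if len(parts) != 3:
        raise ValueError(f"expected start:rate:full, got {value!r}")
    start, rate, full = (int(p) for p in parts)
    if start < 1 or full < start or not 1 <= rate <= 100:
        raise ValueError(f"invalid MaxStartups value {value!r}")
    return MaxStartups(start, rate, full)


def drop_probability(cfg: MaxStartups, unauthenticated: int) -> int:
    """Percent chance that one more unauthenticated connection is refused.

    Uses the same integer arithmetic as sshd for the ramp between start and full.
    """
    if unauthenticated < cfg.start:
        return 0
    if unauthenticated >= cfg.full or cfg.rate == 100:
        return 100
    ramp = (100 - cfg.rate) * (unauthenticated - cfg.start) // (cfg.full - cfg.start)
    return cfg.rate + ramp


if __name__ == "__main__":
    cfg = parse_max_startups("200:30:300")  # the value shown in the snippet above
    for n in (150, 200, 250, 299, 300):
        print(f"{n:>3} unauthenticated connections -> {drop_probability(cfg, n):>3}% refused")
```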

SSH Fingerprint

To accept the SSH Bastion host key fingerprint automatically, without having to re-accept it after upgrades and similar events, you can set an environment variable as part of the chart deployment that points to a dedicated folder within your Akeyless account. The SRA bastion will automatically store the relevant fingerprints in that folder. In this example, the fingerprints are stored inside the /MY_SSH_BASTION_HOST_KEYS folder.
Note: please ensure your Bastion default Auth Method has the following permissions on that folder: create, read, list.

sshConfig:
  env:
    - name: SSH_HOST_KEYS_PATH
      value: /MY_SSH_BASTION_HOST_KEYS