Secure Remote Access Bastion on Docker

Docker Setup

The Akeyless Secure Remote Access Bastion provides secure remote access to resources using Just In Time credentials (dynamic, rotated secrets, and SSH certificates). This guide provides guidance for a Docker deployment of Akeyless Secure Remote Access Bastions both Web-bastion and SSH-bastion.

Prerequisites

Network

When using SSH sessions behind a load balancer such as ELB, the session can be closed due to an idle connection timeout, so we recommend increasing it to a reasonably high value or even unlimited.

e.g., when running on AWS with ELB: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html?icmpid=docs_elb_console

Storage

Currently, this setup requires a Volume storage mechanism of Docker.

๐Ÿšง

Note:

To enable Secure Remote Access features, you will have to get an access key to Akeyless private docker repository. Please contact your Account Manager for more details.

Configuration

The Secure Remote Access Bastion should be set with a privileged AccessID with Read and list permissions to fetch the relevant secret on behalf of your users. Set the PRIVILEGED_ACCESS_ID variable with the relevant AccessID as described in the Authentication section of this page.

Users can have only list permissions on their secrets. Upon successful authentication against your IDP, the bastion will fetch the requested secret from Akeyless and will inject them directly for your users transparently.
To control who will be the relevant users that will be allowed to request access from the Akeyless Bastion, set the ALLOWED_ACCESS_IDS variable with a list of AccessIDs that will be authorized to request access.

For RDP access that use Fixed user feature rely on the username sub-claims to figure out Windows username to use. If you use a different sub-claim, it should be specified at deployment time using USERNAME_SUB_CLAIM environment variable.

To provide just-in-time native CLI access for your users using Keyless SSH set the CA_PUB variable with the matching public key of the key you used to create the SSH Certificate Issuer

๐Ÿ“˜

Info

If you don't have an SSH certificate ready, please follow this guide on creating SSH Cert issuer with Akeyless Platform and set your CA.

Authentication

The following Authentication Methods are supported:

API Key Authentication

To set your Bastion default authentication based on API Key, set the PRIVILEGED_ACCESS_ID and the matching PRIVILEGED_ACCESS_KEY with a list of ALLOWED_ACCESS_IDS that will be authorized to request access:

docker run --name web-bastion -d -p 8888:8888  \
    -e AKEYLESS_GW_URL="https://rest.akeyless.io" \
    -e PRIVILEGED_ACCESS_ID="<AccessID>" \
    -e PRIVILEGED_ACCESS_KEY="<AccessKey>" \
    -e ALLOWED_ACCESS_IDS="<AccessIDs>" \
    -e CLUSTER_NAME="Akeyless Bastion" \
    -e USERNAME_SUB_CLAIM="FIXED_USER_KEY_NAME" \
    --restart unless-stopped akeyless/zero-trust-bastion:latest
docker run --name ssh-bastion -d -p 0.0.0.0:2222:22 -p 0.0.0.0:9900:9900  \
       -e AKEYLESS_GW_URL="https://rest.akeyless.io" \
       -e PRIVILEGED_ACCESS_ID="<AccessID>" \
       -e PRIVILEGED_ACCESS_KEY="<AccessKey>" \
       -e ALLOWED_ACCESS_IDS="<AccessIDs>"  \
       -e CA_PUB="<CA Public Key>" \
       -e CLUSTER_NAME="Akeyless Bastion" \
       --cap-add=SYS_ADMIN --privileged --restart unless-stopped akeyless/ssh-proxy:latest

CSP IAM Authentication

While running your Dockers inside your cloud environment, you can use AWS IAM, GCP, or Azure Active Directory, using machine-to-machine authentication between Akeyless and your Cloud Service Provider with a list of allowed AccessIDs that will be authorized to request access.

AWS IAM

AWS IAM can be used for an instance with an IAM Role. While working with an IAM Role associated with the instance itself, you can provide your AWS IAM Access ID as your PRIVILEGED_ACCESS_ID, with a list of ALLOWED_ACCESS_IDS that will be authorized to request access:

docker run --name web-bastion -d -p 8888:8888  \
    -e AKEYLESS_GW_URL="https://rest.akeyless.io" \
    -e PRIVILEGED_ACCESS_ID="<AccessID>" \
    -e ALLOWED_ACCESS_IDS="<AccessIDs>" \
    -e USERNAME_SUB_CLAIM="FIXED_USER_KEY_NAME" \
    -e CLUSTER_NAME="Akeyless Bastion" \
    --restart unless-stopped akeyless/zero-trust-bastion:latest
docker run --name ssh-bastion -d -p 0.0.0.0:2222:22 -p 0.0.0.0:9900:9900  \
       -e AKEYLESS_GW_URL="https://rest.akeyless.io" \
       -e PRIVILEGED_ACCESS_ID="<AccessID>" \
       -e ALLOWED_ACCESS_IDS="<AccessIDs>"  \
       -e CA_PUB="<CA Public Key>" \
       -e CLUSTER_NAME="Akeyless Bastion" \
       --cap-add=SYS_ADMIN --privileged --restart unless-stopped akeyless/ssh-proxy:latest

GCP GCE

Deploying Akeyless Bastion over Docker using the authentication between your Bastion and Akeyless SaaS using our GCP Authentication method can be done using the GCP.
Set your GCP GCE Access ID as your PRIVILEGED_ACCESS_ID and at least one another Access ID in the ALLOWED_ACCESS_IDS list.

docker run --name web-bastion -d -p 8888:8888  \
    -e AKEYLESS_GW_URL="https://rest.akeyless.io" \
    -e PRIVILEGED_ACCESS_ID="<AccessID>" \
    -e GCP_AUDIENCE="akeyless.io" \
    -e ALLOWED_ACCESS_IDS="<AccessIDs>" \
    -e USERNAME_SUB_CLAIM="FIXED_USER_KEY_NAME" \
    -e CLUSTER_NAME="Akeyless Bastion" \
    --restart unless-stopped akeyless/zero-trust-bastion:latest
docker run --name ssh-bastion -d -p 0.0.0.0:2222:22 -p 0.0.0.0:9900:9900  \
       -e AKEYLESS_GW_URL="https://rest.akeyless.io" \
       -e PRIVILEGED_ACCESS_ID="<AccessID>" \
       -e ALLOWED_ACCESS_IDS="<AccessIDs>"  \
       -e CA_PUB="<CA Public Key>" \
       -e CLUSTER_NAME="Akeyless Bastion" \
       --cap-add=SYS_ADMIN --privileged --restart unless-stopped akeyless/ssh-proxy:latest

Azure Active Directory

Set your Azure Active Directory Access ID as your PRIVILEGED_ACCESS_ID with the matching service principal azureobjectID', with a list of ALLOWED_ACCESS_IDS` that will be authorized to request access.

docker run --name web-bastion -d -p 8888:8888  \
    -e AKEYLESS_GW_URL="https://rest.akeyless.io" \
    -e PRIVILEGED_ACCESS_ID="<AccessID>" \
    -e AZURE_OBJECT_ID="<AzureObjectID>" \
    -e GCP_AUDIENCE="akeyless.io" \
    -e ALLOWED_ACCESS_IDS="<AccessIDs>" \
    -e USERNAME_SUB_CLAIM="FIXED_USER_KEY_NAME" \
    -e CLUSTER_NAME="Akeyless Bastion" \
    --restart unless-stopped akeyless/zero-trust-bastion:latest
docker run --name ssh-bastion -d -p 0.0.0.0:2222:22 -p 0.0.0.0:9900:9900  \
       -e AKEYLESS_GW_URL = "https://rest.akeyless.io" \
       -e PRIVILEGED_ACCESS_ID="<AccessID>" \
       -e ALLOWED_ACCESS_IDS="<AccessIDs>"  \
       -e CA_PUB="<CA Public Key>" \
       -e CLUSTER_NAME="Akeyless Bastion" \
       --cap-add=SYS_ADMIN --privileged --restart unless-stopped akeyless/ssh-proxy:latest

Session Recording

To enable session recording on your web-bastion you can export the recordings into an S3 bucket:

docker run --name web-bastion -d -p 8888:8888  \
    -e AKEYLESS_GW_URL="https://rest.akeyless.io" \
    -e PRIVILEGED_ACCESS_ID="<AccessID>" \
    -e ALLOWED_ACCESS_IDS="<AccessIDs>" \
    -e USERNAME_SUB_CLAIM="FIXED_USER_KEY_NAME" \
    -e AWS_REGION="<aws region>" \
    -e AWS_S3_BUCKET="<bucket name>" \
    -e AWS_S3_PREFIX="akeyless-zero-trust-bastion" \
    -e CLUSTER_NAME="Akeyless Bastion" \
    --restart unless-stopped akeyless/zero-trust-bastion:latest
docker run --name web-bastion -d -p 8888:8888  \
    -e AKEYLESS_GW_URL="https://rest.akeyless.io" \
    -e PRIVILEGED_ACCESS_ID="<AccessID>" \
    -e ALLOWED_ACCESS_IDS="<AccessIDs>" \
    -e USERNAME_SUB_CLAIM="FIXED_USER_KEY_NAME" \
    -e AWS_REGION= "<aws region>" \
    -e AWS_S3_BUCKET= "<bucket name>" \
    -e AWS_S3_PREFIX=akeyless-zero-trust-bastion \
    -e AWS_ACCESS_KEY_ID="<AWS ACCESS KEY ID>" \
    -e AWS_SECRET_ACCESS_KEY="<AWS ACCESS KEY>" \
    -e CLUSTER_NAME="Akeyless Bastion" \
    --restart unless-stopped akeyless/zero-trust-bastion:latest

Log Forwarding

To forward all your users session logs from the ssh-bastion, mount a local file which hold the setting of your target log server as described in this guide, for example:

docker run --name ssh-bastion -d -p 0.0.0.0:2222:22 -p 0.0.0.0:9900:9900  \
       -e AKEYLESS_GW_URL="https://rest.akeyless.io" \
       -e PRIVILEGED_ACCESS_ID="<AccessID>" \
       -e ALLOWED_ACCESS_IDS="<AccessIDs>"  \
       -e CA_PUB="<CA Public Key>" \
       -e CLUSTER_NAME="Akeyless Bastion" \
       -v &PWD/log_forwarding.conf:/var/akeyless/conf/logand.conf \
       --cap-add=SYS_ADMIN --privileged --restart unless-stopped akeyless/ssh-proxy:latest
cat <<EOT>> log_forwarding.conf
enable="true"
target_log_type="logz_io"
target_logz_io_token=""
target_logz_io_protocol="tcp"
EOT

Redirect to Bastion URLs

To ensure only validated redirects are accepted, you can harden your bastion using the ALLOWED_BASTION_URLS variable with a list of URLs that will be considered valid for redirection from the Akeyless Zero Trust Portal back to the relevant web-bastion:

docker run --name web-bastion -d -p 8888:8888  \
    -e AKEYLESS_GW_URL="https://rest.akeyless.io" \
    -e PRIVILEGED_ACCESS_ID="<AccessID>" \
    -e ALLOWED_ACCESS_IDS="<AccessIDs>" \
    -e USERNAME_SUB_CLAIM="FIXED_USER_KEY_NAME" \
    -e CLUSTER_NAME="Akeyless Bastion" \
    -e ALLOWED_BASTION_URLS="https://mybastion-url.com" \
    --restart unless-stopped akeyless/zero-trust-bastion:latest

Concurrent Unauthenticated Connections

To specify the maximum number of concurrent unauthenticated connections to the SSH Bastion, set the CONFIG_MAX_STARTUPS variable:

docker run --name ssh-bastion -d -p 0.0.0.0:2222:22 -p 0.0.0.0:9900:9900  \
       -e AKEYLESS_GW_URL="https://rest.akeyless.io" \
       -e PRIVILEGED_ACCESS_ID="<AccessID>" \
       -e ALLOWED_ACCESS_IDS="<AccessIDs>"  \
       -e CA_PUB="<CA Public Key>" \
       -e CONFIG_MAX_STARTUPS="200:30:300" \
       -e CLUSTER_NAME="Akeyless Bastion" \
       -v &PWD/log_forwarding.conf:/var/akeyless/conf/logand.conf \
       --cap-add=SYS_ADMIN --privileged --restart unless-stopped akeyless/ssh-proxy:latest

Verify that both web-bastion and ssh-bastion containers are up and running.