Serverless Gateway

Akeyless Serverless Gateway is a cloud-native deployment model that enables you to run the Gateway without having to manage servers.

The Serverless Gateway is currently available only on AWS, where it is based on Lambda functions that handle the routine work of provisioning, maintaining, and scaling the Gateway infrastructure.

Once deployed, the Serverless Gateway responds on demand through an event-driven execution model and automatically scales up and down as needed. For example, issuing just-in-time access credentials using Akeyless Dynamic Secrets will trigger the Gateway to provision those credentials and to revoke them once the TTL expires.

The following guide will demonstrate how to use a Terraform module to create a Serverless Gateway.

Prerequisites

Gateway Configuration

Clone the Serverless Gateway repository locally:

git clone https://github.com/akeyless-community/akeyless-serverless-gateway.git

Edit the akeyless-serverless-gateway/terraform/AWS/serverless-gateway/lambda_env_vars.tf file according to the sections below.

Authentication

Set your Gateway with a default Authentication Method to control the level of access your Gateway will have inside your Akeyless account.

The following Authentication Methods are supported for Serverless mode:

When using AWS IAM as the admin_access_id of the Gateway, also use the allowed_access_permissions variable to set the list of users who will be able to manage your Gateway configuration. For example:

# Option 1: API Key authentication (admin_access_id_type = "access_key")
variable "admin_access_id_type" {
  description = "Set the Admin Auth Type for the Gateway"
  type        = string
  default     = "access_key"
}

variable "admin_access_id" {
  description = "Akeyless API Key Auth Access ID"
  type        = string
  default     = "<Access ID>"
}

variable "admin_access_key" {
  description = "Akeyless Admin Access Key"
  default     = "<Access Key>"
}

variable "allowed_access_permissions" {
  description = "Akeyless allowed_access_permissions"
  type        = string
  default     = "[{\"name\": \"\", \"<Access ID>\": \"\", \"permissions\": [\"admin\"]}]"
}

# Option 2: AWS IAM authentication (admin_access_id_type = "aws_iam").
# Use these definitions instead of the ones above; admin_access_key is not used.
variable "admin_access_id_type" {
  description = "Set the Admin Auth Type for the Gateway"
  type        = string
  default     = "aws_iam"
}

variable "admin_access_id" {
  description = "Akeyless AWS IAM Auth Access ID"
  type        = string
  default     = "<Access ID>"
}

variable "allowed_access_permissions" {
  description = "Akeyless allowed_access_permissions"
  type        = string
  default     = "[{\"name\": \"\", \"<Access ID>\": \"\", \"permissions\": [\"admin\"]}]"
}

Where:

  • admin_access_id_type: The Auth Method type for the Gateway, either access_key or aws_iam.

  • admin_access_id: The Access ID of the default AWS IAM / API Key Auth Method. This identity can manage all Gateway components and add additional Access Permissions.

  • admin_access_key: The Access Key of the admin_access_id. Relevant only when admin_access_id_type is access_key.

  • allowed_access_permissions: A list of allowed Access IDs, used to delegate the permissions users will have on your Gateway components. Required when admin_access_id_type is aws_iam. For example, it can be used with API Key or SAML Auth Methods.
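
A pre-apply check for the rules listed above, as an added example in Python that is not part of the Akeyless repository. The function names and the sample text are constructed for illustration, the parser only handles the flat variable blocks shown on this page, and treating an empty admin_access_key under access_key as an error is an assumption.

```python
import json
import re

def read_defaults(tf_text):
    """Collect the string defaults of `variable "x" { ... }` blocks, line by line."""
    defaults, name = {}, None
    for line in tf_text.splitlines():
        head = re.match(r'\s*variable\s+"(\w+)"\s*\{', line)
        val = re.match(r'\s*default\s*=\s*"((?:[^"\\]|\\.)*)"\s*$', line)
        if head:
            name = head.group(1)
        elif val and name:
            # Undo HCL string escaping; only \" and \\ occur in these values.
            defaults[name] = re.sub(r'\\(.)', r'\1', val.group(1))
        elif line.strip() == "}":
            name = None
    return defaults

def check_gateway_auth(tf_text):
    """Return a list of problems with the Gateway authentication variables."""
    d, problems = read_defaults(tf_text), []
    auth_type = d.get("admin_access_id_type", "")
    if auth_type not in ("access_key", "aws_iam"):
        problems.append("admin_access_id_type must be access_key or aws_iam")
    if auth_type == "access_key" and not d.get("admin_access_key"):
        problems.append("admin_access_key is empty but the type is access_key")
    if auth_type == "aws_iam" and d.get("admin_access_key"):
        problems.append("admin_access_key is unused with aws_iam; remove the stored key")
    raw = d.get("allowed_access_permissions", "")
    if auth_type == "aws_iam" and not raw:
        problems.append("allowed_access_permissions is required with aws_iam")
    if raw:
        try:
            entries = json.loads(raw)
        except ValueError:
            entries = None
        if not (isinstance(entries, list) and entries
                and all(isinstance(e, dict) and e.get("permissions") for e in entries)):
            problems.append("allowed_access_permissions is not a JSON list of permission entries")
    return problems

# Constructed sample: type switched to aws_iam, old key left behind, no permissions list.
SAMPLE = ('variable "admin_access_id_type" {\n  default = "aws_iam"\n}\n'
          'variable "admin_access_key" {\n  default = "constructed-example-key"\n}\n')

if __name__ == "__main__":
    print("\n".join(check_gateway_auth(SAMPLE)))
```

Run it against the contents of lambda_env_vars.tf before terraform apply; an empty list means the authentication variables are consistent with each other.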

Customer Fragment

To work with Zero-Knowledge, edit the customer_fragments variable as follows:

variable "customer_fragments" {
  type        = map(any)
  sensitive   = true
  description = ""
  default     = {
    "customer_fragments": [
      {
        "id": "<Customer Fragment ID>",
        "value": "<Value>",
        "description": "My Serverless Fragment",
        "name": "ServerLessFragment"
      }
    ]
  }
}

Installation

To install the module, run the following commands:

terraform init
terraform apply

Upon successful installation of the Serverless Gateway, the following output will be generated:

Outputs:

akeyless_serverless_gateway_url = "https://uh4i3r4.execute-api.<region>.amazonaws.com/default/console"
aws_api_gateway_rest_api = "arn:aws:apigateway:<region>::/restapis/uh4i3r4"
aws_lambda_function = "arn:aws:lambda:<region>:<aws-acct-id>:function:<your-serverless-gateway>"
repository_url = "<aws-acct-id>.dkr.ecr.<region>.amazonaws.com/<your>-serverless-gateway-repo-for-lambda"

Note: If the Gateway settings need to be updated after installation, edit the relevant values in the terraform files and run terraform apply.

Initial Gateway Configuration

To configure your Akeyless Gateway:

  1. In your browser, navigate to the URL in the first output above, labeled akeyless_serverless_gateway_url.
  2. Enter your credentials to log in.

Gateway URL

The default value of akeyless_serverless_gateway_url ends with /default/console, which routes you to the Akeyless Gateway Console (port 18888).

To connect to the Akeyless Gateway Configuration Manager (port 8000), use /default/config.

For more information about the Serverless Gateway, refer to the Serverless Gateway repository.

Note: After installing the Serverless Gateway, it becomes accessible as a Lambda function within your AWS account. This enables you to access comprehensive information, monitor its performance, and gain a complete overview of its functionality. While it is possible to edit the Gateway directly from the Lambda function, any changes made there will be overwritten during the next terraform apply command.

AWS Configuration

While the lambda_env_vars.tf file contains the basic configuration required for deploying the Serverless Gateway, you can also configure the variables.tf file to match your AWS account needs. Below are examples of configurable settings:

  • aws_profile - Set the AWS profile used for authentication. The default value is default.

  • region - Set the AWS region. The default value is us-east-2.

  • api_gw_name - Set the name of the gateway in AWS. The default value is akeyless-serverless-gateway-api-gateway.

  • lambda_func_name - Set the name of the Lambda function in AWS. The default value is akeyless-serverless-gateway.

Find more information about the available terraform configuration files.

Upgrading the Gateway

The Serverless Gateway can be updated to a different version based on your preferences. Follow these steps to update the Gateway:

  • Open the Serverless Gateway repository on GitHub
  • Go to Lambda Docker Image Configuration > Selecting a Different Version
  • View the available versions
  • In the variables.tf file, change the image-tag field to the version you want
  • Run terraform apply

The Serverless Gateway will boot with the version you chose.

Limitations

Unavailable services:

Kubernetes / LDAP Authentication, Caching, Automatic Migration, Event on status changes, TLS Configuration.

Unsupported actions from the console:

  • Getting Dynamic Secret credentials - While it is possible to create a Dynamic Secret from the console using the Serverless Gateway, the Dynamic Secret's credentials need to be fetched from the Gateway itself.

  • Rotate Password - While it is possible to create a Rotated Secret from the console using the Serverless Gateway, the password can be rotated from the Gateway itself.