Allowed Access IDs and SRA Entitlements

Use this page to configure which identities can request SRA sessions and which privileged machine identity is used by bastion components.

Entitlement Model

SRA request authorization is based on two identity classes:

  • Privileged Access ID: The machine identity used by bastion components to fetch required item data and execute privileged control-plane operations.
  • Allowed Access IDs: The requester identities allowed to initiate remote access sessions through the bastion.

Both must be configured correctly. If an Access ID is not in the allowlist, session requests are denied.

Gateway and Bastion Configuration Areas

Common configuration areas include:

  • Gateway management configuration for allowed requester IDs.
  • Docker environment variables, such as PRIVILEGED_ACCESS_ID and ALLOWED_ACCESS_IDS.
  • Helm values for bastion and dispatcher privileged identity settings.

For Zero Trust Web Access (ZTWA) deployments, see Zero Trust Web Access Topology and Zero Trust Web Access on Docker.

CLI Configuration Example

Use Gateway allowed access commands to add and remove requester IDs for a cluster:

akeyless add-gw-access-id \
  --cluster-name <CLUSTER_NAME> \
  --access-id <REQUESTER_ACCESS_ID>
akeyless delete-gw-access-id \
  --cluster-name <CLUSTER_NAME> \
  --access-id <REQUESTER_ACCESS_ID>

For command details, see CLI Reference - Gateway Secure Remote Access.

Docker Example

For Docker-based deployments, configure both the privileged identity and requester allowlist:

-e PRIVILEGED_ACCESS_ID=<PRIVILEGED_ACCESS_ID> \
-e ALLOWED_ACCESS_IDS=<ACCESS_ID_1>,<ACCESS_ID_2>

SSH Certificate Issuer Entitlements

For SSH-based SRA sessions, the SSH Certificate Issuer is part of the effective entitlement chain:

  • Secure Remote Access must be enabled on the issuer.
  • The issuer can restrict target hosts through host restriction controls.
  • For older Gateway versions, the issuer's allowed-users list may need additional session_* compatibility entries.

For issuer configuration details, see SSH Certificates.

Validation Checklist

  1. Confirm the privileged identity is configured and valid for your deployment type.
  2. Confirm requester Access IDs are present in the allowlist.
  3. Confirm the requester role has the required SRA capabilities.
  4. Confirm the SSH Certificate Issuer is enabled for SRA when SSH-based access is required.
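
The following POSIX shell script is an added example, not part of this page or of the Akeyless product, that performs the first two checklist items for a Docker-style configuration: it confirms PRIVILEGED_ACCESS_ID is non-empty and that a requester Access ID appears as a whole entry in the comma-separated ALLOWED_ACCESS_IDS value. The Access ID values it uses are constructed placeholders. The allowlist comparison is an exact, trimmed match, so a partial identifier (for example one that is only a prefix of an allowed entry) is rejected rather than accepted by substring matching.

```shell
#!/bin/sh
# Added example: validate SRA entitlement settings before starting a bastion.
# All Access ID values here are constructed placeholders, not real identities.

# Return 0 when $1 is an exact, whole-entry match in the comma-separated list $2.
# Entries are trimmed so "a, b" and "a,b" behave the same; a requester that is
# only a substring of an entry (p-1 vs p-12) is rejected.
is_allowed_access_id() {
  requester="$1"
  list="$2"
  [ -n "$requester" ] || return 1
  old_ifs="$IFS"
  IFS=','
  for entry in $list; do
    # strip surrounding whitespace from the entry
    entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    if [ "$entry" = "$requester" ]; then
      IFS="$old_ifs"
      return 0
    fi
  done
  IFS="$old_ifs"
  return 1
}

# Return 0 when both settings are usable: the privileged identity is set and
# the requester is present in the allowlist. Arguments:
#   $1 PRIVILEGED_ACCESS_ID value, $2 requester Access ID, $3 ALLOWED_ACCESS_IDS value
check_sra_entitlements() {
  privileged="$1"
  requester="$2"
  allowlist="$3"
  if [ -z "$privileged" ]; then
    echo "PRIVILEGED_ACCESS_ID is not set" >&2
    return 1
  fi
  if ! is_allowed_access_id "$requester" "$allowlist"; then
    echo "requester '$requester' is not in ALLOWED_ACCESS_IDS; sessions will be denied" >&2
    return 1
  fi
  echo "ok: '$requester' may request SRA sessions"
  return 0
}

# Constructed sample values (placeholders, not real Access IDs)
SAMPLE_PRIVILEGED="p-placeholder-priv"
SAMPLE_ALLOWLIST="p-placeholder-1, p-placeholder-2"

# Usage: run the check against values taken from the container environment.
# check_sra_entitlements "$PRIVILEGED_ACCESS_ID" "p-placeholder-1" "$ALLOWED_ACCESS_IDS"
```

Run the check with the same values you pass as `-e` flags to Docker; a non-zero exit means the requester would be denied, which is the failure mode the entitlement model above describes.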