HomePricing
Search…
Welcome to Release
Getting started
Prepare to Use Release
Create Your Application
Guides and examples
Onboarding Guides
Example applications
Load Balancer with Hostname
Define a Static Javascript Service
Adding SSH Bastion Access to Services
Using ngrok + OAuth for private tunnels
Simple Static Site Example - Gatsby Starter Theme
Docker only example - Voting App
Hybrid - Docker + Static Site Example
App Imports - Connecting Two Apps Together
Example Library
Running Instances
Advanced guides
Reference documentation
Admin / Account Settings
Workflows in Release
Release Environment Versioning
Application Settings
End-to-End Testing
Environment Settings
Environment Expiration
Instant Datasets
Static Service Deployment
Helm
GitOps
The .release.yaml file
Docker Compose Conversion Support
Reference Examples
Release API
Background concepts
How Release Works
Frequently Asked Questions
AWS Support FAQs
Docker Support FAQs
JavaScript Support FAQs
Integrations
Integrations Overview
Source Control Integrations
CLI
Getting Started
Installation
Configuration
CLI Usage Example
Command Reference
Powered By GitBook
Adding SSH Bastion Access to Services
How to access namespace services, like pods or databases for maintenance
Adding an SSH bastion allows users to securely access resources inside your environment. Common use-cases include running utilities to access backend services, like database containers or instances, or to perform administrative commands like starting and stopping jobs on private containers not connected to the public internet.
We do not recommend using bastion access in environments that are critical: for example, in staging or production environments. SSH access is usually unaudited and has elevated powers to do potentially harmful things to your services and environments, so we do not recommend this for most customers.
Some people erroneously believe having VPNs and SSH bastions makes access "more secure" but it may in fact create more openings for bad things to happen. Everything is a tradeoff and you should be aware of what those tradeoffs are for your application and environment. You have been warned.

Create Bastion Service

First, navigate to the Application Template settings to create a bastion service that will run an SSH image. This example creates a service for you:
1
- name: bastion
2
image: binlab/bastion
3
command:
4
- sh
5
- "-c"
6
- >-
7
cp /var/lib/bastion/public-key /var/lib/bastion/authorized_keys &&
8
chmod 600 /var/lib/bastion/authorized_keys &&
9
chown bastion:bastion /var/lib/bastion/authorized_keys &&
10
bastion
11
ports:
12
- type: node_port
13
target_port: '22'
14
port: '22'
15
loadbalancer: true
16
hostname: bastion-${env_id}-${domain}
Copied!
These configuration directives are explained in other sections, but roughly the sections are:
  • name is the name of the service
  • image refers to a public Binlabs ssh container
  • command says to run a bash series of commands to copy the keys and start the bastion service itself. We copy the keys from a known location which will be uploaded in the next step
  • ports describes the service listening on 22, which is standard for SSH
  • hostname describes the hostname that will be generated for the bastion service

Create and Upload Public Keys to Gain Access

The next step is to use a Just in Time File Mount that allows you to upload the public keys that will be used for the bastion. Create a text file on your computer with a list of public SSH keys, one per line and call it public-key with no file extension. An example file with two keys might look like the following:
1
ssh-rsa AAAAB3Nza...abcd== User1
2
ssh-rsa AAAAB3Nza...uvwxyz User2
Copied!
Navigate to the Application Settings area and scroll down to the Just in Time File Mounts. Upload the public-key file with a file directory of /var/lib/bastion/ and make sure you select the bastion service checkbox. You do not need to select "Secret" because this file only contains public keys which are not secrets.
Create the file mount with the public keys and save the file

Connect to the Bastion

After you have completed the steps above and applied the services to deploy a new environment (or update an existing environment), you will need to copy the hostname present in the environment for the bastion service. You can find it in the Hostname URLs section shown below.
Grab the hostname for the bastion service and you can now use an SSH terminal to connect as the user bastion as shown below:
1
$ ssh [email protected]
2
The authenticity of host 'bastion-staging-releaseapp.io (XX.YY.ZZZ.WWW)' can't be established.
3
ECDSA key fingerprint is SHA256:KKTfemSDp1s.
4
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
5
Warning: Permanently added 'bastion-staging-releaseapp.io,XX.YY.ZZZ.WWW' (ECDSA) to the list of known hosts.
6
Welcome to Bastion!
7
​
8
bastion-c4dc7-cx:~$
Copied!
You can now execute commands on the bastion to reach hosts beyond the bastion server.

(Optional) Use the Bastion as a Jump Host

The SSH bastion supports a local configuration you can enable to "proxy" through the bastion transparently. This configuration is advanced, so I will leave you with a link to an article that describes how to use it. Tecmint's Proxy Jump Host documentation.
Previous
Define a Static Javascript Service
Next
Using ngrok + OAuth for private tunnels
Last modified 3mo ago
Copy link
Contents
Create Bastion Service
Create and Upload Public Keys to Gain Access
Connect to the Bastion
(Optional) Use the Bastion as a Jump Host