SSH bastion access to services

Access namespace services like pods or databases for maintenance

You can add an SSH bastion to an environment to allow team members to securely access resources in the environment, for example, to run utilities accessing backend services like database containers or to perform administrative commands like starting and stopping jobs on private containers not connected to the public internet.

We do not recommend using bastion access in critical environments, such as staging or production. SSH access is usually unaudited and has elevated powers that could be used to cause harm to your services and environments. Most customers do not need SSH bastion access for their environments.

It is a mistake to believe that VPNs and SSH bastions make access to your environments more secure. In reality, these connections may expose your environments to additional risk, and you should keep this in mind if you choose to add SSH bastion access to your application or environment.

Create bastion service

Navigate to the Application Template settings to create a bastion service that will run an SSH image. This example creates a service for you:

- name: bastion
  image: binlab/bastion
  command:
  - sh
  - "-c"
  - >-
    cp /var/lib/bastion/public-key /var/lib/bastion/authorized_keys && 
    chmod 600 /var/lib/bastion/authorized_keys &&
    chown bastion:bastion /var/lib/bastion/authorized_keys &&
    bastion
  ports:
  - type: node_port
    target_port: '22'
    port: '22'
    loadbalancer: true
  hostname: bastion-${env_id}-${domain}

Let's take a look at these configuration directives:

  • name is the name of the service.

  • command provides a series of shell commands that will be run to copy the keys from a known location (keys will be uploaded in the next step) and start the bastion service.

  • ports specifies that the service will listen on port 22, which is standard for SSH.

  • hostname describes the hostname that will be generated for the bastion service.

Create and upload public keys to gain access

Create a text file on your computer called public-key with no file extension. Add the list of public SSH keys to this file, placing each key on a new line. An example file with two keys might look like this:

ssh-rsa AAAAB3Nza...abcd== User1
ssh-rsa AAAAB3Nza...uvwxyz User2

Now navigate to App Settings and scroll down to the "Just-in-time File Mounts" section. Upload the public-key file with the file directory /var/lib/bastion/ and make sure you select the bastion service checkbox. You do not need to select Secret, because this file only contains public keys, which are not secrets.
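
Every line in public-key is copied into authorized_keys and becomes a login for the bastion user, so it is worth checking the file before uploading it. The Python check below is an added example, not part of Release's documentation or the binlab image; the allowed key types, the 3072-bit RSA floor and the sample lines are assumptions made for illustration.

```python
import base64
import struct

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa"}  # assumed policy, not from the page
MIN_RSA_BITS = 3072                         # assumed policy, not from the page

def _fields(blob):
    """Split an SSH public-key blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack_from(">I", blob, pos)  # struct.error if cut short
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    if pos != len(blob):
        raise ValueError("truncated field")
    return out

def check_line(line):
    """Return the problems found in one line of the public-key file."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return ["first field is not an allowed key type"]  # e.g. command="..."
    try:
        fields = _fields(base64.b64decode(parts[1], validate=True))
    except (ValueError, struct.error):  # binascii.Error is a ValueError
        return ["key data is not a well-formed SSH blob"]
    problems = []
    if not fields or fields[0] != parts[0].encode():
        problems.append("declared type does not match the key blob")
    elif parts[0] == "ssh-rsa" and (len(fields) != 3 or
            int.from_bytes(fields[2], "big").bit_length() < MIN_RSA_BITS):
        problems.append(f"RSA key malformed or under {MIN_RSA_BITS} bits")
    if len(parts) < 3:
        problems.append("no comment identifying the key owner")
    return problems

def check_file(text):
    """Map 1-based line number -> problems for every flagged line."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            if problems := check_line(line):
                report[number] = problems
    return report

# Constructed sample: one well-formed Ed25519 blob (all-zero key), reused.
_ED = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43
SAMPLE = "\n".join([
    f"ssh-ed25519 {_ED} alice@example", f"ssh-ed25519 {_ED}",
    f'command="/bin/sh" ssh-ed25519 {_ED} bob', f"ssh-rsa {_ED} carol@example"])
```

Run check_file on the contents of public-key and upload only when it returns an empty report.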

Connect to the bastion

Once you have applied the services to deploy a new environment or update an existing environment, navigate to the environment's details page. You'll find the hostname for the bastion service in the "Hostname URLs" section.

Copy the hostname for the bastion service. You can now use an SSH terminal to connect as the user bastion as follows:

$ ssh bastion@bastion-staging-releaseapp.io
The authenticity of host 'bastion-staging-releaseapp.io (XX.YY.ZZZ.WWW)' can't be established.
ECDSA key fingerprint is SHA256:KKTfemSDp1s.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'bastion-staging-releaseapp.io,XX.YY.ZZZ.WWW' (ECDSA) to the list of known hosts.
Welcome to Bastion!

bastion-c4dc7-cx:~$

You can now execute commands on the bastion to reach hosts beyond the bastion server.

Optional: Use the bastion as a jump host

The SSH bastion supports a local configuration you can enable to proxy through the bastion transparently. If you would like to learn more about using a proxy jump host, take a look at Tecmint's How to Access a Remote Server Using a Jump Host.

Notes on the steps above: in the bastion service definition, image refers to binlab's public SSH container, and the public keys used to access the bastion are uploaded with a just-in-time file mount.

Last updated 2 years ago