
CircleCI

Secure your CircleCI runners and use them to access your targets via BastionZero service accounts


Last updated 6 months ago

The BastionZero product is maintained for existing BastionZero customers only.

Moving forward, we are natively rebuilding BastionZero’s technology as Cloudflare’s Access for Infrastructure service.

This guide explains how to use BastionZero to secure your CircleCI runners and close off a vulnerable access point in your infrastructure. It also demonstrates how to leverage BastionZero's service accounts to access your targets through CircleCI.

Get your target off the public internet.

The following example is for a Linux target. BastionZero also secures access to Kubernetes clusters, databases, and web servers.

To secure your Linux target with BastionZero, you will need to do the following:

  1. Install the Zero Trust Command Line Interface (ZLI) on your local machine (if you have not already done so).

  2. Install the BastionZero agent, bzero, on your target.

  3. Register the agent with BastionZero.

  4. Ensure that the appropriate users have access to your target via policy.

  5. Verify your policy rules by connecting to your target using zli connect {target-user}@{target-name}.

  6. Your target is now secured with BastionZero! You can close any open ports and remove long-lived credentials, such as Secure Shell (SSH) keys.

Set up your CircleCI runner.

After securing your target, we can set up the CircleCI runner. If you already have a config.yaml you would like to use, feel free to skip directly to the section below.

  1. Create a new pipeline in CircleCI by connecting to a code repository of your choosing and either creating a new /.circleci/config.yaml or importing an existing one.

  2. [Self-hosted runners only]. Create a new self-hosted runner using the CircleCI web app. You can learn about self-hosted runners through CircleCI's documentation, which also has specific instructions for creating a runner on a Linux machine. Note that instead of using SSH to access your target, use BastionZero to create a shell session via zli connect {target-user}@{target-name}.

  3. You are ready to add your first job! Continue to the next section to see how you can access your BastionZero targets with CircleCI.

Access your BastionZero targets using your CircleCI runner.

Once you have your runner set up, it is time to give it a job. Although jobs are going to be very specific to your own workflows, we will show you how you can access your BastionZero targets using CircleCI runners and BastionZero service accounts.

If you have not created a BastionZero service account yet, follow these instructions to get started.

Copy and paste the config below into your /.circleci/config.yaml file. This job will first download the ZLI onto your target. Then, it will retrieve the BastionZero service account credentials from your Amazon Simple Storage Service (S3) bucket using the Amazon Web Services (AWS) credentials configured with CircleCI. Finally, it will log in to BastionZero as your BastionZero service account. From here, your service account can carry out any necessary tasks through BastionZero. Make sure you update the AWS URIs below to point at your S3 buckets.

Example ./circleci/config.yaml

version: 2.1

jobs:
  sa-example:
    # This example uses an Ubuntu 22.04 image provided by CircleCI
    machine:
      image: ubuntu-2204:2022.07.1
    steps:
      # Install the ZLI
      - run: sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E5C358E613982017
      - run: sudo add-apt-repository 'deb http://download-apt.bastionzero.com/production/apt-repo stable main' -y
      - run: sudo apt update
      - run: sudo apt install -y zli
      # Install the AWS CLI and download the credential files needed
      # for BastionZero service accounts
      - run: pip install awscli
      # Make sure to replace these URIs with your own
      - run: aws s3 cp s3://circle-ci-sa-example/provider-creds.json provider-creds.json
      - run: aws s3 cp s3://circle-ci-sa-example/bzero-creds.json bzero-creds.json
      # Log in as your BastionZero service account and list your targets
      - run: zli service-account login --providerCreds provider-creds.json --bzeroCreds bzero-creds.json
      - run: zli lt

workflows:
  sa-workflow:
    jobs:
      - sa-example

  1. To configure your AWS credentials with CircleCI, navigate to your project. Click the ellipsis to the right of your project name and select "Project Settings" -> "Environment Variables." Add two environment variables: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Ensure these AWS credentials have an Identity and Access Management (IAM) policy that allows access to the S3 bucket storing your BastionZero service account credentials.

  2. Commit your config once step 2 is complete and after you have substituted in the right URIs for fetching your BastionZero service account credentials. You should see CircleCI kick off a new workflow with your updated config almost immediately.
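The config above copies the two service-account credential files into the working directory of the job and leaves them there. The script below is an added example (not part of BastionZero's documentation) of a wrapper for those fetch-and-login steps that keeps the files in a private temp directory, checks each one before use, and deletes them when the login step finishes, whether it succeeded or not. The bucket name is assumed, and the checks rely on GNU find and python3 being present on the runner image.

```shell
#!/usr/bin/env bash
# Added example: wrapper for the "aws s3 cp" + "zli service-account login"
# steps of the CircleCI job. Not BastionZero's own code.
set -euo pipefail

# Assumed bucket name; replace with your own, as in the config above.
CRED_BUCKET="${CRED_BUCKET:-circle-ci-sa-example}"

# Return 0 only if FILE exists, is non-empty, is readable by the owner alone,
# and parses as JSON (both service-account credential files are JSON).
validate_cred_file() {
  local file="$1"
  [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
  # GNU find: -perm /077 matches if any group or other permission bit is set
  if [ -n "$(find "$file" -perm /077 2>/dev/null)" ]; then
    echo "group/world readable, refusing to use: $file" >&2; return 1
  fi
  python3 -c 'import json, sys; json.load(open(sys.argv[1]))' "$file" 2>/dev/null \
    || { echo "not valid JSON: $file" >&2; return 1; }
}

# Fetch both credential files into a private temp dir, validate them, log in,
# and always remove them afterwards (even if validation or login fails).
sa_login() {
  local dir
  dir="$(mktemp -d)"
  trap 'rm -rf "$dir"' EXIT
  umask 077   # files created from here on are mode 0600
  aws s3 cp "s3://${CRED_BUCKET}/provider-creds.json" "$dir/provider-creds.json"
  aws s3 cp "s3://${CRED_BUCKET}/bzero-creds.json"    "$dir/bzero-creds.json"
  validate_cred_file "$dir/provider-creds.json"
  validate_cred_file "$dir/bzero-creds.json"
  zli service-account login --providerCreds "$dir/provider-creds.json" \
                            --bzeroCreds "$dir/bzero-creds.json"
}

# Usage in the job: "- run: ./sa-login.sh login" in place of the four cp/login steps.
if [ "${1:-}" = "login" ]; then
  sa_login
fi
```

The ZLI session created by the login outlives the deleted files, so the later steps of the job (for example zli lt) run unchanged.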
