CircleCI
Secure your CircleCI runners and use them to access your targets via BastionZero service accounts
This guide explains how to use BastionZero to secure your CircleCI runners and close off a vulnerable access point in your infrastructure. It also demonstrates how to leverage BastionZero service accounts to access your targets through CircleCI.
Get your target off the public internet.
The following example is for a Linux target. BastionZero also secures access to Kubernetes clusters, databases, and web servers.
To secure your Linux target with BastionZero, you will need to do the following:
1. Install the Zero Trust Command Line Interface (ZLI) on your local machine, if you have not already done so.
2. Install the BastionZero agent, bzero, on your target.
3. Register the agent with BastionZero.
4. Ensure that the appropriate users have access to your target via policy.
5. Verify your policy rules by connecting to your target using zli connect {target-user}@{target-name}.
Your target is now secured with BastionZero! Because the agent opens its own outbound connection to BastionZero, the target no longer needs any inbound access path: close any open ports (including the SSH port) and remove long-lived credentials, such as Secure Shell (SSH) keys, from the machine.
Set up your CircleCI runner.
After securing your target, we can set up the CircleCI runner. If you already have a config.yaml you would like to use, feel free to skip directly to the next section.
1. Create a new pipeline in CircleCI by connecting to a code repository of your choosing and either creating a new /.circleci/config.yaml or importing an existing one.
2. [Self-hosted runners only] Create a new self-hosted runner using the CircleCI web app. You can learn about self-hosted runners, including specific instructions for creating a runner on a Linux machine, in CircleCI's documentation. Note that instead of using SSH to reach the machine that will host the runner, use BastionZero to open a shell session via zli connect {target-user}@{target-name}; the runner host should be secured the same way as any other target.
You are ready to add your first job! Continue to the section below to see how you can access your BastionZero targets with CircleCI.
Access your BastionZero targets using your CircleCI runner.
Once you have your runner set up, it is time to give it a job. Although jobs are going to be very specific to your own workflows, we will show you how you can access your BastionZero targets using CircleCI runners and BastionZero's service accounts.
If you have not created a BastionZero service account yet, follow these instructions to get started.
1. Copy and paste the config below into your /.circleci/config.yaml file. The job first downloads the ZLI onto the runner (not onto your target; the runner is what needs the client). It then retrieves the BastionZero service account credentials from your Amazon Simple Storage Service (S3) bucket using the Amazon Web Services (AWS) credentials configured in CircleCI. Finally, it logs in to BastionZero as your service account. From there, the service account can carry out whatever tasks your workflow needs through BastionZero, subject to the policies you have granted it. Make sure you update the S3 URIs to point at your own bucket and objects.
2. Configure your AWS credentials in CircleCI: navigate to your project, click the ellipsis to the right of the project name, and select "Project Settings" -> "Environment Variables." Add two environment variables: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Scope the Identity and Access Management (IAM) policy attached to these credentials to the minimum the job needs: read access (s3:GetObject) to the specific objects holding your BastionZero service account credentials, and nothing else. Anyone who can edit this project's configuration can read these variables, so treat them with the same care as the service account credentials they protect, and never echo the downloaded credential files into job output.
3. Commit your config once step 2 is complete and after you have substituted in the right URIs for fetching your BastionZero service account credentials. You should see CircleCI kick off a new workflow with your updated config almost immediately.
Example /.circleci/config.yaml