Connecting To Your Resources
Connect to your resources
All connections to secured targets begin with a zli connect. In many cases, this will follow the format zli connect {target-name}. If the target has only one target role associated with it, BastionZero will assume that target role and try to establish a connection. If there are multiple target users for a single target, then the zli will prompt you to connect with the explicit user role. This will look like zli connect {user}@{target-name}.
To verify user roles or target names, run zli lt -d before your connect command.
Example output of zli lt -d

Remote Hosts

Start a shell session with your remote host using the zli.
    zli connect {target-name}
For example, if the remote host is named centos, connecting looks like zli connect centos.

Databases

Begin your connection to your database using the zli.
    zli connect {database target name}
For example, if the database target name is postgres, connecting looks like zli connect postgres.
The zli will return a local port number that can be used in your database client to connect. For example, if using psql, the command would be psql -U {username} -h localhost -p {port number}, where the port number was returned in the output of the zli connection command.

Kubernetes Clusters

  • Generate the kubeConfig to update your existing kubeConfig with the additional context needed to interact with the BastionZero agent. This command is similar to how configs are generated for other managed Kubernetes clusters. For example, the EKS equivalent is aws eks update-kubeconfig --name.
    zli generate kubeConfig --update
  • Verify your context has been updated. The bzero-context should be selected for use.
    kubectl config get-contexts
  • Connect to your cluster using the zli or natively through kubectl. To use the zli, substitute below where your {role} and {clustername} are the Kube role and cluster name you have configured in policy.
    zli connect {role}@{clustername}
The zli integration allows you to capture human-readable commands in the BastionZero logs (e.g., get pods), whereas kubectl commands will appear only as API calls.
To verify that the cluster is online (or if you've forgotten the cluster name or Kube role configured), run
    zli lt -d

Webservers

Connect to your webserver using the zli.
    zli connect {webserver-name}
For example, if the webserver target name is grafana, connecting looks like zli connect grafana.
Your default browser will launch a new tab or window with the connection to your webserver.

SSH & SSH Tunnels

Tunnel to a remote host using the zli.
If you have not configured your local machine to connect via tunnel, update your SSH configuration before connecting. This can be accomplished in two ways.
  1. Run the following and copy the output into your SSH config file.
    zli generate ssh-proxy
    The output will look like the following:
    Host bzero-*
    IdentityFile /Users/ansambor/Library/Preferences/bastionzero-zli-nodejs/bzero-temp-key
    ProxyCommand zli ssh-proxy -s %n %r %p /Users/ansambor/Library/Preferences/bastionzero-zli-nodejs/bzero-temp-key
  2. Use BastionZero to generate the SSH config updates for you and include them in your SSH config.
    zli generate sshConfig
Once this is complete, connect to any remote host natively using ssh by prefixing the hostname with bzero- so that it matches the Host bzero-* entry in your SSH config.
For example,
  • To begin a shell session as root to the target centos, this will look like ssh root@bzero-centos.
  • Tunneling to a remote server application may look like ssh -L 6100:127.0.0.1:5432 {user}@bzero-{target-name}.
  • Tunneling using a client browser to reach an HTTP application on your local network may look like ssh -L 8080:10.0.0.1:80 {user}@bzero-{target-name}.
For additional information on SSH tunnels, check out the SSH tunneling man page.
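The first SSH setup option above asks you to paste the zli ssh-proxy output into your SSH config by hand. The script below is an added example (not part of the BastionZero zli or this page) that does that paste idempotently: it appends the Host bzero-* stanza only if one is not already present and locks down the file permissions that ssh enforces. The stanza text is a constructed sample mirroring the page's output, and the key path is a placeholder.

```shell
#!/bin/sh
# Added example: idempotently install the "Host bzero-*" stanza that
# `zli generate ssh-proxy` prints into an SSH config file.

# Constructed sample of the zli ssh-proxy output; /path/to/bzero-temp-key is a placeholder
# for the real IdentityFile path shown by `zli generate ssh-proxy` on your machine.
BZERO_BLOCK='Host bzero-*
  IdentityFile /path/to/bzero-temp-key
  ProxyCommand zli ssh-proxy -s %n %r %p /path/to/bzero-temp-key'

# count_bzero_stanzas CONFIG_FILE
# Number of "Host bzero-*" stanzas in the file; exactly 1 is the healthy state.
count_bzero_stanzas() {
  grep -Ec '^[[:space:]]*Host[[:space:]]+bzero-\*' "$1"
}

# install_bzero_block CONFIG_FILE
# Appends $BZERO_BLOCK unless a "Host bzero-*" stanza already exists, then sets
# mode 600 (ssh refuses a config file that is writable by group or others).
# Prints "added" or "present" so a caller can tell which path was taken.
install_bzero_block() {
  cfg="$1"
  mkdir -p "$(dirname "$cfg")"
  [ -f "$cfg" ] || : > "$cfg"
  if grep -Eq '^[[:space:]]*Host[[:space:]]+bzero-\*' "$cfg"; then
    echo present
  else
    printf '\n%s\n' "$BZERO_BLOCK" >> "$cfg"
    echo added
  fi
  chmod 600 "$cfg"
}
```

Run it against a copy of ~/.ssh/config first; running it twice leaves a single stanza, which is what keeps ssh root@bzero-centos resolving through the ProxyCommand without duplicate Host entries shadowing each other.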