Services
Services allow you to authenticate and sign in to servers using a service user. This enables you to use the security of ephemeral certificates when building automation that requires access to remote servers.
Services example
Let's explore services with a basic example. Suppose you use your CI servers to deploy the latest build to your application servers. A typical solution for this would be to use static SSH keys without a passphrase and rely on SSH to perform whatever operations are required on the remote server. By defining a service in Advanced Server Access, you can eliminate the static credential and ensure that your CI user only has access to the production server when you intend it to.
Let's dive deeper into this example and explore how you could configure Jenkins to use service authentication to SSH to remote hosts.
Set up a server
To get started, configure the following:
- Install the Advanced Server Access agent and enroll the Jenkins server in Advanced Server Access.
- Install the Advanced Server Access client on the server.
- Identify the UID of the Jenkins user. For example, on Linux you can use a command similar to: id -u <username>
- Run sft proxycommand --config, and copy the output into the SSH configuration file for the Jenkins user (for example, /home/jenkins/.ssh/config). To fully use service authentication in Jenkins, configure an SSH proxy command for the Jenkins user so that you can transparently authenticate while using any command that relies on SSH.
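One way to script the last step so it can be re-run safely (an added example, not Okta's own tooling): the block read from stdin is written between marker comments, replaces any block from a previous run, and leaves the file owner-only. The marker text, the function names and the --apply argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Okta code. Marker text, function names and the --apply
# argument are assumptions of this sketch.
BEGIN_MARK="# BEGIN sft proxycommand (managed)"
END_MARK="# END sft proxycommand (managed)"

# install_proxy_block <ssh_config>: read the block from stdin and install it,
# replacing any block a previous run wrote. Other entries are left untouched.
install_proxy_block() {
    cfg=$1
    dir=$(dirname "$cfg")
    block=$(cat)
    # An empty block means the generating command failed; change nothing.
    [ -n "$block" ] || { echo "no proxycommand output; config unchanged" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -f "$cfg" ] || : > "$cfg"
    tmp=$(mktemp "$dir/config.XXXXXX") || return 1
    # Copy every line that sits outside the managed markers.
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\n%s\n%s\n' "$BEGIN_MARK" "$block" "$END_MARK" >> "$tmp"
    # ssh refuses a config that others can write; keep it owner-only, swap atomically.
    chmod 600 "$tmp" && mv "$tmp" "$cfg"
}

# count_managed_blocks <ssh_config>: number of managed blocks in the file.
count_managed_blocks() {
    grep -c -x -F -e "$BEGIN_MARK" "$1"
}

# Run as the service's local user (for example jenkins) with --apply.
if [ "${1:-}" = "--apply" ]; then
    sft proxycommand --config | install_proxy_block "$HOME/.ssh/config" || exit 1
    echo "UID to enter when adding the service: $(id -u)"
fi
```

If sft produces no output, the existing SSH configuration is left as it was and the script exits non-zero.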
Now you can create a service, which can securely authenticate to servers with Jenkins.
Create a service account
- Open the Advanced Server Access dashboard.
- Create a service user and add an API key to it. See Service users.
- Assign the service account to projects containing servers that Jenkins needs to communicate with.
Link the user to the service account
- In the Advanced Server Access dashboard, click Projects.
- Select the project where your Jenkins server is enrolled.
- Select Servers, and choose the Jenkins server on which to use the service user.
- Click Services, and then click Add Service.
- Select the service user that you created from the Service User dropdown, and then enter the Jenkins User UID.
- Click Submit.
You can now SSH to remote hosts managed by Advanced Server Access by using the sft ssh <server-name> command.