Enroll a server
To manage access to a server with Advanced Server Access, the server must be running the Advanced Server Access agent, and you must enroll the server into a project. Enrollment is the process where the Advanced Server Access agent configures a server to be managed by a specific project.
If you're using the default configurations, the agent will begin managing user accounts on your server, and enable client certificate authentication for SSH or RDP.
You can enroll servers by using an enrollment token or by attaching an Amazon Web Services (AWS) account to an Advanced Server Access project.
Enroll servers using an enrollment token
An enrollment token is a base64-encoded object with metadata that the Advanced Server Access agent can configure itself from.
To create an enrollment token for a project:
- Open the project from the Advanced Server Access dashboard.
- Switch to the Enrollment tab, then click Create Enrollment Token.
- Enter a description for the token based on its usage (for example, "First Production Buildout", or "Testing Advanced Server Access"). Click Submit to create the token.
- Copy your newly created token to the enrollment token path on the server either by using
your configuration management system (for example, Puppet, Chef, Ansible, and so on), or by writing it to a file.
- On Linux, the enrollment token path is /var/lib/sftd/enrollment.token
- On Windows, the enrollment token path is C:\windows\system32\config\systemprofile\AppData\Local\scaleft\enrollment.token
Enroll servers by attaching an AWS account to an Advanced Server Access project
Advanced Server Access supports optionally attaching an AWS account to an Advanced Server Access project.
The Advanced Server Access Server agent uses signed instance metadata from AWS to identify itself, and can automatically enroll into a project in your team.
This method is the best option to use when all of your AWS servers from a specific AWS account will only belong to one project. You can use this method to enroll servers into that project instead of using an enrollment token. For bare metal or on-premise servers, or when cloud metadata-based enrollment is not available, enroll servers using per-project enrollment tokens.
To attach an AWS account to an Advanced Server Access project:
- Sign in to the AWS console, click Support > Support Center, then locate your AWS account number.
- From the Advanced Server Access dashboard, browse to the desired project and click Add AWS Account. Enter your AWS account number you located in the previous step.
From this point forward, when the agent starts on a server that belongs to this AWS account, if the server has not been previously enrolled in Advanced Server Access, the agent submits signed AWS metadata from the server as proof of its identity, and enrolls it in your Advanced Server Access project.