From c6a5e5fce8414eee289b55dbb39f94382176c1d1 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 5 May 2026 13:35:05 -0600 Subject: [PATCH 01/12] docs(sra): add tunnel connection limitations for session recording and secretless access (DOCS-418) --- docs/Secure Remote Access/index.md | 4 ++-- .../sra-admin-guides/sra-resource-types/sra-tunnels.md | 7 +++++++ .../sra-user-guides/sra-desktop-application-beta.md | 4 ++++ 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/docs/Secure Remote Access/index.md b/docs/Secure Remote Access/index.md index 627dc44c0..c84d6b876 100644 --- a/docs/Secure Remote Access/index.md +++ b/docs/Secure Remote Access/index.md 
@@ -41,8 +41,8 @@ Akeyless Secure Remote Access provides a robust set of features designed to supp 2. Rotated Secret Access: Privileged secrets can be used to access remote resources with the ability to automatically rotate the credentials once the session ends. 3. Support for Various Protocols: Akeyless supports a variety of protocols, including SSH, RDP, SQL, kubectl, and more. 4. Request for Access: Admins have the ability to enable an option for users to [request access](https://docs.akeyless.io/docs/request-access) for a specific resource on-demand, using a built-in approval workflow. -5. Audit and Session Management: Akeyless provides full session management with auditing and recording capabilities to keep you compliant. Session recordings and transcripts can be automatically exported to remote storage systems for long-term retention. -6. Granular RBAC: Access can be tightly scoped so that each user is granted only the necessary permissions to the specific targets or resources they need (Users are restricted from accessing anything beyond their defined scope). Users only need SRA permissions to initiate connections—without requiring any _Read_ access to the underlying secrets. +5. Audit and Session Management: Akeyless provides full session management with auditing and recording capabilities to keep you compliant. Session recordings and transcripts can be automatically exported to remote storage systems for long-term retention. **Note:** Session recording is not available for tunnel-based connections (including the Desktop Application), because end-to-end encryption prevents the bastion from inspecting the traffic. +6. Granular RBAC: Access can be tightly scoped so that each user is granted only the necessary permissions to the specific targets or resources they need (Users are restricted from accessing anything beyond their defined scope). 
For portal-based connections, users only need SRA permissions to initiate connections—without requiring any _Read_ access to the underlying secrets. **Note:** Secretless access does not apply to tunnel-based connections; those connections require explicit _Read_ permission on the secret item. 7. Native SSO integrations: SRA supports authentication by way of SSO protocols such as OIDC, SAML, and LDAP. 8. Multiple connection interfaces: WebUI, CLI, Desktop app diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-tunnels.md b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-tunnels.md index d76021cbb..c00535f3c 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-tunnels.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-tunnels.md @@ -20,6 +20,13 @@ While your local machine uses the [Akeyless Connect](https://docs.akeyless.io/do * The [Secure Remote Access server](https://docs.akeyless.io/docs/remote-access-setup-k8s) deployed. +## Limitations + +Because tunnel connections use end-to-end encryption between the client and the remote target, the SRA bastion cannot inspect the traffic. This has two important implications: + +* **No session recording**: Tunnel connections are not recorded. Traffic is encrypted between the client and the target, so the bastion cannot capture session content. +* **Secretless access is not supported**: Unlike [portal-based connections](https://docs.akeyless.io/docs/sra-portal), tunnels require the user to have explicit `Read` permission on the secret item in Akeyless. The bastion cannot inject credentials into the tunnel without the user being able to see them. + ## Usage > ⚠️ **Warning:** diff --git a/docs/Secure Remote Access/sra-user-guides/sra-desktop-application-beta.md b/docs/Secure Remote Access/sra-user-guides/sra-desktop-application-beta.md index 02816e9d9..7f7a0e0fd 100644 
--- a/docs/Secure Remote Access/sra-user-guides/sra-desktop-application-beta.md +++ b/docs/Secure Remote Access/sra-user-guides/sra-desktop-application-beta.md @@ -30,6 +30,10 @@ Who benefits from using this application? The Desktop Application creates a tunnel to the designated resource and securely injects the password. To support this process, any user working with the Desktop Application must have [read permission](https://docs.akeyless.io/docs/rbac#permissions-for-items-access-roles-auth-methods-and-targets) on the Secret Item. +> ℹ️ **Note (Tunnel-Based Connections):** +> +> The Desktop Application establishes connections by way of an encrypted tunnel. Because the bastion cannot inspect tunnel traffic, **session recordings are not captured** for Desktop Application sessions. Additionally, **secretless access does not apply**—users must have explicit `Read` permission on the secret item. See [Tunnels](https://docs.akeyless.io/docs/sra-tunnels) for details. + ## Installation Guide Download the relevant Desktop Application installer from ([https://download.akeyless.io/Akeyless_Artifacts/](https://download.akeyless.io/Akeyless_Artifacts/)). From 0d0f6891e979b44aaff9ddc20aec8ea14a0dd9e8 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 5 May 2026 15:50:46 -0600 Subject: [PATCH 02/12] docs(sra): update links to Web Access Bastion documentation across multiple files --- docs/Secure Remote Access/index.md | 2 +- .../sra-resource-types/sra-azure-portal.md | 6 +++--- .../sra-resource-types/sra-gcp-portal.md | 2 +- .../sra-resource-types/sra-k8s-cluster.md | 4 ++-- .../sra-resource-types/sra-rabbitmq.md | 4 ++-- .../sra-admin-guides/sra-resource-types/sra-ssh.md | 2 +- .../sra-resource-types/sra-tunnels.md | 4 ++-- .../sra-resource-types/sra-web-applications.md | 12 ++++++------ .../sra-setup/sra-setup-overview.md | 2 +- .../sra-user-guides/sra-portal.md | 2 +- 10 files changed, 20 insertions(+), 20 deletions(-) 
diff --git a/docs/Secure Remote Access/index.md b/docs/Secure Remote Access/index.md index c84d6b876..52cc680b8 100644 --- a/docs/Secure Remote Access/index.md +++ b/docs/Secure Remote Access/index.md @@ -82,6 +82,6 @@ Akeyless' Remote Access solution supports connections to the following resource ## Web Access -In addition, you can define Remote Access to external SaaS systems using the [Web Access Application](https://docs.akeyless.io/docs/web-access-on-k8s) as a separate deployment, not connected to the Gateway. This enables you to remotely access web-based applications in Isolated mode, which restricts user access to only the websites you determine, either while connected to a SaaS system or using a secure proxy mode to enable access for an internal resource from the external network. +In addition, you can define Remote Access to external SaaS systems using the [Web Access Application](https://docs.akeyless.io/docs/sra-web-access-on-k8s) as a separate deployment, not connected to the Gateway. This enables you to remotely access web-based applications in Isolated mode, which restricts user access to only the websites you determine, either while connected to a SaaS system or using a secure proxy mode to enable access for an internal resource from the external network. For details about the various Remote Access components, see [Overview Section](https://docs.akeyless.io/docs/sra-setup-overview). diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-azure-portal.md b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-azure-portal.md index 1333d5aae..ac5993cd6 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-azure-portal.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-azure-portal.md 
@@ -54,7 +54,7 @@ akeyless rotated-secret update azure \ where: -By default, access to the Azure portal will use direct network access mode. To work with Akeyless [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s) for session isolation or as a secure proxy entry point, please set **one** of the following: +By default, access to the Azure portal will use direct network access mode. To work with Akeyless [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s) for session isolation or as a secure proxy entry point, please set **one** of the following: * `secure-access-web-browsing`: Optional, secure browser by way of Akeyless Web Access Bastion. @@ -83,9 +83,9 @@ Let's set up remote access to the Azure Portal from the Akeyless Console. If you * `Direct connection`: Default, using a direct connection to AWS portal by way of Akeyless Secure Remote Access Bastion. - * `Secure Web Browsing`: Optional, only required to enable access to the Azure Portal in Isolated mode, which restricts user access to other websites while they are logged in to the portal. **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). + * `Secure Web Browsing`: Optional, only required to enable access to the Azure Portal in Isolated mode, which restricts user access to other websites while they are logged in to the portal. **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). - * `Secure Web Proxy`: Optional, secure web proxy mode **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). + * `Secure Web Proxy`: Optional, secure web proxy mode **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). 4. To the right of the **Enable Secure Remote Access** field, select the tick mark icon to save your changes. 
diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-gcp-portal.md b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-gcp-portal.md index 8329594b2..7e495cef5 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-gcp-portal.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-gcp-portal.md @@ -44,7 +44,7 @@ To enable Secure Remote Access to the GCP Portal you need: ![Illustration for: 3. On the next screen, tick the box to Enable Secure Remote Access and fill in the following fields for the Web Access option: Injection URL: The GCP login URL to inject…](https://files.readme.io/b0cf7f8-Screenshot_2024-07-08_at_17.13.30.png) - * `Secure Web Browsing`: Optional, secure web browsing over isolated web browser **available only with** [Zero Trust Web Access](https://docs.akeyless.io/docs/web-access-on-k8s). + * `Secure Web Browsing`: Optional, secure web browsing over isolated web browser **available only with** [Zero Trust Web Access](https://docs.akeyless.io/docs/sra-web-access-on-k8s). ### Secure Web Browsing (Isolated) diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-k8s-cluster.md b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-k8s-cluster.md index fd91c43d3..cd8f7d87d 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-k8s-cluster.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-k8s-cluster.md 
@@ -46,7 +46,7 @@ Where: For [Kubernetes Generic Dynamic Secrets](https://docs.akeyless.io/docs/k8s-generic-dynamic-secrets) you can have Secure Remote Access for your Kubernetes Dashboard URL: * `secure-access-dashboard-url`: The Kubernetes Dashboard URL available only for Generic Kubernetes. -* `secure-access-web-browsing`: Optional, secure web browsing over isolated web browser **available only for clients with** [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). +* `secure-access-web-browsing`: Optional, secure web browsing over isolated web browser **available only for clients with** [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). ## Set Up Remote Access to a Kubernetes Cluster from the Akeyless Console @@ -72,7 +72,7 @@ For **Web Access**: * `Dashboard URL`: Required to enable Secure Remote Access to your Kubernetes Dashboard. -* `Secure Web Browsing`: Optional, secure web browsing over isolated web browser **available only for clients with** [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). +* `Secure Web Browsing`: Optional, secure web browsing over isolated web browser **available only for clients with** [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). For **CLI Access**: diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-rabbitmq.md b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-rabbitmq.md index 048d564ae..74ee4a10e 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-rabbitmq.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-rabbitmq.md 
@@ -41,7 +41,7 @@ akeyless dynamic-secret update rabbitmq \ Where: * `secure-access-url`: The RabbitMQ URL to inject credentials. -* `secure-access-web-browsing`: Optional, secure web browsing over isolated web browser **available only for clients with** [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). +* `secure-access-web-browsing`: Optional, secure web browsing over isolated web browser **available only for clients with** [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). ## Set Up Remote Access to RabbitMQ from the Akeyless Console @@ -54,7 +54,7 @@ Let's set up remote access to RabbitMQ from the Akeyless Console. If you'd prefe 3. Click on the **Secure Remote Access** tab, select the pencil icon, and enable **Secure Remote Access**, then fill in the following fields: * `Injection URL`: Required, a RabbitMQ URL to inject credentials. - * `Secure Web Browsing`: Optional, secure web browsing over isolated web browser **available only for clients with** [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). + * `Secure Web Browsing`: Optional, secure web browsing over isolated web browser **available only for clients with** [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). 4. To the right of the **Enable Secure Remote Access** field, select the tick mark icon to save your changes. diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-ssh.md b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-ssh.md index 1b12f6b31..f39b95f73 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-ssh.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-ssh.md 
@@ -131,7 +131,7 @@ Akeyless enables CLI access from any Unix terminal. * `AKEYLESS_GW_REST_API`: URL for Akeyless API Gateway (REST API). -3. Use `akeyless connect` command to perform SSH authentication to the target server by way of Akeyless [Secure Remote Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s): +3. Use `akeyless connect` command to perform SSH authentication to the target server by way of Akeyless [Secure Remote Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s): ```shell General Template akeyless connect -t <[user@]target/hostname/ip[:port]> -n [/path/to/dynamic-secret] -g diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-tunnels.md b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-tunnels.md index c00535f3c..f44a5312b 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-tunnels.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-tunnels.md @@ -10,7 +10,7 @@ metadata: next: description: '' --- -Akeyless Secure Remote Access solution has a built-in `Tunnel` mode, which can be used to connect with various native and thick clients to remote hosts by way of Akeyless SRA SSH server, supported with a complete Audit Trail. +Akeyless Secure Remote Access solution has a built-in `Tunnel` mode, which can be used to connect with various native and thick clients to remote hosts by way of Akeyless SRA SSH server, supported with connection-level audit events. While your local machine uses the [Akeyless Connect](https://docs.akeyless.io/docs/sra-akeyless-connect) CLI, any thick client can be used to establish the connection to a remote server within your internal network by way of the Akeyless SRA SSH server. 
@@ -18,7 +18,7 @@ While your local machine uses the [Akeyless Connect](https://docs.akeyless.io/do * [Akeyless Connect](https://docs.akeyless.io/docs/sra-akeyless-connect) configured. -* The [Secure Remote Access server](https://docs.akeyless.io/docs/remote-access-setup-k8s) deployed. +* The [Secure Remote Access server](https://docs.akeyless.io/docs/sra-setup-k8s) deployed. ## Limitations diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-web-applications.md b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-web-applications.md index f947791f7..c9bbfe618 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-web-applications.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-web-applications.md @@ -26,7 +26,7 @@ The following browsing modes are available: ## Prerequisites -* The [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s) deployed. +* The [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s) deployed. * Akeyless [Browser Extension](https://docs.akeyless.io/docs/password-manager-web-extension). @@ -48,8 +48,8 @@ akeyless update-item --name / Where: * `secure-access-url`: The web application login URL to inject secret. -* `secure-access-web-browsing`: Optional, secure web browsing over isolated web browser **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). -* `secure-access-web-proxy`: Optional, secure web-proxy, **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). +* `secure-access-web-browsing`: Optional, secure web browsing over isolated web browser **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). +* `secure-access-web-proxy`: Optional, secure web-proxy, **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). > ⚠️ **Warning:** 
> @@ -71,12 +71,12 @@ Let's set up remote access to the web application from the Akeyless Console. If * `Injection URL`: The web application login URL to inject secrets. -* `Secure Web Browsing`: Optional, secure web browsing over an isolated web browser **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). +* `Secure Web Browsing`: Optional, secure web browsing over an isolated web browser **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). -* `Secure Web Proxy`: Optional, secure web proxy by way of the bastion, **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). +* `Secure Web Proxy`: Optional, secure web proxy by way of the bastion, **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). ### Secure Web Browsing (Isolated) -Secure Web Browsing available for applications any web application, includes, self managed Kubernetes dashboard URL, AWS and Azure Portal, those application can be accessed in isolated mode. This method adds an extra layer of security in the usage of credentials injection. This mode requires A [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). +Secure Web Browsing available for applications any web application, includes, self managed Kubernetes dashboard URL, AWS and Azure Portal, those application can be accessed in isolated mode. This method adds an extra layer of security in the usage of credentials injection. This mode requires A [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). All secrets which have **Secure Web Browsing** option enabled are marked with a badge in the Akeyless Secure Remote Access Portal. diff --git a/docs/Secure Remote Access/sra-setup/sra-setup-overview.md b/docs/Secure Remote Access/sra-setup/sra-setup-overview.md index 3fbae6e60..aa56d6624 100644 
--- a/docs/Secure Remote Access/sra-setup/sra-setup-overview.md +++ b/docs/Secure Remote Access/sra-setup/sra-setup-overview.md @@ -19,7 +19,7 @@ The Remote Access solution can be deployed in one of two methods: In this section, we will cover how to deploy Remote Access on each solution along with advanced configuration options. -We will also cover deploying the [Zero Trust Web Access](https://docs.akeyless.io/docs/web-access-on-k8s) component for connecting to web application targets from within an isolated browser. +We will also cover deploying the [Zero Trust Web Access](https://docs.akeyless.io/docs/sra-web-access-on-k8s) component for connecting to web application targets from within an isolated browser. Other features in this section include: diff --git a/docs/Secure Remote Access/sra-user-guides/sra-portal.md b/docs/Secure Remote Access/sra-user-guides/sra-portal.md index 5e3347264..d0bf6663f 100644 --- a/docs/Secure Remote Access/sra-user-guides/sra-portal.md +++ b/docs/Secure Remote Access/sra-user-guides/sra-portal.md 
@@ -27,7 +27,7 @@ Currently, the SRA Portal supports the following authentication methods: 1. Open the SRA Portal: `http://Your-Akeyless-Gateway-URL:8000/sra/portal` 2. Select the relevant authentication method. The default is **SAML**. Enter your SAML **Access ID**, or choose a different method. -3. If you are also working with [Zero Trust Web Access](https://docs.akeyless.io/docs/web-access-on-k8s), set the **Web Application Dispatcher** with the URL of your `web-access-dispatcher` cluster service; the default is `9000`. If you are working with Secure Proxy, also set the **Web Proxy URL** with the `web-access-dispatcher` cluster service port; the default is `19414`. +3. If you are also working with [Zero Trust Web Access](https://docs.akeyless.io/docs/sra-web-access-on-k8s), set the **Web Application Dispatcher** with the URL of your `web-access-dispatcher` cluster service; the default is `9000`. If you are working with Secure Proxy, also set the **Web Proxy URL** with the `web-access-dispatcher` cluster service port; the default is `19414`. 4. Click the **Generate SAML Bookmark URL** to create a link to the completed form. The link is copied to your clipboard for you to save in a convenient place, such as your browser bookmarks, and use in the future to automatically complete the login details. 5. Click **Sign in**. From 7431a7fe427ff04346e6ca569285babf2da9fae1 Mon Sep 17 00:00:00 2001 
From: Harrison Sherwin - Akeyless Date: Tue, 5 May 2026 15:53:34 -0600 Subject: [PATCH 03/12] docs(sra): update links to Web Access Bastion documentation across multiple files --- docs/Secure Remote Access/index.md | 2 +- .../sra-resource-types/sra-azure-portal.md | 6 +++--- .../sra-resource-types/sra-gcp-portal.md | 2 +- .../sra-resource-types/sra-k8s-cluster.md | 4 ++-- .../sra-resource-types/sra-rabbitmq.md | 4 ++-- .../sra-admin-guides/sra-resource-types/sra-ssh.md | 2 +- .../sra-resource-types/sra-web-applications.md | 12 ++++++------ .../sra-setup/sra-setup-overview.md | 2 +- .../sra-user-guides/sra-portal.md | 2 +- 9 files changed, 18 insertions(+), 18 deletions(-) diff --git a/docs/Secure Remote Access/index.md b/docs/Secure Remote Access/index.md index 52cc680b8..c84d6b876 100644 --- a/docs/Secure Remote Access/index.md +++ b/docs/Secure Remote Access/index.md 
@@ -82,6 +82,6 @@ Akeyless' Remote Access solution supports connections to the following resource ## Web Access -In addition, you can define Remote Access to external SaaS systems using the [Web Access Application](https://docs.akeyless.io/docs/sra-web-access-on-k8s) as a separate deployment, not connected to the Gateway. This enables you to remotely access web-based applications in Isolated mode, which restricts user access to only the websites you determine, either while connected to a SaaS system or using a secure proxy mode to enable access for an internal resource from the external network. +In addition, you can define Remote Access to external SaaS systems using the [Web Access Application](https://docs.akeyless.io/docs/web-access-on-k8s) as a separate deployment, not connected to the Gateway. This enables you to remotely access web-based applications in Isolated mode, which restricts user access to only the websites you determine, either while connected to a SaaS system or using a secure proxy mode to enable access for an internal resource from the external network. For details about the various Remote Access components, see [Overview Section](https://docs.akeyless.io/docs/sra-setup-overview). diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-azure-portal.md b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-azure-portal.md index ac5993cd6..1333d5aae 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-azure-portal.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-azure-portal.md 
@@ -54,7 +54,7 @@ akeyless rotated-secret update azure \ where: -By default, access to the Azure portal will use direct network access mode. To work with Akeyless [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s) for session isolation or as a secure proxy entry point, please set **one** of the following: +By default, access to the Azure portal will use direct network access mode. To work with Akeyless [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s) for session isolation or as a secure proxy entry point, please set **one** of the following: * `secure-access-web-browsing`: Optional, secure browser by way of Akeyless Web Access Bastion. @@ -83,9 +83,9 @@ Let's set up remote access to the Azure Portal from the Akeyless Console. If you * `Direct connection`: Default, using a direct connection to AWS portal by way of Akeyless Secure Remote Access Bastion. - * `Secure Web Browsing`: Optional, only required to enable access to the Azure Portal in Isolated mode, which restricts user access to other websites while they are logged in to the portal. **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). + * `Secure Web Browsing`: Optional, only required to enable access to the Azure Portal in Isolated mode, which restricts user access to other websites while they are logged in to the portal. **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). - * `Secure Web Proxy`: Optional, secure web proxy mode **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). + * `Secure Web Proxy`: Optional, secure web proxy mode **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). 4. To the right of the **Enable Secure Remote Access** field, select the tick mark icon to save your changes. 
diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-gcp-portal.md b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-gcp-portal.md index 7e495cef5..8329594b2 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-gcp-portal.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-gcp-portal.md @@ -44,7 +44,7 @@ To enable Secure Remote Access to the GCP Portal you need: ![Illustration for: 3. On the next screen, tick the box to Enable Secure Remote Access and fill in the following fields for the Web Access option: Injection URL: The GCP login URL to inject…](https://files.readme.io/b0cf7f8-Screenshot_2024-07-08_at_17.13.30.png) - * `Secure Web Browsing`: Optional, secure web browsing over isolated web browser **available only with** [Zero Trust Web Access](https://docs.akeyless.io/docs/sra-web-access-on-k8s). + * `Secure Web Browsing`: Optional, secure web browsing over isolated web browser **available only with** [Zero Trust Web Access](https://docs.akeyless.io/docs/web-access-on-k8s). ### Secure Web Browsing (Isolated) diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-k8s-cluster.md b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-k8s-cluster.md index cd8f7d87d..fd91c43d3 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-k8s-cluster.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-k8s-cluster.md 
@@ -46,7 +46,7 @@ Where: For [Kubernetes Generic Dynamic Secrets](https://docs.akeyless.io/docs/k8s-generic-dynamic-secrets) you can have Secure Remote Access for your Kubernetes Dashboard URL: * `secure-access-dashboard-url`: The Kubernetes Dashboard URL available only for Generic Kubernetes. -* `secure-access-web-browsing`: Optional, secure web browsing over isolated web browser **available only for clients with** [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). +* `secure-access-web-browsing`: Optional, secure web browsing over isolated web browser **available only for clients with** [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). ## Set Up Remote Access to a Kubernetes Cluster from the Akeyless Console @@ -72,7 +72,7 @@ For **Web Access**: * `Dashboard URL`: Required to enable Secure Remote Access to your Kubernetes Dashboard. -* `Secure Web Browsing`: Optional, secure web browsing over isolated web browser **available only for clients with** [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). +* `Secure Web Browsing`: Optional, secure web browsing over isolated web browser **available only for clients with** [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). For **CLI Access**: diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-rabbitmq.md b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-rabbitmq.md index 74ee4a10e..048d564ae 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-rabbitmq.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-rabbitmq.md 
@@ -41,7 +41,7 @@ akeyless dynamic-secret update rabbitmq \ Where: * `secure-access-url`: The RabbitMQ URL to inject credentials. -* `secure-access-web-browsing`: Optional, secure web browsing over isolated web browser **available only for clients with** [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). +* `secure-access-web-browsing`: Optional, secure web browsing over isolated web browser **available only for clients with** [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). ## Set Up Remote Access to RabbitMQ from the Akeyless Console @@ -54,7 +54,7 @@ Let's set up remote access to RabbitMQ from the Akeyless Console. If you'd prefe 3. Click on the **Secure Remote Access** tab, select the pencil icon, and enable **Secure Remote Access**, then fill in the following fields: * `Injection URL`: Required, a RabbitMQ URL to inject credentials. - * `Secure Web Browsing`: Optional, secure web browsing over isolated web browser **available only for clients with** [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). + * `Secure Web Browsing`: Optional, secure web browsing over isolated web browser **available only for clients with** [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). 4. To the right of the **Enable Secure Remote Access** field, select the tick mark icon to save your changes. diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-ssh.md b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-ssh.md index f39b95f73..1b12f6b31 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-ssh.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-ssh.md 
@@ -131,7 +131,7 @@ Akeyless enables CLI access from any Unix terminal. * `AKEYLESS_GW_REST_API`: URL for Akeyless API Gateway (REST API). -3. Use `akeyless connect` command to perform SSH authentication to the target server by way of Akeyless [Secure Remote Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s): +3. Use `akeyless connect` command to perform SSH authentication to the target server by way of Akeyless [Secure Remote Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s): ```shell General Template akeyless connect -t <[user@]target/hostname/ip[:port]> -n [/path/to/dynamic-secret] -g diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-web-applications.md b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-web-applications.md index c9bbfe618..f947791f7 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-web-applications.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-web-applications.md @@ -26,7 +26,7 @@ The following browsing modes are available: ## Prerequisites -* The [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s) deployed. +* The [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s) deployed. * Akeyless [Browser Extension](https://docs.akeyless.io/docs/password-manager-web-extension). 
@@ -48,8 +48,8 @@ akeyless update-item --name / Where: * `secure-access-url`: The web application login URL to inject secret. -* `secure-access-web-browsing`: Optional, secure web browsing over isolated web browser **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). -* `secure-access-web-proxy`: Optional, secure web-proxy, **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). +* `secure-access-web-browsing`: Optional, secure web browsing over isolated web browser **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). +* `secure-access-web-proxy`: Optional, secure web-proxy, **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). > ⚠️ **Warning:** 
> @@ -71,12 +71,12 @@ Let's set up remote access to the web application from the Akeyless Console. If * `Injection URL`: The web application login URL to inject secrets. -* `Secure Web Browsing`: Optional, secure web browsing over an isolated web browser **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). +* `Secure Web Browsing`: Optional, secure web browsing over an isolated web browser **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). -* `Secure Web Proxy`: Optional, secure web proxy by way of the bastion, **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). +* `Secure Web Proxy`: Optional, secure web proxy by way of the bastion, **available only with** [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). ### Secure Web Browsing (Isolated) -Secure Web Browsing available for applications any web application, includes, self managed Kubernetes dashboard URL, AWS and Azure Portal, those application can be accessed in isolated mode. This method adds an extra layer of security in the usage of credentials injection. This mode requires A [Web Access Bastion](https://docs.akeyless.io/docs/sra-web-access-on-k8s). +Secure Web Browsing available for applications any web application, includes, self managed Kubernetes dashboard URL, AWS and Azure Portal, those application can be accessed in isolated mode. This method adds an extra layer of security in the usage of credentials injection. This mode requires A [Web Access Bastion](https://docs.akeyless.io/docs/web-access-on-k8s). All secrets which have **Secure Web Browsing** option enabled are marked with a badge in the Akeyless Secure Remote Access Portal. diff --git a/docs/Secure Remote Access/sra-setup/sra-setup-overview.md b/docs/Secure Remote Access/sra-setup/sra-setup-overview.md index aa56d6624..3fbae6e60 100644 
--- a/docs/Secure Remote Access/sra-setup/sra-setup-overview.md +++ b/docs/Secure Remote Access/sra-setup/sra-setup-overview.md @@ -19,7 +19,7 @@ The Remote Access solution can be deployed in one of two methods: In this section, we will cover how to deploy Remote Access on each solution along with advanced configuration options. -We will also cover deploying the [Zero Trust Web Access](https://docs.akeyless.io/docs/sra-web-access-on-k8s) component for connecting to web application targets from within an isolated browser. +We will also cover deploying the [Zero Trust Web Access](https://docs.akeyless.io/docs/web-access-on-k8s) component for connecting to web application targets from within an isolated browser. Other features in this section include: diff --git a/docs/Secure Remote Access/sra-user-guides/sra-portal.md b/docs/Secure Remote Access/sra-user-guides/sra-portal.md index d0bf6663f..5e3347264 100644 --- a/docs/Secure Remote Access/sra-user-guides/sra-portal.md +++ b/docs/Secure Remote Access/sra-user-guides/sra-portal.md 
@@ -27,7 +27,7 @@ Currently, the SRA Portal supports the following authentication methods: 1. Open the SRA Portal: `http://Your-Akeyless-Gateway-URL:8000/sra/portal` 2. Select the relevant authentication method. The default is **SAML**. Enter your SAML **Access ID**, or choose a different method. -3. If you are also working with [Zero Trust Web Access](https://docs.akeyless.io/docs/sra-web-access-on-k8s), set the **Web Application Dispatcher** with the URL of your `web-access-dispatcher` cluster service; the default is `9000`. If you are working with Secure Proxy, also set the **Web Proxy URL** with the `web-access-dispatcher` cluster service port; the default is `19414`. +3. If you are also working with [Zero Trust Web Access](https://docs.akeyless.io/docs/web-access-on-k8s), set the **Web Application Dispatcher** with the URL of your `web-access-dispatcher` cluster service; the default is `9000`. If you are working with Secure Proxy, also set the **Web Proxy URL** with the `web-access-dispatcher` cluster service port; the default is `19414`. 4. Click the **Generate SAML Bookmark URL** to create a link to the completed form. The link is copied to your clipboard for you to save in a convenient place, such as your browser bookmarks, and use in the future to automatically complete the login details. 5. Click **Sign in**. From 53cbcbe72fa7c026cffe9ad2a91393c6282bd2fc Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Mon, 11 May 2026 12:30:41 -0600 Subject: [PATCH 04/12] docs: align Read permission formatting in SRA index --- docs/Secure Remote Access/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Secure Remote Access/index.md b/docs/Secure Remote Access/index.md index c84d6b876..0e16872df 100644 --- a/docs/Secure Remote Access/index.md +++ b/docs/Secure Remote Access/index.md 
@@ -42,7 +42,7 @@ Akeyless Secure Remote Access provides a robust set of features designed to supp 3. Support for Various Protocols: Akeyless supports a variety of protocols, including SSH, RDP, SQL, kubectl, and more. 4. Request for Access: Admins have the ability to enable an option for users to [request access](https://docs.akeyless.io/docs/request-access) for a specific resource on-demand, using a built-in approval workflow. 5. Audit and Session Management: Akeyless provides full session management with auditing and recording capabilities to keep you compliant. Session recordings and transcripts can be automatically exported to remote storage systems for long-term retention. **Note:** Session recording is not available for tunnel-based connections (including the Desktop Application), because end-to-end encryption prevents the bastion from inspecting the traffic. -6. Granular RBAC: Access can be tightly scoped so that each user is granted only the necessary permissions to the specific targets or resources they need (Users are restricted from accessing anything beyond their defined scope). For portal-based connections, users only need SRA permissions to initiate connections—without requiring any _Read_ access to the underlying secrets. **Note:** Secretless access does not apply to tunnel-based connections; those connections require explicit _Read_ permission on the secret item. +6. Granular RBAC: Access can be tightly scoped so that each user is granted only the necessary permissions to the specific targets or resources they need (Users are restricted from accessing anything beyond their defined scope). For portal-based connections, users only need SRA permissions to initiate connections—without requiring any `Read` access to the underlying secrets. **Note:** Secretless access does not apply to tunnel-based connections; those connections require explicit `Read` permission on the secret item. 7. 
Native SSO integrations: SRA supports authentication by way of SSO protocols such as OIDC, SAML, and LDAP. 8. Multiple connection interfaces: WebUI, CLI, Desktop app From 79166cf1dedde2cdcf7e3ca59796adb18f9db757 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Mon, 11 May 2026 13:15:50 -0600 Subject: [PATCH 05/12] DOCS-729: integrate docs updates into SRA pages --- .../how-to-create-dynamic-secret/gcp-dynamic-secrets.md | 2 ++ .../sra-session-management/sra-rdp-recordings.md | 8 +++++--- .../sra-setup/sra-web-access-on-k8s/index.md | 4 ++++ 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/docs/Secrets Management/how-to-create-dynamic-secret/gcp-dynamic-secrets.md b/docs/Secrets Management/how-to-create-dynamic-secret/gcp-dynamic-secrets.md index d2c924cbf..12613450e 100644 --- a/docs/Secrets Management/how-to-create-dynamic-secret/gcp-dynamic-secrets.md +++ b/docs/Secrets Management/how-to-create-dynamic-secret/gcp-dynamic-secrets.md @@ -188,6 +188,8 @@ akeyless dynamic-secret get-value --name 3. Define a **Name** of the dynamic secret, and specify the **Location** as a path to the virtual folder where you want to create the new dynamic secret, using slash `/` separators. If the folder does not exist, it will be created together with the dynamic secret. + The Location determines where the dynamic secret appears in the Items hierarchy, so use the path that matches the folder structure you want users to see. + 4. Define the remaining parameters as follows: * **Delete Protection:** When enabled, it protects the secret from accidental deletion. diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md index ff8cfadf5..603474b53 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md 
+++ b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md @@ -12,6 +12,8 @@ next: --- RDP Session Recording is managed entirely through your Gateway's console under the **Remote Access** section in the Gateway settings. These sessions generate video recordings that can be uploaded to **AWS S3**, **S3-compatible object storage** (for example, NetApp StorageGRID), or **Azure Blob Storage** for secure storage, or can be saved locally. +Current releases support configurable recording quality, compression, and encryption for stored sessions. + ## Session Recording SRA supports the recording of RDP sessions. You can choose to store RDP Session Recordings by clicking **Remote Access -> Session Recording -> RDP Recordings**, clicking the slider to Enable, and then choosing the location to keep the recordings of those sessions. @@ -32,11 +34,11 @@ Optionally compress the encoded video file using `GZIP`. * **When to use:** Enable compression to reduce storage footprint, especially for long sessions. -#### Encryption (AES) +#### Encryption -Protect recordings at rest with AES-based encryption. +Protect recordings at rest with encryption. -* **Algorithm:** **AES** (Akeyless supported key types). +* **Algorithm:** Encryption uses Akeyless supported key types. * **Scope:** Entire video payload is encrypted after encoding (and after optional compression). * **Access:** Only authorized users with the appropriate permissions can decrypt and access the file. diff --git a/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md b/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md index cf463f599..c84bd9a76 100644 --- a/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md +++ b/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md 
@@ -14,6 +14,8 @@ Akeyless Zero Trust Web Access Bastion provides Secure Remote Access to internal This deployment can route sessions through an isolated remote browser or directly to the target server, based on secret configuration and policy. +Current releases also keep the non-privileged deployment model intact, so you do not need to add a port `80` binding for the chart to run. + This chart bootstraps the `Akeyless-Web-Access-Bastion` deployment on Kubernetes with Helm. ## Before you begin @@ -109,6 +111,8 @@ The chart exposes resource requests and limits for workload and init containers. The chart templates also configure non-root execution for Web Dispatcher and Web Worker containers. +Current releases also support recording workflows with configurable quality, compression, and encryption for stored sessions. + Do not override default user or group security context values unless directed by Akeyless Support. Use this baseline for environments with strict Kubernetes admission policies: From dce1de7e14defb8010a3f807473adcd586f67413 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Mon, 11 May 2026 13:19:03 -0600 Subject: [PATCH 06/12] docs(sra): refine wording for clarity in RDP recordings and web access documentation --- .../sra-session-management/sra-rdp-recordings.md | 2 +- .../sra-setup/sra-web-access-on-k8s/index.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md index 603474b53..e44eccbf0 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md 
@@ -12,7 +12,7 @@ next: --- RDP Session Recording is managed entirely through your Gateway's console under the **Remote Access** section in the Gateway settings. These sessions generate video recordings that can be uploaded to **AWS S3**, **S3-compatible object storage** (for example, NetApp StorageGRID), or **Azure Blob Storage** for secure storage, or can be saved locally. -Current releases support configurable recording quality, compression, and encryption for stored sessions. +RDP recordings support configurable quality, compression, and encryption for stored sessions. ## Session Recording diff --git a/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md b/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md index c84bd9a76..b3e4fb8ac 100644 --- a/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md +++ b/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md @@ -14,7 +14,7 @@ Akeyless Zero Trust Web Access Bastion provides Secure Remote Access to internal This deployment can route sessions through an isolated remote browser or directly to the target server, based on secret configuration and policy. -Current releases also keep the non-privileged deployment model intact, so you do not need to add a port `80` binding for the chart to run. +The non-privileged deployment model is supported, so you do not need to add a port `80` binding for the chart to run. This chart bootstraps the `Akeyless-Web-Access-Bastion` deployment on Kubernetes with Helm. 
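Review bot: In the `@@ -14,7 +14,7 @@` hunk of sra-web-access-on-k8s/index.md, "The non-privileged deployment model is supported" reads as an opt-in mode, while the context line in the `@@ -111,7 +111,7 @@` hunk of the same file says the chart templates already configure non-root execution for the Web Dispatcher and Web Worker containers. If non-root is the default, say so directly, and name the port the service listens on in place of `80` so operators writing admission or network policy do not have to infer it.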
@@ -111,7 +111,7 @@ The chart exposes resource requests and limits for workload and init containers. The chart templates also configure non-root execution for Web Dispatcher and Web Worker containers. -Current releases also support recording workflows with configurable quality, compression, and encryption for stored sessions. +Recording workflows support configurable quality, compression, and encryption for stored sessions. Do not override default user or group security context values unless directed by Akeyless Support. From 552bb19deeeab4773c9d39a1cc86beb55a5178ff Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 16:25:44 -0600 Subject: [PATCH 07/12] docs(sra): distinguish RDP and web access session recording --- .../sra-admin-guides/sra-session-management/index.md | 6 +++++- .../sra-setup/sra-web-access-on-k8s/index.md | 4 +++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/index.md b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/index.md index dbc2b73a6..bfad39233 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/index.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/index.md 
@@ -12,7 +12,7 @@ next: --- Session Management provides users with full control over how session activities are recorded, stored, and forwarded for auditing and analysis. Through the platform’s UI, users can enable session recording and configure how session data is forwarded to external systems. -Key actions include enabling session recording for various types of remote access sessions, configuring log forwarding for CLI-based sessions, and managing video recordings for RDP sessions. +Key actions include enabling session recording for various types of remote access sessions, configuring log forwarding for CLI-based sessions, and managing video recordings for RDP and web-access sessions. ## Session Recording @@ -22,6 +22,10 @@ Key actions include enabling session recording for various types of remote acces SRA allows you to automatically upload and store these video recordings in secure locations such as AWS S3 or Azure Blob Storage for long-term retention and review, or you can store them locally on the server. +### Web Access Session Recording + +[Web access session recording](https://docs.akeyless.io/docs/sra-web-access-on-k8s) refers to the process of capturing browser-based web access sessions in Zero Trust Web Access (ZTWA). These recordings preserve the interactive web session and can be stored with the ZTWA deployment configuration. + ### Terminal-Based Sessions For terminal-based sessions (such as SSH, DB, and Kubernetes), the system records a full transcript of the commands entered and their corresponding outputs. This data can be forwarded to external systems like Splunk, Elasticsearch, or by way of Syslog for monitoring and archiving. See more [here](https://docs.akeyless.io/docs/sra-session-forwarding). diff --git a/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md b/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md index b3e4fb8ac..64fa7a833 100644 
--- a/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md +++ b/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md @@ -16,6 +16,8 @@ This deployment can route sessions through an isolated remote browser or directl The non-privileged deployment model is supported, so you do not need to add a port `80` binding for the chart to run. +ZTWA session recording captures browser-based web access sessions and supports configurable quality, compression, and encryption for stored recordings. + This chart bootstraps the `Akeyless-Web-Access-Bastion` deployment on Kubernetes with Helm. ## Before you begin @@ -111,7 +113,7 @@ The chart exposes resource requests and limits for workload and init containers. The chart templates also configure non-root execution for Web Dispatcher and Web Worker containers. -Recording workflows support configurable quality, compression, and encryption for stored sessions. +ZTWA session recordings support configurable quality, compression, and encryption for stored sessions. Do not override default user or group security context values unless directed by Akeyless Support. From 884565f942b8ce30db9337c346f01e7ec3af5e48 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 16:28:35 -0600 Subject: [PATCH 08/12] docs(sra): document full ZTWA session recording configuration --- .../sra-session-management/index.md | 2 + .../sra-setup/sra-web-access-on-k8s/index.md | 71 +++++++++++++++++++ 2 files changed, 73 insertions(+) diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/index.md b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/index.md index bfad39233..496841c54 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/index.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/index.md 
@@ -26,6 +26,8 @@ SRA allows you to automatically upload and store these video recordings in secur [Web access session recording](https://docs.akeyless.io/docs/sra-web-access-on-k8s) refers to the process of capturing browser-based web access sessions in Zero Trust Web Access (ZTWA). These recordings preserve the interactive web session and can be stored with the ZTWA deployment configuration. +For full recording configuration options (quality, upload destination, compression, encryption, watchdog controls, and service-level overrides), see [Zero Trust Web Access on K8s](https://docs.akeyless.io/docs/sra-web-access-on-k8s). + ### Terminal-Based Sessions For terminal-based sessions (such as SSH, DB, and Kubernetes), the system records a full transcript of the commands entered and their corresponding outputs. This data can be forwarded to external systems like Splunk, Elasticsearch, or by way of Syslog for monitoring and archiving. See more [here](https://docs.akeyless.io/docs/sra-session-forwarding). diff --git a/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md b/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md index 64fa7a833..fd040d103 100644 --- a/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md +++ b/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md 
@@ -232,6 +232,77 @@ env: value: "https://vault.akeyless.io" ``` +### Web access session recording configuration + +Use the `sessionRecording` block to configure browser-based session recording for ZTWA. + +```yaml +sessionRecording: + enabled: true + quality: "360p" # 144p | 240p | 360p | 480p | 720p | 1080p + upload: + enabled: true + s3Bucket: "" + s3Region: "" + s3Prefix: "" + s3Endpoint: "" + compress: false + sse: + type: "" # "" | sse-s3 | sse-kms + kmsKeyId: "" + existingSecretNames: + s3: "" + s3AccessKeyIdKey: "access-key-id" + s3SecretAccessKeyKey: "secret-access-key" +``` + +When enabled, the worker captures the browser session and the dispatcher prepares the upload artifact and uploads it to S3 or S3-compatible storage. + +#### Recording quality + +Set `sessionRecording.quality` to one of: + +* `144p` +* `240p` +* `360p` +* `480p` +* `720p` +* `1080p` + +#### Upload and encryption options + +Use `sessionRecording.upload` to control destination and storage behavior: + +* `enabled`: Turn upload on or off. +* `s3Bucket`, `s3Region`, `s3Prefix`: Destination bucket and object path. +* `s3Endpoint`: Optional custom endpoint for S3-compatible platforms. +* `compress`: Gzip-compress before upload. +* `sse.type`: Server-side encryption mode (`sse-s3` or `sse-kms`). +* `sse.kmsKeyId`: KMS key ID or ARN when `sse-kms` is used. + +#### Credentials source + +Provide S3 credentials by using `sessionRecording.upload.existingSecretNames.s3`. + +If the secret is not set, the deployment falls back to the AWS default credential chain. + +#### Worker lifecycle watchdog controls + +Use `sessionRecording.watchdog` to tune long-running recording behavior: + +* `clientConnectTimeoutSeconds`: Timeout for initial browser websocket connection. +* `intervalSeconds`: How often watchdog checks run. +* `maxDurationSeconds`: Maximum wall-clock duration for one recording. 
+ +#### Service-specific recording overrides + +For advanced setups, service-level `recording` blocks can override part of the top-level `sessionRecording` config: + +* `dispatcher.config.recording`: upload-related override fields for the dispatcher. +* `webWorker.config.recording`: capture-related override fields (`enabled`, `quality`) for workers. + +Use these only when you need per-service behavior that differs from the shared `sessionRecording` defaults. + ### HTTP proxy mode To enable HTTP proxy mode for remote access, set `WEB_PROXY_TYPE` in dispatcher `env`. From 8c25d751de08b59483be31c5df19949f91b52f84 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 16:34:47 -0600 Subject: [PATCH 09/12] docs(sra): add dedicated recording pages for RDP and web access --- .../sra-session-management/_order.yaml | 2 + .../sra-session-management/index.md | 10 +- .../sra-rdp-recordings.md | 4 + .../sra-rdp-session-recording.md | 108 ++++++++++++++++++ .../sra-web-access-session-recording.md | 104 +++++++++++++++++ .../sra-setup/sra-web-access-on-k8s/index.md | 2 + 6 files changed, 227 insertions(+), 3 deletions(-) create mode 100644 docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-session-recording.md create mode 100644 docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-web-access-session-recording.md diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/_order.yaml b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/_order.yaml index 014cb33d2..6ef1f26ba 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/_order.yaml +++ b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/_order.yaml @@ -1,3 +1,5 @@ - sra-sessions-overview - sra-session-forwarding - sra-rdp-recordings +- sra-rdp-session-recording +- sra-web-access-session-recording 
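Review bot: In the `sessionRecording` example added to sra-web-access-on-k8s/index.md (`@@ -232,6 +232,77 @@`), upload is switched on with `upload.enabled: true` while `sse.type` is `""` and `s3Bucket` and `s3Region` are empty, so a copy-pasted block describes uploads with no server-side encryption mode selected and no destination. Show a filled-in example with `sse.type` set to `sse-s3` or `sse-kms`, or state what an empty `sse.type` means for the stored object. The `sessionRecording.watchdog` keys (`clientConnectTimeoutSeconds`, `intervalSeconds`, `maxDurationSeconds`) are described in the bullets but are missing from the YAML block and have no defaults listed; add them to the example with their default values.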
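Review bot: In `_order.yaml`, `sra-rdp-session-recording` is added alongside the existing `sra-rdp-recordings`, which leaves two RDP recording pages in the navigation, and the note this same commit adds to sra-rdp-recordings.md already calls the new page "the complete, current RDP recording reference". Either fold the older page into the new one or mark it with the `hidden` or `deprecated` frontmatter fields that the new page's header shows, so readers do not configure recording from the older copy.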
diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/index.md b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/index.md index 496841c54..e284b47e5 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/index.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/index.md 
@@ -18,20 +18,24 @@ Key actions include enabling session recording for various types of remote acces ### RDP Session Recording -[RDP session recording](https://docs.akeyless.io/docs/sra-rdp-recordings) refers to the process of capturing and storing the activities that occur during a Remote Desktop Protocol (RDP) session. These recordings create a video file of the entire session, preserving all user interactions within the remote desktop environment. +[RDP session recording](https://docs.akeyless.io/docs/sra-rdp-session-recording) refers to the process of capturing and storing the activities that occur during a Remote Desktop Protocol (RDP) session. These recordings create a video file of the entire session, preserving all user interactions within the remote desktop environment. SRA allows you to automatically upload and store these video recordings in secure locations such as AWS S3 or Azure Blob Storage for long-term retention and review, or you can store them locally on the server. ### Web Access Session Recording -[Web access session recording](https://docs.akeyless.io/docs/sra-web-access-on-k8s) refers to the process of capturing browser-based web access sessions in Zero Trust Web Access (ZTWA). These recordings preserve the interactive web session and can be stored with the ZTWA deployment configuration. +[Web access session recording](https://docs.akeyless.io/docs/sra-web-access-session-recording) refers to the process of capturing browser-based web access sessions in Zero Trust Web Access (ZTWA). These recordings preserve the interactive web session and can be stored with the ZTWA deployment configuration. -For full recording configuration options (quality, upload destination, compression, encryption, watchdog controls, and service-level overrides), see [Zero Trust Web Access on K8s](https://docs.akeyless.io/docs/sra-web-access-on-k8s). 
+For full recording configuration options (quality, upload destination, compression, encryption, watchdog controls, and service-level overrides), see [Web Access Session Recording](https://docs.akeyless.io/docs/sra-web-access-session-recording). ### Terminal-Based Sessions For terminal-based sessions (such as SSH, DB, and Kubernetes), the system records a full transcript of the commands entered and their corresponding outputs. This data can be forwarded to external systems like Splunk, Elasticsearch, or by way of Syslog for monitoring and archiving. See more [here](https://docs.akeyless.io/docs/sra-session-forwarding). +> ℹ️ **Note:** +> +> Session recording and terminal session forwarding are different features. Use [RDP Session Recording](https://docs.akeyless.io/docs/sra-rdp-session-recording) for RDP video capture and [Web Access Session Recording](https://docs.akeyless.io/docs/sra-web-access-session-recording) for browser-based ZTWA video capture. + ## Secret Locking and Rotation Timing For sessions that use **Static Secret** and **Rotated Secret** items, Session Management supports the following controls: diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md index cdbdbd353..928e31c84 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md 
@@ -12,6 +12,10 @@ next: --- RDP Session Recording is managed entirely through your Gateway's console under the **Remote Access** section in the Gateway settings. These sessions generate video recordings that can be uploaded to **AWS S3**, **S3-compatible object storage** (for example, NetApp StorageGRID), or **Azure Blob Storage** for secure storage, or can be saved locally. +> ℹ️ **Note:** +> +> For the complete, current RDP recording reference, use [RDP Session Recording](https://docs.akeyless.io/docs/sra-rdp-session-recording). If you are working with browser-based Zero Trust Web Access recordings, use [Web Access Session Recording](https://docs.akeyless.io/docs/sra-web-access-session-recording). + RDP recordings support configurable quality, compression, and encryption for stored sessions. ## Session Recording diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-session-recording.md b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-session-recording.md new file mode 100644 index 000000000..c8b62a2c9 --- /dev/null +++ b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-session-recording.md 
@@ -0,0 +1,108 @@ +--- +title: RDP Session Recording +excerpt: '' +deprecated: false +hidden: false +metadata: + title: '' + description: '' + robots: index +next: + description: '' +--- +RDP Session Recording captures interactive Remote Desktop Protocol (RDP) sessions as video for auditability, investigation, and long-term retention. + +> ℹ️ **Note:** +> +> If you are looking for browser-based Zero Trust Web Access recordings, use [Web Access Session Recording](https://docs.akeyless.io/docs/sra-web-access-session-recording). + +## Feature Scope + +RDP Session Recording covers: + +* Video capture of RDP sessions. +* Storage to local disk or cloud/object storage. +* Recording quality selection. +* Optional gzip compression. +* Optional encryption before upload. + +This feature is configured from Gateway **Remote Access** settings and by way of Gateway CLI commands. + +## Configuration Surfaces + +Use one of the following: + +* Console UI: **Gateway Manager → Remote Access → Session Recording → RDP recordings**. +* CLI: `akeyless gateway update remote-access-rdp-recording`. + +For CLI flags and command syntax, see [CLI Reference - Gateway Secure Remote Access](https://docs.akeyless.io/docs/cli-reference-sra). + +## Configuration Reference + +### Required Base Controls + +* `rdp-session-recording`: Enables or disables RDP recording. +* `rdp-session-storage`: Recording destination (`local`, `aws`, `azure`). + +### Quality, Compression, and Encryption + +* `rdp-session-recording-quality`: Recording quality (`low`, `medium`, `high`). +* `rdp-session-recording-compress`: Compress recordings before upload. +* `rdp-session-recording-encryption-key`: Encrypt recordings by using an Akeyless key. 
+ +### AWS Storage Settings + +* `aws-storage-region` +* `aws-storage-bucket-name` +* `aws-storage-bucket-prefix` +* `aws-storage-access-key-id` (optional when identity-based auth is used) +* `aws-storage-secret-access-key` (optional when identity-based auth is used) +* `aws-storage-endpoint-url` (for S3-compatible platforms) + +### Azure Storage Settings + +* `azure-storage-account-name` +* `azure-storage-container-name` +* `azure-storage-client-id` (optional when managed identity is used) +* `azure-storage-client-secret` (optional when managed identity is used) +* `azure-storage-tenant-id` (optional when managed identity is used) + +## Storage Workflows + +### Local Storage + +Set storage to `local` to keep recordings on the Gateway host under `/home/akeyless/recordings`. + +### AWS S3 or S3-Compatible Storage + +Set storage to `aws` and configure bucket, region, and optional prefix. For S3-compatible platforms, add a custom endpoint URL. + +Authentication can use either: + +* Gateway identity. +* Explicit access key and secret key. + +### Azure Blob Storage + +Set storage to `azure` and configure account and container. + +Authentication can use either: + +* Gateway identity (for example, managed identity). +* Explicit client ID, secret, and tenant ID. + +## End-to-End Workflow + +1. Enable RDP recording. +2. Select storage type (`local`, `aws`, or `azure`). +3. Configure storage authentication. +4. Set quality, compression, and encryption options. +5. Save configuration. +6. Start an RDP session and verify that the recording artifact is created in the selected destination. + +## Related Pages + +* [Web Access Session Recording](https://docs.akeyless.io/docs/sra-web-access-session-recording) +* [Session Management](https://docs.akeyless.io/docs/sra-session-management) +* [Session Log Forwarding](https://docs.akeyless.io/docs/sra-session-forwarding) +* [Zero Trust Web Access on K8s](https://docs.akeyless.io/docs/sra-web-access-on-k8s) 
diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-web-access-session-recording.md b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-web-access-session-recording.md new file mode 100644 index 000000000..e9a83fa97 --- /dev/null +++ b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-web-access-session-recording.md 
@@ -0,0 +1,104 @@ +--- +title: Web Access Session Recording +excerpt: '' +deprecated: false +hidden: false +metadata: + title: '' + description: '' + robots: index +next: + description: '' +--- +Web Access Session Recording captures browser-based Zero Trust Web Access (ZTWA) sessions for review, compliance, and incident investigation. + +> ℹ️ **Note:** +> +> If you are looking for Remote Desktop Protocol recordings, use [RDP Session Recording](https://docs.akeyless.io/docs/sra-rdp-session-recording). + +## Feature Scope + +Web Access Session Recording covers: + +* Browser session video capture. +* Recording quality selection. +* Upload to S3 or S3-compatible storage. +* Optional gzip compression before upload. +* Optional server-side encryption options. +* Lifecycle watchdog controls for recording duration and client-connect timing. + +This feature is configured in the Zero Trust Web Access chart `values.yaml`. + +## Configuration Surfaces + +Use these surfaces: + +* Primary: `sessionRecording` in `values.yaml`. +* Advanced overrides: + * `dispatcher.config.recording` + * `webWorker.config.recording` + +Deployment guidance: [Zero Trust Web Access on K8s](https://docs.akeyless.io/docs/sra-web-access-on-k8s). + +## Configuration Reference + +### Base Recording Controls + +* `sessionRecording.enabled`: Enables worker-side recording capture. +* `sessionRecording.quality`: Recording quality (`144p`, `240p`, `360p`, `480p`, `720p`, `1080p`). 
+ +### Upload Controls + +* `sessionRecording.upload.enabled` +* `sessionRecording.upload.s3Bucket` +* `sessionRecording.upload.s3Region` +* `sessionRecording.upload.s3Prefix` +* `sessionRecording.upload.s3Endpoint` (optional S3-compatible endpoint) +* `sessionRecording.upload.compress` + +### Encryption Controls + +* `sessionRecording.upload.sse.type` (`""`, `sse-s3`, `sse-kms`) +* `sessionRecording.upload.sse.kmsKeyId` + +### Credentials and Secret Wiring + +* `sessionRecording.upload.existingSecretNames.s3` +* `sessionRecording.upload.existingSecretNames.s3AccessKeyIdKey` +* `sessionRecording.upload.existingSecretNames.s3SecretAccessKeyKey` + +If no secret is set, upload can use the AWS default credential chain. + +### Watchdog Controls + +* `sessionRecording.watchdog.clientConnectTimeoutSeconds` +* `sessionRecording.watchdog.intervalSeconds` +* `sessionRecording.watchdog.maxDurationSeconds` + +These settings help bound long-running recordings and clean up stalled sessions. + +### Service-Level Overrides + +Dispatcher upload override fields can be set in `dispatcher.config.recording`. + +Worker capture override fields (`enabled`, `quality`) can be set in `webWorker.config.recording`. + +Use overrides only when service-specific behavior must differ from the shared `sessionRecording` block. + +## End-to-End Workflow + +1. Enable recording in `sessionRecording.enabled`. +2. Set desired recording quality. +3. Enable upload and configure destination bucket and region. +4. Configure credential secret references or identity-based authentication. +5. Optionally configure compression and encryption. +6. Optionally tune watchdog values for long-running workloads. +7. Deploy or upgrade the chart. +8. Start a ZTWA browser session and verify the recording artifact in the configured storage destination. 
+ +## Related Pages + +* [RDP Session Recording](https://docs.akeyless.io/docs/sra-rdp-session-recording) +* [Session Management](https://docs.akeyless.io/docs/sra-session-management) +* [Zero Trust Web Access on K8s](https://docs.akeyless.io/docs/sra-web-access-on-k8s) +* [Session Log Forwarding](https://docs.akeyless.io/docs/sra-session-forwarding) diff --git a/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md b/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md index fd040d103..d33fb3c7d 100644 --- a/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md +++ b/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md @@ -18,6 +18,8 @@ The non-privileged deployment model is supported, so you do not need to add a po ZTWA session recording captures browser-based web access sessions and supports configurable quality, compression, and encryption for stored recordings. +For a dedicated recording guide that covers end-to-end configuration and workflow, see [Web Access Session Recording](https://docs.akeyless.io/docs/sra-web-access-session-recording). + This chart bootstraps the `Akeyless-Web-Access-Bastion` deployment on Kubernetes with Helm. ## Before you begin From 8ae1b5527ae63d50578f68dfa2c0d613ec2f9a76 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 16:38:45 -0600 Subject: [PATCH 10/12] docs(sra): merge RDP recording pages and restore web-access recording as dedicated page --- .../sra-session-management/_order.yaml | 1 - .../sra-session-management/index.md | 8 +- .../sra-rdp-recordings.md | 8 +- .../sra-rdp-session-recording.md | 108 ------------------ .../sra-web-access-session-recording.md | 4 +- .../sra-setup/sra-web-access-on-k8s/index.md | 2 - 6 files changed, 13 insertions(+), 118 deletions(-) delete mode 100644 docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-session-recording.md 
diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/_order.yaml b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/_order.yaml index 6ef1f26ba..2dd8d075d 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/_order.yaml +++ b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/_order.yaml @@ -1,5 +1,4 @@ - sra-sessions-overview - sra-session-forwarding - sra-rdp-recordings -- sra-rdp-session-recording - sra-web-access-session-recording diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/index.md b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/index.md index e284b47e5..9261253e9 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/index.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/index.md 
@@ -18,15 +18,15 @@ Key actions include enabling session recording for various types of remote acces ### RDP Session Recording -[RDP session recording](https://docs.akeyless.io/docs/sra-rdp-session-recording) refers to the process of capturing and storing the activities that occur during a Remote Desktop Protocol (RDP) session. These recordings create a video file of the entire session, preserving all user interactions within the remote desktop environment. +[RDP session recording](https://docs.akeyless.io/docs/sra-rdp-recordings) refers to the process of capturing and storing the activities that occur during a Remote Desktop Protocol (RDP) session. These recordings create a video file of the entire session, preserving all user interactions within the remote desktop environment. SRA allows you to automatically upload and store these video recordings in secure locations such as AWS S3 or Azure Blob Storage for long-term retention and review, or you can store them locally on the server. ### Web Access Session Recording -[Web access session recording](https://docs.akeyless.io/docs/sra-web-access-session-recording) refers to the process of capturing browser-based web access sessions in Zero Trust Web Access (ZTWA). These recordings preserve the interactive web session and can be stored with the ZTWA deployment configuration. +[Web access session recording](https://docs.akeyless.io/docs/sra-web-access-on-k8s) refers to the process of capturing browser-based web access sessions in Zero Trust Web Access (ZTWA). These recordings preserve the interactive web session and can be stored with the ZTWA deployment configuration. -For full recording configuration options (quality, upload destination, compression, encryption, watchdog controls, and service-level overrides), see [Web Access Session Recording](https://docs.akeyless.io/docs/sra-web-access-session-recording). 
+For full recording configuration options (quality, upload destination, compression, encryption, watchdog controls, and service-level overrides), see [Zero Trust Web Access on K8s](https://docs.akeyless.io/docs/sra-web-access-on-k8s). ### Terminal-Based Sessions @@ -34,7 +34,7 @@ For terminal-based sessions (such as SSH, DB, and Kubernetes), the system record > ℹ️ **Note:** > -> Session recording and terminal session forwarding are different features. Use [RDP Session Recording](https://docs.akeyless.io/docs/sra-rdp-session-recording) for RDP video capture and [Web Access Session Recording](https://docs.akeyless.io/docs/sra-web-access-session-recording) for browser-based ZTWA video capture. +> Session recording and terminal session forwarding are different features. Use [RDP Recordings](https://docs.akeyless.io/docs/sra-rdp-recordings) for RDP video capture and [Zero Trust Web Access on K8s](https://docs.akeyless.io/docs/sra-web-access-on-k8s) for browser-based ZTWA video capture. ## Secret Locking and Rotation Timing diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md index 928e31c84..19957fb70 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md 
@@ -14,7 +14,7 @@ RDP Session Recording is managed entirely through your Gateway's console under t > ℹ️ **Note:** > -> For the complete, current RDP recording reference, use [RDP Session Recording](https://docs.akeyless.io/docs/sra-rdp-session-recording). If you are working with browser-based Zero Trust Web Access recordings, use [Web Access Session Recording](https://docs.akeyless.io/docs/sra-web-access-session-recording). +> If you are working with browser-based Zero Trust Web Access recordings, use [Zero Trust Web Access on K8s](https://docs.akeyless.io/docs/sra-web-access-on-k8s). RDP recordings support configurable quality, compression, and encryption for stored sessions. @@ -110,6 +110,12 @@ Use the following values: SRA uses the standard S3 API for this flow. This allows recording uploads to compatible object storage providers without requiring AWS-specific identity integration. +## Related Pages + +* [Web Access Session Recording](https://docs.akeyless.io/docs/sra-web-access-session-recording) +* [Session Management](https://docs.akeyless.io/docs/sra-session-management) +* [Session Log Forwarding](https://docs.akeyless.io/docs/sra-session-forwarding) + ### Azure Blob Storage For storing RDP session recordings in Azure Blob Storage, the user can also select between two options: diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-session-recording.md b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-session-recording.md deleted file mode 100644 index c8b62a2c9..000000000 --- a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-session-recording.md +++ /dev/null 
@@ -1,108 +0,0 @@ ---- -title: RDP Session Recording -excerpt: '' -deprecated: false -hidden: false -metadata: - title: '' - description: '' - robots: index -next: - description: '' ---- -RDP Session Recording captures interactive Remote Desktop Protocol (RDP) sessions as video for auditability, investigation, and long-term retention. - -> ℹ️ **Note:** -> -> If you are looking for browser-based Zero Trust Web Access recordings, use [Web Access Session Recording](https://docs.akeyless.io/docs/sra-web-access-session-recording). - -## Feature Scope - -RDP Session Recording covers: - -* Video capture of RDP sessions. -* Storage to local disk or cloud/object storage. -* Recording quality selection. -* Optional gzip compression. -* Optional encryption before upload. - -This feature is configured from Gateway **Remote Access** settings and by way of Gateway CLI commands. - -## Configuration Surfaces - -Use one of the following: - -* Console UI: **Gateway Manager → Remote Access → Session Recording → RDP recordings**. -* CLI: `akeyless gateway update remote-access-rdp-recording`. - -For CLI flags and command syntax, see [CLI Reference - Gateway Secure Remote Access](https://docs.akeyless.io/docs/cli-reference-sra). - -## Configuration Reference - -### Required Base Controls - -* `rdp-session-recording`: Enables or disables RDP recording. -* `rdp-session-storage`: Recording destination (`local`, `aws`, `azure`). - -### Quality, Compression, and Encryption - -* `rdp-session-recording-quality`: Recording quality (`low`, `medium`, `high`). -* `rdp-session-recording-compress`: Compress recordings before upload. -* `rdp-session-recording-encryption-key`: Encrypt recordings by using an Akeyless key. 
- -### AWS Storage Settings - -* `aws-storage-region` -* `aws-storage-bucket-name` -* `aws-storage-bucket-prefix` -* `aws-storage-access-key-id` (optional when identity-based auth is used) -* `aws-storage-secret-access-key` (optional when identity-based auth is used) -* `aws-storage-endpoint-url` (for S3-compatible platforms) - -### Azure Storage Settings - -* `azure-storage-account-name` -* `azure-storage-container-name` -* `azure-storage-client-id` (optional when managed identity is used) -* `azure-storage-client-secret` (optional when managed identity is used) -* `azure-storage-tenant-id` (optional when managed identity is used) - -## Storage Workflows - -### Local Storage - -Set storage to `local` to keep recordings on the Gateway host under `/home/akeyless/recordings`. - -### AWS S3 or S3-Compatible Storage - -Set storage to `aws` and configure bucket, region, and optional prefix. For S3-compatible platforms, add a custom endpoint URL. - -Authentication can use either: - -* Gateway identity. -* Explicit access key and secret key. - -### Azure Blob Storage - -Set storage to `azure` and configure account and container. - -Authentication can use either: - -* Gateway identity (for example, managed identity). -* Explicit client ID, secret, and tenant ID. - -## End-to-End Workflow - -1. Enable RDP recording. -2. Select storage type (`local`, `aws`, or `azure`). -3. Configure storage authentication. -4. Set quality, compression, and encryption options. -5. Save configuration. -6. Start an RDP session and verify that the recording artifact is created in the selected destination. - -## Related Pages - -* [Web Access Session Recording](https://docs.akeyless.io/docs/sra-web-access-session-recording) -* [Session Management](https://docs.akeyless.io/docs/sra-session-management) -* [Session Log Forwarding](https://docs.akeyless.io/docs/sra-session-forwarding) -* [Zero Trust Web Access on K8s](https://docs.akeyless.io/docs/sra-web-access-on-k8s) 
diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-web-access-session-recording.md b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-web-access-session-recording.md index e9a83fa97..84c88a3f8 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-web-access-session-recording.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-web-access-session-recording.md @@ -14,7 +14,7 @@ Web Access Session Recording captures browser-based Zero Trust Web Access (ZTWA) > ℹ️ **Note:** > -> If you are looking for Remote Desktop Protocol recordings, use [RDP Session Recording](https://docs.akeyless.io/docs/sra-rdp-session-recording). +> If you are looking for Remote Desktop Protocol recordings, use [RDP Session Recording](https://docs.akeyless.io/docs/sra-rdp-recordings). ## Feature Scope @@ -98,7 +98,7 @@ Use overrides only when service-specific behavior must differ from the shared `s ## Related Pages -* [RDP Session Recording](https://docs.akeyless.io/docs/sra-rdp-session-recording) +* [RDP Session Recording](https://docs.akeyless.io/docs/sra-rdp-recordings) * [Session Management](https://docs.akeyless.io/docs/sra-session-management) * [Zero Trust Web Access on K8s](https://docs.akeyless.io/docs/sra-web-access-on-k8s) * [Session Log Forwarding](https://docs.akeyless.io/docs/sra-session-forwarding) diff --git a/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md b/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md index d33fb3c7d..fd040d103 100644 --- a/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md +++ b/docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md 
@@ -18,8 +18,6 @@ The non-privileged deployment model is supported, so you do not need to add a po ZTWA session recording captures browser-based web access sessions and supports configurable quality, compression, and encryption for stored recordings. -For a dedicated recording guide that covers end-to-end configuration and workflow, see [Web Access Session Recording](https://docs.akeyless.io/docs/sra-web-access-session-recording). - This chart bootstraps the `Akeyless-Web-Access-Bastion` deployment on Kubernetes with Helm. ## Before you begin From d935c538897eaa94b7fffe360eded23ee78edef2 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 21:15:42 -0600 Subject: [PATCH 11/12] fix(sra): resolve CodeRabbit review comments - fix hyphenation and move Related Pages to end --- .../sra-session-management/sra-rdp-recordings.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md index 19957fb70..58b5821e0 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md @@ -42,7 +42,7 @@ Optionally compress the encoded video file using `GZIP`. Protect recordings at rest with encryption. -* **Algorithm:** Encryption uses Akeyless supported key types. +* **Algorithm:** Encryption uses Akeyless-supported key types. * **Scope:** Entire video payload is encrypted after encoding (and after optional compression). * **Access:** Only authorized users with the appropriate permissions can decrypt and access the file. 
@@ -110,12 +110,6 @@ Use the following values: SRA uses the standard S3 API for this flow. This allows recording uploads to compatible object storage providers without requiring AWS-specific identity integration. -## Related Pages - -* [Web Access Session Recording](https://docs.akeyless.io/docs/sra-web-access-session-recording) -* [Session Management](https://docs.akeyless.io/docs/sra-session-management) -* [Session Log Forwarding](https://docs.akeyless.io/docs/sra-session-forwarding) - ### Azure Blob Storage For storing RDP session recordings in Azure Blob Storage, the user can also select between two options: @@ -167,3 +161,9 @@ akeyless gateway update remote-access-rdp-recording \ --rdp-session-recording true \ --rdp-session-storage local ``` + +## Related Pages + +* [Web Access Session Recording](https://docs.akeyless.io/docs/sra-web-access-session-recording) +* [Session Management](https://docs.akeyless.io/docs/sra-session-management) +* [Session Log Forwarding](https://docs.akeyless.io/docs/sra-session-forwarding) From 08aa847ac04c7f785daca44ae175c45f7cb789d3 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Thu, 14 May 2026 09:58:31 -0600 Subject: [PATCH 12/12] docs(sra): clarify ZTWA values format as deployment defaults --- .../sra-web-access-session-recording.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-web-access-session-recording.md b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-web-access-session-recording.md index 84c88a3f8..cf8836245 100644 --- a/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-web-access-session-recording.md +++ b/docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-web-access-session-recording.md 
@@ -27,7 +27,9 @@ Web Access Session Recording covers: * Optional server-side encryption options. * Lifecycle watchdog controls for recording duration and client-connect timing. -This feature is configured in the Zero Trust Web Access chart `values.yaml`. +This feature is configured with deployment-time defaults in the Zero Trust Web Access chart `values.yaml`. + +For ongoing Secure Remote Access session behavior, manage web and SSH settings through the Akeyless API by using the CLI or Console UI. ## Configuration Surfaces
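Review bot: In the new sra-rdp-session-recording.md (hunk `@@ -0,0 +1,108 @@`), the "Storage Workflows" section never says how `rdp-session-recording-encryption-key` applies to each destination. "Local Storage" gives the path `/home/akeyless/recordings` but not whether recordings kept there are encrypted or who on the Gateway host can read them, and Feature Scope's "Optional encryption before upload" reads as if the key only matters for `aws` and `azure`. Suggest stating explicitly whether the key applies to `local`. Under the AWS and Azure "Authentication can use either" lists, also say which option is preferred: the explicit access key, secret key and client secret are long-lived credentials supplied as configuration values, and Gateway identity avoids that.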
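Review bot: In the new sra-web-access-session-recording.md (hunk `@@ -0,0 +1,104 @@`), "Encryption Controls" lists `sessionRecording.upload.sse.type` (`""`, `sse-s3`, `sse-kms`) and `sessionRecording.upload.sse.kmsKeyId` with no description, so a reader cannot tell what the empty value means or when `kmsKeyId` must be set. The three `sessionRecording.watchdog.*` keys are likewise bare names with no defaults and no statement of what happens to a recording when `maxDurationSeconds` is reached. Suggest one sentence per key, as the Base Recording Controls already have. Workflow step 4 also says "identity-based authentication" while "Credentials and Secret Wiring" says "AWS default credential chain"; use one term in both places.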
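Review bot: In PATCH 10/12, sra-session-management/index.md hunk `@@ -18,15 +18,15 @@`, the three web-access links are repointed to `sra-web-access-on-k8s` even though the commit subject says the web-access recording page is restored as a dedicated page and `_order.yaml` keeps `sra-web-access-session-recording`. The sentence "For full recording configuration options (quality, upload destination, compression, encryption, watchdog controls, and service-level overrides)" now sends readers to the K8s setup page, while those watchdog and override keys are the ones documented in sra-web-access-session-recording.md. The same commit also drops the pointer to the dedicated page from sra-web-access-on-k8s/index.md, so within the files this series touches the only remaining inbound links are the "Related Pages" list in sra-rdp-recordings.md and the Console/CLI-facing text is silent about it. Suggest keeping `https://docs.akeyless.io/docs/sra-web-access-session-recording` as the target for the recording links here and in the sra-rdp-recordings.md note.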
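Review bot: In PATCH 10/12, sra-rdp-recordings.md hunk `@@ -110,6 +110,12 @@`, the new `## Related Pages` heading is inserted directly above `### Azure Blob Storage`, so the Azure section and everything after it nest under "Related Pages" in the rendered outline. PATCH 11/12 moves the block to the end of the file; suggest squashing that move into this commit so no commit in the series publishes the page with the broken heading order.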
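Review bot: In PATCH 12/12, hunk `@@ -27,7 +27,9 @@`, the added sentence "manage web and SSH settings through the Akeyless API by using the CLI or Console UI" does not say which recording settings can be changed after deployment, whether a runtime change overrides the `values.yaml` defaults, or where the command is documented, and SSH is out of scope for a page about browser session recording. The "Configuration Surfaces" section further down still labels `sessionRecording` in `values.yaml` as "Primary", which now conflicts with calling those values deployment-time defaults. Suggest naming the settings that are runtime-managed, stating the precedence between the chart values and the API-managed settings, linking the CLI reference, and updating "Configuration Surfaces" in the same commit.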