Managing Sessions in Bastion

Describes how to create and manage bastion sessions.

For information about how to connect to bastion sessions, see Connecting to Sessions in Bastion. For information about creating and managing bastions, see Managing Bastions.

Before you begin, decide which type of session you want to create: Managed SSH session, SSH port forwarding session, or Dynamic port forwarding (SOCKS5) session. See Session Types.

Bastions are essential in tenancies with stricter resource controls. For example, you can use a bastion session to access Compute instances in compartments that are associated with a security zone. Instances in a security zone can't have public endpoints, so a bastion session is the supported way to reach them. To learn more, see Security Zones.

You can perform the following session management tasks:

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.

To use all Bastion features, you must have the following permissions:

  • Manage bastions, sessions, and networks
  • Read compute instances
  • Read compute instance agent (Oracle Cloud Agent) plugins
  • Inspect work requests
Example policy:
Allow group SecurityAdmins to manage bastion-family in tenancy
Allow group SecurityAdmins to manage virtual-network-family in tenancy
Allow group SecurityAdmins to read instance-family in tenancy
Allow group SecurityAdmins to read instance-agent-plugins in tenancy
Allow group SecurityAdmins to inspect work-requests in tenancy
See Bastion IAM Policies for detailed policy information and more examples.
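The policy above grants every Bastion-related permission tenancy-wide, which is more than most session users need. The following is an added example, not taken from the Oracle documentation, of a least-privilege split: a BastionAdmins group that manages bastions and networking, and a BastionUsers group that can only create sessions on existing bastions. The group names and the compartment name BastionCompartment are hypothetical; the bastion and bastion-session resource types and the use and manage verbs are assumed here to be the granular Bastion resource types, so check them against the Bastion IAM Policies reference before deploying.

```text
# Assumed names: BastionAdmins, BastionUsers, BastionCompartment are
# placeholders for illustration, not values from the original page.

# Administrators: create and configure bastions and their networking,
# scoped to a single compartment rather than the whole tenancy.
Allow group BastionAdmins to manage bastion in compartment BastionCompartment
Allow group BastionAdmins to manage virtual-network-family in compartment BastionCompartment
Allow group BastionAdmins to inspect work-requests in compartment BastionCompartment

# Session users: may open sessions through existing bastions but cannot
# create, change, or delete the bastions themselves or the network.
Allow group BastionUsers to use bastion in compartment BastionCompartment
Allow group BastionUsers to manage bastion-session in compartment BastionCompartment
Allow group BastionUsers to read instance-family in compartment BastionCompartment
Allow group BastionUsers to read instance-agent-plugins in compartment BastionCompartment
Allow group BastionUsers to inspect work-requests in compartment BastionCompartment
```

The instance-family and instance-agent-plugins read permissions are what let a session user select a target instance in the Console and confirm that the Bastion plugin of Oracle Cloud Agent is running, which a Managed SSH session depends on. If session creation fails with an authorization error, compare the statements a user's groups actually carry against this list before looking anywhere else.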

If you're new to policies, see Getting Started with Policies and Common Policies.