Managing Sessions

This topic describes how to create and manage bastion sessions.

For information specifically about how to connect to bastion sessions, see Connecting to Sessions. For information about creating and managing bastions, see Managing Bastions.

Before you begin, decide which type of session you want to create: Managed SSH session or SSH port forwarding session. See Session Types.

Bastions are essential in tenancies with stricter resource controls. For example, you can use a bastion session to access Compute instances in compartments that are associated with a security zone. Instances in a security zone cannot have public endpoints. To learn more, see Security Zones.

Session management tasks include the following:

  • Creating a session
  • Terminating a session

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.

To use all Bastion features, you must have the following permissions:

  • Manage bastions, sessions, and networks
  • Read compute instances
  • Read compute instance agent (Oracle Cloud Agent) plugins
  • Inspect work requests

Example policy:

Allow group SecurityAdmins to manage bastion-family in tenancy
Allow group SecurityAdmins to manage virtual-network-family in tenancy
Allow group SecurityAdmins to read instance-family in tenancy
Allow group SecurityAdmins to read instance-agent-plugins in tenancy
Allow group SecurityAdmins to inspect work-requests in tenancy

See Bastion IAM Policies for detailed policy information and more examples.

If you're new to policies, see Getting Started with Policies and Common Policies.

Using the Console

To create a session

Before you begin, decide which type of session you want to create: Managed SSH session or SSH port forwarding session. See Session Types.

Before creating a Managed SSH session, verify that you have the following information about the target resource you intend to create a session for:
  • Valid credentials to sign into the target resource (operating system, database, and so on)
  • One of the following:
    • The name and compartment of the target compute instance 
    • The IP address and port of the target resource

Ensure that you have the public key file of the SSH key pair that you plan to use to connect to the session. To learn more, see Managing Key Pairs on Linux Instances.

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where you want to create a bastion session.
  3. Click the name of the bastion.
  4. Click Create session.
  5. Choose a Session type.
    Managed SSH session

    Connect to a compute instance that has a running OpenSSH server and has Oracle Cloud Agent enabled.

    1. Enter a valid operating system Username for the target instance.

      The default username on most platform images is opc.

    2. Select the target Compute instance. If needed, change the compartment to find the instance. Only active instances are listed.

    SSH port forwarding session

    Create an SSH tunnel to a specific port on the target resource. This type of session doesn't require an OpenSSH server or the Oracle Cloud Agent to be running on the target resource, such as an Autonomous Transaction Processing database.

    Choose from one of these options:

    • Enter the IP Address of the target resource.
    • Select the target compute Instance name. If needed, change the compartment to find the instance. Only active instances are listed.

    Enter the Port number you want to connect to on the target resource. Examples:

    • SSH server on a Linux instance: 22 (default)
    • Remote Desktop Protocol (RDP) server on a Windows instance: 3389
    • Autonomous Transaction Processing database: 1521
    • MySQL DB System: 3306
  6. Enter a display name for the new session.

    Avoid entering any confidential information in this field.

  7. Under Add SSH Key, provide the public key file of the SSH key pair that you want to use for the session.

    Later, when you connect to the session, you must provide the private key of the same SSH key pair.

  8. (Optional) To change the maximum amount of time that the session can remain active, click Show Advanced Options, and then enter a value for Maximum session time-to-live.

    Provide a value that is at least 30 minutes, but does not exceed the maximum TTL of the bastion (default is 180 minutes or 3 hours).

    You can also terminate a session before it expires.

  9. (Optional) If you chose to create a Managed SSH session, change the specific port or IP address to connect to on the target compute instance.

    By default, the session uses the primary IP address of the instance and port 22.

    1. Click Show Advanced Options.
    2. Update the Target compute instance port.
    3. Select a Target compute instance IP address.
  10. When you are finished, click Create session.

After creating a session, you can connect to the session using SSH.

To view a session's details

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. Click the name of the bastion that hosts the session you want to view.
  4. Click Sessions.
  5. From the table, locate the name of your session.

To edit a session

You can update the display name of a session only.

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. Click the name of the bastion that hosts the session you want to update.
  4. Click Sessions.
  5. In the Actions menu for the session you want to update, click Edit session name.
  6. Modify the Name of the session.

    Avoid entering any confidential information in this field.

  7. Click Update.

To delete a session

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. Click the name of the bastion that hosts the session you want to delete.
  4. Click Sessions.
  5. Click the Action item for the session you want to delete, and then select Delete session.
  6. Enter the name of this session.
  7. Click Delete.

Using the Command Line Interface (CLI)

For information about using the CLI, see Command Line Interface (CLI). For a complete list of flags and options available for CLI commands, see the Command Line Reference.

To create a managed SSH session

Before creating a Managed SSH session, verify that you have the prerequisites listed earlier on this page: valid credentials for the target resource, the name and compartment of the target compute instance, and the public key file of the SSH key pair you plan to use.

To create a new managed SSH session on a bastion, open a command prompt and run oci bastion session create-managed-ssh:

oci bastion session create-managed-ssh --bastion-id <target_bastion_OCID> --display-name <session_display_name> --ssh-public-key-file <key_filename> --key-type PUB --target-resource-id <instance_OCID> --target-os-username <instance_username>

For example:

oci bastion session create-managed-ssh --bastion-id ocid1.bastion.oc1..exampleuniqueID --display-name newbastionsession --ssh-public-key-file mykey.pub --key-type PUB --target-resource-id ocid1.instance.oc1..exampleuniqueID --target-os-username janelee

To create a port forwarding session

To create a new port forwarding session, open a command prompt and run oci bastion session create-port-forwarding:

oci bastion session create-port-forwarding --bastion-id <target_bastion_OCID> --display-name <session_display_name> --ssh-public-key-file <key_filename> --key-type PUB --target-private-ip <target_IP_address> --target-port <target_port_number>

For example:

oci bastion session create-port-forwarding --bastion-id ocid1.bastion.oc1..exampleuniqueID --display-name newbastionsession --ssh-public-key-file mykey.pub --key-type PUB --target-private-ip 192.168.0.10 --target-port 22

To view a session's details

To view a bastion session's details, open a command prompt and run oci bastion session get:

oci bastion session get --session-id <bastion_session_OCID>

For example:

oci bastion session get --session-id ocid1.session.oc1..exampleuniqueID

To view a list of sessions

To view a list of sessions on a bastion, open a command prompt and run oci bastion session list:

oci bastion session list --bastion-id <bastion_OCID> --all

For example:

oci bastion session list --bastion-id ocid1.bastion.oc1..exampleuniqueID --all

To update a session's details
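The list command returns JSON, which is the natural input for a periodic access review of who currently has a path to which target. The following script is an added example, not part of the OCI documentation or CLI: it reads the JSON that oci bastion session list --all emits, keeps only ACTIVE sessions, and reports each session's target, the seconds left before its TTL expires, and whether its TTL exceeds a local policy limit. The kebab-case field names and the session-type values are assumed from the CLI's output format (they are not shown on this page), the sample output is constructed, and expiry is approximated as creation time plus TTL.

```python
"""Audit active Bastion sessions from `oci bastion session list --all` JSON.

Added example, not the OCI CLI's own code. Field names below are assumed
from the CLI's kebab-case JSON output; the sample data is constructed.
"""
import json
from datetime import datetime, timedelta

# Constructed stand-in for `oci bastion session list --bastion-id ... --all`
SAMPLE_OUTPUT = json.dumps({"data": [
    {"id": "ocid1.session.oc1..exampleuniqueID1", "display-name": "ops-shell",
     "lifecycle-state": "ACTIVE", "session-ttl-in-seconds": 10800,
     "time-created": "2024-05-01T10:00:00.000Z",
     "target-resource-details": {
         "session-type": "MANAGED_SSH",
         "target-resource-id": "ocid1.instance.oc1..exampleuniqueID",
         "target-resource-operating-system-user-name": "opc",
         "target-resource-port": 22}},
    {"id": "ocid1.session.oc1..exampleuniqueID2", "display-name": "db-tunnel",
     "lifecycle-state": "ACTIVE", "session-ttl-in-seconds": 3600,
     "time-created": "2024-05-01T12:30:00.000Z",
     "target-resource-details": {
         "session-type": "PORT_FORWARDING",
         "target-resource-private-ip-address": "192.168.0.10",
         "target-resource-port": 1521}},
    {"id": "ocid1.session.oc1..exampleuniqueID3", "display-name": "old",
     "lifecycle-state": "DELETED", "session-ttl-in-seconds": 1800,
     "time-created": "2024-04-30T08:00:00.000Z",
     "target-resource-details": {
         "session-type": "PORT_FORWARDING",
         "target-resource-private-ip-address": "192.168.0.11",
         "target-resource-port": 3389}},
]})

def parse_time(stamp):
    """Parse the CLI's RFC 3339 timestamp into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def audit_sessions(raw_json, now, max_ttl_seconds=10800):
    """Return (id, name, target, seconds_remaining, over_policy) per ACTIVE session.

    max_ttl_seconds defaults to the bastion's default maximum TTL (180 minutes).
    A negative seconds_remaining means the session should already have expired.
    """
    rows = []
    for s in json.loads(raw_json)["data"]:
        if s["lifecycle-state"] != "ACTIVE":
            continue  # CREATING/DELETING/DELETED/FAILED sessions grant no access
        d = s["target-resource-details"]
        if d["session-type"] == "MANAGED_SSH":
            target = f'{d["target-resource-operating-system-user-name"]}@' \
                     f'{d["target-resource-id"]}:{d["target-resource-port"]}'
        else:  # PORT_FORWARDING: tunnel to a private IP and port
            target = f'{d["target-resource-private-ip-address"]}:{d["target-resource-port"]}'
        expires = parse_time(s["time-created"]) + timedelta(seconds=s["session-ttl-in-seconds"])
        remaining = int((expires - now).total_seconds())
        rows.append((s["id"], s["display-name"], target, remaining,
                     s["session-ttl-in-seconds"] > max_ttl_seconds))
    return rows
```

Sessions reported with a negative remaining time or flagged as over policy are candidates for oci bastion session delete, as described later on this page.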

To update a bastion session's details, open a command prompt and run oci bastion session update:

oci bastion session update --session-id <bastion_session_OCID> --display-name <new_session_display_name>

For example:

oci bastion session update --session-id ocid1.bastion.oc1..exampleuniqueID --display-name new-session-name

To delete a session

To delete a session from a bastion, open a command prompt and run oci bastion session delete:

oci bastion session delete --session-id <target_session_OCID>

For example:

oci bastion session delete --session-id ocid1.session.oc1..exampleuniqueID