Aptible PaaS logoDocs
Search
⌘K
Docs
Product
AppsDatabasesPlatformSecurity & Compliance
PricingCustomersCompany
Install CLI
Log In
Getting Started
Starter Templates
Deploy an Example App
Is my App a good fit for Aptible?
Core Concepts
Apps
Deploying Apps
Connecting to Apps
App Endpoints
Ephemeral SSH Sessions
Outbound IP Addresses
Managing Apps
Databases
Platform Internals
Scaling
Logs
Metrics
Security & Compliance
Network Integrations
Billing & Payments
Reference
Aptible CLI
Aptible Terraform
Aptible Roadmap
Aptible Metadata Variables
Feature Support Matrix
Division of Responsibility
How-to Guides
App Guides
Database Guides
Metrics & Monitoring Guides
Logging Guides
Best Practices Guides
Business Continuity Guides
Security & Compliance Guides
Account & General Guides
Troubleshooting
Aptible Support
Common Errors & Issues

Ephemeral SSH Sessions

🏳️ Concurrent SSH Sessions are only available on the Growth, Scale and Enterprise plans.

Aptible provides access to ephemeral App Containers via the aptible ssh command.

Those sessions create an ephemeral Container configured identically to your App Containers, so they're convenient for accessing a management console, run ad-hoc jobs, etc.

❗️Ephemeral Containers are not the same size as your App Container. By default, ephemeral Containers are scaled to 1024 MB.

However, keep in mind that these Containers are ephemeral in nature. Unlike regular Containers, they won't be restarted when they crash. Also, if your connection to Aptible drops, the remote Container will be terminated.

SSH sessions expire after seven days by default. Contact Aptible Support to reduce the default SSH session duration for Dedicated Stacks. Please note that this setting takes effect regardless of whether the session is active or idle.

❗️ When you create a SSH session using aptible ssh, you're logging in to an ephemeral container. You are not logging to one of your running app containers.
This means that running commands like ps won't reflect what's actually running in your App Containers, and that files that exist in your App Containers will not be present in the ephemeral session.

Logging

❗️If you have PHI (or, more broadly speaking, sensitive information) in your app or database, it's very likely that PHI will at some point leak in your SSH session logs.
So, make sure you have the appropriate agreements in place with your logging provider before sending your SSH logs there. For PHI, you'll need a BAA.

Logs from Ephemeral SSH Sessions can be routed to Log Drains.

Note that for interactive sessions, Aptible allocates a TTY for your container, so your Log Drain will receive exactly what the end user is seeing. This has two benefits:

  • You see the user's input as well.
  • If you’re prompting the user for a password using a safe password prompt that does not write back anything, nothing will be sent to the Log Drain either. That prevents you from leaking your passwords to your logging provider.

Metadata

For Log Drains that support embedding metadata in the payload (HTTPS Log Drains and Self-Hosted Elasticsearch Log Drains), the following keys are included:

  • operation_id: The ID of the Operation that resulted in the creation of this Ephemeral Session.
  • operation_user_name: The name of the user that created the Operation.
  • operation_user_email: The email of the user that created the Operation.

For Log Drains that don't support embedding metadata (i.e., Syslog Log Drains), the ID of the Operation that created the session is included in the logs.

Ephemeral SSH Sessions
Aptible logo
Product
Resources
Support
Company
548 Market St #75826 San Francisco, CA 94104
© 2023. All rights reserved. Privacy Policy