Ephemeral SSH Sessions

Enclave provides access to ephemeral Containers via the aptible ssh command.

Those sessions create an ephemeral Container configured identically to your App Containers, so they’re convenient to access a management console, run ad-hoc jobs, etc.

However, keep in mind that these Containers are ephemeral in nature. Unlike regular Containers, they won’t be restarted when they crash. Also, if your connection to Enclave drops, the remote Container will be terminated.

Warning

When you create a SSH session using aptible ssh, you’re logging in to an ephemeral container. You are not logging to one of your running app containers.

This means that running commands like ps won’t reflect what’s actually running in your App Containers, and that files that exist in you App Containers will not be present in the ephemeral session.

Logging

Warning

If you have PHI (or, more broadly speaking, sensitive information) in your app or database, it’s very likely that PHI will at some point leak in your SSH session logs.

So, make sure you have the appropriate agreements in place with your logging provider before sending your SSH logs there. For PHI, you’ll need a BAA.

Logs from Ephemeral SSH Sessions can be routed to Log Drains (select this option when creating the Log Drain).

What is logged

All the output from ephemeral containers is captured and routed to a Log Drain.

Note that for interactive sessions, Enclave allocates a TTY for your container, so your Log Drain will receive exactly what the end-user is seeing. This has two benefits:

  • You see the user’s input as well.
  • If you’re prompting the user for a password using a safe password prompt that does not write back anything, nothing will be sent to the Log Drain either. That prevents you from leaking your passwords to your logging provider.

Metadata

For Log Drains that support embedding metadata in the payload (HTTPS Log Drains and Self-Hosted Elasticsearch Log Drains), the following keys are included:

  • operation_id: The ID of the Operation that resulted in the creation of this Ephemeral Session.
  • operation_user_name: The name of the user that created the Operation.
  • operation_user_email: The email of the user that created the Operation.

For Log Drains that don’t support embedding metadata (i.e. Syslog Log Drains), the ID of the Operation that created the session is included in the logs.