Centralized SSH Access Management with Warpgate, SSO, and IaC
In environments with multiple isolated infrastructures managed by a shared engineering team, the old-school approach of using Ansible playbooks to distribute SSH keys across 100+ VMs becomes a bottleneck. Access was tied to key possession rather than corporate roles, leading to manual onboarding, delays in revoking permissions, and audit headaches. The new setup leverages Warpgate as a transparent proxy with SSO and RBAC for automated access control—no agents needed on servers.
Key Limitations of the Legacy Approach
Manual user management via Ansible created major pain points:
- No SSO integration: Corporate status didn't affect access.
- Manual playbook runs for project changes.
- Revocation delays: Offline hosts kept stale keys.
- Decentralized audit logs scattered across servers.
Requirements for a replacement: Corporate SSO integration, declarative IaC management, Kubernetes resilience, and agentless support for SSH/HTTPS/DB/K8s.
Warpgate Features
Warpgate is an open-source bastion host that proxies connections after authenticating users and checking roles. It supports OIDC SSO, 2FA, session recording, and command auditing. It works without modifying target resources and offers a web UI for connection history.
Comparison with Alternatives
| Feature | Warpgate | Jump Host | VPN | Teleport |
|---------|----------|-----------|-----|----------|
| Precise service binding | ✅ | No | No | ✅ |
| No client required | ✅ | No | No | ✅ |
| 2FA | ✅ | PAM | Varies | ✅ |
| SSO | ✅ | PAM | Varies | Paid |
| Command auditing | ✅ | No | No | ✅ |
| Session recording | ✅ | No | No | ✅ |
| Non-interactive connections | ✅ | Limited | ✅ | Wrapper |
| Self-hosted | ✅ | ✅ | Varies | SaaS |
Advantages for multi-project setups: No licensing costs, IaC configuration, and seamless scalability.
Architecture with Keycloak and Terraform
SSO Integration
OIDC provider Keycloak maps groups to Warpgate roles. Example warpgate.yaml:
sso_providers:
- name: keycloak
label: "Login with Keycloak"
auto_create_users: true
provider:
type: custom
client_id: warpgate
client_secret: $OIDC_CLIENT_SECRET
issuer_url: $ISSUER_URL
scopes: ["openid", "email"]
role_mappings:
'/teams/devops/warpgate-admin': 'warpgate:admin'
'/teams/devops/project-A': 'project-A'
'/teams/devops/project-B': 'project-B'
Group /teams/devops/project-A grants access to Project A resources. Keycloak changes take effect instantly.
IaC with Terraform Provider
Terraform defines roles, resources, and gateways. Structure: Root Warpgate + per-project folders. For internal networks, use an inner Warpgate as a gateway. This keeps things declarative across 100+ VMs, skipping manual UI tweaks.
Kubernetes deployment with replicas eliminates single points of failure.
Limitations and Compatibility
Warpgate doesn't fully replace Ansible: VMs need a single technical user for proxied connections. Engineering permissions are enforced at the bastion—no personal keys on hosts. It scales effortlessly to new projects without playbooks.
Practical Changes
- Onboarding: Add to Keycloak group.
- Revocation: Remove from group.
- Auditing: Centralized session logs.
- Scaling: Multi-tenant without orphan access risks.
Cuts operational overhead by 80% on access management.
Key Takeaways
- Role-based access from SSO, no server agents.
- Declarative Terraform config for 100+ resources.
- Full session recording and command-level auditing.
- Self-hosted, license-free, Kubernetes-ready.
- Proxy for SSH/HTTPS/DB/K8s with non-interactive support.
— Editorial Team
No comments yet.