DigitalOcean is loved by many, myself included, for its simplicity, cost-effectiveness, and ease of use. It's my go-to platform for personal projects and even smaller work-related tasks. However, as much as I enjoy using DigitalOcean, it does have its limitations, particularly in areas like granular access control and security features integrated with Single Sign-On (SSO) systems—capabilities typically found in larger cloud providers like AWS and Google Cloud. In this blog post, we'll explore how to add IAM and SSO-like access capabilities to DigitalOcean without the complexity or high costs of AWS, all using Border0.
The Challenge
While DigitalOcean excels in user-friendliness and affordability, it doesn't provide the robust Identity and Access Management (IAM) and security controls found in larger cloud providers like AWS and Google Cloud. There’s no built-in IAM, making it challenging to control access to Droplets (SSH), databases, or Kubernetes clusters using your single sign-on (SSO) identity. This often forces users to expose services more broadly than desired, which increases risk, especially for security-sensitive production environments.
The Solution
With Border0, you can elevate your DigitalOcean workloads to meet the security and access management standards typically associated with platforms like AWS or GCP. Border0 provides the tools to control access to your DigitalOcean resources—whether it's SSH access to Droplets, database connections, or access to your Kubernetes cluster using your SSO credentials. Even if your resources live in a private DigitalOcean VPC, you can securely access them without the need for a VPN.
Demo time!
Sounds too good to be true? The best part is, it’s incredibly easy to set up and use. In the video below, we'll walk through an example.
Setup in Minutes: In the video above we installed the Border0 connector from the DigitalOcean Marketplace as a 1-click Droplet, which, as you'll see, takes about a minute: the time it takes for the Droplet VM to boot and for you to click the Border0 login link.
Once the connector is deployed, we can begin securing access to a Droplet (SSH), a MySQL database, and a Kubernetes cluster. These resources are all deployed in a private VPC, ensuring they are shielded from the public internet. Despite this lack of direct Internet connectivity, you can still access them easily using your SSO identity and without the need to configure a complex VPN.
SSH Access Example: In the video, you’ll see how we access a DigitalOcean Droplet VM deployed in a private VPC. Notice that there's no need for a VPN connection, and I'm logging in using my existing SSO account. This approach is not only convenient but also secure, as all access is tied to my identity—whether that’s a Gmail, GitHub, Azure, or even a corporate Okta account.
Fine-Grained SSH Control: Beyond this basic setup, Border0 enables us to enforce detailed SSH-specific access policies. For example, you can configure policies to allow SSH access only as the ubuntu user while disallowing SFTP and TCP port forwarding. This ensures that access is restricted to only what’s necessary, minimizing the potential attack surface.
Database Access Example: In the next part of the demo, you can see an example of database access. The video demonstrates how a user can securely access a DigitalOcean-managed MySQL database using their SSO credentials. This database is hosted within the same private VPC, ensuring it remains isolated from the internet while still allowing seamless access—as if it were right under our desk. Yay, no more wide-open databases!
An added bonus with Border0 is that any database becomes accessible through our web-based database client. This WebAssembly-based client runs entirely in your browser, allowing you to access your databases from anywhere, on any device, without needing to install additional software. All you need is your SSO account.
Identity-Based Database Policies: Similar to SSH, Border0 enables fine-grained access control for databases based on identity, network location, time of day and more. You can specify who can access specific database schemas and define the types of queries they are allowed to execute. Essentially, Border0 provides you with an SSO-based database firewall and VPN, complete with full query recording for added security.
Kubernetes Access Example: Finally, the video demo illustrates how you can connect to your DigitalOcean Kubernetes cluster using kubectl. Despite the Kubernetes API being isolated from the internet, Border0 makes it feel as though it’s right under your desk, providing secure and easy access with your SSO credentials.
As with the previous examples, you can create policies that specify who has access to which Kubernetes namespaces and define the actions they are allowed to perform. For instance, you can control who has permission to use kubectl exec.
Additionally, you’ll have access to complete session logs, enabling you to see exactly what Kubernetes actions were performed on which resources by whom, and for kubectl exec, you'll even have a session recording.
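To make the three policy examples above (SSH login user with SFTP and port forwarding disallowed, database schema and statement type, Kubernetes namespace and verb) concrete, here is an added illustration of a default-deny, identity-scoped policy evaluator. It is a hypothetical model written for this post, not Border0's policy format or API; the identities, schemas and namespaces are constructed sample values.

```python
# Added example: a default-deny policy evaluator modelling the kind of
# identity-based rules described above (SSH login user, SFTP/port forwarding,
# database schema + SQL statement type, Kubernetes namespace + verb).
# Hypothetical illustration only; not Border0's own policy format or API.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    identities: frozenset  # SSO identities the rule applies to
    service: str           # "ssh", "mysql" or "k8s"
    targets: frozenset     # ssh: login users; mysql: schemas; k8s: namespaces
    actions: frozenset     # ssh: shell/sftp/tcp-forward; mysql: statement types; k8s: verbs


def sql_statement_type(query: str) -> str:
    """Classify a SQL statement by its leading keyword (SELECT, INSERT, DROP, ...)."""
    words = query.strip().split()
    return words[0].upper() if words else ""


def evaluate(rules, identity, service, target, action):
    """Return (allowed, reason). Anything not explicitly allowed is denied,
    and the reason string is what you would write to the session log."""
    if service == "mysql":
        action = sql_statement_type(action)  # caller passes the raw query text
    for r in rules:
        if (identity in r.identities and service == r.service
                and target in r.targets and action in r.actions):
            return True, f"allowed: {identity} may {action} on {service}:{target}"
    return False, f"denied: no rule permits {identity} to {action} on {service}:{target}"


# Constructed sample policy mirroring the post's three examples.
POLICY = [
    # SSH: only as the 'ubuntu' user; sftp and tcp-forward are not listed, so denied.
    Rule(frozenset({"alice@example.com"}), "ssh", frozenset({"ubuntu"}), frozenset({"shell"})),
    # MySQL: alice may only run SELECT against the 'orders' schema.
    Rule(frozenset({"alice@example.com"}), "mysql", frozenset({"orders"}), frozenset({"SELECT"})),
    # Kubernetes: alice may read in 'dev'; only bob may kubectl exec there.
    Rule(frozenset({"alice@example.com"}), "k8s", frozenset({"dev"}), frozenset({"get", "list"})),
    Rule(frozenset({"bob@example.com"}), "k8s", frozenset({"dev"}), frozenset({"exec"})),
]

if __name__ == "__main__":
    for args in [("alice@example.com", "ssh", "ubuntu", "shell"),
                 ("alice@example.com", "ssh", "ubuntu", "tcp-forward"),
                 ("alice@example.com", "mysql", "orders", "DROP TABLE customers"),
                 ("alice@example.com", "k8s", "dev", "exec")]:
        print(args, evaluate(POLICY, *args))
```

The evaluator returns the decision together with a human-readable reason, so every allow and deny can be recorded alongside the session logs the post mentions.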
Wrap Up
With Border0, you get the best of both worlds: the simplicity and user-friendliness of DigitalOcean combined with enterprise-grade security and access management features. In just a few minutes, and with the ease of a 1-click Droplet deployment, you can secure your entire DigitalOcean environment using your existing SSO credentials. No need for complex VPNs or advanced configurations—just secure, streamlined access to your Droplets, databases, and Kubernetes clusters.
Whether you’re managing Droplets, databases, or Kubernetes clusters, Border0 makes it effortless to use your SSO credentials, such as your Gmail or GitHub account, for secure access. You retain the simplicity and ease of use that makes DigitalOcean so popular, while gaining the advanced security controls typically found in more complex cloud environments like AWS or GCP.
You don’t need to be a security expert—Border0 and DigitalOcean together make it easy and pleasant to secure and manage your cloud infrastructure. Ready to enhance your DigitalOcean experience with Border0? Get started today for free and enjoy the best of both worlds: simplicity and security.