Hi, i am starting to use ory kratos. and I saw the...
# ory-selfhosting
n
Hi, I am starting to use Ory Kratos, and I saw the danger pop-up on this page https://www.ory.sh/docs/kratos/install. I was wondering what is exposed, because it is not clear to me from this alert. Can someone explain?
d
Open source Kratos has nothing built in to protect the admin APIs from unauthorised access. You need to either make sure the admin APIs (port 4434) are not accessible from the internet, or place some kind of proxy in front of them that performs authorisation.
E.g. we host Kratos on ECS and have routing set up so the admin API is accessible to our backend services in our VPC, but cannot be accessed from outside the network, such as from the internet.
The frontend API is expected to be accessible from the internet, because clients use it directly to perform self-service flows.
n
Thanks for the clarification.
q
Hi @dazzling-napkin-4938, would it be possible to share how you configured it on ECS without exposing sensitive information? I am also going for the ECS approach, so it would be nice to see how you did it.
d
Yeah, so when you run Kratos's Docker image on ECS, you have two ports listening for requests: 4433 is the public frontend API, and 4434 is the admin API that needs to be private. Assuming you have your ECS instances running in a VPC with reasonable security group settings, these APIs will be inaccessible by default. We use Service Connect to allow other services running on ECS (e.g. our REST API) to connect to the Kratos admin API without having to expose it outside the cluster. We then use an Application Load Balancer to make the frontend API available publicly.
We use aws-cdk for our setup; I can probably share some snippets if it's useful.
q
I'm using Terraform to deploy my resources. But do you also use an internal load balancer for your services that need to reach these endpoints?
Or only a public-facing load balancer?
d
If you're using Service Connect on ECS, it does its own load balancing using a round-robin approach, so you don't need to set up your own Application Load Balancer for internal services: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html
q
Interesting! Thanks for the information.
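The network boundary described in the thread, written out as an added Terraform example (this is not code from the thread, from Ory, or from AWS; it is added here for illustration, and Terraform is used because that is what the asker deploys with). The ports are Kratos's defaults named above: 4433 for the public API, 4434 for the admin API. The variable `vpc_id` and the security group names `alb`, `backend` and `kratos` are assumptions. The point it demonstrates is that the Kratos task's security group has no CIDR-based ingress at all: 4433 admits only the internet-facing ALB's security group, and 4434 admits only the backend services' security group, so nothing on the internet has a path to the admin API.

```hcl
# Added example, not the thread's or Ory's own code. Names are assumptions;
# ports are Kratos defaults (4433 public, 4434 admin).

variable "vpc_id" {
  type = string
}

# Internet-facing ALB: the only thing that accepts traffic from anywhere.
resource "aws_security_group" "alb" {
  name   = "kratos-alb"
  vpc_id = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "alb_https" {
  security_group_id = aws_security_group.alb.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_ipv4         = "0.0.0.0/0"
}

resource "aws_vpc_security_group_egress_rule" "alb_all" {
  security_group_id = aws_security_group.alb.id
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}

# Backend services (e.g. your REST API tasks) that are allowed to call the admin API.
resource "aws_security_group" "backend" {
  name   = "backend-services"
  vpc_id = var.vpc_id
}

resource "aws_vpc_security_group_egress_rule" "backend_all" {
  security_group_id = aws_security_group.backend.id
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}

# Kratos tasks: deliberately no cidr_ipv4 ingress rules, only security-group references.
resource "aws_security_group" "kratos" {
  name   = "kratos"
  vpc_id = var.vpc_id
}

# Public API (4433): reachable only from the ALB.
resource "aws_vpc_security_group_ingress_rule" "kratos_public_from_alb" {
  security_group_id            = aws_security_group.kratos.id
  ip_protocol                  = "tcp"
  from_port                    = 4433
  to_port                      = 4433
  referenced_security_group_id = aws_security_group.alb.id
}

# Admin API (4434): reachable only from backend services. There is no rule
# referencing the ALB and no CIDR rule, so the internet has no path to it.
resource "aws_vpc_security_group_ingress_rule" "kratos_admin_from_backend" {
  security_group_id            = aws_security_group.kratos.id
  ip_protocol                  = "tcp"
  from_port                    = 4434
  to_port                      = 4434
  referenced_security_group_id = aws_security_group.backend.id
}

# Kratos needs outbound access (its database, SMTP, etc.).
resource "aws_vpc_security_group_egress_rule" "kratos_all" {
  security_group_id = aws_security_group.kratos.id
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}
```

Two things to check alongside this: the ALB's target group must forward to container port 4433 only, and no internet-facing target group or listener may ever be pointed at 4434. Once deployed, confirm from a host outside the VPC that a TCP connection to the public hostname on 4433 goes through the ALB as expected while 4434 does not connect at all. Note also the caveat from the answer above: Service Connect gives backend services a route to the admin API but performs no authorisation itself, so every service that can reach 4434 is fully trusted with the admin API; if that is too broad, the proxy-with-authorisation approach mentioned above is the way to narrow it.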