Skip to main content

Overview

Connections define the target systems your workflows interact with — SSH servers, Kubernetes clusters, Slack workspaces, Jira projects, databases, and more. EasyAlert splits connection data into two parts for security: configuration (host, port, namespace) lives in the SaaS, while credentials (passwords, API tokens, private keys) stay encrypted on the agent.

13 Connection Types

SSH, HTTP, Kubernetes, Slack, Jira, Email, Teams, Database, WinRM, Script, OS, Notification, and Custom

Secure Credential Vault

Credentials encrypted with AES-256-GCM, stored only on the agent — never in the SaaS database

Test Connectivity

One-click connectivity tests that verify both network access and authentication

Guided Setup

Step-by-step creation wizard with type-specific configuration forms

How Connections Work

┌─────────────────────────────────────┐
│           SaaS (EasyAlert)          │
│                                     │
│  Connection Config:                 │
│  • name, type                       │
│  • host, port, namespace            │
│  • auth method, SSL settings        │
│  (NO secrets)                       │
└──────────────┬──────────────────────┘
               │ Job dispatched with
               │ connection config

┌─────────────────────────────────────┐
│       Agent (Your Infrastructure)   │
│                                     │
│  Encrypted Vault:                   │
│  • passwords, API tokens            │
│  • SSH private keys                 │
│  • service account credentials      │
│                                     │
│  Agent combines config + credentials│
│  and executes the action            │
└─────────────────────────────────────┘
This split architecture means that even if the SaaS database were compromised, your credentials remain safe — they only exist in the agent’s encrypted vault on your infrastructure.

Creating a Connection

1

Choose Connection Type

Go to Automation > Connections and click Create Connection. Select the connection type (SSH, Kubernetes, Slack, etc.) from the dropdown.
2

Configure Settings

Fill in the type-specific configuration fields — hostname, port, namespace, authentication method, etc. These settings are stored in the SaaS.
3

Select Agent

Choose which agent (or agent pool) will execute actions using this connection. The agent must be able to reach the target system on the network.
4

Deliver Credentials

Enter the credentials (password, API token, SSH key, etc.) and click Deliver. The credentials are encrypted and sent to the agent’s local vault — they are never stored in the SaaS.
After creating a connection, click Test to verify connectivity. The test runs on the assigned agent and checks both network access and authentication.

Connection Types

Connect to Linux/Unix servers for remote command execution and script deployment.
ParameterDescriptionExample
HostHostname or IP addressweb-01.prod.internal
PortSSH port22
UsernameSSH usernamedeploy
Auth Methodpassword or privateKeyprivateKey
Credentials: Password or SSH private key (delivered to agent vault)Available Actions: ssh.executeCommand, ssh.executeScript
Connect to any HTTP/HTTPS API endpoint for making web requests.
ParameterDescriptionExample
Base URLAPI base URLhttps://api.example.com
Auth Typenone, basic, bearer, or apiKeybearer
TimeoutRequest timeout in seconds30
Verify SSLValidate SSL certificatetrue
Credentials: API token, username/password, or API key (depending on auth type)Available Actions: http.request
By default, HTTP connections block requests to private IP ranges (10.x, 172.16.x, 192.168.x) to prevent SSRF attacks. Set ALLOW_PRIVATE_NETWORK=true on the agent to allow private network access.
Connect to Kubernetes clusters for deployment management, pod operations, and log retrieval.
ParameterDescriptionExample
Contextkubectl context nameprod-eu-west
NamespaceDefault namespacedefault
Kubeconfig PathPath to kubeconfig on the agent/home/deploy/.kube/config
Credentials: Kubeconfig file or service account token (delivered to agent vault)Available Actions: kubernetes.restartDeployment, kubernetes.scaleDeployment, kubernetes.deletePod, kubernetes.rollbackDeployment, kubernetes.getLogs
Connect to Slack workspaces for sending messages and reactions.
ParameterDescriptionExample
Default ChannelChannel ID for messagesC01234ABCDE
Credentials: Bot token (xoxb-...) delivered to agent vaultAvailable Actions: slack.sendMessage, slack.updateMessage, slack.addReaction
Use the Slack channel ID (starts with C), not the channel name. You can find it in Slack by right-clicking a channel and selecting “View channel details”.
Connect to Jira for creating issues, updating tickets, and managing workflows.
ParameterDescriptionExample
Server URLJira instance URLhttps://mycompany.atlassian.net
EmailJira account emaildeploy@company.com
Credentials: API token delivered to agent vaultAvailable Actions: jira.createIssue, jira.updateIssue, jira.addComment, jira.transitionIssue
Connect to SMTP servers for sending email notifications.
ParameterDescriptionExample
SMTP HostMail server hostnamesmtp.gmail.com
SMTP PortMail server port587
Use TLSEnable TLS encryptiontrue
From AddressSender email addressalerts@company.com
Credentials: SMTP password delivered to agent vaultAvailable Actions: email.sendEmail
Connect to Microsoft Teams for sending messages and adaptive cards.
ParameterDescriptionExample
Webhook URLIncoming webhook URLhttps://outlook.office.com/webhook/...
Credentials: Webhook URL contains the authentication tokenAvailable Actions: teams.sendMessage, teams.sendAdaptiveCard
Connect to SQL databases for running queries.
ParameterDescriptionExample
HostDatabase hostnamedb.prod.internal
PortDatabase port5432
DatabaseDatabase nameproduction
DriverDatabase driverpostgresql
Credentials: Username and password delivered to agent vaultAvailable Actions: database.executeQuery
Connect to Windows servers for remote PowerShell execution.
ParameterDescriptionExample
HostWindows server hostnamewin-server-01.internal
PortWinRM port5985 (HTTP) or 5986 (HTTPS)
Use SSLEnable HTTPS transporttrue
Auth MethodAuthentication methodntlm
Credentials: Username and password delivered to agent vaultAvailable Actions: winrm.executeCommand, winrm.executeScript
Execute local scripts on the agent without a remote connection.No connection-level configuration required — scripts run directly on the agent host.Available Actions: script.bash, script.powershell, script.python
Manage operating system services on the agent host.No connection-level configuration required — service commands run locally.Available Actions: os.restartService, os.stopService, os.startService, os.restartOS
Send notifications via EasyAlert’s built-in notification channels (email, SMS, webhook).No agent credentials required — notifications are routed through the SaaS.Available Actions: notification.sendNotification
For connection types not covered by the built-in types. Store arbitrary key-value configuration.
ParameterDescription
Custom fieldsAny key-value pairs needed by your workflow
Credentials: Any secrets needed, delivered to agent vault

Credential Security

Credentials follow a strict security model: 
Agent API Key

PBKDF2-HMAC-SHA256 (600,000 iterations, random 16-byte salt)

AES-256 Encryption Key

AES-256-GCM encrypts each credential with a unique 12-byte nonce

Stored in vault.json (0600 permissions)
Key principles:
PrincipleDetail
Credentials never in SaaSOnly connection config (host, port) stored server-side
AES-256-GCM encryptionIndustry-standard authenticated encryption
Key tied to API keyEncryption key derived from agent’s API key via PBKDF2
Per-credential nonceEach credential gets a unique 12-byte random nonce
File permissionsVault file restricted to 0600 (owner read/write only)
If you rotate an agent’s API key, the vault encryption key changes. All existing credentials become unreadable and must be re-delivered. Always back up and plan for credential re-delivery before rotating keys.

Testing Connections

After creating a connection, click the Test button to verify it works. The test dispatches a lightweight job to the assigned agent that verifies:
Connection TypeWhat the Test Checks
SSHTCP connection + SSH handshake + authentication
HTTPHTTP request to base URL + auth validation
Kuberneteskubectl cluster-info with configured context
Slackauth.test API call to validate bot token
JiraGET /myself to validate credentials
EmailSMTP connection + STARTTLS + authentication
DatabaseConnection + simple query (SELECT 1)
Test results include latency, timestamp, and any error messages.

Managing Connections

Edit Configuration

Update connection settings (host, port, namespace, etc.) from the connection detail page. Configuration changes take effect on the next job dispatch — no agent restart required.

Re-deliver Credentials

If credentials change (e.g., rotated password, new API token), re-deliver them from Connections > [Connection] > Deliver Credentials. The old credentials are overwritten in the agent’s vault.

Enable / Disable

Disabled connections are not available for selection in workflow actions. Existing workflows using a disabled connection will fail at execution time.

Delete

Deleting a connection removes it from the SaaS and marks the credential for deletion in the agent’s vault on the next sync.

Best Practices

Create dedicated service accounts with minimal permissions for each connection. This limits blast radius if a credential is compromised and ensures workflows don’t break when someone changes their personal password.
Always test a connection after creating it or updating credentials. A test takes seconds and catches configuration errors before they cause workflow failures at 3 AM.
Don’t reuse a single SSH connection for multiple servers. Create separate connections for each target system so you can manage credentials independently and track connectivity per system.
Name connections by their target and purpose: prod-web-01-ssh, staging-k8s-cluster, slack-incidents-channel. This makes it obvious which connection to select when building workflows.
Credentials expire. Set calendar reminders to rotate service account passwords and API tokens. After rotation, re-deliver credentials and test the connection.

Troubleshooting

Cause: Agent cannot reach the target system on the network.Steps:
  1. Verify the agent can reach the target host: ping <host> or curl <host>:<port> from the agent machine
  2. Check firewall rules between the agent and the target
  3. Verify the hostname resolves correctly from the agent’s network
  4. Check if a VPN or proxy is required
Cause: Credentials in the vault don’t match the target system.Steps:
  1. Re-deliver credentials from the connection settings
  2. Verify the username/email is correct in the connection config
  3. Check if the service account is locked or expired on the target system
  4. For SSH, verify the key format is correct (PEM, not PPK)
Cause: Credentials haven’t been delivered to the agent yet.Steps:
  1. Click Deliver Credentials on the connection detail page
  2. Verify the assigned agent is online (check agent health)
  3. Check agent logs for vault write errors
Cause: The workflow action may use different parameters than the test.Steps:
  1. Check the action parameters in the workflow designer — are template variables resolving correctly?
  2. Verify the action timeout is long enough for the operation
  3. Check the execution detail page for the exact error message
  4. Run the same command manually on the agent to reproduce