This feature allows your users to spin up a fresh target, access the target, and then tear down the target once they are done accessing it. This way, you can encourage users to use ephemeral targets to access certain resources in your network, and then spin down those resources once they've been "polluted" by a user access. (For instance, you might require that any hands-on-keyboard database migration be performed from a fresh target container that is then killed once the migration is complete.)
The feature uses an API integration, where BastionZero (as client) requests that you (as server) (1) spin up a fresh container and (2) tear it down. That way BastionZero can drop your users into a fresh container, let them do their stuff in there, and then the container gets killed when they are done. This architecture also allows for dynamic targets without requiring BastionZero to have privileged access or special roles in your cloud.
Details on the API, including a Python Flask reference implementation of the server you could operate in your cloud, are available here: https://github.com/cwcrypto/
Here is how an admin can configure a dynamic access target:
As shown above, each dynamic access target must be placed in an environment. The environment determines what policies apply to the target, and therefore, which users can access the target. There are also three webhooks, which allow BastionZero to request that you spin up ("start") a new instance, spin it down ("stop"), and check its health. The Base64 shared secret allows BastionZero to connect to your API. The full API specification is here.
To connect to a dynamic access target, a user simply uses the usual flow for connecting to a target, as shown below.
Once this connection is made, BastionZero will call the "start" webhook and request that a fresh target be spun up. The user will then open a connection to that fresh target. She may open multiple connections to that target from BastionZero. Once she closes her last connection to that target, BastionZero will call the "stop" webhook and that target will be spun down.
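A sketch of the server side of the three webhooks described above, as an added example rather than BastionZero's reference implementation or API specification. The action names follow the start, stop and health webhooks; the `target_id` field, the response shapes, the `TargetPool` stand-in for your container runtime, and the way the secret is presented are assumptions made here.

```python
import base64
import hmac
import uuid

# Constructed sample value; the real one is the Base64 shared secret
# configured for the dynamic access target.
SHARED_SECRET_B64 = base64.b64encode(b"constructed-sample-secret").decode()


class TargetPool:
    """In-memory stand-in for the code that starts and kills containers."""

    def __init__(self):
        self.running = set()

    def start(self):
        target_id = str(uuid.uuid4())  # fresh target per request, never reused
        self.running.add(target_id)
        return target_id

    def stop(self, target_id):
        # Only targets this server started can be torn down.
        known = target_id in self.running
        self.running.discard(target_id)
        return known


def authorized(presented_b64):
    """Constant-time check of the presented secret; malformed Base64 fails."""
    try:
        presented = base64.b64decode(presented_b64 or "", validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(presented, base64.b64decode(SHARED_SECRET_B64))


def handle(pool, action, presented_b64, body):
    """Dispatch one webhook call; returns (HTTP status, response dict)."""
    if not authorized(presented_b64):
        return 401, {"error": "unauthorized"}
    if action == "start":
        return 200, {"target_id": pool.start()}
    target_id = body.get("target_id")
    if action == "stop":
        # Idempotent: a repeated stop succeeds without touching anything else.
        return 200, {"stopped": pool.stop(target_id)}
    if action == "health":
        alive = target_id in pool.running
        return (200 if alive else 404), {"healthy": alive}
    return 404, {"error": "unknown action"}
```

Because "stop" only acts on identifiers the pool itself issued, a mistaken or replayed request cannot tear down anything other than a dynamic target this server created.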