![]() ![]() ![]() I am given the following instructions (I changed all the names and ports in the below)Īdd the following to your SSH config (~/.ssh/config): Host prod I am trying to establish a connection to a postgres DB with SSH tunnel. Please share any feedback, positive or negative, about this approach.I am new to pgAdmin and to SSH tunnels. Without the pem file, I face: Permission denied (publickey,gssapi-keyex,gssapi-with-mic). pem file is still required, but if anyone has information as to whether that is not actually required, or another way to obscure this. This command creates an SSH tunnel from localhost:5000 on my laptop to the redis instance. I could then setup my first tunnel to redis. Prox圜ommand sh -c "aws ssm start-session -target %h -document-name AWS-StartSSHSession -parameters 'portNumber=%p'" I'm not entirely sure why this step is needed, but if someone has any clarification please add. ssh-public-key file://$HOME/.ssh/id_rsa.pub This guide helped me complete the remaining steps that included adding a public key to the ec2 instance using the following command: I was able to start a session to the EC2 instance in the private subnet by running:Īws ssm start-session -target i-xxxxxxxxxxxxxxxxx I configured aws credentials for the IAM user that I had created in step 4 (just run aws configure in the console) and you will be prompted to enter various values. I installed the SSM plugin for macosx (again my local machine) ( ) I installed the awscli package using pip3 for Python on my local machine I could not get AWS ssm console commands to work from my local machine without attaching policies AmazonSSMFullAccess and EC2InstanceConnect (can someone confirm if these are actually required?) to the IAM user that I created. Although I am using the root account for this "sandbox" account, I don't think it is possible to get API keys for the root user, so that is why I created a secondary account. I created an IAM user with programatic access only. ![]() Unsure if these components are super critical, but if anyone has input please share. Even following the above guide which provides kms encryption and logging, I did not see any logging being submitted to cloudwatch or s3. The role contains a policy called: AmazonSSMManagedInstanceCore, although the guide that I was reading explains to make your own IAM policy ( ), it's a bit fuzzy to me as I am not that experienced with IAM and I wasn't entirely sure how to set it up, although I do believe I created the policy correctly and attached it to the role which I attached to the EC2 instance. I created an IAM role which I assigned to the EC2 instance. I did not enable public access on the instance. I launched 1 EC2 instance using the Amazon Linux 2 AMI into the private subnet. I launched 1 redis instance into the private subnet I used the VPC Launch Wizard to launch a VPC with 1 public and 1 private subnet into (us-east-1c) The setup: first I'll go over the various steps that I took in this approach. Please let me know if you have a better solution, or a way to improve my approach. I'll list the steps that I took, but it does seem a bit cumbersome to run these steps each time I want to setup a tunnel to the services in the private subnet, where as some vpn services seem to integrate fairly easily without the added hassle. I can download temporary AWS CLI credentials, issue aws ssm console commands, and setup tunneling for the various services which reside behind the private subnet. The SSM approach seems to work nice for my sandbox environment, which is currently 1 VPC with 1 public and 1 private subnet in only 1 availability zone. Why did I go with the SSM approach over OpenVPN, Bastion host in the public subnet, or something else? 1) I don't have till the end of time to finish building my MVP, and 2) I read from various sources that placing a bastion host into a public subnet can lead to some vulnerabilities from a security perspective. Why exactly do I need to access my private subnet resources? I want to be able to test the RDS database, redis, and private API Gateway for an application that I am building. Hopefully this helps someone else since I spent hours trying to figure out how to connect from my local machine (macosx) over SSH to an ec2 instance in the private subnet which acts as a tunnel to other resources like redis, rds. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |