How to tunnel to RDS without needing ec2 keypair

Goals

  • Don’t require using ec2 keypair (ec2-user)
  • Securely connect to your RDS database using a desktop client

Solution

  • Install and run the “socat” tool on one of your application’s ec2 hosts
  • Use SSM to forward the socat port to your local machine
  • Run your desktop client and connect to your RDS database

Details

a. Setting up socat on ec2

  • Open a shell on the app's ec2 via SSM (this is what removes the need for the ec2 keypair)
AWS_PROFILE=<saml-profile> aws ssm start-session --target i-015b2a998123dsdsa4
  • Test that connectivity (SG ingress) from your ec2 server to the database is correct

  • Use the release DNS record for your RDS database (release your builds!)

# <app-host> below is the DNS record of your RDS database; a successful TCP connect on 1521 shows the SG ingress is right
curl -v telnet://<app-host>:1521

# Use socat to open a port up on i-015b2a998123dsdsa4

sudo yum install -y socat
sudo nohup socat tcp-l:9521,fork,reuseaddr tcp:<app-host>:1521 &

# Tunnel using socat + ssm port forward (run from your local machine)

AWS_PROFILE=<saml-profile> aws ssm start-session --target i-015b2a998123dsdsa4 \
  --document-name AWS-StartPortForwardingSession \
  --parameters '{"portNumber":["9521"],"localPortNumber":["9521"]}'
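As an added example (not from the original post), here is a small POSIX shell helper that composes the socat relay and the SSM port forward from the steps above, with the relay bound to loopback on the ec2 host and given a time limit instead of running forever under nohup. It assumes coreutils `timeout` on the instance; `<db-host>`, `<saml-profile>` and the instance id are placeholders you fill in.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Composes the socat relay and the
# SSM port-forward from the steps above, with two hardening changes: the relay
# binds to 127.0.0.1 on the ec2 host (SSM port forwarding connects to localhost
# on the target, so nothing else in the VPC can use the host as a DB relay) and
# it exits after a TTL instead of running forever under nohup. Assumes coreutils
# `timeout` on the instance; <saml-profile>, <db-host> and the instance id are
# placeholders you fill in.

# Accept only TCP ports 1..65535; return 1 for anything else.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the socat command to run ON the ec2 host (paste it into the SSM shell):
#   socat_relay_cmd <listen-port> <db-host> <db-port> [ttl-seconds]
socat_relay_cmd() {
    listen_port=$1 db_host=$2 db_port=$3 ttl=${4:-3600}
    validate_port "$listen_port" && validate_port "$db_port" || return 1
    printf 'timeout %s socat TCP-LISTEN:%s,bind=127.0.0.1,fork,reuseaddr TCP:%s:%s' \
        "$ttl" "$listen_port" "$db_host" "$db_port"
}

# Print the --parameters JSON for AWS-StartPortForwardingSession:
#   ssm_port_forward_params <remote-port> <local-port>
ssm_port_forward_params() {
    validate_port "$1" && validate_port "$2" || return 1
    printf '{"portNumber":["%s"],"localPortNumber":["%s"]}' "$1" "$2"
}

# Run from your workstation (needs the AWS CLI and the Session Manager plugin):
#   start_tunnel <saml-profile> <instance-id> <remote-port> <local-port>
start_tunnel() {
    params=$(ssm_port_forward_params "$3" "$4") || return 1
    AWS_PROFILE="$1" aws ssm start-session --target "$2" \
        --document-name AWS-StartPortForwardingSession \
        --parameters "$params"
}

# Example: relay 9521 -> <db-host>:1521 on the host, then forward 9521 locally.
# socat_relay_cmd 9521 "<db-host>" 1521 3600   # run the printed command on the ec2
# start_tunnel "<saml-profile>" i-015b2a998123dsdsa4 9521 9521
```

Because the relay only listens on 127.0.0.1, the only way to reach the database through it is an SSM session on that instance, which is logged and IAM-controlled.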

b. Get your credentials from AWS Secrets Manager (using your app ec2):

aws secretsmanager get-secret-value --region ap-southeast-1 --secret-id <secret-name> | jq -r .SecretString | jq
{
"password": "samplepwd",
"dbname": "demo-db",
"engine": "oracle",
"port": 1521,
"host": <db-host>,
"username": "root"
}

c. Test using SQL Developer.

Note: In your terminal, you’ll see a few log lines when you open/connect to your forwarded port:

Starting session with SessionId: botocore-session-1579056167-0c76865253a1232e
Port 9521 opened for sessionId botocore-session-1579056167-0c76865253a1232e.
Connection accepted for session botocore-session-1579056167-0c76865253a1232e.

And there you go. You can now see the data in SQL Developer!
