How to tunnel to RDS without needing ec2 keypair

Goals
  • Don't require using the ec2 keypair (ec2-user)
  • Securely connect to your RDS database using a desktop client

Solution
  • Install and run the "socat" tool on one of your application's ec2 hosts
  • Use SSM to forward the socat port to your local machine
  • Run your desktop client and connect to your RDS database

Details
    a. Setting up socat on ec2
  • Open a shell on your app's ec2 instance via SSM:

    AWS_PROFILE=<saml-profile> aws ssm start-session --target i-015b2a998123dsdsa4

  • Test that connectivity (SG ingress) from your ec2 server to the database is correct, using the release DNS record for your RDS database (release your builds!):

    curl -v telnet://<app-host>:1521

  • Use socat to open a port up on i-015b2a998123dsdsa4 that relays to the database port:

    sudo yum install -y socat
    sudo nohup socat tcp-l:9521,fork,reuseaddr tcp:<app-host>:1521 &

    # Note: tcp-l listens on every interface of the instance. SSM port forwarding connects
    # to the instance's own loopback, so tcp-l:9521,bind=127.0.0.1,fork,reuseaddr is enough
    # and keeps the unauthenticated relay off the network.

  • Tunnel using socat + SSM port forward (run this on your local machine):

    AWS_PROFILE=<saml-profile> aws ssm start-session --target i-015b2a998123dsdsa4 \
      --document-name AWS-StartPortForwardingSession \
      --parameters '{"portNumber":["9521"],"localPortNumber":["9521"]}'
    b. Get your credentials from AWS Secrets Manager (using your app ec2):

    aws secretsmanager get-secret-value --region ap-southeast-1 --secret-id <secret-name> | jq -r .SecretString | jq
    {
      "password": "samplepwd",
      "dbname": "demo-db",
      "engine": "oracle",
      "port": 1521,
      "host": "<db-host>",
      "username": "root"
    }
    c. Test using SQL Developer: point it at the forwarded local port (localhost:9521) rather than the RDS host, using the username, password and dbname from the secret.

    Note: In your terminal, you'll see a few log lines when you open/connect to your forwarded port:

    Starting session with SessionId: botocore-session-1579056167-0c76865253a1232e
    Port 9521 opened for sessionId botocore-session-1579056167-0c76865253a1232e.
    Connection accepted for session botocore-session-1579056167-0c76865253a1232e.

    And there you go. You can now see the data in SQL Developer!
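The client settings for step c differ from what the secret says: the host and port in the secret are the RDS endpoint, but through the tunnel the client dials the local forwarded port. As an added example that is not from the original post, this Python helper rewrites the step b secret for the tunnel and checks whether the local forwarded port is listening yet. The sample secret and RDS hostname are constructed placeholders, and `tunnel_connection` and `tunnel_is_up` are names chosen here.

```python
import json
import socket

# Local end of the SSM port-forward: the localPortNumber given to
# AWS-StartPortForwardingSession in step a.
LOCAL_TUNNEL_HOST = "127.0.0.1"
LOCAL_TUNNEL_PORT = 9521

# Constructed sample with the same shape as the step b output; not a real secret.
SAMPLE_SECRET_STRING = json.dumps({
    "password": "samplepwd",
    "dbname": "demo-db",
    "engine": "oracle",
    "port": 1521,
    "host": "demo-db.placeholder.ap-southeast-1.rds.amazonaws.com",
    "username": "root",
})


def tunnel_connection(secret_string, local_host=LOCAL_TUNNEL_HOST,
                      local_port=LOCAL_TUNNEL_PORT):
    """Rewrite the secret's connection details for use through the tunnel:
    host/port in the secret are the RDS endpoint (VPC-only), so the client dials
    the local forwarded port instead; username, password and dbname are unchanged."""
    secret = json.loads(secret_string)
    missing = {"username", "password", "dbname", "host", "port"} - set(secret)
    if missing:
        raise ValueError(f"secret is missing fields: {sorted(missing)}")
    return {
        "username": secret["username"],
        "password": secret["password"],
        "host": local_host,
        "port": local_port,
        "service_name": secret["dbname"],
        # EZConnect form accepted by SQL Developer and sqlplus
        "ezconnect": f"{local_host}:{local_port}/{secret['dbname']}",
    }


def tunnel_is_up(host=LOCAL_TUNNEL_HOST, port=LOCAL_TUNNEL_PORT, timeout=2.0):
    """True if the local forwarded port accepts a TCP connection; that connect
    is what prints 'Connection accepted for session ...' in the SSM terminal."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `tunnel_is_up()` before opening SQL Developer: False means the `aws ssm start-session` port forward is not running yet, not that the credentials are wrong.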
