Add feature to forward to remote port, i.e. having the SSM agent connect to a remote host/IP rather than localhost. This would allow ssm session manager to use an instance as a TCP proxy to reach other instances or endpoints in the VPC, akin to ssh -R local_port:remote_ip:remote_port.
Forward to local port was added in fb514243, and it seems it would be fairly straight forward to add forwarding to remote port, too, using the same approach?
@sveniu Would/Could ssh over ssm using ProxyCommand accomplish this?
Good point, seems like it would indeed.
@sveniu let me know if that doesn't work for you and i can brainstorm some options. It seems like you are making a bastion host with SSM correct?
I am interested in this feature as well. Would be useful for forwarding ports to RDS instances.
+1 for me as well, to forward to RDS instances. ProxyCommand works, but still requires a valid user/keypair for the tunneled ssh -L. Ideally I would like to control access via IAM and not have to distribute keypairs.
First, I agree that this feature would be awesome.
ProxyCommand works, but still requires a valid user/keypair for the tunneled ssh -L.
As a workaround, use this as your ProxyCommand: https://gist.github.com/qoomon/fcf2c85194c55aee34b78ddcaa9e83a1
It copies your public key to to the EC2 using SSM run commands, eliminating the need to manually manage/distribute keypairs.
Agree
Another option, if your client is linux is ssm-tunnel https://github.com/mludvig/aws-ssm-tools
It requires you install the ssm-tunnel-agent on the ssm-managed host
and changes your client networking setup to forward traffic for AWS private CIDR over the tunnel
I've also had some luck with e.g. socat -v TCP4-LISTEN:9999,fork,reuseaddr TCP4:172.16.8.56:80 on the ssm-managed host, then aws ssm --document-name AWS-StartPortForwardingSession ... to that
but it's not super-nice :)
I'd really like to get the source for the AWS-StartPortForwardingSession Document to see if I could easily wrap this method in such & distribute for easy use.
This would be very handy. When developing on local machine, I could install MySQL, locally. But so would tens of other developers. Alternatively, via SSM port forwarding, we can route our local 3306 port to some RDS instance, saving a bit of time for everyone. We can spin up a bastion per RDS, or have one bastion and forward different ports to different RDS instances ....
Also interested. This is useful in case you have application running bound to private IP instead of localhost/loopback IP, in which case port forward doesn't work.
Interested as well for the same reasons already presented.
I was able to do it (my workstation -> rds in a private subnet) using ssm! this is what @candrews mentioned in his answer.
https://medium.com/@clearwaterstream/recipe-connect-to-an-rds-database-in-a-private-subnet-from-your-workstation-over-https-c66db6ead9f0
I'm so far content with the solution, but yes if I did not have to do an SSH tunnel: event better!
===========================
P.S. Currently after doing the step above, our developers have zero assets on their local machine. Everything is in AWS (we run on lambdas/serverless stack + React). So no Apache, no nginx, no IIS, no databases -- nada. Just .NET Core, Visual Studio and we are good to go. When the lambds are debugged locally on developers workstations, they use the assets in our dev environment in AWS. Onboarding developers has gotten much easier!
I tried doing this way with no luck..
https://unix.stackexchange.com/questions/579173/timeout-when-connecting-aws-rds-instance-using-amazon-session-manager-with-ec2-i
So I did something like this and kind of worked for me.
I created the following scripts
so what they do is that the socksproxy.sh file you pass it with 2 arguments (your username) and your MFA token. it then gets an sts token, and then opens a ssh via ssm proxy command.
Then, you can use something like dbeaver and you can use proxy command and put 127.0.0.1 and port 2001 and simply point to your RDS without any problem.
Obviously you need the of the RDS to accept traffic from the SG of the SSM Proxy Instance(s)
Hopefully this helps someone, but this helped the team to do things like proxying to an RDS, EC2 instance and even Redshift (with limitations) and also allowed us to have a proxy to use with Foxy Proxy with the right config in the EC2 instance with some DNS servers
requirement you need to have your username and key in the EC2 instance, which we bake before deploying to the only ssm locations, this is for security concerns and auditing concerns
@xrage you need to use AWS-StartSSHSession instead (see one of my posts above).
This has been published recently by AWS also: here
However, this feature is still required if creating instances without key pair, so you can use tunnels in bastions that are also only accessible via Session manager and not SSH
+1 for this feature request. I'd love to switch off sshd on instances entirely
+1, right now need to use socat to bind RDS remote port to ssh step server. The solution with startSSHsession does not work for me since I want to use a SSO to connect to instances and not the pem files.
This feature is definitely still needed.
We shouldn't require an EC2 key pair.
My specific use case...
Access DocumentDB (which is in a private subnet) from laptop.
I have a "jump" (or "bastion") ec2 instance.
The only way to make this work is with this approach:
https://aws.amazon.com/premiumsupport/knowledge-center/systems-manager-ssh-vpc-resources/
Which requires a key pair... like so...
ssh -i {key}.pem ec2-user@i-{instance} -L 27017:ddb-cluster.cluster-blah.blah.docdb.amazonaws.com:27017 -N
I really would prefer not to manage keys.
Thanks for your feedback! We have noted your requests.
Hi @nitikaaws, was this closed because it's already released?
Hey @nitikaaws I see you've noted everyone's feedback and closed this issue but is this feature request actually being implemented?
This would really help us out. (forwarding to remote ports in a VPC, with no need to put keys on a bastion)
Need this feature as well as it will simplify accessing RDS.
I've opened PR #389 to implement support for this, it was actually really simple to do.
If you are willing to jump through some hoops(compiling your own ssm-agent, creating our own session documents), you could use it now.
Most helpful comment
+1 for me as well, to forward to RDS instances. ProxyCommand works, but still requires a valid user/keypair for the tunneled ssh -L. Ideally I would like to control access via IAM and not have to distribute keypairs.