
We still need bastion hosts to connect to RDS, but they're no longer accessible from the internet since we use SSM.

`ssh aws-bastion` invokes a ProxyCommand that:

1) finds an actual bastion host by tag using ec2 describe-instances

2) generates a short-lived ssh key and adds it to the ssh agent

3) sends the temporary key to the bastion using ec2-instance-connect send-ssh-public-key

4) starts the SSM/ssh session using AWS-StartSSHSession

Since it's SSH, we can port forward, use multiplexing, etc. We use Google as the IdP, via AWS SSO. Bastions periodically sync users from a Google group.
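The four-step ProxyCommand flow described above, written out as an added example (not the commenter's script or the Reddit one linked below); the `role=bastion` tag, the `~/.ssh/config` entry and the `~/bin` path are assumptions:

```bash
#!/usr/bin/env bash
# ssm-proxy.sh: SSH ProxyCommand that finds a bastion by tag, pushes a
# throwaway key via EC2 Instance Connect and tunnels SSH through SSM.
# Assumed ~/.ssh/config entry (constructed for this example):
#   Host aws-bastion
#     User ec2-user
#     ProxyCommand ~/bin/ssm-proxy.sh %r %p
set -eu

TAG_NAME="${BASTION_TAG_NAME:-role}"       # assumed tag key on the bastions
TAG_VALUE="${BASTION_TAG_VALUE:-bastion}"  # assumed tag value
KEY_TTL=60   # Instance Connect drops the pushed key after ~60 s; match it in the agent

# Pick the first "<instance-id> <az>" line from `describe-instances --output text`.
# Pure text filter, so it can be exercised without AWS credentials.
pick_bastion() {
  awk '$1 ~ /^i-[0-9a-f]+$/ && NF == 2 { print $1, $2; exit }'
}

find_bastion() {   # step 1: resolve a running bastion by tag
  aws ec2 describe-instances \
    --filters "Name=tag:$TAG_NAME,Values=$TAG_VALUE" \
              "Name=instance-state-name,Values=running" \
    --query 'Reservations[].Instances[].[InstanceId,Placement.AvailabilityZone]' \
    --output text | pick_bastion
}

main() {
  os_user=$1; port=${2:-22}
  bastion=$(find_bastion); instance=${bastion%% *}; az=${bastion#* }
  [ -n "$instance" ] || { echo "no running bastion tagged $TAG_NAME=$TAG_VALUE" >&2; exit 1; }

  # step 2: fresh ed25519 key, loaded into the agent with a matching lifetime
  keydir=$(mktemp -d); trap 'rm -rf "$keydir"' EXIT
  ssh-keygen -q -t ed25519 -N '' -C "ssm-proxy-$(date +%s)" -f "$keydir/key"
  ssh-add -q -t "$KEY_TTL" "$keydir/key"

  # step 3: push the public half to the bastion for $os_user
  aws ec2-instance-connect send-ssh-public-key --instance-id "$instance" \
    --availability-zone "$az" --instance-os-user "$os_user" \
    --ssh-public-key "file://$keydir/key.pub" >/dev/null
  rm -rf "$keydir"   # private key now lives only in the agent (exec skips the EXIT trap)

  # step 4: hand the SSM channel to ssh as its transport; port 22 is never exposed
  exec aws ssm start-session --target "$instance" \
    --document-name AWS-StartSSHSession --parameters "portNumber=$port"
}

if [ $# -ge 1 ]; then main "$@"; fi   # no-op when sourced without arguments
```

Because the key is added to the agent before ssh authenticates over the proxied channel, no identity file needs to be configured, and both the agent entry and the Instance Connect copy expire on their own.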




Someone on Reddit posted a shell script[1] that does all the connection setup, key-sending, etc., that's a useful base to work from.

[1] https://www.reddit.com/r/aws/comments/df6uip/ssm_tunnelling_...



It still requires the bastion host though, right? In which case I'd prefer to just use ssh since it's more familiar.

Also, IntelliJ's built-in database tools support SSH tunneling; it 'just works' with the ProxyCommand method.


Yeah, just removes the need for SSH and keys mostly.


Why do you need steps 2 and 3? I’m able to use SSM with agent without any SSH keys. Also proxying to RDS. Only AWS credentials are required.


Yeah, SSM supports just opening a terminal on the remote host without ssh. We started with regular ssh bastions though, so I just stuck with that. They're just no longer routable from outside.



