Database Quick Start Guide

Setting up database (DB) access via SSH tunnel with ephemeral keys can be completed in five easy steps as outlined below.

Step 1/5: Deploy a Target with Network Connectivity To Your Database

BastionZero uses local port forwarding to reach your database. The client makes a secure connection to the target using MrZAP. The target then reaches the database using the forwarding parameters (hostname or IP, and port) specified when the port forward was created. See our guide on how to onboard a target here.

Step 2/5: Set Up Your Target Access Policy To Allow Tunnels

With your target identified, the next step is to set up a target access policy that allows tunnel access. Because this is a database, we suggest scoping the policy to specific users or groups and to the target itself rather than to an environment. As for the Linux user, any user will suffice, but we suggest the lowest privilege possible: your database credentials are maintained by you, so nothing on this Linux target needs elevated access.
Example of a BastionZero database access policy

Step 3/5: Configure BastionZero Command Line Tunneling

Now that your target and policy are deployed, the next step is configuring SSH to tunnel to BastionZero. We make this simple by tunneling through the BastionZero service any host that begins with bzero-.
Go ahead and execute the command zli ssh-proxy-config at the shell prompt. Your output should look similar to this, where USERNAME is your username:
host bzero-*
    IdentityFile /Users/USERNAME/Library/Preferences/bastionzero-zli-nodejs/bzero-temp-key
    ProxyCommand zli ssh-proxy -s %h %r %p /Users/USERNAME/Library/Preferences/bastionzero-zli-nodejs/bzero-temp-key
These 3 lines will be added to your ~/.ssh/config file. Go ahead, use your favorite shell editor and add those lines. If your config file or .ssh directory does not exist, go ahead and create them.
We've now told SSH to tunnel any host starting with bzero- through BastionZero. You can validate this by opening a shell to the target. If your target name was dogfood and the Linux user in your policy was WeUseOurStuff, you would simply type: ssh WeUseOurStuff@bzero-dogfood
Go ahead and try it with your Linux user and target name.

Step 4/5: Set Up a Local Port Forward To BastionZero

We're almost there. The next step is easy! Just decide what local port to use and follow one of these examples.
  • Example One: Database and target running on the same host
    Let's assume we have a Postgres database running on an Ubuntu server. The target name is Postgres-server and the Linux user on the target is Postgres. The tunnel will initiate on local port (the end user's machine) 6100 and connect to the Postgres debug port. The BastionZero zli example is:
    ssh -L 6100:localhost:5432 -TNf postgres@bzero-postgres-server
    The -TNf parameters tell ssh not to allocate a terminal, not to run a remote command, and to go to the background once the forward is up. Without them the command would set up the local port forward and also return an interactive shell on the target.
  • Example Two: AWS RDS database
    In this example, we wish to connect to a remote RDS instance. Let's assume the same target user and target host, with the target deployed in the VPC of the RDS instance and network ACLs that allow the connection. We simply replace the remote hostname with the RDS endpoint:
    ssh -L 6101:myRDStest.randomSubName.us-east-1.rds.amazonaws.com:5432 -TNf postgres@bzero-postgres-server
Once we get something working at BastionZero, we look for ways to automate or simplify the process. Instead of entering the local port forward commands each time, structure your SSH config file so that it tunnels through BastionZero and creates any forwards you need. Using the example above, a simple configuration would look like:
Example of SSH config to simplify a database SSH tunnel with BastionZero
Now simply type ssh bzero-postgres-server and your port forwards are all created. Note that SSH reads the file top down and uses the first value it finds for each option, so after any target-specific Host entry we've left the generic bzero-* tunnel entry at the end of the file.
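As an added example (not BastionZero's zli output or the project's own code), this POSIX shell script prints the combined config from Steps 3 and 4 and installs it into ~/.ssh/config idempotently with safe permissions; the temp-key path argument and the exact stanza layout are assumptions.

```shell
# Added example, not BastionZero's zli output or project code: build the SSH config
# stanzas from Steps 3 and 4 and install them idempotently with safe permissions.
# Assumption: the temp key path printed by `zli ssh-proxy-config` is passed as $1.

# Print the target-specific stanza first, then the generic bzero-* fallback.
# ssh_config uses the first value it finds per option, and LocalForward lines
# accumulate, so the specific Host block must precede the wildcard one.
bzero_ssh_config() {
  key="$1"
  cat <<EOF
# Example One: Postgres on the target itself, local 6100 -> target 5432
Host bzero-postgres-server
  User postgres
  LocalForward 6100 localhost:5432
  # Example Two: RDS reachable from the target, local 6101 -> RDS 5432
  LocalForward 6101 myRDStest.randomSubName.us-east-1.rds.amazonaws.com:5432

# Generic tunnel for every bzero-* host (the lines from zli ssh-proxy-config)
Host bzero-*
  IdentityFile $key
  ProxyCommand zli ssh-proxy -s %h %r %p $key
EOF
}

# Append the stanzas to ~/.ssh/config unless a bzero-* block already exists,
# creating ~/.ssh (mode 700) and the config file (mode 600) when missing.
install_bzero_ssh_config() {
  key="$1"
  dir="$HOME/.ssh"
  cfg="$dir/config"
  mkdir -p "$dir"
  chmod 700 "$dir"
  [ -f "$cfg" ] || : > "$cfg"
  chmod 600 "$cfg"
  if grep -qi '^[[:space:]]*Host[[:space:]][[:space:]]*bzero-\*' "$cfg"; then
    echo "bzero-* block already present in $cfg; nothing to do"
    return 0
  fi
  { echo; bzero_ssh_config "$key"; } >> "$cfg"
  echo "added BastionZero stanzas to $cfg"
}
```

Run it as install_bzero_ssh_config /path/to/bzero-temp-key, then ssh bzero-postgres-server brings up both forwards.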

Step 5/5: Connect Using a Database Client

Finally, the step you've been waiting for. With your local port forwards established, you can now use any client to connect to your database through BastionZero. At BastionZero, we've used DBeaver, Tableplus, DataGrip, and psql, just to name a few.
Your database authentication scheme is private to you. BastionZero secures your connection by ensuring it is authenticated with a user in your organization and authorized via policy. Once completed, an end user can then connect to and authenticate to the database.
Here's a setup using our local port forward example to the Ubuntu Postgres server through DBeaver. Note that we've entered the server and authentication settings here. The server is localhost, the port is the local port you chose to forward through BastionZero, and the database is your database name. You can continue to use your database authentication scheme, but know that the connection is only established with BastionZero AuthN and AuthZ.
DBeaver configuration example of connecting to a database secured through BastionZero
You can also use command line tools like psql. Here's the same connection scheme using psql, specifying the username (-U), host (-h) and port (-p):
psql -U postgres -h localhost -p 6101
