Allow SSH tunnelling to other VPC resources #712

Closed
iainelder opened this issue Jan 12, 2021 · 9 comments · Fixed by #713

Comments

@iainelder
Contributor

My use case: I have a MySQL RDS instance and an EC2 Amazon Linux 2 instance in a private subnet in a VPC. The EC2 instance can connect to the RDS instance. I want to connect to the RDS instance from my desktop so I can query it using familiar GUI tools such as DBeaver.

The EC2 instance is enabled for EC2 instance connect and Session Manager, so I can use aws-gate ssh to connect to it automatically. However, this only gets me halfway.

I would like to create an SSH tunnel through the EC2 instance from a port on my desktop to the RDS instance. I don't see a way to set that up with aws-gate.

Charlie Belmer published a script that allows me to do what I need. As far as I can tell, it uses the same AWS APIs as aws-gate does to solve the problem, and extends the solution by using ssh's -L option to create a tunnel over which database tools can connect. I've pasted the code from the article below.

Would it be possible to add the -L option to aws-gate ssh?

# Generate a throwaway key pair and push the public key to the instance with EC2 Instance Connect
ssh-keygen -t rsa -f temp -N ''
aws ec2-instance-connect send-ssh-public-key --instance-id i-07cec3c515bcb2e61 --availability-zone us-east-1b --instance-os-user ssm-user --ssh-public-key file://temp.pub
# Open the tunnel in the background (control socket temp-ssh.sock), transporting SSH over Session Manager
ssh -i temp -N -f -M -S temp-ssh.sock -L 3306:echodb-dev.cju92986bx4i.us-east-1.rds.amazonaws.com:5432 ssm-user@i-07cec3c515bcb2e61 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -o ProxyCommand="aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p"
read -rsn1 -p "Press any key to close session."; echo
# Tear down the tunnel through the control socket and remove the temporary files
ssh -O exit -S temp-ssh.sock *
rm temp*

# Connecting through the tunnel with psql (session output as pasted)
$ psql -h localhost -p 3306 -U master postgres
Password for user master: 
psql (12.2 (Ubuntu 12.2-1.pgdg19.10+1), server 10.6)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

postgres=> \q
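The same tunnel as the script above, rewritten as an added example (not code from the issue, the article, or the aws-gate project): the ephemeral key lives in a private temp directory, the forwarded port is bound to loopback only, host keys are recorded rather than ignored, and the control socket and key are cleaned up on exit. The instance id, availability zone and database endpoint are assumed inputs.

```shell
#!/bin/sh
# Constructed example: an SSH -L tunnel to an RDS endpoint through an
# SSM-managed EC2 instance. Assumed inputs: instance id, AZ, endpoint, ports.

# Accept only a numeric TCP port in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the -L spec, bound to 127.0.0.1 so the database port opened on the
# desktop is not reachable from other hosts on the local network.
forward_spec() {
  local_port=$1; remote_host=$2; remote_port=$3
  valid_port "$local_port" || return 1
  valid_port "$remote_port" || return 1
  printf '127.0.0.1:%s:%s:%s\n' "$local_port" "$remote_host" "$remote_port"
}

# Open the tunnel: a fresh ed25519 key in a 0700 temp dir, pushed with
# EC2 Instance Connect (accepted for 60 s), SSH carried over Session Manager.
# The EXIT trap closes the master connection and removes key and socket.
open_tunnel() {
  instance=$1; az=$2; spec=$3
  workdir=$(mktemp -d) || return 1
  trap 'ssh -q -O exit -S "$workdir/ctl" "$instance" 2>/dev/null; rm -rf "$workdir"' EXIT
  ssh-keygen -q -t ed25519 -f "$workdir/key" -N '' || return 1
  aws ec2-instance-connect send-ssh-public-key \
      --instance-id "$instance" --availability-zone "$az" \
      --instance-os-user ssm-user \
      --ssh-public-key "file://$workdir/key.pub" >/dev/null || return 1
  # accept-new records the host key on first use and rejects later changes,
  # instead of disabling host key checking altogether.
  ssh -i "$workdir/key" -o IdentitiesOnly=yes \
      -o StrictHostKeyChecking=accept-new \
      -N -f -M -S "$workdir/ctl" -L "$spec" \
      -o "ProxyCommand=aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p" \
      "ssm-user@$instance"
}

# Usage (assumed values): open_tunnel i-0123456789abcdef0 us-east-1b \
#   "$(forward_spec 5432 mydb.example.rds.amazonaws.com 5432)"
```

Run `open_tunnel` from an interactive shell; the trap fires when that shell exits, so the tunnel lives as long as the session that opened it.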
@mbp
Contributor

mbp commented Jan 13, 2021

I believe the use-case is already supported.

Follow the instructions in the "SSH ProxyCommand support" section in README

But instead of issuing the command:

ssh ssm-test.eu-west-1.default

Then instead issue:

ssh -N -L 5000:rds-endpoint.example.org:3306 ssm-test.eu-west-1.default

Now your localhost port 5000 is tunneling through your EC2 instance all the way to rds-endpoint.example.org port 3306.

@iainelder
Contributor Author

@mbp , thanks for explaining that.

I'll be honest, I didn't understand the SSH ProxyCommand documentation when I first read it.

I've understood it now and made it work, but there are some things I found confusing.

I don't like how the SSH host name is used as a proprietary way of specifying the region and profile for the AWS commands. I prefer to use the standard AWS_PROFILE and AWS_DEFAULT_REGION parameters or the standard --region and --profile options on the command line.

Since creating this issue I've submitted a PR that adds the option aws-gate ssh -L which solves my use case without proprietary syntax or requiring an SSH config file. I think it's simpler than the current solution with equivalent power.

#713

Would you consider this way of supporting the use case?

@mbp
Contributor

mbp commented Jan 13, 2021

I'm not the maintainer, I think we have to wait for @xen0l :-)

@xen0l
Owner

xen0l commented Jan 17, 2021

Hello folks,

thanks for the issue. I am generally opposed to extending aws-gate ssh with additional flags because it is just function duplication of aws-gate ssh-proxy and the native ssh client. However, I am willing to make an exception as I see it's quite handy to be able to forward ports to resources in AWS. With this, I think it makes sense to also add support for -D and -R.

I will also revamp the documentation on this, explaining when to use aws-gate ssh and ProxyCommand support (it's far superior).

@xen0l
Owner

xen0l commented Jan 17, 2021

I don't like how the SSH host name is used as a proprietary way of specifying the region and profile for the AWS commands. I prefer to use the standard AWS_PROFILE and AWS_DEFAULT_REGION parameters or the standard --region and --profile options on the command line.

It exists because not all applications support connecting to AWS resources via the native API, and this naming adds a convenience method (maybe opinionated) for those cases if you are using multiple regions with multiple AWS accounts, as it allows using ssh(1) transparently with aws-gate underneath.

@iainelder
Contributor Author

@xen0l , thanks for your response.

I am generally opposed to extending aws-gate ssh with additional flags because it is just function duplication of aws-gate ssh-proxy and the native ssh client.

I understand the desire to avoid duplication. Maybe we could consider the aws-gate ssh command the "easy mode" for common use cases and the aws-gate ssh-proxy the "advanced mode" for more flexibility.

However, I am willing to make an exception as I see it's quite handy to be able to forward ports to resources in AWS. With this, I think it makes sense to also add support for -D and -R.

Whatever the solution, I think concrete examples in the documentation would help a lot to make it clearer what aws-gate can do. I attempted to do this in my PR. Even if you don't merge it as is, maybe you can take the same use cases and show how to support them.

With this, I think it makes sense to also add support for -D and -R.

I haven't used the -D or -R flags. Could you give an example of how they could be useful in this context?

@iainelder
Contributor Author

I will also revamp the documentation on this, explaining when to use aws-gate ssh and ProxyCommand support (it's far superior).

@xen0l opened #719 for this.

@xen0l
Owner

xen0l commented Jan 18, 2021

PR merged @iainelder, thanks for the contribution. I went on and added -R/-D support. -D is definitely useful, -R for some specific cases as well. I will continue with #719. Once finished, would you be able to proofread it and provide feedback on whether it's clearer?

@iainelder
Contributor Author

iainelder commented Jan 19, 2021

I went on and added -R/-D support.

I found it here: #722

I will continue with #719. Once finished, would you be able to proofread it and provide feedback on whether it's clearer?

Of course, happy to give feedback! We can continue the conversation in #719.
