Native SSH tunnel over AWS SSM
Is your feature request related to a problem? Please describe.
Currently, I'm connecting to my RDS instances through jump hosts over AWS SSM. Since there's no AWS SSM support yet on dbeaver, I'm creating the SSH tunnel separately on terminal, and then on my dbeaver connection settings, I connect to the databases on localhost. This is far less than ideal and not scalable when working with multiple databases and drivers.
Describe the solution you'd like
I would like a native support for SSH tunnel over AWS SSM.
Describe alternatives you've considered
Perhaps having dbeaver to read from local ssh config? That way we could still make use of ProxyCommand to invoke aws ssm to start a session.
thanks for suggestion
The solution to this doesn't need to be as complex as supporting AWS SSM. SSM already supports SSH, so all DBeaver needs to do is allow the use of the native SSH agent. On macOS, for example, my ~/.ssh/config is all set up and working for SSH to proxy via SSM, so if DBeaver used that everything would just work. Alas, unfortunately it doesn't.
Very interested also :)
I am very interested in the AWS SSM feature.
DBeaver using the system-wide SSH setup would benefit from all the SSH tooling (ssh-agent, ssh_config, known_hosts, etc) and the feature here requested would be available for free.
I am lacking some context on why DBeaver uses its own separate SSH stack. I'd be interested in the topic if anyone can share some links.
Will add that an AWS SSM SSH tunnel also makes it possible to connect to DBs that are located in private subnets, with no need to create a bastion host in a public one. So yes, we are waiting for this feature too.
Any updates?
This feature would indeed be great
You can use your existing SSH config for SSM just fine with DBeaver, simply open an SSH tunnel with the proper ports:
ssh [SSM-PROFILE-NAME] -L 5432:[RDS_SERVER_ADDRESS_IN_AWS_PRIVATE_SUBNET]:5432
Then connect to your localhost port 5432 to access your AWS RDS instance behind SSM
simply open an SSH tunnel with the proper ports
@bm-jacob Obviously you can do that. We are speaking about using SSM within network profiles managed by DBeaver.
Although you can't use SSM or EC2 Instance Connect in the SSH tab, you can use Shell Commands to set up SSM or EC2 Instance Connect and then tunnel through that. With this the entire connection will be handled within DBeaver, but managing this through the SSH tab directly would be greatly preferable. For instance, this workaround probably works best with unique ports for tunnels to different instances, and every instance is identified as localhost, so you either have to select Bypass host verification (under Advanced settings on the SSH tab) or manually check the host every time you connect to a different instance.
Here is how I've got it done without using the "Before Connect" shell script and instead manually doing the shell part yourself:
- Step 1 (shell) = SSO login via shell (assuming the SSO profile is already configured):
  aws sso login --profile {loremIpsumProfile}
- Step 2 (shell) = Create a remote host tunnel via the same shell you logged in with at step 1:
  aws ssm start-session --target {loremIpsumTarget} --profile {loremIpsumProfile} --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters '{"portNumber":["22"],"localPortNumber":["9999"],"host":["loremIpsumHost"]}'
- Step 3 (dbeaver) = SSH into the tunnel via dbeaver. For this, use localhost and 9999 in the SSH tab.
As a follow-up to my previous comment: to get around needing to use bypass host verification, enter a unique host name for each instance that maps to 127.0.0.1. This can either be performed in the hosts file or by using a service that maps DNS names to IP addresses, e.g. db.127-0-0-1.nip.io.
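The workaround described in the comments above (a unique local port per instance, a per-instance name for 127.0.0.1 so host verification can stay on, and the port-forwarding session) put together as one script. This is an added example, not code from the thread or from DBeaver; the helper names, the 20000-29999 port range and the checksum-based port derivation are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names, the 20000-29999 port range
# and the alias scheme are assumptions; needs AWS CLI + Session Manager plugin.

# Stable local port per instance ID, so every tunnel has its own port.
local_port_for() (
    crc=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $(( 20000 + crc % 10000 ))
)

# Per-instance name that resolves to 127.0.0.1 (nip.io form used in the thread;
# an /etc/hosts entry works the same). A distinct name keeps a distinct
# known_hosts entry, so host verification can stay enabled.
loopback_alias_for() { echo "$1.127-0-0-1.nip.io"; }

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_host() {
    case "$1" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
}

# Build the --parameters JSON; reject values that could break out of a string.
ssm_parameters() {  # remote_host remote_port local_port
    valid_host "$1" && valid_port "$2" && valid_port "$3" || return 1
    printf '{"portNumber":["%s"],"localPortNumber":["%s"],"host":["%s"]}' \
        "$2" "$3" "$1"
}

start_tunnel() {  # instance_id profile remote_host remote_port
    port=$(local_port_for "$1")
    params=$(ssm_parameters "$3" "$4" "$port") || return 1
    echo "DBeaver SSH tab: host $(loopback_alias_for "$1") port $port" >&2
    aws ssm start-session --target "$1" --profile "$2" \
        --document-name AWS-StartPortForwardingSessionToRemoteHost \
        --parameters "$params"
}

# Run only when called with all four arguments.
if [ "$#" -eq 4 ]; then start_tunnel "$@"; fi
```

Two instance IDs can map to the same port; in that case the second session fails to bind and a different range or an explicit port is needed.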
Native AWS SSM tunnels support will be added in DBeaver 24.1 (PRO products). Unfortunately it is not possible to add this feature in Community (one of the reasons is dependency on AWS SDK and AWS CLI).