CLI for port forwarding sessions with private AWS RDS and EC2 instances.

aws-ssh-tunnel

aws-ssh-tunnel is a CLI tool used to set up port forwarding sessions with public and private AWS instances that support SSH, such as EC2 and RDS. This is done by piping stdin and stdout through a secured AWS SSM Session Manager session, removing the need to publicly expose bastion servers.

It supports SSH tunnels to instances in both public and private subnets, including instances that can only be reached from within a designated VPC or security group.

How it works

                    +-------------------------+                                                                                                                                   
                    |AWS VPC                  |                                                                                                                                   
                    |+-----------------------+|                                                                                                                                   
     6. establish   ||private subnet         || 5. SSH request verified by                                                                                                        
        tunnel with || +-----+      +-----+  ||    jump server using public key                                                                                                   
        remote RDS  || | RDS +------| EC2 |------------------------------------+                                                                                                  
        instance    || |     |      |     |------------------------+           |                                                                                                  
                    || +-----+      +-----+  || 3. Session Manager |           |                                                                                                  
                    |+-----------------|-----+|    connects to EC2 |           |                                                                                                  
                    +------------------|------+                    |           |                                                                                                  
                       +--------------------+                +-----------------------+                                                                                            
                       |EC2 Instance Connect|                |AWS SSM Session Manager|                                                                                            
                       +----------|---------+                +-----------------------+                                                                                            
                                  |                                |           |                                                                                                  
                                  |     2. establish session       |           |                                                                                                  
 1. generate  public/private  +------+  with SSM Session Manager   |           |                                                                                                  
    keypair  and send public  | USER |-----------------------------+           |                                                                                                  
    key to jump server using  |      |-----------------------------------------+                                                                                                  
    EC2 Instance Connect API  +------+  4. proxy SSH tunnel to AWS SSM session manager
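
The six steps in the diagram can be reproduced with the stock AWS CLI and OpenSSH. The script below is an added example, not aws-ssh-tunnel's own code; the function names, the use of the AWS-StartSSHSession document and taking the first matching instance (the tool picks a random one) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not aws-ssh-tunnel's code: steps 1-6 with the AWS CLI and OpenSSH.
# Assumes the Session Manager plugin locally and SSM Agent on the jump instance.

# Turn KEY=VALUE into an EC2 filter. Commas and spaces are rejected because
# "Values=a,b" would silently widen the match to other instances.
tag_filter() {
  case "$1" in
    =*|*=|*[!A-Za-z0-9_.:/=+@-]*) return 1 ;;
    *=*) printf 'Name=tag:%s,Values=%s' "${1%%=*}" "${1#*=}" ;;
    *) return 1 ;;
  esac
}

# Build the -L argument: same port on both ends, bound to loopback only.
forward_spec() {  # args: remote_host port
  case "$2" in ''|*[!0-9]*) return 1 ;; esac
  [ "$2" -ge 1 ] && [ "$2" -le 65535 ] || return 1
  printf '127.0.0.1:%s:%s:%s' "$2" "$1" "$2"
}

open_tunnel() (  # args: tag user remote_host port region profile
  filter=$(tag_filter "$1") && fwd=$(forward_spec "$3" "$4") || exit 1
  export AWS_DEFAULT_REGION="$5" AWS_PROFILE="$6"
  dir=$(mktemp -d) || exit 1
  trap 'rm -rf "$dir"' EXIT   # the throwaway private key is deleted on exit
  # Step 1: generate a key pair, then push the public half to the jump instance.
  ssh-keygen -q -t ed25519 -N '' -f "$dir/key" || exit 1
  id=$(aws ec2 describe-instances --filters "$filter" \
    Name=instance-state-name,Values=running --output text \
    --query 'Reservations[0].Instances[0].InstanceId') || exit 1
  case "$id" in i-*) ;; *) echo "no running instance for $1" >&2; exit 1 ;; esac
  # EC2 Instance Connect keeps the key for 60 seconds, enough to authenticate.
  # (Older AWS CLI releases also require --availability-zone here.)
  aws ec2-instance-connect send-ssh-public-key --instance-id "$id" \
    --instance-os-user "$2" --ssh-public-key "file://$dir/key.pub" >/dev/null || exit 1
  # Steps 2-6: ssh rides the SSM session (%h = instance id, %p = port) and
  # forwards the local port through the jump instance to the remote host.
  proxy='aws ssm start-session --target %h --document-name AWS-StartSSHSession'
  ssh -i "$dir/key" -N -o IdentitiesOnly=yes -L "$fwd" \
    -o "ProxyCommand=$proxy --parameters portNumber=%p" "$2@$id"
)

# Usage: script.sh run TAG USER REMOTE_HOST PORT REGION PROFILE
if [ "${1:-}" = run ]; then shift; open_tunnel "$@"; fi
```

SSH host key checking is left at its default, so the first connection to a new jump instance prompts for confirmation of its host key.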

Installation

Clone the project:

git clone https://github.com/binxio/aws-ssh-tunnel.git

Install dependencies and set PATH variables:

python3 -m pip install .

Usage

config

Set up your local config with aws-ssh-tunnel config. You are prompted to fill in the following details:

aws_region: the AWS region in which your instances are located.

aws_profile: the AWS profile to use.

ssh_instance_user: user on the (jump) instance that will be used to set up the SSH session. For AWS AMIs, the default user is `ec2-user`.

ssh_instance_tag: tag used to identify the (jump) instance that will be used to set up the SSH session. If multiple instances are identified, a random one will be chosen.

run

Usage: aws-ssh-tunnel run [OPTIONS]

  Start the CLI.

  Example: aws-ssh-tunnel run --remote_host mydb.123456789012.eu-west-1.rds.amazonaws.com --port 5432 --tag application=jump_server

Options:
  -r, --remote_host TEXT  Remote host endpoint to to jump to. Omit or set to
                          'localhost' to set up a direct tunnel with the
                          instance defined in '--tag'  [default: localhost]
  -p, --port INTEGER      Listening port on the remote host. The same port
                          will be opened on the local machine.  [default: 80]
  -t, --tag TEXT          tag (format: KEY=VALUE) of the (jump) instance that
                          will be used to set up the SSH session. If tunneling
                          to RDS or services which only allow internal
                          vpc traffic, pass the tag of a dedicated jump
                          instance. Omit to use the ssh_instance_tag
                          environment variable in the local configuration
                          file.  [default: (ssh_instance_tag environment
                          variable in aws-ssh-tunnel.cfg)]
  --help                  Show this message and exit.

TODO

  • Add support for tunnels to Fargate containers by integrating AWS ECS Exec sessions into the CLI.


Download files

Source Distribution: aws-ssh-tunnel-0.2.1.tar.gz (9.2 kB)

Built Distribution: aws_ssh_tunnel-0.2.1-py3-none-any.whl (10.1 kB, Python 3)
