AWS Registration and Cleanup
In AWS environments, EC2 instances are often created and destroyed by automated processes.
By following this recipe, those instances can be registered in strongDM automatically when they launch and de-registered when they are terminated.
EC2 User Data Script
EC2 User Data scripts can perform EC2 instance initialization tasks.
In the script below, the sdm binary is downloaded onto the instance and used to self-register via the sdm admin ssh add command, naming the server after the EC2 instance ID.
The -p argument to the add command causes the SSH public key strongDM will use to be printed; the script appends that key to /home/$TARGET_USER/.ssh/authorized_keys.
SDM_ADMIN_TOKEN should be generated with only the Datasources & Servers > List, Grant, Create and Roles > List permissions via the Admin Token section of the admin UI. Keep the scope that narrow: user data is readable by any process on the instance through the metadata service, so the token should grant nothing the script does not need.
This script is designed for Ubuntu AMIs; change the package update commands and TARGET_USER as needed for your environment.
#!/bin/bash
# Admin token scoped to Datasources & Servers > List, Grant, Create and Roles > List
export SDM_ADMIN_TOKEN=XXX
export TARGET_USER=ubuntu

apt update
apt install -y unzip
curl -o sdm.zip -L https://app.strongdm.com/releases/cli/linux
unzip sdm.zip

# Look up this instance's identity from the instance metadata service
INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
PUBLIC_HOSTNAME=$(curl -s http://169.254.169.254/latest/meta-data/public-hostname)

# Register the instance as a server named after its instance ID. -p prints the
# SSH public key strongDM will connect with; append it to the target user's
# authorized_keys so the connection is accepted.
./sdm admin ssh add \
  -p "$INSTANCE_ID" \
  "$TARGET_USER@$PUBLIC_HOSTNAME" \
  | tee -a "/home/$TARGET_USER/.ssh/authorized_keys"

# Grant the Engineers role access to the newly registered server
./sdm admin roles grant "$INSTANCE_ID" Engineers
rm sdm.zip
Cleanup Script
The following script automatically removes terminated EC2 instances from the list of available strongDM servers. It relies on the registration script above having named each server after its instance ID. Note that AWS only returns terminated instances from describe-instances for roughly an hour after termination, so schedule this script to run often enough that none are missed.
SDM_ADMIN_TOKEN should be generated with only the Datasources & Servers > List, Delete permissions via the Admin Token section of the admin UI.
#!/bin/bash
# ec2-gc-demo sandbox environment garbage collection demo key
export AWS_ACCESS_KEY_ID=XXX
export AWS_SECRET_ACCESS_KEY=XXX
# Admin token scoped to Datasources & Servers > List, Delete
export SDM_ADMIN_TOKEN=XXX

# Garbage collect servers by instance ID: every instance in the terminated or
# shutting-down state is deleted from strongDM under the name it was
# registered with. jq -r emits bare IDs (no quotes), so no eval is needed,
# and flatten handles an empty result without error.
aws ec2 describe-instances --region us-west-2 --output json \
  --query 'Reservations[*].Instances[*].[InstanceId]' \
  --filters "Name=instance-state-name,Values=[terminated,shutting-down]" \
  | jq -r 'flatten | .[]' \
  | while read -r instid; do sdm admin servers delete "$instid"; done
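The registration and cleanup scripts above share one contract: a server is registered in strongDM under its EC2 instance ID. The following added example (not strongDM's or AWS's own code) uses that contract to reconcile the full strongDM server list against the full instance list, rather than filtering on terminated instances, so a registration whose instance was terminated longer ago than the describe-instances visibility window is still caught. It only ever targets names that look like EC2 instance IDs, leaving hand-registered servers alone. The inputs are constructed inline so it runs offline; in production they would come from aws ec2 describe-instances --output json and from the strongDM CLI's server listing (assumed here to be sdm admin servers list), and the delete command is the sdm admin servers delete used on this page.

```python
"""Reconcile strongDM server registrations against live EC2 instances (added example)."""
import json
import re
import subprocess

# EC2 instance IDs are "i-" followed by 8 or 17 hex characters.
INSTANCE_ID_RE = re.compile(r"^i-(?:[0-9a-f]{8}|[0-9a-f]{17})$")

# Same states the page's cleanup script treats as gone.
TERMINAL_STATES = {"terminated", "shutting-down"}

# Constructed sample in the shape of `aws ec2 describe-instances --output json`.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111122223333a", "State": {"Name": "running"}},
            {"InstanceId": "i-0bbb111122223333b", "State": {"Name": "shutting-down"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc111122223333c", "State": {"Name": "terminated"}},
        ]},
    ]
})

# Constructed sample of registered strongDM server names. i-0ddd... was
# terminated long enough ago that describe-instances no longer returns it at all.
SAMPLE_SDM_SERVERS = [
    "i-0aaa111122223333a",
    "i-0bbb111122223333b",
    "i-0ddd111122223333d",
    "bastion-prod",  # registered by hand, not an EC2 instance ID: never touched
]


def live_instance_ids(describe_json):
    """Return the set of instance IDs that are not terminated or shutting down."""
    data = json.loads(describe_json)
    live = set()
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst["State"]["Name"] not in TERMINAL_STATES:
                live.add(inst["InstanceId"])
    return live


def stale_registrations(describe_json, sdm_servers):
    """Server names that look like EC2 instance IDs but have no live instance."""
    live = live_instance_ids(describe_json)
    return sorted(
        name for name in sdm_servers
        if INSTANCE_ID_RE.match(name) and name not in live
    )


def delete_commands(stale):
    """Build the strongDM CLI command (from this page) for each stale server."""
    return [["sdm", "admin", "servers", "delete", name] for name in stale]


def run(describe_json, sdm_servers, dry_run=True):
    """Reconcile once; with dry_run the commands are printed instead of executed."""
    stale = stale_registrations(describe_json, sdm_servers)
    for cmd in delete_commands(stale):
        if dry_run:
            print("would run:", " ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return stale


if __name__ == "__main__":
    run(SAMPLE_DESCRIBE_INSTANCES, SAMPLE_SDM_SERVERS, dry_run=True)
```

Running it as-is is a dry run that lists the two stale registrations (the shutting-down instance and the one that has already aged out of describe-instances) without deleting anything; pass dry_run=False only once the listing matches what you expect. Because the reconciler works from the complete server list, it needs the same List and Delete permissions as the cleanup script and nothing more.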