strongDM Gateway AMI Installation Guide
The strongDM Gateway Amazon Machine Image (AMI) makes it easy to deploy gateways and relays when launching Amazon EC2 instances. The AMI comes with the strongDM gateway pre-installed, so you don’t have to create a gateway manually in the strongDM Admin UI—all you have to do is launch an EC2 instance and you are ready to connect to your resource.
This guide describes how to attach the strongDM Gateway AMI to a new EC2 instance, set a strongDM token, and enable the correct security settings in order to connect to EC2 through strongDM.
Ensure that you are an Account Administrator in strongDM.
Decide whether you want to install a gateway or a relay. If installing a gateway, you need an admin token (
SDM_ADMIN_TOKEN). Likewise, if installing a relay, you need a relay token (
An admin token can be used on multiple machines and it is allowed to create relays and read the list of relays. A relay token can be used on only one machine, and it is only allowed to read.
These instructions explain how to launch an EC2 instance and get a strongDM token to configure your gateway. We recommend that you keep AWS and the strongDM Admin UI open in separate browser tabs or windows, so you can easily switch between them.
Get a strongDM token
- In a new browser tab or window, log in to the strongDM Admin UI at app.strongdm.com.
- If you are setting up a self-registering gateway:
- Go to Access > API & Admin Tokens, and click add token.
- On the Create Admin Token page:
- Enter a descriptive name (e.g., “Gateway AMI Creator"), so you can remember what this token is for later.
- Select the checkbox for Relays, and underneath that, select List and Create.
- Click Create to generate the
- Copy the admin token value and save it somewhere safe.
- If setting up a relay:
- Go to Network > Relays and click add relay.
- Fill out the name of the relay and click create to generate the
- Copy the relay token value and save it somewhere safe.
Create a new EC2 instance
In AWS, go to the EC2 Dashboard and click Launch instance.
On the Choose an Amazon Machine Image (AMI) page:
- Click Community AMIs.
- Search for “strongDM” and then choose the latest AMI available.
- Click Select to attach the strongDM Gateway AMI to your EC2 instance root device volume.
Choose your instance type and click Next.
The strongDM gateway is based on Ubuntu and works on any instance type with two CPUs and 4 GB of memory. We recommend a t3.medium.
This step describes two different ways to configure user data. You can set it up with an admin token/relay token, or you can pull a password from a secrets store.
To configure user data with an admin token or relay token, do the following:
On the Configure Instance Details page, set all properties the way you want.
Expand Advanced Details and configure User data:
Select As text.
In the User data box, enter the token variable and the token value in this specific format:
If you are setting up a self-registering gateway, enter
If you are setting up a relay, enter
If using an admin token instead of relay token, you also have the option to set a custom listen address (the default is the AWS IP for the EC2 instance) and/or custom port (5000 by default). These can be added after the SDM_ADMIN_TOKEN variable by using the SDM_RELAY_PORT and SDM_LISTEN_ADDRESS variables, each separated by line breaks.
Only define the SDM environment variables in this section, in the indicated format. Any further customization or additions in the "User data" section could break the AMI installation.
To configure user data with a password from a secrets store (e.g., AWS Secrets Manager) in your strongDM Gateway AMI, you can structure your user data as follows:#!/usr/bin/env bash# Install any required packages (in this case, the AWS CLI and other helpers).sudo apt update && sudo apt install -y unzip awscli jq# Set the token variable by calling out to your secrets store (in this case, AWS Secrets Manager), being sure to replace the placeholders with the actual values.ADMIN_TOKEN=$(aws secretsmanager get-secret-value --secret-id YOUR_SECRET_ID --region YOUR_REGION | jq -r .SecretString | cut -d\" -f4)# Set the environment variable in a way that `systemctl` can use. If you are using a relay token instead of an admin token, you can also set the `SDM_RELAY_TOKEN` in this way.sudo systemctl set-environment SDM_ADMIN_TOKEN="$ADMIN_TOKEN"# Restart the setup script (i.e., the script included with the strongDM Gateway AMI).sudo systemctl restart sdm-relay-setupsudo systemctl enable sdm-proxysudo systemctl restart sdm-proxy
Set up the instance the way you want on the Add Storage and Add Tags pages.
On the Configure Security Group page, click Add Rule and set:
Type: Custom TCP
Port Range: 5000
If you are setting up a gateway and you neglect the Configure Security Group step, clients are not able to connect.
At the bottom of the page, click Review and Launch.
On the Review Instance Launch page that opens, check that everything looks OK, and click Launch.
When prompted to select an existing key pair or create a new key pair, choose your key pair, check the acknowledgement box, and click Launch Instances.
Check launch status
It may take a few minutes to get your instance and gateway or relay up and running. You can check the instance’s launch status in both AWS and strongDM.
- Check launch status by going to the Instances page.
- Find the instance that you just launched. If it is up, it is shown in the Running state.
If you set up a self-registering gateway:
- Look on the Network > Gateways page.
- Because you gave the EC2 instance an admin token, the instance registers the strongDM gateway when the instance comes online. You should now see a new gateway in this section. (If you do not, wait a few minutes and refresh the page.)
- The new gateway may have a less than obvious name, like “stinky-fruit-123,” so if you do not know which gateway is for EC2, you can compare the gateway’s Listen Address to the IP address in your EC2 instance. Once you identify the new gateway, you may want to rename it with a more descriptive name (e.g., “aws-ec2-gateway”).
- The gateway is live when its status shows that it is online.
If you set up a relay:
- Look on the Network > Relays page, which should now display your new relay.
- It is normal for the status to be offline or restarting at first. When the state changes to online, your relay is ready.
Now that installation is complete, you can use strongDM!
If you have any problems, contact strongDM Support.