strongDM Gateway AMI Installation Guide

The strongDM Gateway Amazon Machine Image (AMI) makes it easy to deploy gateways and relays when launching Amazon EC2 instances. The AMI comes with the strongDM Gateway pre-installed, so you don’t have to create a Gateway manually in the strongDM Admin UI—all you have to do is launch an EC2 instance and you are ready to connect to your datasource.

This guide describes how to attach the strongDM Gateway AMI to a new EC2 instance, set a strongDM token, and enable the correct security settings. When done, you will be able to connect to EC2 through strongDM.

Before You Begin

Ensure that you are an account administrator in strongDM.

Decide whether you want to install a Gateway or a Relay. If installing a Gateway, you will be using an admin token (SDM_ADMIN_TOKEN). Likewise, if installing a Relay, you will be using a relay token (SDM_RELAY_TOKEN).

An admin token can be used on multiple machines and is allowed to create Relays and read the list of Relays. A relay token can be used on only one machine and is only allowed to read.


These instructions explain how to launch an EC2 instance and get a strongDM admin token to configure your Gateway. We recommend that you keep AWS and the strongDM Admin UI open in separate browser tabs or windows, so you can easily switch between them.

Get a strongDM token

  1. In a new browser tab or window, log in to the strongDM Admin UI at
  2. If you will be setting up a self-registering Gateway:
    1. Go to Access > API & Admin Tokens, and click add token.
    2. On the Create Admin Token page:
      1. Enter a descriptive name (e.g., “Gateway AMI Creator”), so you can remember what this token is for later.
      2. Select the checkbox for Relays, and underneath that, select List and Create.
      3. Click Create to generate the SDM_ADMIN_TOKEN value.
      4. Copy the admin token value and save it somewhere safe.
  3. If you will be setting up a Relay:
    1. Go to Network > Relays and click add relay, then fill out the name of the relay and click create to generate the SDM_RELAY_TOKEN value.
    2. Copy the relay token value and save it somewhere safe.

Create a new EC2 instance

  1. In AWS, go to the EC2 Dashboard and click Launch instance.

  2. On the Choose an Amazon Machine Image (AMI) page:

    1. Click Community AMIs.
    2. Search for “strongDM” and then choose the latest AMI available.
    3. Click Select to attach the strongDM Gateway AMI to your EC2 instance root device volume.
  3. Choose your instance type and click Next.

    The strongDM Gateway is based on Ubuntu and works on any instance type with two CPUs and 4GB of memory. We recommend a t3.medium.

  4. On the Configure Instance Details page, set all properties the way you want. Then expand Advanced Details and configure User data:

    1. Select As text.

    2. In the User data box, enter the token variable and the token value in this specific format:

      1. If you are setting up a self-registering Gateway, enter SDM_ADMIN_TOKEN=<TOKEN>.

      Example: SDM_ADMIN_TOKEN=hU8sHfhdjgg6g43dgabba...7fdjjg.djs1stqjjdop90fjs946fmh

      2. If you are setting up a Relay, enter SDM_RELAY_TOKEN=<TOKEN>.

      Example: SDM_RELAY_TOKEN=cU2sHfasj5g9g11dgambv...3fdjjg.lks1qiqjjdxy90fjs946fll

      If using an admin token instead of a relay token, you also have the option to set a custom listen address (the default is the AWS IP for the EC2 instance) and/or a custom port (5000 by default). Add these after the SDM_ADMIN_TOKEN variable by using the SDM_RELAY_PORT and SDM_LISTEN_ADDRESS variables, each on its own line.

      Only define the SDM environment variables in this section, in the indicated format. Any further customization or additions in the User data section could break the AMI installation.

  5. Set up the instance the way you want on the Add Storage and Add Tags pages.

  6. On the Configure Security Group page, click Add Rule and set:

    1. Type: Custom TCP

    2. Port Range: 5000

    3. Source: Anywhere

      If you’re setting up a Gateway and you neglect the Configure Security Group step, clients won’t be able to connect.

  7. At the bottom of the page, click Review and Launch.

  8. On the Review Instance Launch page that opens, check that everything looks OK, and click Launch.

  9. You’ll be prompted to select an existing key pair or create a new key pair. Choose your key pair, check the acknowledgement box, and click Launch Instances.
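
A pre-launch check for the User data text described in step 4, added here as an example and not strongDM's own code. The function name check_user_data and the sample values are hypothetical, and requiring exactly one token variable on the first line is this example's reading of the guide.

```python
import re

# Variables named in the guide; anything else in User data could break the AMI install.
TOKEN_VARS = {"SDM_ADMIN_TOKEN", "SDM_RELAY_TOKEN"}
ADMIN_ONLY_VARS = {"SDM_RELAY_PORT", "SDM_LISTEN_ADDRESS"}
LINE_RE = re.compile(r"^([A-Z_]+)=(\S+)$")

def check_user_data(text):
    """Return a list of problems in the User data text (empty list means OK)."""
    problems, seen = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:  # shebangs, comments, "export", blank lines, stray spaces
            problems.append(f"line {n}: not in VARIABLE=value format")
            continue
        name, value = m.groups()
        if name not in TOKEN_VARS | ADMIN_ONLY_VARS:
            problems.append(f"line {n}: {name} is not a variable from the guide")
        elif name in seen:
            problems.append(f"line {n}: {name} is set more than once")
        elif name == "SDM_RELAY_PORT" and not (
            re.fullmatch(r"[0-9]{1,5}", value) and 1 <= int(value) <= 65535
        ):
            problems.append(f"line {n}: SDM_RELAY_PORT must be a TCP port number")
        seen.append(name)
    # Assumption: exactly one token variable, and it comes first.
    if len({v for v in seen if v in TOKEN_VARS}) != 1:
        problems.append("set exactly one of SDM_ADMIN_TOKEN or SDM_RELAY_TOKEN")
    elif seen[0] not in TOKEN_VARS:
        problems.append("the token variable must be the first line")
    if "SDM_RELAY_TOKEN" in seen and ADMIN_ONLY_VARS & set(seen):
        problems.append("SDM_RELAY_PORT and SDM_LISTEN_ADDRESS need an admin token")
    return problems

# Constructed samples; the token values are placeholders, not real tokens.
GOOD = "SDM_ADMIN_TOKEN=EXAMPLE.TOKEN\nSDM_RELAY_PORT=5001\nSDM_LISTEN_ADDRESS=203.0.113.10\n"
BAD = "#!/bin/bash\nexport SDM_RELAY_TOKEN=EXAMPLE.TOKEN\nSDM_RELAY_PORT=5001\n"

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_user_data(sample) or "ok")
```

Run it on the text before pasting into the User data box; the BAD sample shows the shell-script habits (shebang, export) that the guide says not to add.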

Check launch status

It may take a few minutes to get your instance and Gateway or Relay up and running. You can check the instance’s launch status in both AWS and strongDM.


  1. In AWS, check launch status by going to the Instances page.
  2. Find the instance that you just launched. If it's up, it will be in the Running state.

In strongDM

If you set up a self-registering Gateway:

  1. Look on the Network > Gateways page.
  2. Because you gave the EC2 instance an admin token, the instance will register the strongDM Gateway when the instance comes online. You should now see a new Gateway in this section. (If you don’t, wait a few minutes and refresh the page.)
  3. The new Gateway may have a less than obvious name, like “stinky-fruit-123,” so if you don’t know which Gateway is for EC2, you can compare the Gateway’s Listen Address to the IP address in your EC2 instance. Once you identify the new Gateway, you may want to rename it with a more descriptive name (e.g., “aws-ec2-gateway”).
  4. You’ll know that the Gateway is live when its status shows that it’s online.

If you set up a relay:

  1. Look on the Network > Relays page, which should now display your new Relay.
  2. It is normal for the status to be offline or restarting at first. The state will soon change to online, and then you’ll know that your Relay is ready.

Now that installation is complete, you can use strongDM!

If you have any problems, contact strongDM Support.
