Quick Start Guide

Last modified on December 2, 2022

Overview

This Quick Start Guide shows you how to create a gateway and connect to your first datasource through StrongDM.

Prerequisites

Before you begin, the following requirements should be met:

  • Server (to host the gateway): You can repurpose an existing bastion or jump host for testing purposes; for production-ready deployments, we recommend a server reserved exclusively for use as a gateway.
  • Specifications: The StrongDM gateway can be installed on any Linux distribution; we recommend servers with 2 CPUs and 4 GBs of memory.
  • Network Settings: To get live quickly, the server hosting the gateway needs to be able to connect to the datasource you’ll set up; this may require modifying the security group on the server or database itself. You’ll also need SSH access to the server.

Create a Gateway

  1. Go to the StrongDM Admin UI. Click Gateways and then click Add gateway.
Add Gateway
Add Gateway
  1. Define the advertised host for the server (for example, sdm-gw0.yourcompany.com, 111.222.333.444, or ec2-nn-nnn-nnn-nnn.us-east-2.compute.amazonaws.com). It must be an IP or hostname accessible to your StrongDM clients. Enter the port that you left open for the gateway to interact with StrongDM clients (by default, 5000). If you need to use another port, choose any one above 1024, as StrongDM runs as a non-privileged daemon.

  2. Click create. This generates a token that is shown only once. Carefully copy the token and save it for later use.

  3. Establish an SSH connection to the server that will be hosting the gateway.

  4. Download the StrongDM binary:

    curl -J -O -L https://app.strongdm.com/releases/cli/linux
    
  5. Unzip it.

    unzip sdmcli_VERSION_NUMBER_linux_amd64.zip
    
  6. Install the gateway.

    sudo ./sdm install --relay
    

    When prompted for the token created earlier, paste it in and hit enter. Note that the token won’t echo back to you.

  7. Return to the Admin UI. On the Gateways page, the gateway just created should be online and the heart icon should be intact.

Add a Datasource

  1. Navigate to the Datasources page in the Admin UI and click add datasource.

    Add Datasource
    Add Datasource
  2. Type in a Display Name. This name appears for those who are granted access.

  3. Select the Datasource Type from the dropdown.

  4. Enter the Hostname. This address must be resolvable from the perspective of the gateway. One way to verify this is by SSHing to the gateway, and using netcat: nc -zv <YOUR_HOSTNAME> <YOUR_PORT> (for example, nc -zv testdb-01.fancy.org 3306 or nc -zv 111.222.333.444 3306).

  5. StrongDM prepopulates the port field with a read-only database default. Feel free to change it later in Port Overrides settings if your database is set to listen on a different port.

  6. Enter the username, password, and default database name to complete the connection.

  7. Click the Create button.

  8. The Admin UI then updates and the added datasource should show a positive, green status momentarily. If the datasource does not display a positive status, click its name to go to the Diagnostics tab and check for errors. The Admin UI indicates if there is a network or credentialing error.

If you have problems, contact StrongDM Support.

Connect to a Datasource

  1. Go to the Roles page in the Admin UI. If you already have a role created, you can update the role’s access rules to allow users with that role to access your new datasource. If you don’t have an existing role and need a role specifically for testing purposes, you can easily create a role and assign this particular resource to it with a static rule.

  2. Go to the Users page in the Admin UI. Click your username. Then click Roles and select the newly created role to assign yourself to it and get access.

  3. Install the StrongDM client, which is available from the Admin UI’s Download & Install page.

  4. Open the desktop app and log in. The datasource should appear in the list of available resources.

  5. Click the datasource name to connect. The lightning bolt turns green and you can see that you are connected. Being connected means that the local client is listening on that port.

  6. Open your preferred SQL client (in this example, TablePlus), and create a new connection. Enter 127.0.0.1 (for some clients, this needs to be localhost) and the port that was assigned within the local client (in this example, 5472). For most clients, the username and password may be left blank. Please read the Connecting to Databases guide for specific SQL connection requirements.

    TablePlus Client
    TablePlus Client
  7. Click connect, and start querying!

Top