Quick Start Guide with AWS
If you'd like to try out strongDM by using Terraform to spin up AWS resources, your strongDM Admin UI, and test datasources, ready to try things out in minutes, read the strongDM Playground documentation.
A walkthrough which covers creating a gateway server with AWS
strongDM gateways create secure tunnels to access your servers, databases, and internal website resources. This allows your team to connect to infrastructure without managing credentials for each, or worse, sharing them. This Quick Start Guide will walk you through the steps to connect to your first datasource through strongDM.
You will need a Linux server to host the strongDM gateway, as well as root or sudo access to it.
- New server: We recommend that you set up a new server to host the gateway.
- Specifications: The strongDM gateway works with any Linux distribution and any server with two CPUs and four gigabytes of memory.
- SELinux: If you typically set up servers with SELinux on, make sure it is turned off while installing the strongDM binary in the steps below.
- Network Settings: Network settings are the area most likely to cause issues when setting up strongDM. The following tips may help ensure that your gateway has the access it needs:
  - This server will need to be able to access the datasource that you set up below.
  - You will also need to be able to access the server yourself remotely via SSH. By default, this will require port 22 to be open.
  - We recommend leaving the inbound port at its default value (5000). If you need to use another port, it must be above 1024, as strongDM runs as a non-privileged daemon.
  - If you're using AWS, this will involve modifying the Security Group for the server.
Create a gateway
Navigate to the strongDM Admin UI. Select the Gateways tab and click add gateway.
Define the advertised host for the server (e.g. ec2-nn-nnn-nnn-nnn.us-east-2.compute.amazonaws.com). It must be an IP or hostname accessible to your strongDM clients. Enter the port that you left open for the gateway to interact with strongDM clients (by default,
Click create. This generates a token that is shown to you only once and that you'll need later in the installation process. Carefully copy the token and save it somewhere for later use.
Log in to the server you created to host your gateway.
Download the strongDM binary:
$ curl -J -O -L https://app.strongdm.com/releases/cli/linux
Unzip it (if this is a new server, you may need to install a package to unzip archives, such as with sudo apt-get install unzip on Ubuntu distributions):
$ unzip sdmcli_VERSION_NUMBER_linux_amd64.zip
Install the gateway:
$ sudo ./sdm install --relay
You will be prompted for the token you created above; paste it in and hit enter. Note that the token won't show in the terminal for security purposes, similar to the masking of a password.
The installer must be run by a user that exists in the /etc/passwd file. Any users remotely authenticated, such as with LDAP or an SSO service, may fail to complete the installation.
Log in to the strongDM Admin UI. In the Gateways tab, the gateway you created should appear to be online, and have a heartbeat. If it doesn't appear online, perform a hard refresh of your browser. Within a couple of minutes, if it is still not online, verify that the strongDM daemon is running by running ps aux|grep sdm on the server and looking for a line that says sdm relay. If you have problems, contact strongDM support.
Set up a datasource
A database within strongDM is referred to as a "datasource". This entity represents the combination of both a logical database and a set of permissions. Note that, as previously mentioned, you must ensure that the datasource you’re attempting to add is accessible from the gateway you created.
Navigate to the Datasources tab in the strongDM Admin UI and click the add datasource button. You will be prompted to fill out information about the datasource.
Type in a Display Name. This is the name that will appear for all end users who are granted access.
Select the Datasource Type from the available list. Enter the Hostname. It’s imperative that the entry you choose for the hostname is one that the gateway server can connect to. To verify this, hop on the gateway server and use Netcat: nc -zv <YOUR_HOSTNAME> <YOUR_PORT> (for example, nc -zv testdb-01.fancy.org 3306 or nc -zv 111.222.333.444 3306). If your gateway server can connect to this hostname, proceed.
Netcat is an easy tool to check various hostnames and ports by either sending data (a ping) or checking for listeners on the ports. The commands above use -z to check for listeners without sending data and -v to show verbose output. If you don't have Netcat, you can install the netcat package with whatever package manager you are using, such as apt-get install netcat.
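The checks this guide performs by hand (a non-privileged gateway port above 1024, an sdm relay process in the ps listing, and a datasource reachable with nc -z from the gateway host) can be bundled into one pre-flight script. The script below is an added example, not strongDM's own tooling; it assumes nc and ps are available on the gateway host, and the preflight function name and its argument order are this example's own.

```shell
#!/bin/sh
# Pre-flight checks for a strongDM gateway host (example script, not part of strongDM).
# Rules come from the guide: the gateway port must be above 1024 because sdm runs
# unprivileged, "sdm relay" must be running, and the datasource must answer on
# host:port from this machine (the same thing "nc -zv HOST PORT" verifies).

# Return 0 if PORT is a number in the non-privileged range the gateway may listen on.
validate_gateway_port() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$port" -gt 1024 ] && [ "$port" -le 65535 ]
}

# Return 0 if the ps(1) output read from stdin contains an "sdm relay" line.
# The grep process itself is dropped first, since "ps aux | grep sdm" would match it.
relay_running_in() {
    grep -v 'grep' | grep -q 'sdm relay'
}

# Return 0 if a TCP listener answers at HOST:PORT; 2 if nc is not installed.
datasource_reachable() {
    host="$1"; port="$2"
    command -v nc >/dev/null 2>&1 || { echo "nc not installed (e.g. apt-get install netcat)" >&2; return 2; }
    nc -z -w 3 "$host" "$port" >/dev/null 2>&1
}

# Run all three checks. Usage: preflight GATEWAY_PORT DB_HOST DB_PORT
preflight() {
    rc=0
    if validate_gateway_port "$1"; then
        echo "gateway port $1: ok"
    else
        echo "gateway port $1: must be a number above 1024" >&2; rc=1
    fi
    if ps aux | relay_running_in; then
        echo "sdm relay: running"
    else
        echo "sdm relay: not running; did 'sdm install --relay' finish?" >&2; rc=1
    fi
    if datasource_reachable "$2" "$3"; then
        echo "datasource $2:$3: reachable from this host"
    else
        echo "datasource $2:$3: not reachable (check security group / firewall)" >&2; rc=1
    fi
    return $rc
}
```

Run it on the gateway host as, for example, preflight 5000 testdb-01.fancy.org 3306; a non-zero exit code means at least one check failed and the reason was printed to stderr.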
Unless your database is set to listen on a different port, accept the pre-populated port assignment and port override assignment.
Type in the name of the database you will be connecting to with this datasource, the username that the gateway will use to connect to the database, and the password of the database user.
By default, for PostgreSQL and its derivative DBMS (e.g. Greenplum), strongDM will limit all connections to the configured database only. If you would like to change that, uncheck the Override Database option.
Click the create button. Once this is done, the Admin UI will update. Within a few moments, the state will appear green, and the process is complete. If it doesn't turn green, this may indicate a problem. Click on the Diagnostics tab to look at error messages, which may indicate where the connection is failing. If you have problems, contact strongDM support.
Connect to a datasource
Navigate to the Users tab in the strongDM Admin UI. Select your username, then the Datasources tab that appears below. Select the datasource you just created to grant yourself access.
If you haven't already set up your strongDM client, click Download in the top bar and complete the installation steps relevant to your OS.
Open the strongDM client you installed on your local machine and log in. Upon authentication, the datasource you created and assigned to yourself should appear in the list of available resources.
Click the datasource and a green lightning bolt will appear. This indicates that a tunnel has been opened between the strongDM client and the destination datasource.
If the status at the top of the GUI panel says "reconnecting" instead of "online" and does not change, it means that your client is not capable of connecting to your gateway server. You should ensure that you have the same port (5000 by default) set as the gateway listening port and opened for inbound traffic in your firewalls (or AWS security group, etc). For tips on what the problem might be, you can run sdm doctor -v, which will give you a status report and information about problems that strongDM might be encountering.
Open your preferred database client (in this example, TablePlus), and create a new connection. Enter 127.0.0.1 (for some clients, this will need to be localhost) and the port that was assigned in your strongDM client (in this example, 5472). For most clients, leave the username and password blank as all authentication occurs through strongDM. Check the Connecting to Databases documentation for specific connection requirements for your preferred database client.
Now all you have to do is connect and start executing queries, without the client ever needing database credentials.