Quick Start Guide with AWS
This Quick Start Guide walks you through creating a gateway and connecting to your first datasource through strongDM on AWS.
If you'd like to use Terraform to set up a test installation of strongDM on AWS, read our strongDM Playground documentation.
- Server (to host the gateway): You can repurpose an existing bastion or jump host for testing purposes; for production-ready deployments, we recommend a server reserved exclusively for use as a gateway.
- Specifications: The strongDM gateway can be installed on any Linux distribution; we recommend servers with 2 CPUs and 4 GB of memory.
- Network Settings: To get live quickly, the server hosting the gateway needs to be able to connect to the datasource you’ll set up; this may require modifying the security group on the server or database itself. You’ll also need SSH access to the server.
Create a gateway
Go to the strongDM Admin UI. Click Gateways, followed by add gateway.
Define the advertised host for the server (e.g. ec2-nn-nnn-nnn-nnn.us-east-2.compute.amazonaws.com). It must be an IP or hostname accessible to your strongDM clients. Enter the port that you left open for the gateway to interact with strongDM clients (by default, 5000). If you need to use another port, choose any one above 1024, as strongDM runs as a non-privileged daemon.
Click create. This generates a token which is shown only once. Carefully copy the token and save it for later use.
Establish an SSH connection to the server that will be hosting the gateway.
Download the strongDM binary:
$ curl -J -O -L https://app.strongdm.com/releases/cli/linux
Unzip it.
$ unzip sdmcli_VERSION_NUMBER_linux_amd64.zip
Install the gateway.
$ sudo ./sdm install --relay
The installer must be run by a user that exists in the
If you typically set up servers with SELinux on, make sure it is turned off while installing the strongDM binary.
You will be prompted for the token created earlier; paste it in and hit enter. Note that the token won't echo back to you.
Return to the Admin UI. In the Gateways section, the gateway just created should show a status of "online," and the heart icon should be intact.
If the gateway does not appear to be online, it's possible the webpage is cached. Please perform a hard refresh of your browser.
If the gateway is still not online, verify that the strongDM daemon is running by typing in ps aux|grep sdm on the server and looking for a line that says
If you run into any problems, please contact strongDM support.
Add a datasource
Navigate to the Datasources page in the Admin UI and click add datasource.
Type in a Display Name. This name will appear for those who are granted access.
Select the Datasource Type from the dropdown.
Enter the Hostname. This address must be resolvable from the perspective of the gateway. One way to verify this is by SSHing to the gateway and using netcat:
$ nc -zv <YOUR_HOSTNAME> <YOUR_PORT>
(for example, nc -zv testdb-01.fancy.org 3306 or nc -zv 111.222.333.444 3306).
strongDM prepopulates the PORT field with the database default. Feel free to change it if your database is set to listen on a different port.
Enter the username, password, and default database name to complete the connection.
Click the create button.
The Admin UI will update and the added datasource should turn green momentarily. If it doesn’t, click the edit pencil, click the Diagnostics tab, and hit ‘check now’. The Admin UI will indicate if there is a network or credentialing error.
If you have problems, contact strongDM support.
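The checks this guide performs by hand on the gateway host (the port rule from the gateway step, the netcat reachability test, and the process check) can be scripted as below. This is an added example, not strongDM tooling; the function names are hypothetical, and it assumes nc and ps are installed on the gateway.

```shell
#!/bin/sh
# Added example: preflight checks to run on the gateway host.
# All function names are hypothetical; nothing here calls the sdm binary.

# The gateway runs as a non-privileged daemon, so its port must be above 1024.
valid_gateway_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;   # empty, non-numeric, or too long
    esac
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# Same test as "nc -zv HOST PORT" in the guide, quiet and with a timeout.
can_reach() {
    # -z: connect without sending data; -w 5: give up after 5 seconds
    nc -z -w 5 "$1" "$2" >/dev/null 2>&1
}

# Equivalent of "ps aux|grep sdm"; the [s] keeps grep from matching itself.
daemon_running() {
    ps aux 2>/dev/null | grep -q '[s]dm'
}

# Returns 0 only if the port is valid and the datasource is reachable.
preflight() {
    gw_port=$1; ds_host=$2; ds_port=$3; failed=0
    if valid_gateway_port "$gw_port"; then
        echo "ok:   gateway port $gw_port is usable by a non-root daemon"
    else
        echo "FAIL: gateway port '$gw_port' must be a number above 1024"
        failed=1
    fi
    if can_reach "$ds_host" "$ds_port"; then
        echo "ok:   $ds_host:$ds_port is reachable from this host"
    else
        echo "FAIL: cannot reach $ds_host:$ds_port (check DNS and security groups)"
        failed=1
    fi
    if daemon_running; then
        echo "ok:   an sdm process is running"
    else
        echo "warn: no sdm process found (expected before installation)"
    fi
    return "$failed"
}

# Usage on the gateway: ./preflight.sh 5000 testdb-01.fancy.org 3306
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

A failed reachability check here corresponds to the network error the Diagnostics tab reports; fix the security group or DNS on the gateway side before re-entering credentials.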
Connect to a datasource! (Yay!)
Go to the Users page in the Admin UI. Click your username, then Datasources, then the newly-created datasource to grant yourself access.
Open the installed local client and log in. The datasource should appear in the list of available resources.
At the top of the GUI, there is a cloud. If the icon is white, you’re good!
If the icon is in a reconnecting / yellow state, the local client is unable to resolve the address of the gateway.
- Check that the same port (5000 by default) that the gateway listens on for inbound traffic is open within the firewall or AWS security group.
- If you’ve given the gateway a private IP or put it behind a VPN, you’ll need to make sure the local client can resolve the hostname of the gateway.
For more tips on what the problem might be, run sdm doctor -v, which gives you a status report and information about issues that strongDM might be encountering.
If you have any problems, please contact strongDM support.
Click the datasource; a green lightning bolt will appear. This indicates that the local client is listening on that port.
Open your preferred SQL client (in this example, TablePlus), and create a new connection. Enter 127.0.0.1 (for some clients, this needs to be localhost) and the port that was assigned within the local client (in this example, 5472). For most clients, the username and password may be left blank. Please read the Connecting to Databases guide for specific SQL connection requirements.
Click connect, and start querying!