Connect to Datasources

This page provides instructions on how to configure everyday client applications (such as database clients) to connect to Resources via strongDM.

The Connection Process

  1. Open your strongDM GUI by clicking on the SDM icon in your menu bar located in the top right of your screen (macOS) or in the taskbar in the bottom right (Windows). If you are already logged in to strongDM, the GUI displays a list of Resources that are available to you. Click the name of the desired Resource in the list. If you wish to connect to a Resource using the command-line interface (CLI) instead of the GUI, open the Command Prompt or Terminal and run sdm connect <RESOURCE_NAME>, being sure to replace the placeholder with the actual Resource name (e.g., sdm connect test-mysql-db).
  2. In the GUI, ensure that there is a green lightning bolt next to the Resource name (green means there is a healthy connection). If you are using the CLI instead, run sdm status to ensure that the Resource is listed as connected.
  3. Open your client application and enter the connection details. Note that the connection valuessuch as hostname, username, password, and otherswill be different than usual because of the connection that strongDM has already set up to your computer. For most clients, the required hostname will be localhost and the username and password fields can be left empty. The known exceptions are described on this page. The reason for these exceptions is often that a graphical client's form validation requires fields to have some value in them, rather than be left empty, even if the fields are not actually going to be used to make the connection.
  4. Once you have filled in the appropriate connection details, if any, initiate the connection within your client and then interact with your Resource as you normally would.

Specific Client Connection Information

This section lists some of the clients that require connection values that differ from the defaults. When the indicated value for a given field is empty, simply leave the field empty. For any string, enter anything you want. The client's form validation requires something to be written in that field, but the contents do not actually matter because the value is not used to make the connection.

Aurora MySQL, Clustrix, MariaDB, MySQL, SingleStore

For some versions of MySQL, you may need to specify that you do not wish to use SSL if SSL/No SSL is asked for by the client.

ClientHostnameUsernamePasswordInitial DB
DBeaverlocalhostemptyemptyexisting database name
DbVisualizerlocalhostemptyemptyexisting database name
MySQL Workbench127.0.0.1any stringemptyempty
Sequel Pro127.0.0.1emptyemptyempty
SQLPro Studiolocalhostany stringemptyempty
SQLyoglocalhostany stringemptyempty
TeamSQLlocalhostany stringemptyempty

Aurora PostgreSQL, Citus, Greenplum, PostgreSQL

ClientHostnameUsernamePasswordInitial DB
Navicat (Mac)localhostany stringemptyempty
pgAdminlocalhostany stringemptyany string
Posticolocalhostemptyemptyexisting database name
SQLPro Studiolocalhostany stringemptyempty
Tableaulocalhostany stringemptyany string
TablePluslocalhostemptyemptyexisting database name
TeamSQLlocalhostany stringemptyany string
SQL Workbench/Jlocalhostany stringany stringempty
For DataGrip, the **Authentication** field should be set as `User & Password`, not `pgpass`.

Microsoft SQL Server

ClientHostnameUsernamePasswordInitial DBAdditional Settings
Access127.0.0.1any stringemptyempty
Alteryx Designer127.0.0.1any stringany stringemptyUse system ODBC connection and SQL Server 10.x driver
Azure Data Studio127.0.0.1any stringemptyemptySDM port should be separated by a comma with no spaces (e.g.,,11433); under Advanced... > Security set Trust server certificate to true
Excel127.0.0.1any stringemptyempty
Navicatlocalhostany stringemptyempty
SQL Server Management Studio127.0.0.1any stringemptyemptyChange Network Protocol to TCP/IP; Server Name should be the IP address; SDM port should be separated by a comma with no spaces (e.g.,,11433)
Tableau127.0.0.1any stringemptyempty


ClientHostnameAdditional Settings
Gremlin ConsolelocalhostConfigure the client not to use TLS. In addition, configure the client to use GraphSON instead of Gryo.
Gremlin cURLlocalhostConfigure the client not to use TLS.
Gremlin SDKlocalhostConfigure the client not to use TLS. In addition, configure the client to use GraphSON instead of Gryo.
SPARQL cURLlocalhostConfigure the client not to use TLS.

Gremlin Console with Neptune

To use Gremlin Console with Neptune, you will need to edit a configuration file for Neptune (neptune-remote-sdm-graphson.yaml) to match the the following:

hosts: []
port: 18182
connectionPool: { enableSsl: false }
serializer: { className: org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV3d0 }

Then, start Gremlin:

$ bin/

Use the edited config to connect via TinkerPop, and then open Gremlin Console:

gremlin> :remote connect tinkerpop.server neptune-remote-sdm-graphson.yaml
gremlin> :remote console


See the JDBC Drivers section for information on how to use the Redshift JDBC driver.

ClientHostnameUsernamePasswordInitial DB
DbVisualizerlocalhostemptyemptyany string
SQLPro Studiolocalhostany stringemptyempty
SQL Workbench/Jlocalhostany stringany stringempty
Tableaulocalhostany stringany stringany string


ClientHostnameUsernamePasswordInitial DBAdditional Settings
DBeaverlocalhostemptyemptyemptySet any string for Account and false for SSL under Driver Properties


ClientHostnameUsernamePasswordInitial DB
DBeaverlocalhostany stringany stringany string
DbVisualizerlocalhostany stringany stringany string


ClientHostnameUsernamePasswordInitial DBAdditional Settings
DBeaverlocalhostany stringany stringany stringFrom the Driver Properties settings, portNumber must be set to the SDM port-override value.
DbVisualizerlocalhostany stringany stringany stringLoad a driver compatible with DB2 iseries, such as: jt400-10.4.jar. Once added go to the Driver Properties and set the portNumber to the SDM port-override value.

Sybase ASE, Sybase IQ

The known exceptions to both sets of values are as shown:

ClientHostnameUsernamePasswordInitial DB
DBArtisanlocalhostany stringany stringempty
DataGriplocalhostany stringany stringempty
Dbeaverlocalhostany stringany stringempty
DBVisualizerlocalhostany stringany stringempty
ERStudiolocalhostany stringany stringempty
RapidSQL127.0.0.1any stringany stringempty
SQL Workbench/Jlocalhostany stringany stringempty

Command-line Clients

Database typeSample connection string with portSample connection string with database
BigQuerybq --api http://localhost:20000 --disable_ssl_validation ls
Cassandracqlsh localhost port
DynamoDBdynamodb --endpoint-url http://localhost:port
Microsoft SQL Serversqlcmd -s,portsqlcmd -s -d <database>
mssql-cli -S,port -U sdm -P sdmmssql-cli -S -U sdm -P sdm -d <database>
MongoDBmongo --host localhost --port port
MySQL, Aurora MySQL, MariaDB, SingleStoremysql -h -P port
PostgreSQL, Aurora PostgreSQL, Citus, Greenplum, Redshiftpsql -h localhost -p portpsql -h localhost -d <database>
Redisredis-cli -h localhost -p port
SnowflakeSNOWSQL_PWD=none snowsql -u sdm -a sdm -d <database> -s <schema> -w <warehouse> -h localhost -p port -D protocol=http

Database Overrides

The SQL Server and PostgreSQL datasource types, as well as PostgreSQL derivatives like Greenplum and Redshift, have the option of database overrides. However, this option works differently between SQL Server and PostgreSQL.

Database override enabled

For PostgreSQL:

  • When a User connects to the Datasource, they are unable to change databases from the database configured in the Datasource.
  • If the User tries to change databases, the command appears to be successful but the User can only query the original Datasource.
  • In this configuration, the User does not need to specify a database when connecting to the Datasource via strongDM.

For SQL Server:

  • When a User connects to the Datasource, they automatically connect to the database specified in the datasource configuration.
  • In this configuration, the User does not need to specify a database when connecting to the Datasource via strongDM.

Database override disabled

For PostgreSQL and SQL Server:

  • If the Override Database option is not enabled, the User will be able to change databases as normal.
  • In this configuration, the user DOES need to specify a databaseany database that is accessible in the datasourcewhen connecting to the datasource via strongDM.

JDBC Drivers

Some JDBC drivers have very specific connection string requirements. When using the following JDBC drivers, we recommend entering the connection string directly. Replace <port> with the configured port. Where it says any you can replace with any string, but a string must be there for proper functionality.

DriverConnection string
Athena (driver versions 2.0.5, 2.0.6)jdbc:awsathena://UseResultsetStreaming=0;ProxyHost=localhost;ProxyPort=port;Protocol=http;AwsRegion=us-any-1;UID=any;PWD=any;S3OutputLocation=s3://any/

REST API Connections

Some database types allow REST API access. Druid requires it. To connect to these databases, replace the host and port in the URL with localhost and the configured port of your Resource in strongDM.

Example for Druid: http://localhost:18090/druid/indexer/v1/task

If you have trouble connecting with your database client, try the default values (hostname localhost and an empty username and password). If that does not work, check the tables on this page for values specific for your client. If you have any further issues, please contact with details.

User Guide — Previous
Ad Hoc Ports
Connect to SSH Servers