Connect dbt to Postgres using SSH bastion - postgresql

We are looking to connect dbt to Postgres using SSH bastion.
I followed the comments left under this issue, but I get a timeout error.
A few questions:
How should the profiles.yml be configured to connect via SSH? I added ssh-host but that did not get it working.
Are there any other configurations that I'd need to set up?

I just hacked my way through figuring this out and the steps listed in the above comment were very helpful for someone with zero experience in this realm who still needs to use dbt with a bastion host. Here is specifically how I did this and some helpful resources I came across. Hopefully others will find these examples helpful.
You register a public SSH key with the remote location, tied to a private key that lives on your machine
Github has a helpful guide for how to do this: https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent
Add keys to ~/.ssh/config: Adding an RSA key without overwriting.
I also had to add IgnoreUnknown UseKeychain to ~/.ssh/config
You use a CLI tool (e.g. ssh, autossh) to "forward" a local port to the remote location (bastion host)
To forward the local port to the bastion host, save your user/bastion host/db host into environment variables. I used Postgres so it looked like this.
ssh -l $BASTION_USER $BASTION_HOST -p 22 -N -C -L "5432:${POSTGRES_HOST}:5432";
In profiles.yml, instead of putting the host/port of a remote database, you put localhost and the number of the "forwarding" port
Then my ~/.dbt/profiles.yml includes this:
dev:
  type: postgres
  threads: 1
  host: localhost
  port: 5432
  user: POSTGRES_USER
  pass: POSTGRES_PWD
  dbname: POSTGRES_DB_NAME
  schema: dbt_tmp
Voila! Your connection is forwarded to the bastion host, authenticated via SSH, and passed along to the database
At that point I ran dbt debug against my target and it connected with all checks passed.
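
The procedure above as one script, added here as an example and not taken from the answer: it opens the forward bound to loopback only, runs a command such as dbt debug through it, and closes the tunnel afterwards. BASTION_USER, BASTION_HOST and POSTGRES_HOST are the answer's variables; LOCAL_PORT, the control-socket path and the function names are assumptions.

```sh
#!/bin/sh
# Added example. BASTION_USER, BASTION_HOST and POSTGRES_HOST are the variables
# used in the answer; LOCAL_PORT and the control-socket path are assumptions.

# True if $1 is a decimal TCP port number (1-65535).
is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the -L argument for: <local_port> <db_host> <db_port>.
# The 127.0.0.1 bind address keeps the forwarded port off other interfaces.
forward_spec() {
  if ! is_port "$1" || ! is_port "$3"; then
    echo "forward_spec: bad port" >&2; return 2
  fi
  case "$2" in
    ''|*[!A-Za-z0-9.-]*) echo "forward_spec: bad host" >&2; return 2 ;;
  esac
  printf '127.0.0.1:%s:%s:%s\n' "$1" "$2" "$3"
}

# Open the tunnel, run the given command through it, then close the tunnel.
run_through_tunnel() {
  spec=$(forward_spec "${LOCAL_PORT:-5432}" "$POSTGRES_HOST" 5432) || return 2
  ctl="${TMPDIR:-/tmp}/dbt-tunnel.$$"
  # -f -N: go to the background after authentication, run no remote command.
  # -M -S: control socket, used below to stop this exact ssh process.
  # ExitOnForwardFailure: exit with an error if the local port cannot be bound.
  ssh -f -N -M -S "$ctl" \
      -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
      -L "$spec" -l "$BASTION_USER" "$BASTION_HOST" || return 1
  "$@"
  rc=$?
  ssh -S "$ctl" -O exit "$BASTION_HOST" 2>/dev/null
  return "$rc"
}

# Example: sh dbt-tunnel.sh dbt debug
if [ "$#" -gt 0 ]; then
  run_through_tunnel "$@"
fi
```

With LOCAL_PORT set to something other than 5432, the port in profiles.yml has to match it.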

I think you need to follow Jeremy's instructions from this comment:
The basic idea, as I remember it:
You register a public SSH key with the remote location, tied to a private key that lives on your machine
You use a CLI tool (e.g. ssh, autossh) to "forward" a local port to the remote location (bastion host)
In profiles.yml, instead of putting the host/port of a remote database, you put localhost and the number of the "forwarding" port
Voila! Your connection is forwarded to the bastion host, authenticated via SSH, and passed along to the database
To be fair, he was also asking for definitive walkthroughs and included the caveat that this has had varying levels of success based on the particulars of the client, host, environment etc.

Related

Accessing postgres server with limited pg_hba.conf access

I am trying to access a postgres server that has limited IP access in pg_hba.conf file.
I am trying to use dbeaver to access it.
I am - computer A
postgres server - computer C
server I can access postgres server from - computer B
In my computer I have this view.
As far as I understand I need to trick my computer into using the computer B.
So when I write postgreserver.blaah.com into host/ip and port 5432. It will ssh to computer B and then access it from there.
So in my ssh config file I wrote this:
LocalForward 5432:postgreserver.blaah.com:5432 myuser@server.b.com
Well this didn't work.
Any suggestions?
I don't think you should do anything in your ssh config (and which computer's ssh config was it?). DBeaver's SSH tab is an alternative to manually setting up your own tunnel.
If you have already manually set up your own tunnel, then you would just point DBeaver to it, you wouldn't tell DBeaver that it is using a tunnel. It doesn't need to know.
If you want DBeaver to set up the tunnel, then "computer_B" would go in the Host/IP field of the SSH tab. "computer_C" would go in the Host field of the Main tab.
I ended up using
ssh -L5432:databasehostname:5432 intermediatehostname
So this is running in a random shell somewhere on my screen while I am working with the database.
In DBeaver the hostname is localhost and port is 5432
and I am using Main connection tab not ssh tunnel.

Can't connect remotely to postgres, no response from psql request

Ubuntu 16.04 LTS
I have followed the guides which all say the same thing; to enable remote connection to a postgres server, update the postgresql.conf file, update the pg_hba.conf file and make sure the port (5432) is open and firewall is not blocking.
When I attempt to connect to my server from the remote machine using the following command, I receive no response (for example, 'Connection refused...'). It hangs as if the firewall has DROP policy, but I checked and the host's firewall is ACCEPT all. Here is the command:
psql -h 45.67.82.123 -U postgres -p 5432 -d mydatabase
I have googled extensively and can't find anyone else whose psql request sits with no response from the host server.
Edit: I should mention I have been connecting locally on the host machine. I should also mention that the data directory on the host machine is in a non-default location. I have my cluster on a mounted drive, in case this could affect the remote connection.
Solution:
It is my first AWS instance and I didn't know they have their own firewall rules on the platform. So I was highly confused by the fact all my policies were ACCEPT on my server. Turns out you are behind AWS firewall and you have to go onto the platform to add/change security groups etc. In the past when I've used Digital Ocean droplets or Linodes, the firewall policy on the vps is all I need to change. AWS threw me another curveball there.

How to access a remote Postgres database using a local GUI tool

I am running openerp(odoo) application from amazon cloud server using putty and it is ubuntu Headless(NO GUI) server. PostgreSQL is the database used for this application. Right now I am only able to access it in command mode as there is no gui in Putty. In Windows, I have installed pgadmin3. Is it possible to access it from here by configuring?
You can configure your security group to open up the postgres port accessible from your IP address (I would highly recommend the access to be limited that way). After that you can just point your GUI client to the external IP address of your instance using the port where the service is running on.
I suggest you use the pgadmin GUI tool to access the postgres database.
You can set up an SSH tunnel in putty and use that to access the remote database with your local pgadmin3. This is a very good and secure way to do things.
First, in Putty (Connection / SSH / Tunnels) add a source port of your choice, 5000 for example. Then enter localhost:5432 for Destination (providing postgres is running on port 5432 on the server). Press Add and save your session. Next time you open your ssh connection with Putty, the tunnel will be active.
After this, set up a new connection in pgadmin3, Host: localhost and Port: 5000 (and your username and password, of course). Now, if the putty session is active, you should be able to connect.
In postgresql.conf file, find a line called
listen_addresses = 'localhost' and change it to '*'
Next in pg_hba.conf add this line in IPV4 local connections,
host all all (Your external ip address in CIDR format) trust
Finally restart the database using this command,
sudo service postgresql restart
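
The trust method in the pg_hba.conf line above lets a matching client connect without a password, so a host rule that uses it for a non-loopback address is worth finding on any server. An added example (not from the answers) that flags such rules; the function names are assumptions and the sample file is constructed with documentation address ranges:

```sh
#!/bin/sh
# Added example. Reads pg_hba.conf text on stdin and prints
# "<line number>: <rule>" for each host* rule that uses "trust"
# for an address other than loopback.
remote_trust_rules() {
  awk '
    /^[ \t]*(#|$)/ { next }          # comments and blank lines
    $1 !~ /^host/  { next }          # "local" rules are Unix-socket only
    {
      addr = $4; method = $5
      # "address netmask" form: the method is one field further right
      if ($5 ~ /[.:]/) method = $6
      loopback = (addr ~ /^127\./ || addr == "::1/128" || addr == "localhost")
      if (method == "trust" && !loopback) print NR ": " $0
    }'
}

# Constructed sample file.
sample_hba() {
  cat <<'EOF'
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       postgres               peer
host    all       all   127.0.0.1/32     trust
host    all       all   203.0.113.7/32   trust
host    all       all   203.0.113.7/32   scram-sha-256
host    all       all   198.51.100.0 255.255.255.0 trust
EOF
}

# Prints the two remote trust rules (lines 4 and 6 of the sample).
sample_hba | remote_trust_rules
```

On a real server, feed it the active file, whose path is shown by SHOW hba_file; in psql.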

Connecting to RDS Postgres from remote machine

I have configured an RDS Postgres micro instance for testing but am having problem connecting. I have created a security group and allow all hosts (0.0.0.0/0) by default to port 5432 but for some reason I am not able to connect. I tried connecting to the port 5432 on the machine but it appears to be closed. Any ideas? I have verified that the security group is using the correct security group.
This is my configuration
TCP
Port (Service)   Source      Action
5432             0.0.0.0/0   Delete
Here is how I am trying to connect to the rds service
psql -p 5432 -h example.cs945smhrv09.us-west-2.rds.amazonaws.com -U example example
UPDATE
OK feel a little silly after figuring out that rds starts up on a private 172 subnet. I was able to connect from my ec2 instance.
Question now is there a way to put that on a public address that I can connect to? I would like to configure it with a security group that limits the source ip but then be able to connect to it with psql from my desktop.
Update 2
I don't remember all the details when I originally posted this question but it is no longer an issue. We now have a management vpc that we connect to using a vpn server. The management vpc network is trusted by the prod and devel security groups for the rds instances. We have no problem communicating with them without adding any public ips.
Step 4 of the RDS setup wizard ("Additional Config") lets you select whether the DB is Publicly Accessible or not (if it's not, access is limited to within your VPC, regardless of your security group settings). I'd imagine that determines whether the hostname resolves to 54.* vs 172.* .
Your first instance may have been set to private - as far as I can tell this can't be changed after initialization. I had a similar issue and creating a new instance set to be publicly accessible solved it for me.
My company's firewall had blocked outgoing traffic to the default postgres port, 5432. I didn't realise this until I tested the port using netcat in a terminal window, as follows:
nc -zv portquiz.net 5432
Hopefully this saves someone half a day of messing around with AWS security groups.
Absolutely there is. I have pgadmin loaded on my local machine connected to my RDS instance.
I just confirmed that I can connect using the same syntax you used for psql, although the -U was not necessary for me (I still included both "example" parameters though)
I did edit the "default" security group and added my IP (Ip of the machine I'm connecting from)/32 to be allowed, although I'm sure you could get less restrictive than that, but I'd start there and see if it helps.
This is likely caused by your outbound firewall rules. If you're behind a corporate firewall, they will often block outbound ports above a certain number. You need to set up an SSH tunnel of some kind to avoid this.
http://conoroneill.net/accessing-amazon-rds-instances-from-your-desktop/
I had this problem. This isn't a direct solution but might work for some. I set the Postgres security group to accept connections coming from the server that will be using it (same VPC). I then set up my Postgres client to use ssh tunneling. If I need to use the command line, I simply SSH into that server and then psql from there.
You can simply use workbench recommended by aws but make sure your all postgres availability is set to everywhere..while adding PostgreSQL 5432
https://aws.amazon.com/getting-started/tutorials/create-connect-postgresql-db/

mongodb client - ssh connection from localhost php

I have been using rockmongo as my client for mongodb on localhost for testing.
For production I DON'T want a client online as this might reduce security.
Is there a client which will allow me to connect SSH? kind of like MySql Workbench?
or
Can rockmongo stay on my local computer and I connect to EC2 instance which has mongodb for production viewing?
or
Is there a better alternative to all of this?
My setup is a standard LAMP stack. willing to make any changes necessary.
MongoHub has the option to connect over ssh, but the app kind of sucks. It crashes a lot.
A more generic approach would be to just create your own ssh tunnel to your production server, and then connect over that through whatever client you want. The client won't care as long as it can make the connection.
On OSX/Linux, creating an ssh tunnel might look like this:
ssh -L 8080:127.0.0.1:27017 -f -C -q -N username@domain.com
This would open a local port 8080 which will forward the traffic to the localhost interface at the mongodb default port 27017 on the remote side. You would point your client at 127.0.0.1:8080 as if mongodb were running there locally.
Check some of these out - http://www.mongodb.org/display/DOCS/Admin+UIs
One workaround would be to set that file in a separate folder and make a .htaccess file that restricts access to only your ip address. Any requests not from your ip address would get denied access...