Allow SSH tunnelling to other VPC resources about aws-gate HOT 9 CLOSED

I believe the use-case is already supported.

Follow the instructions in the "SSH ProxyCommand support" section in README

But instead of issuing the command:

ssh ssm-test.eu-west-1.default

Then instead issue:

ssh -N -L 5000:rds-endpoint.example.org:3306 ssm-test.eu-west-1.default

Now your localhost port 5000 is tunneling through your EC2 instance all the way to rds-endpoint.example.org port 3306.

from aws-gate.

@mbp , thanks for explaining that.

I'll be honest, I didn't understand the SSH ProxyCommand documentation when I first read it.

I've understood it now and made it work, but there are some things I found confusing.

I don't like how the SSH host name is used as a proprietary way of specifying the region and profile for the AWS commands. I prefer to use the standard AWS_PROFILE and AWS_DEFUALT_REGION parameters or the standard --region and --profile options on the command line.

Since creating this issue I've submitted a PR that adds the option aws-gate ssh -L which solves my use case without proprietary syntax or requiring an SSH config file. I think it's simpler than the current solution with equivalent power.

#713

Would you consider this way of supporting the use case?

from aws-gate.

I'm not the maintainer, I think we have to wait for @xen0l :-)

from aws-gate.

Hello folks,

thanks for the issue. I am generally opposed in extending aws-gate ssh with additional flags because it is just function duplication of aws-gate ssh-proxy and native ssh client. However, I am willing to make an exception as I see it's quite handy to be able to forward ports to resources in AWS. With this, I think it makes sense to also add support for -D and -R.

I will also revamp the documentation on this explaining when to use aws-gate ssh and ProxyCommand support (it's much more superior).

from aws-gate.

I don't like how the SSH host name is used as a proprietary way of specifying the region and profile for the AWS commands. I prefer to use the standard AWS_PROFILE and AWS_DEFUALT_REGION parameters or the standard --region and --profile options on the command line.

It exists because not all applications support connecting to AWS resource via native API and this naming add convevience method (maybe opinionated) if you are using multiple regions with multiple AWS accounts for those cases as it allows to use ssh(1) transparently with aws-gate underneath.

from aws-gate.

@xen0l , thanks for your response.

I am generally opposed in extending aws-gate ssh with additional flags because it is just function duplication of aws-gate ssh-proxy and native ssh client.

I understand the desire to avoid duplication. Maybe we could consider the aws-gate ssh command the "easy mode" for common use cases and the aws-gate ssh-proxy the "advanced mode" for more flexibility.

However, I am willing to make an exception as I see it's quite handy to be able to forward ports to resources in AWS. With this, I think it makes sense to also add support for -D and -R.

Whatever the solution, I think concrete examples in the documentation would help a lot to make it clearer what aws-gate can do. I attempted to do this in my PR. Even if you don't merge it as is, maybe you can take the same use cases and show how to support them.

With this, I think it makes sense to also add support for -D and -R.

I haven't used the -D or -R flags. Could you give an example of how they could be useful in this context?

from aws-gate.

I will also revamp the documentation on this explaining when to use aws-gate ssh and ProxyCommand support (it's much more superior).

@xen0l opened #719 for this.

from aws-gate.

PR merged @iainelder, thanks for contrribution. I went on and added -R/-D support. -D is defintiely useful, -R for some specific cases as well. I will continue with #719. Once finished, would you be able to proofread it and provide feedback it's clearer?

from aws-gate.

I went on and added -R/-D support.

I found it here: #722

I will continue with #719. Once finished, would you be able to proofread it and provide feedback it's clearer?

Of course, happy to give feedback! We can continue the conversation in #719.

from aws-gate.