Skip to content

docs: add port forwarding example #61

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

docs: add port forwarding example #61

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
db30a45
docs: add port forwarding example
westonplatter Oct 31, 2025
4456f96
fix: update ref env var
westonplatter Nov 4, 2025
4dada07
Merge branch 'main' into feat/docs-add-port-fowarding-example
westonplatter Nov 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 52 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,10 @@ module "subnets" {

### Connecting to your new SSM Agent

Prereqs:

- Your IAM users/role needs: `ssm:StartSession`, `ec2:DescribeInstances`

```bash
INSTANCE_ID=$(aws autoscaling describe-auto-scaling-instances | jq --raw-output ".AutoScalingInstances | .[0] | .InstanceId")
aws ssm start-session --target $INSTANCE_ID
Expand All @@ -77,6 +81,54 @@ OR

Use [the awesome `gossm` project](https://github.com/gjbae1212/gossm).

### Set up port forwarding through your SSM Agent

For example, set up port forwarding on `localhost` to connect to an RDS Postgres instance on private subnets that is not publicly accessible.

Prereqs:

- Your IAM user/role needs the following permissions: `ssm:StartSession`, `ec2:DescribeInstances`, `rds:DescribeDBInstances`
- Ensure the network architecture and Security Group permissions allow inbound traffic from the SSM Agent EC2 host.

```bash
AWS_REGION=us-east-1
# Partial match for RDS instance name (e.g., "polygon" matches "acme-prod-polygon-data")
DB_INSTANCE_SUBSTRING="polygon"
LOCAL_PORT=15432

# 1) Find the running SSM gateway instance ID by tag
INSTANCE_ID="$(
aws ec2 describe-instances \
--filters "Name=tag:Name,Values=*ssm*" "Name=instance-state-name,Values=running" \
--query 'Reservations[*].Instances[*].InstanceId' \
--region ${AWS_REGION} \
--output text)"

# 2) Find the RDS instance endpoint
RDS_ENDPOINT="$(
aws rds describe-db-instances \
--region ${AWS_REGION} \
--query "DBInstances[?contains(DBInstanceIdentifier, '${DB_INSTANCE_SUBSTRING}')].Endpoint.Address | [0]" \
--output text)"

# 3) Dynamically get the RDS port
RDS_PORT="$(
aws rds describe-db-instances \
--region ${AWS_REGION} \
--query "DBInstances[?contains(DBInstanceIdentifier, '${DB_INSTANCE_SUBSTRING}')].Endpoint.Port | [0]" \
--output text)"

echo "EC2 Instance ID: $INSTANCE_ID"
echo "RDS Endpoint: $RDS_ENDPOINT"
echo "Setting up port forwarding (ec2) ${RDS_PORT} -> (localhost) ${LOCAL_PORT}"

# 4) Start the port forwarding session
aws ssm start-session \
--target $INSTANCE_ID \
--document-name AWS-StartPortForwardingSessionToRemoteHost \
--parameters "{\"host\":[\"$RDS_ENDPOINT\"],\"portNumber\":[\"$RDS_PORT\"],\"localPortNumber\":[\"$LOCAL_PORT\"]}"
```

<!-- prettier-ignore-start -->
<!-- markdownlint-disable -->
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
Expand Down