Accessing VPC-isolated databases

In order to access network-isolated databases created inside your VPC, first you will need SSH access to the Jumphost.

Getting connection properties

You can find the RDS connection properties (endpoint, port, user, password) in the AWS console or using AWS CLI:

  • To find the Aurora RDS endpoint and port (replace the BoxAppName and BoxEnvironment values with your application name and environment):
aws rds describe-db-clusters \
  --filters Name=db-cluster-id,Values=$(aws resourcegroupstaggingapi get-resources --resource-type-filters rds:cluster \
    --tag-filters 'Key=BoxAppName,Values=devopsbox-io/example-backend-app' 'Key=BoxEnvironment,Values=dev' 'Key=BoxManaged,Values=true' \
    --query 'ResourceTagMappingList[*].ResourceARN' \
    --output text | sed -e 's/\s\+/,/g') \
  --query 'DBClusters[*].[Endpoint, Port]' \
  --output text | sed -e 's/\s\+/:/g'
  • To find the non-Aurora RDS endpoint and port (replace the BoxAppName and BoxEnvironment values with your application name and environment):
aws rds describe-db-instances \
  --filters Name=db-instance-id,Values=$(aws resourcegroupstaggingapi get-resources --resource-type-filters rds:db \
    --tag-filters 'Key=BoxAppName,Values=devopsbox-io/example-backend-app' 'Key=BoxEnvironment,Values=dev' 'Key=BoxManaged,Values=true' \
    --query 'ResourceTagMappingList[*].ResourceARN' \
    --output text | sed -e 's/\s\+/,/g') \
  --query 'DBInstances[*].Endpoint.[Address, Port]' \
  --output text | sed -e 's/\s\+/:/g'
  • The application user default name is app, the admin user default name is awsadmin. Both can be customized in your box.yaml file.
  • Passwords are stored as secure strings in the AWS SSM Parameter Store. The parameter name format is /box/ENVIRONMENT/APPLICATION_NAME/backing_service.BACKING_SERVICE_KEY.db_password (e.g. /box/dev/devopsbox-io/example-backend-app/backing_services.aurora.db_password) for the application user, or /box-internal/ENVIRONMENT/APPLICATION_NAME/backing_service.BACKING_SERVICE_KEY.master_user_password (e.g. /box-internal/dev/devopsbox-io/example-backend-app/backing_services.aurora.master_user_password) for the admin user. You can retrieve them in the AWS console or using the AWS CLI, e.g.:
aws ssm get-parameter \
    --name "/box/dev/devopsbox-io/example-backend-app/backing_services.aurora.db_password" \
    --with-decryption \
    --query 'Parameter.Value' \
    --output text

Connecting via the Jumphost

You can connect to the database using your favourite SQL client; refer to your client's documentation to find out how to access a database via an SSH tunnel. The more general instructions below show how to create an SSH tunnel and connect using the mysql command line client.

To create an SSH tunnel use:

ssh -i ~/.ssh/id_rsa-devopsbox-jumphost -fN -L 3336:YOUR_RDS_ENDPOINT:YOUR_RDS_PORT your_user@jumphost.YOUR_DOMAIN_NAME

Replace:

  • your_user with your user name
  • YOUR_RDS_ENDPOINT and YOUR_RDS_PORT with the values retrieved in Getting connection properties
  • YOUR_DOMAIN_NAME with the domain name you are using in the DevOpsBox installation

To connect to the RDS Aurora cluster using the mysql command line interface use (replace MYSQL_USER with your user name):

mysql -h 127.0.0.1 --port 3336 -u MYSQL_USER -p

The command will ask you for the MYSQL_USER's password.
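
The steps above combined into one script, as an added example that is not part of the DevOpsBox documentation. It goes slightly beyond the manual procedure: the password is passed to mysql through a private option file instead of being typed or printed, the forward is bound to loopback explicitly, and the tunnel is closed when the client exits. The function names, LOCAL_PORT and the CTL_SOCKET path are assumptions.

```sh
#!/bin/sh
# Added example (not DevOpsBox code). Function names, LOCAL_PORT and
# CTL_SOCKET are assumptions made for this sketch.
set -eu

LOCAL_PORT=3336
CTL_SOCKET=~/.ssh/devopsbox-db-tunnel.sock

# Read a SecureString from SSM; the caller captures it, nothing is echoed.
fetch_password() {  # $1 = full SSM parameter name
  aws ssm get-parameter --name "$1" --with-decryption \
    --query 'Parameter.Value' --output text
}

# Write a mysql option file only the current user can read, so the password
# stays out of argv, shell history and `ps` output. Prints the file path.
write_client_cnf() {  # $1 = MySQL user, $2 = password
  cnf=$(umask 077; mktemp)
  # Quote the value so '#' is not read as a comment, and double backslashes,
  # which option files treat as an escape character. A password containing
  # a double quote is not handled here.
  esc=$(printf '%s' "$2" | sed 's/\\/\\\\/g')
  printf '[client]\nhost=127.0.0.1\nport=%s\nprotocol=TCP\nuser=%s\npassword="%s"\n' \
    "$LOCAL_PORT" "$1" "$esc" > "$cnf"
  printf '%s\n' "$cnf"
}

# Bind the forward to loopback explicitly and refuse to go to the background
# if the forward cannot be set up. -M/-S give a control socket for shutdown.
open_tunnel() {  # $1 = RDS endpoint, $2 = RDS port, $3 = user@jumphost
  ssh -i ~/.ssh/id_rsa-devopsbox-jumphost -fN -M -S "$CTL_SOCKET" \
    -o ExitOnForwardFailure=yes \
    -L "127.0.0.1:${LOCAL_PORT}:$1:$2" "$3"
}

main() {  # endpoint port user@jumphost mysql_user ssm_parameter_name
  pw=$(fetch_password "$5")              # fail before any tunnel exists
  cnf_path=$(write_client_cnf "$4" "$pw")
  trap "rm -f '$cnf_path'" EXIT
  open_tunnel "$1" "$2" "$3"
  # From here on, exiting also tears the tunnel down via the control socket.
  trap "rm -f '$cnf_path'; ssh -S '$CTL_SOCKET' -O exit '$3'" EXIT
  mysql --defaults-extra-file="$cnf_path"
}

# Runs only when called with all five arguments.
if [ "$#" -eq 5 ]; then main "$@"; fi
```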