Using AWS CLI and AWS SSM (Systems Manager) to connect to RDS instance


By the end of this article you will be able to connect to private RDS and EC2 instances without a bastion host or any public-facing infrastructure. We will use the AWS CLI, AWS SSM (Session Manager port forwarding) and SSH to build the tunnel.



AWS Systems Manager IAM Users and Groups

First we need to create an EC2 instance

Launch instance
Select the free tier AMI
Select t2.micro
This is important: select the SSM IAM role you created earlier. It needs the AmazonSSMManagedInstanceCore managed policy (or equivalent permissions) so that the SSM agent can register the instance with Systems Manager.
By default the security group contains an SSH rule; remove it, because we will not be opening port 22 to anyone.
Make sure the security group has no inbound rules at all. Outbound HTTPS (port 443) must still be allowed, because the SSM agent makes outbound calls to the Systems Manager endpoints; in a subnet with no internet route you need VPC endpoints for ssm, ssmmessages and ec2messages.
Launch your EC2 instance

Next up we will create our RDS instance

Create database
Create a free tier RDS instance
After creating the DB, click the security group listed under [ VPC Security Groups ]
Click into it; we need to edit the inbound rules
Select edit inbound rules
Add a Custom TCP rule for the database port (3306 for MySQL/MariaDB, 5432 for PostgreSQL) with the source set to your EC2 instance's private IPv4 address. Referencing the EC2 instance's security group ID as the source instead is more robust, since it survives a change of private IP.

Checkpoint 🎉

So right now we have

  1. Private EC2 instance
  2. Private RDS instance which accepts inbound traffic only from the EC2 instance

Now we need to add a user and an SSH public key to the EC2 instance

Open a terminal and follow closely, because it gets messy along the way.

Start an SSM shell session to the instance and append your SSH public key to the authorized_keys file of the user you will SSH as.

Open a new terminal and start another SSM session, this time a port-forwarding session.

Note: the terminal will appear to freeze. That is normal: it is holding a tunnel from port 9999 on localhost to port 22 on EC2_INSTANCE_ID.

Open another terminal and SSH in through localhost:9999, with local port forwarding for the database.

Note: this terminal will freeze as well, which is also normal: it is holding a tunnel from port 8888 on localhost, through the EC2 instance, to the database port on the RDS endpoint.

Try to connect to your database now; the connection details are

  • Host: localhost
  • Port: 8888
  • Username / Password: as per the database credentials

You should now have access to your RDS instance.

Some errors I encountered along the way:

  • The IAM role is different from your AWS CLI user role
  • The region is different from your AWS CLI user account
  • Did not configure the security group properly for RDS to accept connections from EC2
  • SSH key in a different user's folder on the EC2 instance
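The whole procedure above, as an added example script that is not part of the original article: a preflight check that catches the first two errors in the list (wrong credentials/region, or an instance that never registered with SSM), the SSM port-forwarding session for terminal A, and the SSH tunnel for terminal B. The instance ID, RDS endpoint, OS user, key path and port numbers are placeholders (assumptions) that you override through environment variables.

```shell
#!/usr/bin/env bash
# Added example (not the article's own commands): SSM port forwarding + SSH tunnel
# to a private RDS instance. Every identifier below is a placeholder you must
# override, e.g.  INSTANCE_ID=i-... RDS_ENDPOINT=... ./rds-tunnel.sh preflight
set -eu

INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"   # hypothetical instance ID
RDS_ENDPOINT="${RDS_ENDPOINT:-mydb.abc123.ap-southeast-1.rds.amazonaws.com}"  # hypothetical
RDS_PORT="${RDS_PORT:-3306}"                         # 3306 MySQL, 5432 PostgreSQL
SSH_USER="${SSH_USER:-ec2-user}"                     # OS user whose authorized_keys holds your key
SSH_KEY="${SSH_KEY:-$HOME/.ssh/id_ed25519}"          # private key matching that public key
SSM_LOCAL_PORT="${SSM_LOCAL_PORT:-9999}"             # localhost:9999 -> EC2:22 (via SSM)
DB_LOCAL_PORT="${DB_LOCAL_PORT:-8888}"               # localhost:8888 -> RDS:3306 (via SSH)

# Parameters JSON for the AWS-StartPortForwardingSession document:
# $1 = remote port on the instance, $2 = local port on your machine.
ssm_port_forward_params() {
  printf '{"portNumber":["%s"],"localPortNumber":["%s"]}' "$1" "$2"
}

# The ssh -L specification: local port, then the RDS endpoint and port as seen
# from the EC2 instance (the instance resolves the RDS DNS name, not your laptop).
tunnel_spec() {
  printf '%s:%s:%s' "$DB_LOCAL_PORT" "$RDS_ENDPOINT" "$RDS_PORT"
}

# Catches the first two errors in the checklist: CLI credentials/region pointing
# somewhere else, or an instance whose SSM agent never registered (missing
# instance role, no outbound HTTPS, or wrong region).
preflight() {
  echo "Caller: $(aws sts get-caller-identity --query Arn --output text)"
  echo "Region: ${AWS_REGION:-$(aws configure get region)}"
  status=$(aws ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=${INSTANCE_ID}" \
    --query 'InstanceInformationList[0].PingStatus' --output text)
  if [ "$status" != "Online" ]; then
    echo "Instance ${INSTANCE_ID} is not Online in SSM (got: ${status})." >&2
    echo "Check the instance IAM role, the CLI region, and outbound 443 from the instance." >&2
    return 1
  fi
}

# Step 0 (once): put your public key in place. Either open an SSM shell session
# (aws ssm start-session --target "$INSTANCE_ID") and append the key to
# ~${SSH_USER}/.ssh/authorized_keys, or push a temporary key with EC2 Instance
# Connect (valid for 60 seconds, needs the ec2-instance-connect package on the
# AMI; this is the route the article's author reported errors with).
push_key_eic() {
  aws ec2-instance-connect send-ssh-public-key \
    --instance-id "$INSTANCE_ID" --instance-os-user "$SSH_USER" \
    --ssh-public-key "file://${SSH_KEY}.pub"
}

# Step 1 (terminal A, blocks while open): localhost:9999 -> instance port 22 over SSM.
start_ssm_forward() {
  aws ssm start-session --target "$INSTANCE_ID" \
    --document-name AWS-StartPortForwardingSession \
    --parameters "$(ssm_port_forward_params 22 "$SSM_LOCAL_PORT")"
}

# Step 2 (terminal B, blocks while open): SSH through the forwarded port and
# forward localhost:8888 to the RDS endpoint. -N opens no remote shell.
start_ssh_tunnel() {
  ssh -i "$SSH_KEY" -p "$SSM_LOCAL_PORT" -N -L "$(tunnel_spec)" "${SSH_USER}@localhost"
}

case "${1:-}" in
  preflight) preflight ;;
  key)       push_key_eic ;;
  ssm)       start_ssm_forward ;;
  ssh)       start_ssh_tunnel ;;
  *)         echo "usage: $0 {preflight|key|ssm|ssh}" ;;
esac
```

Run `preflight` first, then `ssm` and `ssh` in two separate terminals, and point your database client at localhost:8888. Nothing on the EC2 instance or the RDS instance is reachable from the internet: the SSM session is an outbound connection from the agent, and the SSH handshake happens inside it. One caveat beyond what the article covers: Session Manager also ships the AWS-StartPortForwardingSessionToRemoteHost document, which forwards a local port straight to the RDS endpoint through the instance without SSH or any key on the instance at all, so if the key-upload step keeps failing that is the simpler route.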


There are simpler ways to upload the SSH public key to the server, such as the ec2-instance-connect send-ssh-public-key command, but I faced numerous errors while using it, so I used a workaround, which is to upload the SSH key to the server manually.

I will revisit this issue and update this article, or let me know if you know a more seamless way to upload an SSH public key to the instance.




Rebecca Goh

Developer | Tech Enthusiast | Traveller | Animal lover