Database Access
Secure remote access to a MySQL, MSSQL, MongoDB, Redshift, Oracle, PostgreSQL or Snowflake Database
You can enable secure remote access to a database using a Dynamic Secret item that generates ephemeral credentials for that database or using a Rotated Secret. Users can then access the database from the Secure Remote Access Portal either over the web (using Adminer) or using the native database CLI.
Note
Use the
akeyless connect
command from Akeyless CLI to access databases from any UNIX terminal to work with your database native CLI.
Prerequisites
To enable secure remote access to a database you need:
- The Secure Remote Access Bastion deployed.
In addition, for users to access the database using native CLI, you need:
- An SSH Certificate Issuer for certificate authentication.
Create a Database Secret
If you don't already have a database secret, see the following docs to either create a Dynamic Secret or Rotated Secret that specifies the database details and access credentials.
If you already have a database secret, continue below.
Set Up Remote Access to a Database from the Akeyless CLI
Let's set up remote access to a database using the Akeyless CLI. If you’d prefer, see how to do this from the Akeyless Console instead.
Run the relevant command to define the following fields to the secret that specifies the database details and access credentials:
akeyless dynamic-secret update <mongodb/mssql/mysql/oracledb/postgresql/redshift/snowflake> \
--name <dynamic secret name> \
--secure-access-enable true \
--secure-access-db-name <database name> \
--secure-access-host <database host:port> \
--secure-access-db-schema <schema-name> \
--secure-access-bastion-issuer </Path/to/SSH/Cert/Issuer>
akeyless rotated-secret update <mongodb/mssql/mysql/oracledb/postgresql/redshift/snowflake> \
--name <rotated secret name> \
--secure-access-enable true \
--secure-access-db-name <database name> \
--secure-access-host <database host:port> \
--secure-access-db-schema <schema-name> \
--secure-access-bastion-issuer </Path/to/SSH/Cert/Issuer>
--rotate-after-disconnect <true|false>
where:
- secure-access-db-name: The database name as defined in the dynamic secret.
- secure-access-host: The hostname (or IP address) and port for accessing the database as defined in the dynamic secret.
- secure-access-db-schema: Optional, only supported for MSSQL and PostgreSQL database dynamic secrets.
- secure-access-bastion-issuer: Optional, only required to enable CLI access to the database. The path to the SSH Certificate Issuer that should be used for certificate authentication for CLI access.
- rotate-after-disconnect: Optional for Rotated Secret. Rotate the secret value when the SRA session ends.
Set Up Remote Access to a Database from the Akeyless Console
Let's set up remote access to a database from the Akeyless Console. If you'd prefer, see how to do this from Akeyless CLI instead.
-
Log in to the Akeyless Console and go to Items.
-
Select the Dynamic Secret or Rotated Secret that specifies the database details and access credentials.
-
Click on the Secure Remote Access tab, select the pencil icon and enable Secure Remote Access, then fill in the following fields:
Host(s)
: The hostname (or IP address) and port for accessing the database as defined in the dynamic secret.Rotate after disconnection
: Optional for Rotated Secret. Rotate the secret value when the SRA session ends.
For Web Access, define the following fields:
DB Name
: The name of the database as defined in the dynamic secret.Schema
: Optional, only supported for MSSQL and PostgreSQL database dynamic secrets.
For CLI Access, define the following field:
Bastion Issuer
: The path to the SSH Certificate Issuer that should be used for certificate authentication.
- To the right of the Enable Secure Remote Access field, select the tick mark icon to save your changes.
Access a Database over the Web from the Secure Remote Access Portal
-
Log in to the Secure Remote Access Portal and select the database type to which you want to connect.
-
Select the database hostname or IP address, then select Web.
Adminer opens in a new tab, from which you can interact with the database according to your permissions.
Access a Database Using CLI from the Secure Remote Access Portal
-
Log in to the Secure Remote Access Portal and select the database type to which you want to connect.
-
Select the database hostname or IP address, then select CLI.
A new tab opens, showing that you are connected to the database.
Access a Database using Akeyless connect command
Akeyless Connect command enables application native CLI access:
akeyless connect -t <mysql-server>:3306 -v <via-ssh-sra-bastion>:<port> -n "Path/to/Secret"
Note
Make sure your Access ID is specified in the
Allowed Access IDs
field of your bastion settings, to get access. Access IDs that are not listed, will not be authorized to get access.
Tutorial
Check out our tutorial video on Accessing a Database from the Portal with a Dynamic Secret.
Updated 4 months ago