Push-to-Warehouse Setup: SSH Bastion Server (AWS)

This guide describes how to set up a connection to a data warehouse destination you own. Reach out to your Customer Success Manager or [email protected] to confirm that your Modern Treasury plan includes the Push to Warehouse capability.

Prerequisites

  • A public SSH key to add to the bastion machine to authenticate the SSH connection. Ask your Modern Treasury contact if they have not already provided one to you.
  • Please reference our Push to Warehouse IP Address documentation.

Step 1: Provision a bastion server

If you use SSH tunneling to connect to your database, we recommend a standalone bastion server. This step walks through provisioning that server. If you are using an existing server, skip to Step 2.

  1. Navigate to the EC2 Instances page, and click Launch instances.
  2. Select an image. We recommend a default Amazon Linux image, such as the 64-bit (x86) Amazon Linux 2 AMI (the default option).
  3. Select a type. We recommend the t3.nano. Because this bastion server will be used exclusively for SSH tunneling, Network Performance is the primary consideration. The t3.nano default configuration comes with Network Performance of up to 5 Gigabit, as well as minimal Memory (1 GiB), vCPUs (2) and Storage (8 GB SSD) for about $5/mo depending on region and market rates.
  4. Click Review and launch. Consider modifying the default security group according to your security policies to enable configuration (e.g., creating the moderntreasury user in Step 2). Click Launch. We will further modify the default security group in Step 2. (The remaining default options are sufficient.)

Step 2: Configure the server

Allow SSH port access

In the AWS console, complete the steps below:

  1. Navigate to the EC2 Instances page, and click the instance ID of the server to be used as the bastion host.
  2. In the Security tab, click the link to one of the security groups (e.g., the default security group). Make note of this security group, as you will need to allow inbound access to your source DB from it as part of Step 3.
  3. In the Inbound rules tab, click "Edit inbound rules".
  4. Click Add rule. Add an inbound rule of type SSH and allow Modern Treasury's static IP, 52.36.3.49. Optionally, add a description. Note: you will not be able to SSH into this machine to configure the moderntreasury user unless you also allow your own machine's IP in the inbound rules. Consider temporarily adding that IP to facilitate the next step, and removing it once configuration is complete.

Create the SSH user

Log in to the bastion server and complete the steps below.

  1. Create group moderntreasury:
     sudo groupadd moderntreasury
  2. Create user moderntreasury:
     sudo useradd -m -g moderntreasury moderntreasury
  3. Switch to user moderntreasury:
     sudo su - moderntreasury
  4. Create the .ssh directory:
     mkdir ~/.ssh
  5. Set its permissions:
     chmod 700 ~/.ssh
  6. Create the authorized_keys file:
     touch ~/.ssh/authorized_keys
  7. Set its permissions:
     chmod 600 ~/.ssh/authorized_keys
  8. Add the public key to the authorized_keys file. The key, including the key type (e.g. ssh-rsa or ssh-ed25519) and the trailing comment, must be on a single line with no line breaks:
     echo "<key_type> <ssh_public_key_beginning_with_AAAA> modern-treasury-transfer-agent-key" > ~/.ssh/authorized_keys
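The same "Create the SSH user" steps as one script that also validates the pasted key and verifies the resulting permissions. This is an added example, not Modern Treasury's own tooling; it assumes GNU coreutils (stat -c) as shipped with Amazon Linux, and the script name setup_tunnel_user.sh is hypothetical.

```shell
# Added example (not from the Modern Treasury docs): performs the "Create the SSH
# user" steps above as one script and checks the result. Assumes GNU coreutils
# (stat -c) as found on Amazon Linux; the account name moderntreasury is from the page.
# A public key line must be "<type> <base64-blob> [comment]" on exactly one line.
# Returns 0 when well-formed, 1 otherwise.
validate_pubkey_line() {
  key="$1"
  # A key pasted with wrapped lines is the most common mistake; reject it.
  [ "$(printf '%s' "$key" | wc -l)" -eq 0 ] || return 1
  ktype=$(printf '%s' "$key" | awk '{print $1}')
  blob=$(printf '%s' "$key" | awk '{print $2}')
  case "$ktype" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) return 1 ;;   # "ssh-key" or a bare blob is not a valid key type
  esac
  # OpenSSH blobs start with a length-prefixed type string, so the base64 begins "AAAA".
  case "$blob" in AAAA*) ;; *) return 1 ;; esac
}

# Write exactly one key into $home/.ssh/authorized_keys with the modes sshd's
# StrictModes requires (700 on the directory, 600 on the file); steps 4-8 above.
install_authorized_key() {
  home="$1"; key="$2"
  validate_pubkey_line "$key" || return 1
  mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
  printf '%s\n' "$key" > "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
}

# Verify the layout before handing the host over: modes and a single key line.
check_authorized_keys() {
  home="$1"
  [ "$(stat -c %a "$home/.ssh")" = "700" ] || return 1
  [ "$(stat -c %a "$home/.ssh/authorized_keys")" = "600" ] || return 1
  [ "$(wc -l < "$home/.ssh/authorized_keys")" -eq 1 ]
}

# Create the dedicated group and account if missing (requires root; steps 1-2 above).
provision_user() {
  getent group "$1" >/dev/null || groupadd "$1"
  id "$1" >/dev/null 2>&1 || useradd -m -g "$1" "$1"
}

# Usage as root on the bastion: sh setup_tunnel_user.sh "<public key line>"
if [ "$#" -eq 1 ] && [ "$(id -u)" -eq 0 ]; then
  provision_user moderntreasury
  home=$(getent passwd moderntreasury | cut -d: -f6)
  install_authorized_key "$home" "$1" && chown -R moderntreasury:moderntreasury "$home/.ssh"
  check_authorized_keys "$home" && echo "authorized_keys installed and verified"
fi
```

Run it once as root with the key Modern Treasury provided as the only argument; a wrapped key, a missing key type, or a non-AAAA blob makes it exit without writing anything.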

Step 3: Grant DB access to the bastion server

  1. Within the Inbound rules of the database security group, click Add rule. Add the security group noted in Step 2, and click Save rules.