Push-to-Warehouse Setup: SSH Bastion Server (AWS)
This guide describes how to set up a connection to a data warehouse destination you own. Reach out to your Customer Success Manager or [email protected] to confirm that your Modern Treasury plan includes the Push to Warehouse capability.
Prerequisites
- A public SSH key to add to the bastion machine to authenticate the SSH connection. Ask your Modern Treasury contact if they have not already provided one to you.
- Please reference our Push to Warehouse IP Address documentation.
Step 1: Provision a bastion server
If using SSH tunneling to connect to your database, we recommend using a standalone bastion server. This step will walk through provisioning the standalone bastion server. If you are using an existing server, skip to step 2.
- Navigate to the EC2 Instances page, and click Launch instances.
- Select an image. We recommend a default Amazon Linux image, such as the 64-bit (x86) Amazon Linux 2 AMI (the default option).
- Select a type. We recommend the t3.nano. Because this bastion server will be used exclusively for SSH tunneling, Network Performance is the primary consideration. The t3.nano default configuration comes with Network Performance of up to 5 Gigabit, as well as minimal Memory (1 GiB), vCPUs (2) and Storage (8 GB SSD) for about $5/mo depending on region and market rates.
- Click Review and launch. Consider modifying the default security group according to your security policies to enable configuration (e.g., creating the
moderntreasury
user in Step 2). Click Launch. We will further modify the default security group in Step 2. (The remaining default options are sufficient.)
Step 2: Configure the server
Allow SSH port access
In the AWS console, complete the steps below:
- Navigate to the EC2 Instances page, and click the instance ID of the server to be used as the bastion host.
- In the Security tab, click the link to one of the security groups. (E.g., the default security group). Make note of this security group, as you will need to allow inbound access to your source DB as part of Step 3.
- In the Inbound rules tab, click "Edit inbound rules".
- Click Add rule. Add an inbound rule of type SSH and whitelist the Modern Treasury's static IP, 52.36.3.49. Optionally, add a description. Note: you will not be able to SSH into this machine to configure the
moderntreasury
user unless you also whitelist your machine's IP in the inbound rules. Consider temporarily adding that IP to facilitate the next step.
Create the SSH user
Login to the bastion server and complete the steps below.
- Create group
moderntreasury
:
sudo groupadd moderntreasury
- Create user
moderntreasury
:
sudo useradd -m -g moderntreasury moderntreasury
- Switch to user
moderntreasury
:
sudo su - moderntreasury
- Create
.ssh
directory:
mkdir ~/.ssh
- Set its permissions:
chmod 700 ~/.ssh
- Create the
authorized_keys
file:
touch ~/.ssh/authorized_keys
- Set its permissions:
chmod 600 ~/.ssh/authorized_keys
- Add the public key to the
authorized_keys
file. The key - including the "ssh-key" and comment - should be all on one line in the file, without linebreaks.:
echo "ssh-key <ssh_public_key_beginning_with_AAAA> modern-treasury-transfer-agent-key" > authorized_keys
Step 3: Grant DB access to the bastion server
- Within the Inbound rules of the database security group, click Add rule. Add the security group noted in Step 2, and click Save rules.
Updated about 11 hours ago