When working with an Amazon DocumentDB cluster in a Virtual Private Cloud (VPC) from the internet, an SSH port forwarding tunnel is required to reach the cluster inside the VPC.
There are two ways to create an SSH tunnel:
- Using the command-line SSH application to open the tunnel, then connecting to DocumentDB through it
- Using the connection string options.
In either case, if you want to take advantage of strict checking of the SSH tunnel host key, you will need to maintain the known_hosts file. By default, the SSH command will prompt you the first time it encounters the SSH tunnel IP address or hostname:
```
$ ssh -i ~/.ssh/private-key.pem -N -L 27019:docdb.cluster-xxxx.us-east-2.docdb.amazonaws.com:27017 [email protected]
The authenticity of host '254.254.254.254 (254.254.254.254)' can't be established.
ED25519 key fingerprint is SHA256:vHtm ... .
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
```
By typing `yes` and pressing Enter, the SSH application will create one or more entries in `~/.ssh/known_hosts` for the SSH tunnel IP address or hostname.
If you don't intend to use the Amazon DocumentDB JDBC driver connection properties to create an internal SSH port-forwarding tunnel, then you can use the ssh-keyscan application to maintain the known_hosts file. In this example we'll create one entry for each of three key types (ecdsa, ed25519, and rsa) for the host 123.454.321.123 and append the entries to the end of the known_hosts file:

```
$ ssh-keyscan -t ecdsa,ed25519,rsa 123.454.321.123 >> ~/.ssh/known_hosts
```
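Because ssh-keyscan records whatever key the host presents, the fingerprint should be confirmed out of band (for example, against the one shown in the interactive prompt above) before the entry is appended. The script below is an added example, not code from the driver or the original page: it computes the OpenSSH SHA256 fingerprint of each scanned key, appends only entries whose fingerprint is in a trusted set, skips entries already on file, and refuses a key that differs from one already recorded for the same host and key type. The sample key and the function names are constructed for the example; the host is the one used in the text.

```python
import base64
import hashlib
import struct

def fingerprint_sha256(b64key: str) -> str:
    """OpenSSH-style fingerprint of a base64 public-key blob: 'SHA256:' + unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(b64key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_entries(text: str) -> dict:
    """Map (host, keytype) -> base64 key for known_hosts or ssh-keyscan text.
    Comment lines are skipped; @-marker lines (e.g. @revoked) are not handled here."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0][0] in "#@":
            continue
        entries[(parts[0], parts[1])] = parts[2]
    return entries

def merge_keyscan(known_hosts: str, keyscan_out: str, trusted_fps: set) -> tuple:
    """Append ssh-keyscan entries whose fingerprint was confirmed out of band.
    Returns (new known_hosts text, appended lines, rejected (host, keytype, fp) tuples)."""
    existing = parse_entries(known_hosts)
    appended, rejected = [], []
    for (host, keytype), key in parse_entries(keyscan_out).items():
        if existing.get((host, keytype)) == key:
            continue  # already recorded: don't duplicate the line
        fp = fingerprint_sha256(key)
        # Reject an unconfirmed fingerprint, or a key that differs from one already on file
        if fp not in trusted_fps or (host, keytype) in existing:
            rejected.append((host, keytype, fp))
            continue
        appended.append(f"{host} {keytype} {key}")
    head = known_hosts + ("\n" if known_hosts and not known_hosts.endswith("\n") else "")
    return head + "".join(line + "\n" for line in appended), appended, rejected

def ed25519_b64(raw32: bytes) -> str:
    """Wire-format (string keytype, string key) encoding ssh uses; used only for constructed test data."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return base64.b64encode(blob).decode()

# Constructed sample: a made-up ed25519 key for the host used in the text (not a real host key).
SAMPLE_KEY = ed25519_b64(bytes(range(32)))
SAMPLE_KEYSCAN = f"123.454.321.123 ssh-ed25519 {SAMPLE_KEY}\n"
```

In practice, `keyscan_out` is the captured stdout of `ssh-keyscan`, and `trusted_fps` holds the fingerprint(s) you confirmed from the prompt or from the server's administrator.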
To obtain and install SSH on Windows, follow these instructions. Note: you'll only need the OpenSSH Client.
Mac OS X already has the SSH client installed and available from the command line.