Enable SSH access to Postgres database

Since we never got a SQL Server Named Instance working with Metabase, I would like to connect to Postgres. We need an SSH tunnel, which would seem to be supported. I can't figure out where to enter the parameters though. Can anyone help?

This document states that I should be seeing some additional parameters (specifically Answer yes to the "Use an SSH-tunnel for database connections" parameter, which I don't see in the Database screen.

Can anyone help?

SSH tunneling has just been added in Metabase 0.24 today.

Thanks, we are trying to use the SSH tunneling feature. We started an AWS Elastic Beanstalk instance with 0.24.1 to test. Two comments:

  1. We use a key-based authentication mechanism. That functionality doesn’t seem to exist.
  2. We added a password-authenticated user to our data warehouse server (less secure!) but still can not connect, and now we can’t see whether the problem is with the SSH tunnel or with the database login. Is there a way to see more detailed granular logs? I’m able to ssh into our DWH server from the EC2 instance, using the same username/password I’m trying to use with Metabase, and connect to the database with the db username/password. Is there something I’m missing that Metabase is doing differently?

HI there, I implemented this feature recently and am happy to help figure it out. Could you start by including the error text that appears in red under the save button when you click save?

also make sure the host field has the actual db host, rather than the ssh server, and the ssh-tunnel-host field has the hostname of the ssh server. If possible it would be great to get a redacted screenshot of the settings you are using (avoiding any private information of course)

for #1 I haven’t added the UI parts yet for entering ssh private keys into metabase because I’m waiting to hear from people who use this feature what they would like that to look like. Should they be on the host (or linked into the docker container with “volumes”) or stored in the MB db. It’s important to think the security implications through carefully.

for #2 Metabase uses the Jsch java implementation of the ssh protocol because it’s cross platform and easier to work with from Clojure. There are some differences with putty and openssh though it’s been years since I have seen this break it for anyone. I need to change the code to get more detailed authentication logging out of Jsch.

when you are connecting through beanstalk there is the extra layer of docker between metabase and the DB so we should first test these scenarios:

  • ssh to the ec2 instance and open the ssh tunnel manually:

    ssh -L5432:localhost:5432 me@my-db-host.example.com

    and while that tunnel is sitting open try using metabase to connect to the DB using the ip address of the ec2 instance (not the word localhost) as the DB host and the username/password for the db. leave ssh-tunneling turned off for this step.

  • start a shell in the metabase docker container and from that shell attempt to connect to the ssh host on port 22 using the nc command. we are just checking to see if the connection can open and don’t need to actually authenticate

    nc -v ssh-host 22

    and see if it says it was connected successfully. If not it could be a problem of name resolution inside the container.