LogoLogo
Ockam.ioOpen Source CodeContact usSign up
  • Intro to Ockam
  • Ockam's core concepts
  • Get started demo
  • Quickstarts
    • Add secure connectivity to your SaaS product
    • Snowflake federated queries to Postgres
    • Postgres to Snowflake
    • Snowflake to Postgres
    • Kafka to Snowflake
    • Snowflake to Kafka
    • Snowflake stage as SFTP server
    • Snowflake stage as WebDAV file share
    • Snowflake hosted private APIs
    • Federated queries from Snowflake
  • ENCRYPTED PORTALS TO ...
    • Databases
      • PostgreSQL
        • Docker
        • Kubernetes
        • Amazon RDS
        • Amazon Aurora
      • MongoDB
        • Docker
        • Kubernetes
        • Amazon EC2
      • InfluxDB
        • Amazon Timestream
    • APIs
      • Nodejs
      • Python
    • AI
      • Amazon Bedrock
      • Amazon EC2
      • Azure OpenAI
    • Code Repos
      • Gitlab Enterprise
    • Kafka
      • Apache Kafka
        • Docker
      • Redpanda
        • Self Hosted
      • Confluent
        • Cloud
      • Warpstream
        • Cloud
      • Instaclustr
        • Cloud
      • Aiven
        • Cloud
  • Reference
    • Command
      • Nodes and Workers
      • Routing and Transports
      • Relays and Portals
      • Identities and Vaults
      • Secure Channels
      • Verifiable Credentials
      • Guides
        • AWS Marketplace
          • Ockam Node
          • Ockam Node for Amazon MSK
          • Ockam Node for Amazon RDS Postgres
          • Ockam Node for Amazon Timestream InfluxDB
          • Ockam Node for Amazon Redshift
          • Ockam Node for Amazon Bedrock
      • Manual
    • Programming Libraries
      • Rust
        • Nodes and Workers
        • Routing and Transports
        • Identities and Vaults
        • Secure Channels
        • Credentials and Authorities
        • Implementation and Internals
          • Nodes and Workers
        • docs.rs/ockam
    • Protocols
      • Nodes and Workers
      • Routing and Transports
      • Keys and Vaults
      • Identities and Credentials
      • Secure Channels
      • Access Controls and Policies
Powered by GitBook
On this page
  • Run
  • Walkthrough
  • Administrator
  • Bank Corp
  • Analysis Corp
  • Recap
  • Cleanup

Was this helpful?

Edit on GitHub
Export as PDF
  1. ENCRYPTED PORTALS TO ...
  2. Databases
  3. PostgreSQL

Amazon Aurora

PreviousAmazon RDSNextMongoDB

Last updated 11 months ago

Was this helpful?

Let's connect a nodejs app in one Amazon VPC with an Amazon RDS managed Postgres database in another Amazon VPC.

Each company’s network is private, isolated, and doesn't expose ports. To learn how end-to-end trust is established, please read: “”

Run

Then run the following commands:

# Clone the Ockam repo from Github.
git clone --depth 1 https://github.com/build-trust/ockam && cd ockam

# Navigate to this example’s directory.
cd examples/command/portals/databases/postgres/amazon_aurora/aws_cli

# Run the example, use Ctrl-C to exit at any point.
./run.sh

If everything runs as expected, you'll see the message: The example run was successful 🥳

Walkthrough

Administrator

  • In a typical production setup an administrator or provisioning pipeline generates enrollment tickets and gives them to nodes that are being provisioned. In our example, the run function is acting on your behalf as the administrator of the Ockam project.

Bank Corp

First, the bank_corp/run.sh script creates a network to host the database:

Then, the bank_corp/run.sh script creates an Aurora database:

We are now ready to create an EC2 instance where the Ockam outlet node will run:

When the instance is started, the run_ockam.sh script is executed:

  • We then create an Ockam node:

Analysis Corp

First, the analysis_corp/run.sh script creates a network to host the nodejs application:

We are now ready to create an EC2 instance where the Ockam inlet node will run:

The instance is started and the run_ockam.sh script is executed:

  • We then create an Ockam node:

We finally wait for the instance to be ready and install the nodejs application:

Once the nodejs application is started:

Recap

We connected a nodejs app in one virtual private network with a postgres database in another virtual private network over an end-to-end encrypted portal.

Analysis Corp. does not get unfettered access to Bank Corp.’s network. It gets access only to run queries on the postgres server. Bank Corp. does not get unfettered access to Analysis Corp.’s network. It gets access only to respond to queries over a tcp connection. Bank Corp. cannot initiate connections.

Cleanup

To delete all AWS resources:

./run.sh cleanup

This example requires Bash, Git, and AWS CLI. Please set up these tools for your operating system. In particular you need to with aws sso login.

The , that you ran above, and its are full of comments and meant to be read. The example setup is only a few simple steps, so please take some time to read and explore.

The calls the which invokes the to create an new identity, sign into Ockam Orchestrator, set up a new Ockam project, make you the administrator of this project, and get a project membership .

The run function then . The tickets are valid for 10 minutes. Each ticket can be redeemed only once and assigns to its redeemer. The is meant for the Ockam node that will run in Bank Corp.’s network. The is meant for the Ockam node that will run in Analysis Corp.’s network.

The run function passes the enrollment tickets as variables of the run scripts provisioning and .

We and tag it.

We and attach it to the VPC.

We and to the Internet via the gateway.

We , and associated to the route table.

We finally so that there is:

,

And from within our two subnets.

This requires .

Once the subnet group is created, we create a an a .

Finally .

We .

We above and a start script based on run_ockam.sh where:

created by the administrator and given as a parameter to run.sh.

that we previously saved.

We and .

The .

The .

With .

A . The policy authorizes identities with a credential containing the attribute postgres-inlet="true".

With capable of forwarding the TCP traffic to the TCP outlet.

We and tag it.

We and attach it to the VPC.

We and to the Internet via the gateway.

We , and associated to the route table.

We finally so that there is:

,

And to download and install the nodejs application.

We .

We above and a start script based on run_ockam.sh where:

created by the administrator and given as a parameter to run.sh.

The .

The .

With .

A . The policy authorizes identities with a credential containing the attribute postgres-outlet="true".

The is (this uses the previously created key.pem file to identify).

We can then and:

.

.

.

It will .

It to check that the connection with the Postgres database works.

Sensitive business data in the postgres database is only accessible to Bank Corp. and Analysis Corp. All data is with strong forward secrecy as it moves through the Internet. The communication channel is and . Keys and credentials are automatically rotated. Access to connect with postgres can be easily revoked.

All are secure-by-default. Only project members, with valid credentials, can connect with each other. NAT’s are traversed using a relay and outgoing tcp connections. Bank Corp. or Analysis Corp. don’t expose any listening endpoints on the Internet. Their networks are completely closed and protected from any attacks from the Internet.

login to your AWS account
run.sh script
accompanying files
Bank Corp.'s network
Analysis Corp.'s network
create a VPC
create an Internet gateway
create a route table
create a route
create two subnets, located in two distinct availability zones
create a security group
One TCP egress to the Internet
one ingress to Postgres
a subnet group
database cluster
database instance
the address of the database is saved in an environment variable
select an AMI
start an instance using the AMI
ENROLLMENT_TICKET is replaced by the enrollment ticket
POSTGRES_ADDRESS is replaced by the database address
tag the created instance
wait for it to be available
ockam executable is installed
enrollment ticket is used to create a default identity and make it a project member
a TCP outlet
policy associated to the outlet
a relay
create a VPC
create an Internet gateway
create a route table
create a route
create a subnet
create a security group
One TCP egress to the Internet
One SSH ingress
select an AMI
start an instance using the AMI
ENROLLMENT_TICKET is replaced by the enrollment ticket
ockam executable is installed
enrollment ticket is used to create a default identity and make it a project member
a TCP inlet
policy associated to the inlet
app.js file
copied to the instance
SSH to the instance
Install nodejs
Install the Postgres client library
Start the nodejs application
connect to the Ockam inlet at port 12345
creates a database table and runs some SQL queries
encrypted
mutually authenticated
authorized
access controls
How does Ockam work?
run.sh script
run function
enroll command
generates two new enrollment tickets
first ticket
second ticket
credential
attributes