Hosted Redash SSH Tunnel API
SaaS Redash traffic always arrives from our public IP address:
We recommend directly whitelisting this address through your firewall.
Alternatively, you can set up an SSH tunnel using the API described below.
If the below instructions don’t work for you, contact Redash support using the
in-app chat box.
Two sets of details are needed to connect Redash with your database over SSH:
database access details and SSH access details.
Database access details are always entered into Redash directly, regardless
whether an SSH tunnel is required. Any member of the
admin group can do this
from the Settings > Data Sources tab. For tunneled connections, the
host for your data source will be the private hostname within your
VPC/intranet. Attempts to connect with this data source will fail unless your
firewall allows traffic from our IP or you configure an SSH tunnel.
When you set up the data source in Redash, you must enter the port that the
database listens on. Even if your database uses the default (5432 on Postgres
e.g.) you must explicitly enter it on the setup screen. Otherwise you will
receive an error that says: “SSH tunneling is not implemented for this query
SSH access details are supplied using Redash’s REST API because this feature
has not yet been added to our front-end user interface. The tunnel API uses
public key authentication to connect with
a bastion server in your network. Once connected to the bastion via SSH, Redash
sends the database access details to your database.
For this to work, your bastion host must be exposed over the internet. And you
should add our public key to
.ssh/authorized_keys within the home folder of the system user that Redash
will use to authenticate (on some systems the path is
recommend creating a dedicated user for this purpose.
Note: SSH Connections are ad-hoc. A new connection is tried on each query
Setup The Connection
You will need:
(a) The address, port, and system user that Redash will use to connect with your
bastion (b) The URL for the data source to be tunneled (c) The organization slug
for your hosted account (d) The API key of an admin user within your
organization (available from the Profile screen)
GET the data source details
Copy your organization slug and the numerical data source ID and make an API
call to the
https://app.redash.io/<slug>/api/data_sources/<data source id>
This request must include an
Authorization header with a value of
Key <admin api key>.
The JSON response includes all the details for the specified data source. Copy
options objects and proceed to the next step.
POST the SSH access details
POST api call to the same endpoint as step 1 adding an
object with three key-value-pairs:
Using the values from (a) above. For example:
"name": "My Sample Database",
If you receive an HTTP response with code
200 then your SSH access details
Step 3: Test the connection
You can either visit the data source within Redash and click Test Connection
or make a
POST api call to
https://app.redash.io/<slug>/api/data_sources/<data source id>/test.
The JSON response will indicate whether Redash successfully reached your
database through the tunnel.
Depending on your firewall settings you might need to whitelist Redash’s public