# Quick Start Guide

### Overview

This guide is designed to help administrators with initial configuration of their StrongDM network. You will learn how to set up a gateway and resource in the Admin UI, set appropriate permissions and roles in order to access the resource, install and use the StrongDM client to connect to it, and review activity history in the logs. This quick start allows you to try using StrongDM before setting up access for your entire organization.

{% hint style="info" %}
If you'd like to use Terraform to set up a test installation of StrongDM on AWS, read our [Terraform Quick Start](https://docs.strongdm.com/admin/deployment/terraform/aws) documentation.
{% endhint %}

### Prerequisites

Before you begin, the following requirements should be met:

* **Server (to host the gateway)**: You can repurpose an existing bastion or jump host for testing purposes. For production-ready deployments, we recommend a server reserved exclusively for use as a gateway.
* **Specifications**: The [StrongDM gateway](https://docs.strongdm.com/admin/networking/gateways-and-relays) can be installed on any Linux distribution. We recommend servers with 2 CPUs and 4 GB of memory.
* **Network Settings**: To get live quickly, the server hosting the gateway needs to be able to connect to the resource that you set up. This may require modifying the security group on the server or database itself. You also need SSH access to the server.

### Create a Gateway

{% hint style="info" %}
If you are comfortable with Terraform, and choose to set up a gateway in AWS, you can [automate gateway setup](https://github.com/strongdm/terraform-aws-sdm-gateway)!
{% endhint %}

Gateways are the entry points to your StrongDM network. When users authenticate via the StrongDM client, the client contacts a gateway. The gateway verifies the user’s permission level, roles, and access grants before routing their traffic and establishing a connection to the target resource. Each network needs at least one gateway for StrongDM to function.

Gateways are hosted on servers that live outside of StrongDM. The following steps show you how to define and connect to the host of a new gateway, using the Admin UI and your command line.

{% tabs %}
{% tab title="US" %}

1. Log in to the Admin UI at <https://app.strongdm.com>.
2. From the navigation menu, click **Network** and then click **Gateways**. On the **Gateways** page, click **Add gateway**.

   ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-89c127c7a0408576dd8ee8f807f2bd123bfedde7%2Fgateways-add%20\(1\).png?alt=media)
3. For **Name**, enter a unique, memorable name. Use only letters, numbers, and hyphens.
4. For **Advertised Host**, define the advertised host for the server (for example, `sdm-gw0.yourcompany.com`, `111.222.333.444`, or `ec2-nn-nnn-nnn-nnn.us-east-2.compute.amazonaws.com`). It must be an IP or hostname accessible to your StrongDM client(s).
5. For **Advertised Port**, enter the port that you left open for the gateway to interact with StrongDM clients (by default, `5000`). If you need to use another port, choose any port above 1024, as StrongDM runs as a non-privileged daemon.
6. Click **Create gateway** to save your name, host, and port.
7. A token is generated that is **shown only once**. Carefully copy the token and save it for later use.
8. Establish an SSH connection to the server that will host the gateway.
9. Download the StrongDM binary:

   ```bash
   curl -J -O -L https://app.strongdm.com/releases/cli/linux
   ```
10. Unzip it.

    ```bash
    unzip sdmcli_VERSION_NUMBER_linux_amd64.zip
    ```
11. Run the installer. When prompted for the token created earlier, paste it and hit enter. Note that the token does not echo back to you.

    ```bash
    sudo ./sdm install --node
    ```
12. Return to the Admin UI. On the **Gateways** page, the gateway just created should have a status of **online** and a heartbeat.
    {% endtab %}

{% tab title="UK" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

1. Log in to the Admin UI at <https://app.uk.strongdm.com>.
2. From the navigation menu, click **Network** and then click **Gateways**. On the **Gateways** page, click **Add gateway**.

   ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-89c127c7a0408576dd8ee8f807f2bd123bfedde7%2Fgateways-add%20\(1\).png?alt=media)
3. For **Name**, enter a unique, memorable name. Use only letters, numbers, and hyphens.
4. For **Advertised Host**, define the advertised host for the server (for example, `sdm-gw0.yourcompany.com`, `111.222.333.444`, or `ec2-nn-nnn-nnn-nnn.us-east-2.compute.amazonaws.com`). It must be an IP or hostname accessible to your StrongDM client(s).
5. For **Advertised Port**, enter the port that you left open for the gateway to interact with StrongDM clients (by default, `5000`). If you need to use another port, choose any port above 1024, as StrongDM runs as a non-privileged daemon.
6. Click **Create gateway** to save your name, host, and port.
7. A token is generated that is **shown only once**. Carefully copy the token and save it for later use.
8. Establish an SSH connection to the server that will host the gateway.
9. Download the StrongDM binary:

   ```bash
   curl -J -O -L https://app.uk.strongdm.com/releases/cli/linux
   ```
10. Unzip it.

    ```bash
    unzip sdmcli_VERSION_NUMBER_linux_amd64.zip
    ```
11. Run the installer. When prompted for the token created earlier, paste it and hit enter. Note that the token does not echo back to you.

    ```bash
    sudo ./sdm install --app-domain app.uk.strongdm.com --node
    ```
12. Return to the Admin UI. On the **Gateways** page, the gateway just created should have a status of **online** and a heartbeat.
    {% endtab %}

{% tab title="EU" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

1. Log in to the Admin UI at <https://app.eu.strongdm.com>.
2. From the navigation menu, click **Network** and then click **Gateways**. On the **Gateways** page, click **Add gateway**.

   ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-89c127c7a0408576dd8ee8f807f2bd123bfedde7%2Fgateways-add%20\(1\).png?alt=media)
3. For **Name**, enter a unique, memorable name. Use only letters, numbers, and hyphens.
4. For **Advertised Host**, define the advertised host for the server (for example, `sdm-gw0.yourcompany.com`, `111.222.333.444`, or `ec2-nn-nnn-nnn-nnn.us-east-2.compute.amazonaws.com`). It must be an IP or hostname accessible to your StrongDM client(s).
5. For **Advertised Port**, enter the port that you left open for the gateway to interact with StrongDM clients (by default, `5000`). If you need to use another port, choose any port above 1024, as StrongDM runs as a non-privileged daemon.
6. Click **Create gateway** to save your name, host, and port.
7. A token is generated that is **shown only once**. Carefully copy the token and save it for later use.
8. Establish an SSH connection to the server that will host the gateway.
9. Download the StrongDM binary:

   ```bash
   curl -J -O -L https://app.eu.strongdm.com/releases/cli/linux
   ```
10. Unzip it.

    ```bash
    unzip sdmcli_VERSION_NUMBER_linux_amd64.zip
    ```
11. Run the installer. When prompted for the token created earlier, paste it and hit enter. Note that the token does not echo back to you.

    ```bash
    sudo ./sdm install --app-domain app.eu.strongdm.com --node
    ```
12. Return to the Admin UI. On the **Gateways** page, the gateway just created should have a status of **online** and a heartbeat.
    {% endtab %}
    {% endtabs %}

#### Gateway setup troubleshooting

* If you typically set up servers with [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) on, make sure it is [turned off](https://docs.strongdm.com/admin/networking/selinux) while installing the StrongDM binary.
* The installer must be run by a user that exists in the `/etc/passwd` file.
* If the gateway does not appear to be online, it's possible the webpage is cached. Please perform a hard refresh of your browser. If the gateway is still not online, verify that the StrongDM daemon is running by typing `ps aux|grep sdm` on the server and looking for a line that says `sdm relay`.
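
The naming and port rules from the gateway steps and the troubleshooting checks above can be scripted for the gateway host. The following is an added example, not StrongDM's own tooling: the function names are hypothetical, and treating only `Disabled` (or no SELinux tooling at all) as "turned off" is an assumption of this example.

```bash
#!/bin/sh
# Added example: preflight checks for a StrongDM gateway host.
# Function names are hypothetical; the rules come from the steps on this page.

# Name: only letters, numbers, and hyphens (step 3).
valid_gateway_name() {
  case "$1" in
    '' | *[!A-Za-z0-9-]*) return 1 ;;
  esac
  return 0
}

# Advertised port: any port above 1024 (default 5000), since the daemon
# runs non-privileged (step 5).
valid_advertised_port() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;;
  esac
  [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# The installer must be run by a user present in /etc/passwd, so the file
# itself is checked rather than a name-service lookup. $2 overrides the file.
user_in_passwd() {
  awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "${2:-/etc/passwd}"
}

# Current SELinux mode, or NotInstalled when getenforce is absent.
selinux_mode() {
  if command -v getenforce >/dev/null 2>&1; then getenforce; else echo NotInstalled; fi
}

# Assumption of this example: only Disabled/NotInstalled count as "turned off".
selinux_off() {
  case "$1" in Disabled | NotInstalled) return 0 ;; *) return 1 ;; esac
}

# Reads `ps aux` output on stdin and looks for the `sdm relay` line.
# The [s] keeps the grep process itself from matching.
has_relay_line() {
  grep -q '[s]dm relay'
}

check() { # check LABEL COMMAND [ARGS...]
  label=$1; shift
  if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; fails=$((fails + 1)); fi
}

# Run before `sudo ./sdm install --node`; returns the number of failed checks.
preflight() {
  fails=0
  me=$(id -un)
  mode=$(selinux_mode)
  check "gateway name '$1' uses only letters, numbers, hyphens" valid_gateway_name "$1"
  check "advertised port '$2' is above 1024" valid_advertised_port "$2"
  check "user '$me' exists in /etc/passwd" user_in_passwd "$me"
  check "SELinux is turned off (mode: $mode)" selinux_off "$mode"
  return "$fails"
}

# Run after the install if the gateway does not show as online.
relay_running() { ps aux | has_relay_line; }

if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Pass the gateway name and advertised port as the two arguments to run the preflight; call `relay_running` after the install if the gateway still does not show as online.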

### Add a Resource

A resource is any type of infrastructure—datasources, servers, clusters, clouds, and websites—that is added and configured for your organization. StrongDM users use the client to view and connect to the resources that they have permission to access.

You need to add at least one resource to your organization because if you don't, users won't be able to do anything in StrongDM other than log in. You can add any supported resource type; however, for the purposes of this procedure, we are adding a datasource.

1. In the Admin UI, select **Resources** > **Managed Resources** from the navigation menu and choose a resource type to add to your organization. In this example, we select **Datasources** to add a database.
2. On the **Datasources** page, click **Add Resource**.

   ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-581c5214b4a6ad817ec49c9d85d9129f547eed32%2Fadd-resource.png?alt=media)
3. Enter a **Display Name** for the resource. This name appears throughout StrongDM for those who are granted access.
4. Select the **Resource Type** from the dropdown.
5. Enter the **Hostname**. This address must be resolvable from the perspective of the gateway. One way to verify this is to use SSH to log in to the gateway and use netcat: `nc -zv <YOUR_HOSTNAME> <YOUR_PORT>` (for example, `nc -zv testdb-01.fancy.org 3306` or `nc -zv 111.222.333.444 3306`).
6. StrongDM prepopulates the **Port** field with a database default. You may change the port now on the resource configuration form, or later in [Port Overrides](https://docs.strongdm.com/admin/resources/port-overrides) settings if your database is set to listen on a different port.
7. Enter the username, password, and default database name to complete the connection. Complete any other required fields.
8. Click the **Create** button to save your new resource's settings.

The Admin UI then updates and the added resource shows a positive, green health status momentarily. If the resource is not healthy, click its name to view the resource's **Diagnostics** tab and check for errors. The Admin UI indicates if there is a network or credentialing error.

### Assign Roles to Users

{% tabs %}
{% tab title="US" %}
Before users can connect to a resource, they must be assigned a role that grants them access to the particular resource. This section describes the basic steps to assign a role to a user.

1. Go to the [Roles](https://app.strongdm.com/app/access/roles) page in the Admin UI. If you already have a role created, you can update the role's access rules to allow users with that role to access your new resource. If you don't have an existing role and need a role specifically for testing purposes, you can easily create a role and assign this particular resource to it with a static rule.
2. Go to the [Users](https://app.strongdm.com/app/access/users) page in the Admin UI. Click your username. Then click **Roles** and select the newly created role to assign yourself to it and get access.
   {% endtab %}

{% tab title="UK" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

Before users can connect to a resource, they must be assigned a role that grants them access to the particular resource. This section describes the basic steps to assign a role to a user.

1. Go to the [Roles](https://app.uk.strongdm.com/app/access/roles) page in the Admin UI. If you already have a role created, you can update the role's access rules to allow users with that role to access your new resource. If you don't have an existing role and need a role specifically for testing purposes, you can easily create a role and assign this particular resource to it with a static rule.
2. Go to the [Users](https://app.uk.strongdm.com/app/access/users) page in the Admin UI. Click your username. Then click **Roles** and select the newly created role to assign yourself to it and get access.
   {% endtab %}

{% tab title="EU" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

Before users can connect to a resource, they must be assigned a role that grants them access to the particular resource. This section describes the basic steps to assign a role to a user.

1. Go to the [Roles](https://app.eu.strongdm.com/app/access/roles) page in the Admin UI. If you already have a role created, you can update the role's access rules to allow users with that role to access your new resource. If you don't have an existing role and need a role specifically for testing purposes, you can easily create a role and assign this particular resource to it with a static rule.
2. Go to the [Users](https://app.eu.strongdm.com/app/access/users) page in the Admin UI. Click your username. Then click **Roles** and select the newly created role to assign yourself to it and get access.
   {% endtab %}
   {% endtabs %}

### Set up Policies

If your organization has policies enabled via either the Enterprise plan or a StrongDM trial, a key decision to make early in the configuration of your organization is whether to use policies to control fine-grained access to resources. If your organization is currently in a trial but is not going to use the Enterprise plan, or if your organization does not intend to use policies, you should disable them: in the Admin UI, go to **Policies** and turn off the **Enable Policy** toggle in the upper-right corner of the screen.

If policies are enabled, policies forbid connections to, and specific actions on, all resources by default. Thus, policies need to be configured to allow particular principals (users, roles, service accounts) to take particular actions on particular resources, and often with contextual limitations. Those limitations can include geographic location, device trust score, and others. If you intend to use policies in your organization, you should create a policy to allow your test user access to your test resource.

#### Create a policy to allow access

If you intend to use policies for access control, you should set one up now. Create a policy similar to the following, for the purposes of this quick start:

```cedar
permit (
  principal in StrongDM::Role::"<ROLE_ID>",
  action,
  resource == StrongDM::Resource::"<RESOURCE_ID>"
);
```

In this example, if you do not know the role ID when you write the `principal` line in the editor, begin typing the name of the role: the editor offers choices from your currently defined roles and fills in the role ID for you. The same applies to the resource ID: when you begin typing the name of a resource, the editor suggests resources and, when one is chosen, fills in its resource ID for you.

Now, your user should be able to connect to the resource!

### Install the Client and Connect to a Resource

Users use the StrongDM client (which consists of the StrongDM Desktop application and/or the CLI) to connect to the resources that are available to them. The client is available for download from the Admin UI for Linux, macOS, and Windows. For macOS and Windows, you can download the desktop app and CLI packaged together, or you can download the CLI standalone.

This section describes how to use the desktop app and CLI to connect to the resource that you added in a previous step.

1. Go to the Admin UI's **Download & Install** page.
2. Download and install StrongDM using the [macOS Installation Guide](https://app.gitbook.com/s/HaY8OFbXUreWEF61MhKm/client/macos "mention"), [Windows Installation Guide](https://app.gitbook.com/s/HaY8OFbXUreWEF61MhKm/client/windows "mention"), or [Linux Installation Guide](https://app.gitbook.com/s/HaY8OFbXUreWEF61MhKm/client/linux "mention"). Follow the instructions in the installation guide for your particular operating system.
3. Open the desktop app and log in to StrongDM. The resource that you added should appear in the list of available resources.
4. Click the lightning bolt beside the resource name to connect. The lightning bolt turns green and you can see that you are connected. Being connected means that the local client is listening on that port.
5. Open your preferred SQL client (in this example, TablePlus), and create a new connection. Enter `127.0.0.1` (for some clients, this needs to be `localhost`) and the port that was assigned within the local client (in this example, `5472`). For most clients, the username and password may be left blank. Please read the [Connect to Resources](https://app.gitbook.com/s/HaY8OFbXUreWEF61MhKm/connect "mention") and [Connect to Datasources](https://app.gitbook.com/s/HaY8OFbXUreWEF61MhKm/connect/connect-databases "mention") guides for specific SQL connection requirements.

   ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-1de44023c3945a3eb2ad629fd9f3ee6371201750%2Ftableplus-sdm-resource.png?alt=media)
6. Click connect, and start querying!
7. Next, verify that the CLI is set up in your system by opening your command line and typing `sdm --version`. If it is set up properly, the response returns versioning information similar to `sdm version 38.84.0 (8e913eb01d42fc1141bda2b0d0e967b70a89d5e6 #1045)`. If the output is not like this, you should revisit the installation guide for whichever operating system your local machine uses for details on installation and setup.
8. Try executing some commands. You may wish to explore the `sdm admin` commands first, as many of the administrative features of the Admin UI can be used in the CLI as well. You can, for example, view the resource that you already added by using `sdm admin resources list`, or change its settings by using `sdm admin resources update <RESOURCE_NAME>`.

{% hint style="info" %}
All StrongDM CLI commands begin with `sdm`. To view a list of possible commands, enter `sdm --help` or `sdm -h`. Visit the [CLI Reference](https://app.gitbook.com/s/4XOJmXFslCMVCzIG2rKp/cli "mention") documentation for the same help text returned by appending the `--help` or `-h` flag to commands, along with information about commonly used CLI commands and how to filter them.
{% endhint %}

### Review Logs

All actions, queries, sessions, and errors that occur when any user uses StrongDM are logged by StrongDM. In the Admin UI, you can see a record of what you just did by going to the **Logs** section and selecting the log type you wish to review (for example, Activities or Queries).

To change where and how logs are stored, go to **Settings** > **Security** and select the **Log Encryption & Storage** tab.

### Recommended Reading

This quick start guide provides the basic setup information to begin using StrongDM. For even more detailed information about StrongDM deployment, usage, and configuration, please see the rest of the StrongDM documentation.

We recommend starting with the [Admin](https://docs.strongdm.com/admin/readme) documentation, which explains how to use and configure the administrative features found in the Admin UI and CLI.

In particular, as an admin, you may wish to explore topics in the following order:

* [Gateway and relay setup](https://docs.strongdm.com/admin/networking/gateways-and-relays)
* [Deployment](https://docs.strongdm.com/admin/deployment)
* [Resource setup](https://docs.strongdm.com/admin/resources)
* [User management](https://docs.strongdm.com/admin/principals)
* [Identity provider configuration for SSO](https://docs.strongdm.com/admin/principals/sso)
* [Identity provider configuration for Provisioning](https://docs.strongdm.com/admin/principals/provisioning)
* [Auditing](https://docs.strongdm.com/admin/audit)
* [Logging](https://docs.strongdm.com/admin/audit/logs)
* [CLI Reference](https://app.gitbook.com/s/4XOJmXFslCMVCzIG2rKp/cli "mention")
* [API Reference](https://app.gitbook.com/s/4XOJmXFslCMVCzIG2rKp/api "mention")

For installation guides and resource connection information for users using the desktop app and/or CLI, please see the [StrongDM Client](https://app.gitbook.com/s/HaY8OFbXUreWEF61MhKm/client "mention") section.


