> ## Documentation Index
> Fetch the complete documentation index at: https://docs.fjall.io/llms.txt
> Use this file to discover all available pages before exploring further.

# fjall tunnel

> Open a secure SSM tunnel to your Fjall application's private AWS RDS database.

## Overview

`fjall tunnel` opens a secure AWS Session Manager (SSM) port-forwarding tunnel to your application's database through a bastion host. Connect local database tools (pgAdmin, DBeaver, `psql`) to your private RDS instance without exposing it to the public internet.

## Prerequisites

* AWS Session Manager plugin (`session-manager-plugin`) installed
* Valid AWS credentials with SSM permissions
* A deployed application with a bastion host and database

## Usage

```bash theme={null}
fjall tunnel [app-name] [options]
```

The application name is optional. When omitted, Fjall auto-detects it from the current directory or prompts you to pick one.

## Arguments

| Argument   | Description      | Required                                   |
| ---------- | ---------------- | ------------------------------------------ |
| `app-name` | Application name | No (auto-detected, or prompted if omitted) |

## Options

| Option                    | Description                                               | Example             |
| ------------------------- | --------------------------------------------------------- | ------------------- |
| `-d, --database <name>`   | Select a specific database (required when multiple exist) | `-d analytics`      |
| `-l, --local-port <port>` | Local port for the tunnel (defaults to the database port) | `-l 5433`           |
| `-v, --verbose`           | Show detailed output                                      | `-v`                |
| `--non-interactive`       | Force plain CLI output (no UI)                            | `--non-interactive` |

## Basic usage

Open a tunnel to your application's database:

```bash theme={null}
fjall tunnel api
```

If the application has multiple databases, select one with `-d`:

```bash theme={null}
fjall tunnel api --database analytics
```

Use a custom local port:

```bash theme={null}
fjall tunnel api --local-port 5433
```

## How it works

1. **Prerequisites**: checks that the AWS Session Manager plugin is installed.
2. **Bastion discovery**: finds the bastion host instance in your application's VPC.
3. **Database discovery**: discovers available RDS endpoints.
4. **Tunnel**: opens an SSM port-forwarding session through the bastion to the database.

When a single database is found, Fjall connects to it automatically. When more than one is found, a picker appears:

```
Select a database to connect to:
```

Each option is labelled with the database name and shows its engine and type (for example `postgres (Instance)`).

The tunnel stays open until you press `Ctrl+C`.

## Connecting

Once the tunnel is open, connect with your preferred database tool. The connection string is displayed when the tunnel opens.

```bash theme={null}
psql -h localhost -p 5432 -U myuser -d mydb
```

## Next Steps

<CardGroup cols={2}>
  <Card title="fjall deploy" icon="rocket" href="/cli/deploy">
    Deploy applications and infrastructure to AWS.
  </Card>

  <Card title="fjall list" icon="list" href="/cli/list">
    List resources inside an application's infrastructure.
  </Card>

  <Card title="fjall restore" icon="clock-rotate-left" href="/cli/restore">
    Restore resources from AWS Backup recovery points.
  </Card>

  <Card title="fjall secrets" icon="key" href="/cli/secrets">
    Manage application secrets backed by AWS Secrets Manager.
  </Card>
</CardGroup>
