How to Give Coding Agents Access to SSH and Databases Safely: Practical Patterns for Production

As coding agents become more capable, teams face a hard problem: how to let them access SSH and databases for useful tasks, without risking production. Common attempts rely on command allowlists, SQL filters, or manual approval flows. These are useful but incomplete. The fundamental insight is that risk is driven by what the system can execute, not only by what the agent is told it can do.

Control surfaces versus execution surfaces

Control surfaces are prompts, allowlists, and approval dialogs that influence agent behavior. Execution surfaces are shells, credentials, runtimes, and database roles that determine what actions actually happen. Protect production by reducing power at the execution surface. If an agent only ever holds a credential that can read from a replica, the agent cannot modify primary data even if it tries.

Why simple filters and allowlists fail in practice

  • SQL filters are brittle. Many query constructs and functions can produce side effects or create new objects. Blocking keywords is not a foolproof boundary.
  • Read-only access can still expose secrets, PII, and operational metadata if not scoped properly.
  • Agents pursue tasks. If one tool is blocked at the control surface, an agent will chain allowed operations to achieve the same outcome at the execution surface.

Principles for safe agent access

  • Enforce least privilege at the execution surface. Give agents the minimum role, database user, or SSH capability required for the task.
  • Use read-only replicas and views for investigative tasks. Never give agents direct credentials to primary databases.
  • Prefer API layers or stored procedures as controlled interfaces. Design explicit functions that encapsulate allowed operations and audit every call.
  • Issue ephemeral credentials from a secrets manager. Rotate and revoke quickly to limit blast radius.
  • Sandbox agent runtimes using containerization, restricted user accounts, and network egress controls.
  • Record and audit all sessions with session logging for SSH and query logging for databases. Use SIEM and alerting on anomalous patterns.

Practical architecture patterns

  • Agent runs in an isolated container with no persistent host credentials and strict egress rules. Network policies only allow access to a bastion and specific database replicas.
  • Agent connects to a bastion host that enforces forced commands and session recording. The bastion uses a jump host pattern and short-lived keys issued by a secrets manager.
  • Datastore access is mediated by a proxy or API gateway that enforces RBAC, query shape validation, rate limits, and auditing. Use replicas and views for analysis workflows.
  • High-risk operations require multi-party approvals implemented at the execution tier. The approval artifact should alter runtime configuration or temporarily grant elevated roles, not just be logged in the agent layer.
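As an added example (not code from the original article), here is the execution-surface principle from the first section and the mediating proxy pattern above, reduced to one runnable guard: Python's sqlite3 authorizer hook stands in for a database role scoped to a view on a read replica, and the schema and rows are constructed sample data.

```python
import sqlite3

# Constructed sample schema standing in for a read replica of production.
# api_token is the kind of secret column an agent role must never see.
SCHEMA = """
CREATE TABLE users  (id INTEGER PRIMARY KEY, email TEXT, api_token TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, total REAL);
INSERT INTO users  VALUES (1, 'a@example.com', 'tok-1'), (2, 'b@example.com', 'tok-2');
INSERT INTO orders VALUES (10, 1, 25.0), (11, 2, 40.0);
"""

# The agent role's scope: table -> columns it may read (the "view" it is limited to).
ALLOWED_READS = {"users": {"id", "email"}, "orders": {"id", "user_id", "total"}}


class AgentDatastore:
    """Execution-surface guard. The authorizer runs inside the engine while each
    statement is compiled, so writes, schema changes and reads of non-allowed
    columns are refused regardless of how the SQL is phrased."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.audit = []  # every attempt, allowed or denied, is recorded for review
        conn.set_authorizer(self._authorize)

    def _authorize(self, action, arg1, arg2, dbname, source):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ:
            # arg1 = table, arg2 = column ('' when only row counts are read)
            allowed = ALLOWED_READS.get(arg1, set())
            if arg2 in allowed or (arg2 == "" and allowed):
                return sqlite3.SQLITE_OK
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_DENY  # INSERT/UPDATE/DELETE/CREATE/PRAGMA/ATTACH/...

    def query(self, sql: str, params=()):
        try:
            rows = self.conn.execute(sql, params).fetchall()
        except sqlite3.DatabaseError as exc:
            self.audit.append(("denied", sql, str(exc)))
            raise PermissionError(f"refused at execution surface: {exc}") from exc
        self.audit.append(("allowed", sql, len(rows)))
        return rows


def build_agent_datastore() -> AgentDatastore:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)  # data loaded before the guard, as a replica would be
    return AgentDatastore(conn)
```

A keyword filter in the agent layer would have to anticipate every phrasing; the guard above refuses the statement at compile time and leaves an audit trail either way.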

Testing and validation

  • Run adversarial tests and red-team exercises focused on how an agent might chain allowed operations into harmful state changes.
  • Perform chaos testing that simulates credential compromise to verify revocation and rotation workflows.
  • Validate monitoring by injecting known canary queries and verifying detection, alerting, and response procedures.

Incident response and operational playbook

  • Predefine fast revocation: revoke agent keys, rotate secrets, and isolate the agent runtime.
  • Record and preserve logs for forensic analysis. Automate alerting on unusual query shapes, large data exfiltration, or unexpected schema changes.
  • Review and tighten execution surfaces after any incident. Move more operations behind safe APIs and reduce broad privileges.

Key takeaways

Do not rely solely on control surfaces. Allowlists and prompt constraints help, but true safety depends on enforcing limits where commands actually run. Use replicas, roles, ephemeral credentials, sandboxed runtimes, API layers, and rigorous auditing to allow coding agents to be useful while protecting production systems. Designing safety into the execution surface is the single most important step to keep agents productive and production intact.
