It is widely known that AWS offers browser-based and terminal access to EC2 instances. Many users, however, prefer utilizing their existing terminal applications for SSH access to their EC2 instances.
The primary drawback of this approach lies in the management of SSH key-pairs. For companies with a substantial user base, handling user provisioning and key management becomes an additional operational burden.
Imagine a scenario where users could access EC2 instances through their terminal applications, eliminating the operational overhead associated with managing users and their keys on the instances. What if we could streamline this process and do away with the need for SSH key-pair management on AWS itself?
Pre-requisites
Let us review what is necessary and unecessary for this setup.
To execute this, you require:
- The SSM Agent running on the EC2 instance. It comes pre-installed and operational on Amazon Linux instances and the Ubuntu AMIs provided by AWS. If needed, you can manually install the the SSM Agent from here.
- The AWS CLI and Session Manager plugin for AWS CLI installed on your terminal application
- An IAM role with the managed policy
AmazonSSMManagedInstanceCoreattached to the EC2 Instance
You do not require:
- Security group rule allowing traffic for SSH
- Creating key pairs while launching your EC2 instances!
- Additional access provisioning on EC2 instances.
How to SSH using AWS CLI
This can be in done in two steps.
- First, you push the SSH public key to the instance.
- Modify the instance-id, public key file and availability zone accordingly
- The SSH public key remains on the instance only for 60 seconds
aws ec2-instance-connect send-ssh-public-key --instance-id i-0999e44444aa333 --instance-os-user ec2-user --ssh-public-key 'file://~/.ssh/id_mykey.pub' --availability-zone eu-central-1a
- Next, run the SSM start session command to connect to the instance
- Modify the instance Id, region accordingly
aws ssm start-session --region eu-central-1 --target i-0999e44444aa333 --document-name AWS-StartSSHSession --parameters 'portNumber=22'
Using SSH config
You could simplify the SSH configuration by adding the above commands in your SSH configuration
Edit your ~/.ssh/config file to add the following code snippet:
# SSH over Session Manager Host i-* IdentityFile ~/.ssh/id_mykey User ec2-user ProxyCommand sh -c "aws ec2-instance-connect send-ssh-public-key --instance-id %h --instance-os-user %r --ssh-public-key 'file://~/.ssh/id_mykey.pub' --availability-zone '$(aws ec2 describe-instances --instance-ids %h --query 'Reservations[0].Instances[0].Placement.AvailabilityZone' --output text)' && aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
And then you could simply SSH into the instance using
ssh i-0999e44444aa333
Troubleshooting
- SessionManagerPlugin is not found. Please refer to SessionManager Documentation here: http://docs.aws.amazon.com/console/systems-manager/session-manager-plugin-not-found
As the above error suggests, you may not have Session Manager Plugin installed. Once you install it, it is also a good idea to verify the installation by running
session-manager-plugin
A successful installation should display the below message
The Session Manager plugin is installed successfully. Use the AWS CLI to start a session.
- An error occurred (TargetNotConnected) when calling the StartSession operation: i-0999e44444aa333 is not connected.
Verify if the IAM role with the managed policy AmazonSSMManagedInstanceCore is attached to the instannce.
Sometimes the instance takes a while to warm up. If you have just launched the instance, give it a few more minutes.
This could also mean that the SSM Agent is not installed or running on the instance. You can try to connect to the instance using SSM Manager from the console to verify this.
