Ruan Bekker's Blog

From a Curious mind to Posts on Github

SSH Using AWS SSM Session Manager

You can use SSM Session Manager to connect to your EC2 instances, as long as the instance has an IAM role attached that includes the AmazonSSMManagedInstanceCore managed policy.

AWS EC2 Console

Head over to “Connect” and select “Session Manager”.

You should get a shell.

AWS CLI

You can also use the CLI:

aws --profile prod ssm start-session --target i-0ebba722b102179b6

If you get this error:

image

Head over to:

https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html

Install the session manager plugin, for Mac:

$ curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/mac/sessionmanager-bundle.zip" -o "sessionmanager-bundle.zip"
$ unzip sessionmanager-bundle.zip
$ sudo ./sessionmanager-bundle/install -i /usr/local/sessionmanagerplugin -b /usr/local/bin/session-manager-plugin
$ rm -rf sessionmanager-bundle

After installation:

$ aws --profile prod ssm start-session --target i-0ebba722b102179b6
Starting session with SessionId: ruan.bekker-0b07cbbe261885ad3

sh-4.2$ sudo su - ec2-user
Last login: Wed Jan  6 12:55:03 UTC 2021 on pts/0
[ec2-user@ip-172-31-23-246 ~]$

Note: when you use SSM Session Manager, you don’t need to open inbound ports in your security groups or have a directly routable network path to your instance.

Bash Functions FTW

You can wrap this in a bash function:

$ cat ~/.functions.aws
aws-ssh(){
  # Look up the running instance by its Name tag, then open an SSM session to it
  local instance_name="${1}"
  local instance_id
  instance_id=$(aws --profile prod ec2 describe-instances --filters "Name=tag:Name,Values=${instance_name}" --query "Reservations[].Instances[?State.Name == 'running'].InstanceId[]" --output text)
  aws --profile prod ssm start-session --target "${instance_id}"
}

$ aws-ssh ssm-session-manager-ssh-test2
Starting session with SessionId: ruan.bekker-04daf56c5f3668790
sh-4.2$
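
Name tags are not unique, so the lookup in aws-ssh can return no instance ID or several. The following added example (not code from the original post; select_instance_id and aws_ssh_strict are hypothetical names) opens a session only when the tag resolves to exactly one well-formed instance ID:

```shell
# Added example: function names here are hypothetical, not from the post.

# Take the text output of describe-instances (IDs separated by tabs or
# newlines) and print it back only if it is exactly one well-formed ID.
# The body is a subshell, so "set -f" and "exit" do not affect the caller.
select_instance_id() (
  set -f          # no globbing while the raw output is word-split
  set -- $1       # intentional word splitting: one positional per ID
  if [ "$#" -eq 0 ]; then
    echo "no running instance has that Name tag" >&2
    exit 1
  fi
  if [ "$#" -gt 1 ]; then
    echo "Name tag is ambiguous, $# running instances match: $*" >&2
    exit 2
  fi
  # "i-" plus 8 (older) or 17 lowercase hex characters
  if ! printf '%s\n' "$1" | grep -Eq '^i-([0-9a-f]{8}|[0-9a-f]{17})$'; then
    echo "unexpected instance ID format: $1" >&2
    exit 3
  fi
  printf '%s\n' "$1"
)

# Same flow as aws-ssh, but refuses to connect unless the tag resolves
# to a single running instance. Profile "prod" follows the post.
aws_ssh_strict() (
  ids=$(aws --profile prod ec2 describe-instances \
    --filters "Name=tag:Name,Values=$1" \
              "Name=instance-state-name,Values=running" \
    --query "Reservations[].Instances[].InstanceId" \
    --output text) || exit
  id=$(select_instance_id "$ids") || exit
  aws --profile prod ssm start-session --target "$id"
)
```

Exit codes 1, 2 and 3 distinguish "no match", "ambiguous tag" and "malformed ID", so a calling script can tell a typo from a duplicated Name tag.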

If you have your own SSH key, you can use this ~/.ssh/config:

# AWS SSM Session Manager
Host i-*
    ProxyCommand sh -c "aws --profile prod ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

Then connect with SSH, using the instance ID as the host name:

$ ssh -i ~/.ssh/infra.pem ec2-user@i-0ebba722b102179b6
Warning: Permanently added 'i-0ebba722b102179b6' (ECDSA) to the list of known hosts.
Last login: Wed Jan  6 13:04:03 2021

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
[ec2-user@ip-172-31-23-246 ~]$

Thanks

Thanks for reading, if you like my content, check out my website or follow me at @ruanbekker on Twitter.