@elpy1
Created May 11, 2020 02:13
quick setup guide for ssm-tool

ezmode ssh over ssm

quick setup and usage guide for SSH access over SSM to private AWS EC2 instances

Requirements

Installation

  1. git clone https://github.com/elpy1/ssm-tool.git
  2. git clone https://github.com/elpy1/ssh-over-ssm.git
  3. Place scripts in a familiar local directory e.g. ~/bin/ and add to PATH -> echo 'export PATH="$HOME/bin${PATH:+:${PATH}}"' | tee -a ~/.bashrc (or ~/.bash_profile)
  4. Install required python modules -> pip3 install --user -r /path/to/ssm-tool/requirements.txt
  5. Add snippet to SSH config (see below)
  6. macOS users may need to install newer versions of bash and openssh with brew install

SSH config

Copy and paste the following snippet to the top of your SSH config file (~/.ssh/config) or add to the bottom and remove any other config matching against host i-*:

Match exec "grep -qs '^Host.*%n' %d/.ssh/ssmtool-*"
  Include ssmtool-*

Match Host i-*
  ProxyCommand ssh-ssm.sh %h %r
  IdentityFile ~/.ssh/ssm-ssh-tmp
  StrictHostKeyChecking no
  PasswordAuthentication no
  ChallengeResponseAuthentication no
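
How the Match exec line above decides whether to load the generated fragments, as an added example (not code from ssm-tool or ssh-over-ssm). It shows that the grep treats the typed name as an unanchored regex, so the gate can pass for names that no Host block in the fragment actually matches. The demo_home directory, the fragment layout and all host values are constructed assumptions; gate and exact are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Emulates the "Match exec" gate from the snippet above: ssh substitutes
# %n (host name as typed) and %d (local home directory), runs the grep, and
# includes the ssmtool-* fragments when the exit status is 0.

# Constructed home directory and fragment; the layout of the generated
# fragment is an assumption, not copied from ssm-tool output.
demo_home=$(mktemp -d)
trap 'rm -rf "$demo_home"' EXIT
mkdir -p "$demo_home/.ssh"
cat > "$demo_home/.ssh/ssmtool-home-dev" <<'EOF'
Host home-dev-jumpbox-01 10.0.24.9 ip-10-0-24-9.ap-southeast-2
  Hostname i-0123456789abcdef0
  User ec2-user
EOF

# gate NAME -> 0 if the Match exec condition would be true for "ssh NAME"
gate() {
  grep -qs "^Host.*$1" "$demo_home"/.ssh/ssmtool-*
}

# exact NAME -> 0 only if NAME is a whole word on a Host line, which is how
# ssh matches the included Host blocks (no wildcard patterns in this fragment)
exact() {
  awk -v n="$1" '$1 == "Host" { for (i = 2; i <= NF; i++) if ($i == n) f = 1 }
                 END { exit !f }' "$demo_home"/.ssh/ssmtool-*
}

for name in home-dev-jumpbox-01 10.0.24.9 jumpbox ip.10.0.24.9 web-01; do
  gate "$name"  && g=include || g=skip
  exact "$name" && e=match   || e=none
  printf '%-22s gate=%-8s host-block=%s\n' "$name" "$g" "$e"
done
```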

Usage

Listing instances

[elpy@testbox ~]$ ssm-tool --profile home-dev
+--------------------------+---------------------+---------------+------------+--------------+
| tag[name]                | instance            | ip address    | ssm-agent* | platform     |
+--------------------------+---------------------+---------------+------------+--------------+
| home-dev-jumpbox-01      | i-0xxxxxxxxxxxx79d6 | 10.xxx.24.9   | True       | Amazon Linux |
| home-dev-confluenceasg   | i-0xxxxxxxxxxxx9007 | 10.xxx.24.1xx | False      | CentOS Linux |
| home-dev-bambooasg       | i-0xxxxxxxxxxxx29b9 | 10.xxx.24.2xx | False      | CentOS Linux |
| home-dev-jiraasg         | i-0xxxxxxxxxxxxc331 | 10.xxx.24.2xx | False      | CentOS Linux |
+--------------------------+---------------------+---------------+------------+--------------+
 * ssm-agent column refers to whether the agent is up-to-date

Update ssm-agent on all instances (if needed)

[elpy@testbox ~]$ ssm-tool --profile home-dev --update
success

Connecting to an instance over SSH using ssm-tool and instance id:

[elpy@testbox ~]$ ssm-tool --profile home-dev --ssh centos@i-0xxxxxxxxxxxx29b9
Last login: Fri May  8 10:54:38 2020 from localhost
[centos@ip-10-xxx-24-2xx ~]$ sudo -i
[root@ip-10-xxx-24-2xx ~]#
[root@ip-10-xxx-24-2xx ~]# logout
[centos@ip-10-xxx-24-2xx ~]$ logout
Connection to i-0xxxxxxxxxxxx29b9 closed.

Using ssm-tool to generate and configure SSH, then using ssh directly to connect:

Generate config:

[elpy@testbox ~]$ ssm-tool --profile home-dev --ssh-conf

ssh config fragment generated and saved to -> /home/elpy/.ssh/ssmtool-home-dev

Connect over SSH to the jumpbox host using name[tag]:

[elpy@testbox ~]$ ssh home-dev-jumpbox-01
Last login: Sun May 10 07:15:35 2020 from localhost

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
74 package(s) needed for security, out of 154 available
Run "sudo yum update" to apply all updates.
[ec2-user@ip-10-xxx-24-9 ~]$ logout
Connection to i-0xxxxxxxxxxxx79d6 closed.

Connect over SSH to the confluence host using IP address:

[elpy@testbox ~]$ ssh 10.xxx.24.1xx
Last login: Sun May 10 07:18:48 2020 from localhost
[centos@ip-10-xxx-24-1xx ~]$ logout
Connection to i-0xxxxxxxxxxxx9007 closed.

Connect over SSH to the bamboo host using short hostname:

[elpy@testbox ~]$ ssh ip-10-xxx-24-2xx.ap-southeast-2
Last login: Sun May 10 12:44:19 2020 from localhost
[centos@ip-10-xxx-24-2xx ~]$ logout
Connection to i-0xxxxxxxxxxxx29b9 closed.

Note: Feel free to add other names or change the username in the generated SSH config fragment

Don't need SSH? Connect to an instance over SSM session using instance id:

[elpy@testbox ~]$ ssm-tool --profile home-dev --session i-0xxxxxxxxxxxx29b9

Starting session with SessionId: example123-0e467c6bf9f9ae39d
sh-4.2$ sudo -i
[root@ip-10-xxx-24-2xx ~]# logout
sh-4.2$ exit

Exiting session with sessionId: example123-0e467c6bf9f9ae39d.