VSCode Remote to EC2 instance (via SSH over SSM) #941

Open
jovanshernandez opened this issue Feb 22, 2020 · 79 comments
Labels
auth-credentials authentication, authorization, credentials, AWS Builder ID, sso feature-request New feature or enhancement. May require GitHub community feedback. guidance General information and guidance, answers to FAQs, or recommended best practices/resources. remote-execute SSM, remote-ssh, CodeCatalyst dev env, remote connect service:ec2

Comments

@jovanshernandez

jovanshernandez commented Feb 22, 2020

Desktop (please complete the following information):

  • OS: Ubuntu18 and/or Amazon Linux2
  • VS Code version: 1.41.0
  • AWS Toolkit extension version: 1.70

Any way to connect to EC2 through VSCode without SSH Key?

Trying to connect to EC2 through VSCode without SSH keys. I'm able to connect to EC2s using AWS Credentials, AWS Profiles, and AWS SSM, but is there a way to pass that connection through VSCode?

@jovanshernandez jovanshernandez added the guidance General information and guidance, answers to FAQs, or recommended best practices/resources. label Feb 22, 2020
@awschristou
Contributor

Hi @jovanshernandez , when you mention "Connect to EC2", are you trying to use VS Code's Remote Development feature, that allows users to open a remote folder in the VS Code file explorer? Or did you have something else in mind?

@jovanshernandez
Author

@awschristou Correct, I am trying to open say the /home/ubuntu/ folder on an EC2 in my VSCode desktop file explorer.


@justinmk3 justinmk3 added the duplicate This issue or pull request already exists. Closing issue to avoid duplicate efforts. label Jul 30, 2020
@dmattia

dmattia commented Sep 15, 2020

I do not believe this to be a duplicate issue.

This issue is talking about a connection like aws ssm start-session --target "i-0012341ef010ffc4f", which uses the AWS CLI to open an SSH-like connection to a remote EC2. This is an AWS-specific form of authentication, and is felt to be more secure by many because:

  1. You can use SSM to access instances in private subnets, whereas SSHing requires some instance in a public subnet
  2. SSM uses AWS creds, which have strong MFA support, whereas SSH is just SSH
  3. SSM access control is controlled by AWS IAM policies, whereas SSH requires maintaining public keys
  4. All SSM access has built-in monitoring and auditing by AWS CloudTrail and the SSM service itself

So this issue is really just asking for almost a direct integration, or otherwise mirroring of functionality, of Microsoft's Remote Dev tooling but for SSM instead of SSH.

This is not related to ECS or EC2 metadata endpoints that issue #918 talks about.

@justinmk3 justinmk3 reopened this Sep 15, 2020
@justinmk3 justinmk3 added auth-credentials authentication, authorization, credentials, AWS Builder ID, sso and removed duplicate This issue or pull request already exists. Closing issue to avoid duplicate efforts. labels Sep 15, 2020
@ragebiswas

+1 for this, I see this could be useful for many.

@asherawelan

This would be the last piece in the puzzle for us...

@justinmk3 justinmk3 changed the title Anyway to connect to EC2 through VSCode without SSH Key? Connect to EC2 through VSCode without SSH Key? Apr 14, 2021
@twitu

twitu commented May 10, 2021

This is a powerful feature and an important component in making AWS development experience secure but also seamless. + 💯 from my side.

@justinmk3 justinmk3 changed the title Connect to EC2 through VSCode without SSH Key? VSCode Remote to EC2 instance (via SSM, without SSH) May 10, 2021
@thomas-anderson-bsl

As a workaround, you could update the ssh configuration file to run a proxy command, which routes ssh traffic via SSM. See https://pub.towardsai.net/how-to-do-remote-development-with-vs-code-using-aws-ssm-415881d249f3

@justinmk3
Contributor

justinmk3 commented Jul 2, 2021

Related:

@szukalski

This will work but you have to manually specify the AWS profile and region.

Outside of VS Code, your ssh config for SSM integration would look something like this:

host i-* mi-*
  User ec2-user
  ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

Then you would ssh to your instance directly, i.e. ssh i-xzyyxzzxyyxzzxy. Things work because you have an AWS profile and region loaded.

To get things working with VS Code, your ssh config would look like this:

host i-*.*.*
  User ec2-user
  ProxyCommand bash -c "aws ssm start-session --target $(echo %h|cut -d'.' -f1) --profile $(echo %h|/usr/bin/cut -d'.' -f2) --region $(echo %h|/usr/bin/cut -d'.' -f3) --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

You then connect to your instance with i-xzyyxzzxyyxzzxy.profile_name.region.
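A worked version of the alias convention above, added here as an example; it is not code from this thread or from the AWS Toolkit. Two things a practitioner will want beyond the one-line bash -c form: the alias and port arrive as script arguments rather than being expanded by ssh into the command string, and the instance id is checked against the i-/mi- id format (8 or 17 hex characters, which is an assumption taken from the documented formats) before anything is handed to the AWS CLI. It also reports which tool is missing from PATH, which is the usual reason the same config works in a terminal but not under Remote-SSH. Note that AWS-StartSSHSession only carries the TCP stream to sshd; you still authenticate to sshd with whatever it accepts (a key pair, or a password if the instance allows it), which is why a key or a password prompt still shows up later in this thread.

```shell
#!/bin/sh
# ssm-ssh-proxy.sh (added example, not from the thread or the AWS Toolkit)
# Use from ~/.ssh/config as:
#   Host i-* mi-*
#       User ec2-user
#       ProxyCommand sh ~/.ssh/ssm-ssh-proxy.sh %h %p
# Alias convention, as in the comment above: <instance-id>[.<profile>[.<region>]]
# When profile/region are omitted the CLI's own defaults (AWS_PROFILE, AWS_REGION) apply.
set -f   # no pathname expansion: we word-split the alias below

# parse_target ALIAS -> "id profile region", printing "-" for a missing field
parse_target() {
    alias_=$1
    id=${alias_%%.*}
    rest=${alias_#"$id"}; rest=${rest#.}
    profile=${rest%%.*}
    rest=${rest#"$profile"}; region=${rest#.}
    printf '%s %s %s\n' "$id" "${profile:--}" "${region:--}"
}

# valid_target_id ID -> succeeds only for an EC2 (i-) or managed (mi-) instance id.
# Assumed formats: i- plus 8 or 17 lowercase hex chars, mi- plus 17.
valid_target_id() {
    printf '%s\n' "$1" | grep -Eq '^(i-[0-9a-f]{8}([0-9a-f]{9})?|mi-[0-9a-f]{17})$'
}

# require_tool NAME -> fails with a message naming the tool and the PATH in use.
# Remote-SSH runs ProxyCommand with VS Code's environment, whose PATH can be
# shorter than your terminal's, so the message says exactly what was searched.
require_tool() {
    command -v "$1" >/dev/null 2>&1 && return 0
    echo "ssm-ssh-proxy: '$1' not found on PATH ($PATH)" >&2
    return 1
}

# build_command ALIAS PORT -> the aws invocation as one line (for exec or logging)
build_command() {
    port=$2
    set -- $(parse_target "$1")          # $1=id $2=profile $3=region
    cmd="aws ssm start-session --target $1"
    [ "$2" = - ] || cmd="$cmd --profile $2"
    [ "$3" = - ] || cmd="$cmd --region $3"
    printf '%s\n' "$cmd --document-name AWS-StartSSHSession --parameters portNumber=$port"
}

main() {
    alias_=$1; port=$2
    id=$(parse_target "$alias_" | cut -d' ' -f1)
    valid_target_id "$id" || { echo "ssm-ssh-proxy: refusing non-instance target '$id'" >&2; exit 2; }
    require_tool aws && require_tool session-manager-plugin || exit 3
    exec $(build_command "$alias_" "$port")
}

# Act as a proxy only when invoked as <alias> <port>; sourcing the file is harmless.
if [ "$#" -eq 2 ]; then main "$@"; fi
```

The Host pattern in the config comment matches both i-... and mi-... aliases, so the same entry serves EC2 instances and SSM managed instances; a bare instance id, an id.profile alias and an id.profile.region alias all go through the same parser, which generalises the three-field form in the comment above.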

@chm123

chm123 commented Oct 20, 2021

I can confirm the solution from @szukalski works, although I needed to make some modifications due to our special AWS config. Our SSH port for the EC2 instance is not open, but I can ssh through aws ssm. VS Code remote ssh works perfectly this way, and I can also forward ports in the ssh config file.

@jtele2

jtele2 commented Nov 15, 2021

@chm123 Can you elaborate? I cannot get this to work like so.

@chm123

chm123 commented Nov 16, 2021

@chm123 Can you elaborate? I cannot get this to work like so.

@jtele2 Basically you can follow
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html

And try SSH from terminal (not from VS Code). If this works for you, you should be able to connect via VS Code.

@jtele2

jtele2 commented Nov 17, 2021

@chm123 Thank you for your response. I can get in via Windows Subsystem for Linux (WSL) but not from PowerShell with the proxy command. I have to use WSL because I cannot install SessionManagerPlugin directly to PowerShell (non-Admin rights), but can install to WSL.

Is there a way to make ProxyCommand use WSL.exe to set up the Remote-SSH session?

@chm123

chm123 commented Nov 17, 2021

@jtele2

I'm using MacBook, so I'm not familiar with WSL. You can try this
https://stackoverflow.com/questions/60150466/can-i-ssh-from-wsl-in-visual-studio-code

@jtele2

jtele2 commented Nov 19, 2021

@szukalski Any ideas on how to get this to work with Windows (AWS CLI on PowerShell)?

@PeterBaker0

+1 for this feature - would be very useful - going to try and set up the workaround above for now.

@mrgum

mrgum commented Mar 30, 2022

One thing to note: vscode needs your credentials, so if you use temporary credentials, say via SSO to an IdP, you need to close vscode and open it again from a terminal that has your session token, a PITA.

If anyone knows a work-around that doesn't involve setting up a credentials file or IAM user, that would be great.

@serverhorror

After this issue is addressed, these won't be needed:

  • aws cli version 2

AWS Toolkit will auto-configure SSH for you. The reason for requiring SSH is because that is what vscode-remote requires.

Please keep in mind that some of us have a mind boggling amount of profiles in ~/.aws/config. If we don't need aws cli it would be great to still use the AWS eco system (profiles, SSO, ...).

@justinmk3
Contributor

If we don't need aws cli it would be great to still use the AWS eco system (profiles, SSO, ...).

Absolutely. If you get a chance to try out "Dev Environments" with https://codecatalyst.aws/ , please let us know what you think. We have put a lot of work into how AWS Toolkit presents credentials, with more improvements planned.

@sholtomaud

sholtomaud commented Mar 14, 2023 via email

@borontion

borontion commented Mar 20, 2023

I implemented a simple prototype EC2 explorer, which can 1) start / stop instances and 2) open via SSH: https://marketplace.visualstudio.com/items?itemName=PengzhanZhao.ec2-farm. However, it does require provisioning EC2 instances with an uploaded key pair.

@sholtomaud

@borontion nice. However we don't want to use key pairs or ssh.

@serverhorror

For anyone interested: the issue in microsoft/vscode-remote-release#8186 is now eligible for upvotes. If we reach 10 or more it will be considered for the next step. Let the upvotes ensue...

@serverhorror

VS Code has accepted the referenced issue in their backlog.

We might want to bring our input so it does get enough priority and people can create useful extensions with the solution they come up with.

@iancullinane

@Roseidon your solution gets me through the mfa portion, but asks for a password afterwards. Is this supposed to happen? I don't have a password for this instance.

@Roseidon

@Roseidon your solution gets me through the mfa portion, but asks for a password afterwards. Is this supposed to happen? I don't have a password for this instance.

Unfortunately not, I haven't been prompted for a password afterwards.
Maybe that is an auth setting on the instance itself. So far I only worked with saving my public ssh key on the instance, but not with user/pass.

@trallnag

For me it works on Windows 10, VS Code 1.79.2, Remote SSH 0.102.0. Entry in SSH config:

Host server
   User ubuntu
   ProxyCommand C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "aws ssm start-session --target i-0824c21f7abd6347c --document-name AWS-StartSSHSession --parameters portNumber=%p"

@justinmk3
Contributor

justinmk3 commented Jun 27, 2023

Status

We are actively working on these features.

  • Implemented:
    • Open Terminal to an EC2 instance (including Windows instances)
    • AWS: Connect to EC2 Instance... command
    • ✅ Browse EC2 instances in AWS Explorer
    • ✅ Start/Stop/Reboot actions #1559
    • ✅ Connect to EC2 instance via VSCode remote-ssh
  • Not implemented yet:
    • Connect to EC2 instance from Windows
    • Connect to EC2 Windows instance
    • Other actions: list EBS volumes, set shutdown schedule #1559


@justinmk3
Contributor

Is AWS: Connect to EC2 Instance in version 1.91.0?

The features in the above comment are implemented but not released. We're hoping to make it available as an "experimental" option.

Will update this issue when there is any news.


@justinmk3
Contributor

See #941 (comment)

@jfmcdowell

Is there an update on this? I periodically (about every VSCode update) lose the ability to run SSM via the proxy script. Using my terminal is fine but inside of VSCode it seems to lose the awscli path.

See this issue for additional details

@justinmk3
Contributor

Current status is #941 (comment)

@la-cruche

@justinmk3 those features are still not part of the extension? #941 (comment) any ETA?

@deanhtid

deanhtid commented Mar 5, 2024

anything new on this? @justinmk3

@justinmk3
Contributor

Current status is #941 (comment)

@ekalosak

ekalosak commented May 6, 2024

Would like to see progress on this as well - it was a surprise to not see EC2 in the AWS VScode toolkit. I'm still cycling the public IP for my ec2 instance :(

@SuperP4rks

Would it be possible to release this as experimental, as mentioned in an above message, @justinmk3?

My understanding is that there would be an ability to SSM on Linux/Mac in its current phase.

@sholtomaud

sholtomaud commented Jun 9, 2024

This Connect to EC2 instance via VSCode remote-ssh, is that considered zero-trust with MFA auth + Enterprise AzureAD? Can I access the EC2 without being in the private network using the DirectConnection to the AWS data centre from the on-prem network? OR is all traffic over the public internet, and Enterprise AzureAD auth not supported?

@TheCaffeintedSloth

TheCaffeintedSloth commented Sep 26, 2024

Would it be possible to release this as experimental, as mentioned in an above message, @justinmk3?

My understanding is that there would be an ability to SSM on Linux/Mac in its current phase.

Echoing this from June. Any update on when the experimental will be released? Have been hoping for this feature for quite a while. @justinmk3

@justinmk3
Contributor

justinmk3 commented Sep 26, 2024

We've made progress on this and it's likely for Q1. We definitely want to see this too :)

@tehnrd

tehnrd commented Sep 28, 2024

I have a single stateless ec2 bastion box, so the instance ID is constantly changing. Below is a simple config file that works for me and maybe others will find helpful. It will dynamically look up the ec2 instance ID based on the name of the ec2 instance.

I did have to set up a Key Pair for this to work.

ssh config file entry:

Host auditr
    HostName ec2-0-00-00-000.us-east-2.compute.amazonaws.com
    User ec2-user
    IdentityFile /Path/To/Pem/file.pem
    ProxyCommand aws ssm start-session --target $(aws ec2 describe-instances --profile profileName --filters 'Name=tag:Name,Values=name-of-ec2-instance' 'Name=instance-state-name,Values=running' --query 'Reservations[].Instances[].InstanceId' --output text) --profile profileName --document-name AWS-StartSSHSession --parameters 'portNumber=%p'
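The tag lookup above has one failure mode worth handling: a Name tag is not unique, so if two running instances carry the same name (a replacement that has not finished terminating, a copy someone else tagged), --output text returns both ids joined by a tab and --target receives a mangled argument. The script below, added here as an example and not code from the thread, resolves the name to exactly one running instance and refuses to guess otherwise. name-of-ec2-instance and profileName are the placeholders from the comment above; the lookup is kept in its own function so it can be swapped out.

```shell
#!/bin/sh
# ssm-target-by-name.sh (added example, not from the thread)
# Use from ~/.ssh/config as:
#   Host auditr
#       User ec2-user
#       IdentityFile /Path/To/Pem/file.pem
#       ProxyCommand sh ~/.ssh/ssm-target-by-name.sh name-of-ec2-instance profileName %p

# describe_running_by_name NAME PROFILE -> candidate instance ids, one per line
describe_running_by_name() {
    aws ec2 describe-instances --profile "$2" \
        --filters "Name=tag:Name,Values=$1" 'Name=instance-state-name,Values=running' \
        --query 'Reservations[].Instances[].InstanceId' --output text | tr '\t' '\n'
}

# resolve_instance NAME PROFILE -> prints the single id.
# Returns 1 when nothing running matches, 2 when more than one instance does
# (fail closed: never let a tab-joined list reach --target).
resolve_instance() {
    # keep only lines that look like instance ids; drops "None" and blanks
    ids=$(describe_running_by_name "$1" "$2" | grep -E '^m?i-[0-9a-f]+$') || true
    n=$(printf '%s\n' "$ids" | grep -c . || true)
    case $n in
        0) echo "ssm-target-by-name: no running instance tagged Name=$1 (profile $2)" >&2
           return 1 ;;
        1) printf '%s\n' "$ids" ;;
        *) echo "ssm-target-by-name: Name=$1 matches $n running instances, refusing to guess:" >&2
           printf '%s\n' "$ids" >&2
           return 2 ;;
    esac
}

main() {
    id=$(resolve_instance "$1" "$2") || exit $?
    exec aws ssm start-session --target "$id" --profile "$2" \
        --document-name AWS-StartSSHSession --parameters "portNumber=$3"
}

# Act as a proxy only when invoked as <name> <profile> <port>
if [ "$#" -eq 3 ]; then main "$@"; fi
```

Anyone in the account who can tag instances can make a second instance match the name, so an ambiguous match is treated as an error rather than resolved by picking the first id. The IdentityFile is still needed because the SSM document only tunnels the TCP connection; sshd on the instance authenticates you exactly as it would over a direct connection.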

@sholtomaud

I have a single stateless ec2 bastion box ...

There's your problem. Just delete the Bastion and this issue is solved.

@tehnrd

tehnrd commented Sep 30, 2024

I have a single stateless ec2 bastion box ...

There's your problem. Just delete the Bastion and this issue is solved.

I'm unsure how this helps, as the instance ID would get recreated/change, and you'd have to constantly update your scripts with the new instance ID.

Also, deleting is not a great option when using CDK or other IaC, as you'll get stack drift and all sorts of deployment challenges. I just shut down (not terminate) the instance when not needed, and the script above works great if the instance gets swapped out for any reason.
