VSCode Remote to EC2 instance (via SSH over SSM)

[jovanshernandez]

Desktop (please complete the following information):

• OS: Ubuntu18 and/or Amazon Linux2
• VS Code version: 1.41.0
• AWS Toolkit extension version: 1.70

Anyway to connect to EC2 through VSCode without SSH Key?

Trying to connect to EC2 through VSCode without SSH Keys. I'm able to connect to EC2s using AWS Credentials, AWS Profiles, and AWS SSM, but is there a way to pass that connection through VSCode/?

[awschristou]

Hi @jovanshernandez , when you mention "Connect to EC2", are you trying to use VS Code's Remote Development feature, that allows users to open a remote folder in the VS Code file explorer? Or did you have something else in mind?

[jovanshernandez]

@awschristou Correct, I am trying to open say the /home/ubuntu/ folder on an EC2 in my VSCode desktop file explorer.

[dmattia]

I do not believe this to be a duplicate issue.

This issue is talking about a connection like aws ssm start-session --target "i-0012341ef010ffc4f", which uses the AWS CLI to open an SSH-like connection to a remote EC2. This is an AWS specific form of authentication, and is felt to be more secure by many because:

1. You can use SSM to access instances in private subnets, whereas SSHing requires some instance in a public subnet
2. SSM uses AWS creds, which has strong MFA support, whereas SSH is just SSH
3. SSM access control is controlled by AWS IAM Policies, whereas SSH requires maintaining public keys
4. All SSM access has built in monitoring and auditing by AWS Cloudtrail and the SSM service itself

So this issue is really just asking for almost a direct integration, or otherwise mirroring of functionality, of Microsoft's Remote Dev tooling but for SSM instead of SSH.

This is not related to ECS or EC2 metadata endpoints that issue #918 talks about

[twitu]

This is a powerful feature and an important component in making AWS development experience secure but also seamless. + 💯 from my side.

[thomas-anderson-bsl]

As a workaround, you could update the ssh configuration file to run a proxy command, which routes ssh traffic via SSM. See https://pub.towardsai.net/how-to-do-remote-development-with-vs-code-using-aws-ssm-415881d249f3

[justinmk3]

Related:

• https://aws.amazon.com/blogs/architecture/field-notes-use-aws-cloud9-to-power-your-visual-studio-code-ide/ shows how to configure remote SSH over SSM so that VS Code can connect to an EC2 instance. Furthermore shows how to use Cloud9 as the remote instance from a local VS Code instance.
• https://github.com/elpy1/ssh-over-ssm
  • key feature: copies public key to server so that ssh works seamlessly. https://github.com/elpy1/ssh-over-ssm/blob/e439729a80dd65990bd3bf7b96f4a180dc93c7e3/ssh-ssm.sh#L29-L37
• auth: auto-configure .ssh/config to use SSM session manager so we can log into EC2 #1627

[szukalski]

This will work but you have to manually specify the AWS profile and region.

Outside of VS Code, your ssh config for SSM integration would look something like this:

host i-* mi-*
  User ec2-user
  ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

Then you would ssh to your instance directly. Ie. ssh i-xzyyxzzxyyxzzxy. Things work because you have an AWS profile and region loaded.

To get things working with VS Code, your ssh config would look like this:

host i-*.*.*
  User ec2-user
  ProxyCommand bash -c "aws ssm start-session --target $(echo %h|cut -d'.' -f1) --profile $(echo %h|/usr/bin/cut -d'.' -f2) --region $(echo %h|/usr/bin/cut -d'.' -f3) --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

You then connect to your instance with i-xzyyxzzxyyxzzxy.profile_name.region.

[chm123]

I can confirm solution from @szukalski works, although I need to do some modifications due to our special AWS config. Our SSH port for EC2 instance is not open, but I can ssh through aws ssm. VS Code remote ssh works perfectly this way, and I can also forward ports in ssh config file.

[jtele2]

@chm123 Can you elaborate? I cannot get this to work like so.

[chm123]

@chm123 Can you elaborate? I cannot get this to work like so.

@jtele2 Basically you can follow
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html

And try SSH from terminal (not from VS Code). If this works for you, you should be able to connect via VS Code.

[jtele2]

@chm123 Thank you for your response. I can get in via Windows Subsystem for Linux (WSL) but not from PowerShell with the proxy command. I have to use WSL because I cannot install SessionManagerPlugin directly to PowerShell (non-Admin rights), but can install to WSL.

Is there a way to make ProxyCommand use WSL.exe to setup the Remote-SSH session?

[chm123]

@jtele2

I'm using MacBook, so I'm not familiar with WSL. You can try this
https://stackoverflow.com/questions/60150466/can-i-ssh-from-wsl-in-visual-studio-code

[jtele2]

@szukalski Any ideas on how to get this to work with Windows (AWS CLI on PowerShell)?

[PeterBaker0]

+1 for this feature - would be very useful - going to try and setup workaround as above for now.

[mrgum]

one thing to note, vscode needs your credentials, so if you use temporary credentials, say via SSO to an IdP you need to close vscode and open it again from a terminal that has your session token, a PITA

if anyone knows a work-around, that doesn't involve session up a credentials file or iam user, that would be great

[szukalski]

@mrgum Source your credentials from an external process:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html

[borontion]

I implemented a simple prototype EC2 explorer, which can 1) start / stop instances and 2) open via SSH: https://marketplace.visualstudio.com/items?itemName=PengzhanZhao.ec2-farm. However, It does require to provision EC2 instances with a uploaded key pair.

[sholtomaud]

@borontion nice. However we don't want to use key pairs or ssh.

[serverhorror]

For anyone interested: the issue in microsoft/vscode-remote-release#8186 is now eligible for upvotes. If we reach 10 or more it will be considered for the next step. Let the upvotes ensue...

[serverhorror]

VS Code has accepted the refrenced issue in their backlog.

We might want to bring our input so it does get enough priority and people can create useful extensions with the solution they come up with.

[iancullinane]

@Roseidon your solution gets me through the mfa portion, but asks for a password afterwards. Is this supposed to happen? I don't have a password for this instance.

[Roseidon]

@Roseidon your solution gets me through the mfa portion, but asks for a password afterwards. Is this supposed to happen? I don't have a password for this instance.

Unfortunately not, I haven't been prompted for a password afterwards.
Maybe that is an auth setting on the instance itself. So far I only worked with saving my public ssh key on the instance, but not with user/pass.

[trallnag]

For me it works on Windows 10, VS Code 1.79.2, Remote SSH 0.102.0. Entry in SSH config:

Host server
   User ubuntu
   ProxyCommand C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "aws ssm start-session --target i-0824c21f7abd6347c --document-name AWS-StartSSHSession --parameters portNumber=%p"

[justinmk3]

Status

We are actively working on these features.

• Implemented:
  • ✅ Open Terminal to an EC2 instance (including Windows instances)
  • ✅ AWS: Connect to EC2 Instance... command
    • 
  • ✅ Browse EC2 instances in AWS Explorer
  • ✅ Start/Stop/Reboot actions #1559
  • ✅ Connect to EC2 instance via VSCode remote-ssh
  • ✅ Connect to EC2 instance from Windows
• Not implemented yet:
  • Connect to EC2 Windows instance
  • Other actions: list EBS volumes, set shutdown schedule #1559

[justinmk3]

Is AWS: Connect to EC2 Instance in version 1.91.0?

The features in the above comment are implemented but not released. We're hoping to make it available as an "experimental" option.

Will update this issue when there is any news.

[jfmcdowell]

Is there an update on this? I periodically (about every VSCode update) lose the ability to run SSM via the proxy script. Using my terminal is fine but inside of VSCode it seems to lose the awscli path.

See this issue for additional details

[la-cruche]

@justinmk3 those features are still not part of the extension? #941 (comment) any ETA?

[ekalosak]

Would like to see progress on this as well - it was a surprise to not see EC2 in the AWS VScode toolkit. I'm still cycling the public IP for my ec2 instance :(

[SuperP4rks]

Would it be possible to release this as experimental as mentioned in an above message @justinmk3.

My understand would be that there would be an ability to SSM on Linux/Mac in its current phase.

[sholtomaud]

This Connect to EC2 instance via VSCode remote-ssh, is that considered zero-trust with MFA auth + Enterprise AzureAD? Can I access the EC2 without being in the private network using the DirectConnection to the AWS data centre from the on-prem network? OR is all traffic over the public internet, and Enterprise AzureAD auth not supported?

[TheCaffeintedSloth]

Would it be possible to release this as experimental as mentioned in an above message @justinmk3.

My understand would be that there would be an ability to SSM on Linux/Mac in its current phase.

Echoing this from June. Any update on when the experimental will be released? Have been hoping for this feature for quite awhile. @justinmk3

[justinmk3]

We've made progress on this and it's likely for Q1. We definitely want to see this too :)

[tehnrd]

I have a single stateless ec2 bastion box, so the instance ID is constantly changing. Below is a simple config file that works for me and maybe others will find helpful. It will dynamically look up the ec2 instance ID based on the name of the ec2 instance.

I did have to set up a Key Pair for this to work.

ssh config file entry:

Host auditr
    HostName ec2-0-00-00-000.us-east-2.compute.amazonaws.com
    User ec2-user
    IdentityFile /Path/To/Pem/file.pem
    ProxyCommand aws ssm start-session --target $(aws ec2 describe-instances --profile profileName --filters 'Name=tag:Name,Values=name-of-ec2-instance' 'Name=instance-state-name,Values=running' --query 'Reservations[].Instances[].InstanceId' --output text) --profile profileName --document-name AWS-StartSSHSession --parameters 'portNumber=%p'

[sholtomaud]

I have a single stateless ec2 bastion box ...

There's your problem. Just delete the Bastion and this issue is solved.

[tehnrd]

I have a single stateless ec2 bastion box ...

There's your problem. Just delete the Bastion and this issue is solved.

I'm unsure how this helps, as the instance ID would get recreated/change, and you'd have to constantly update your scripts with the new instance ID.

Also, deleting is not a great option when using CDK or other IaC, as you'll get stack drift and all sorts of deployment challenges. I just shut down (not terminate) the instance when not needed, and the script above works great if the instance gets swapped out for any reason.

[justinmk3]

Status

AWS Toolkit 3.39.0 includes these features:

• ✅ AWS Explorer (and VSCode command palette): Start/Stop/Reboot actions #1559
• ✅ AWS Explorer: list EC2 instances, view their status.
• ✅ AWS: Launch EC2 Instance command opens the AWS web console launch page.
• ✅ AWS: Open terminal to EC2 instance... command opens a VSCode terminal connected to an EC2 instance.
  • Requires remote-ssh (which requires ssh on your local desktop).
  • Supports EC2 instances running Linux/macOS/Windows.
• ✅ AWS: Connect to EC2 instance in New Window... command connects VSCode to an EC2 instance.
  • Requires remote-ssh (which requires ssh on your local desktop).
  • Supports EC2 instances running Linux or macOS (not Windows, currently).
  • Your local desktop can be Linux/macOS (not Windows, currently).
  • 

These features are not currently implemented:

• Connect to EC2 Windows instance
• Other actions: list EBS volumes, set shutdown schedule #1559

Please upvote or create issues to track the above or any other requests that are important to you.

---

Issue locked so that the above status is visible. Please open new issues with your feedback!