Generate SSH config files from AWS EC2 inventory
Python
Switch branches/tags
Nothing to show
Clone or download
Permalink
Failed to load latest commit information.
LICENSE Initial commit Feb 8, 2015
README.md Override the ssh key name to use (#20) Sep 2, 2017
aws-ssh-config.py Consistent use of single quotes Jun 7, 2018

README.md

aws-ssh-config

Description

A very simple script that queries the AWS EC2 API with boto and generates a SSH config file ready to use. There are a few similar scripts around but I couldn't find one that would satisfy all my wish list:

  • Connect to all regions at once
  • Do AMI -> user lookup (regexp-based)
  • Support public/private IP addresses (for VPNs and VPCs)
  • Support multiple instances with same tags (e.g. autoscaling groups) and provide an incremental count for duplicates based on instance launch time
  • Support multiple customizable tags concatenations in a user-provided order
  • Support region (with AZ) in the host name concatenation
  • Properly leverage tab completion

Usage

This assumes boto is installed and configured. Also, private ssh keys must be copied under ~/.ssh/

Supported arguments:

usage: aws-ssh-config.py [-h] [--default-user DEFAULT_USER] [--keydir KEYDIR]
                         [--no-identities-only] [--prefix PREFIX] [--private]
                         [--profile PROFILE] [--region]
                         [--strict-hostkey-checking] [--tags TAGS]
                         [--user USER]
                         [--white-list-region WHITE_LIST_REGION [WHITE_LIST_REGION ...]]

optional arguments:
  -h, --help            show this help message and exit
  --default-user DEFAULT_USER
                        Default ssh username to use if it can't be detected
                        from AMI name
  --keydir KEYDIR       Location of private keys
  --no-identities-only  Do not include IdentitiesOnly=yes in ssh config; may
                        cause connection refused if using ssh-agent
  --prefix PREFIX       Specify a prefix to prepend to all host names
  --private             Use private IP addresses (public are used by default)
  --profile PROFILE     Specify AWS credential profile to use
  --region              Append the region name at the end of the concatenation
  --ssh-key-name        Override the ssh key to use
  --strict-hostkey-checking
                        Do not include StrictHostKeyChecking=no in ssh config
  --tags TAGS           A comma-separated list of tag names to be considered
                        for concatenation. If omitted, all tags will be used
  --user USER           Override the ssh username for all hosts
  --white-list-region WHITE_LIST_REGION [WHITE_LIST_REGION ...]
                        Which regions must be included. If omitted, all
                        regions are considered

By default, it will name hosts by concatenating all tags:

gianluca@sid:~$ python aws-ssh-config.py > ~/.ssh/config
gianluca@sid:~$ cat ~/.ssh/config
Host dev-worker-1
    HostName 54.173.109.173
    User ec2-user
    IdentityFile ~/.ssh/dev.pem
    IdentitiesOnly yes
    StrictHostKeyChecking no

Host dev-worker-2
    HostName 54.173.190.141
    User ec2-user
    IdentityFile ~/.ssh/dev.pem
    IdentitiesOnly yes
    StrictHostKeyChecking no

Host prod-worker-1
    HostName 54.164.168.30
    User ec2-user
    IdentityFile ~/.ssh/prod.pem
    IdentitiesOnly yes
    StrictHostKeyChecking no

Host prod-worker-2
    HostName 54.174.115.242
    User ubuntu
    IdentityFile ~/.ssh/prod.pem
    IdentitiesOnly yes
    StrictHostKeyChecking no

ssh completion will immediately work:

gianluca@sid:~$ ssh d[TAB]
dev-worker-1
dev-worker-2

If the ssh completion will not immediately work you should add the following script to your .bash_profile

_complete_ssh_hosts ()
{
        COMPREPLY=()
        cur="${COMP_WORDS[COMP_CWORD]}"
        comp_ssh_hosts=`cat ~/.ssh/known_hosts | \
                        cut -f 1 -d ' ' | \
                        sed -e s/,.*//g | \
                        grep -v ^# | \
                        uniq | \
                        grep -v "\[" ;
                cat ~/.ssh/config | \
                        grep "^Host " | \
                        awk '{print $2}'
                `
        COMPREPLY=( $(compgen -W "${comp_ssh_hosts}" -- $cur))
        return 0
}
complete -F _complete_ssh_hosts ssh

and run gianluca@sid:~$ source .bash_profile

It's possible to customize which tags one is interested in, as well as the order used for concatenation:

gianluca@sid:~$ python aws-ssh-config.py --tags Name > ~/.ssh/config
gianluca@sid:~$ cat ~/.ssh/config
Host worker-1
    HostName 54.173.109.173
    User ec2-user
    IdentityFile ~/.ssh/dev.pem
    IdentitiesOnly yes
    StrictHostKeyChecking no

Host worker-2
    HostName 54.173.190.141
    User ec2-user
    IdentityFile ~/.ssh/dev.pem
    IdentitiesOnly yes
    StrictHostKeyChecking no

Host worker-3
    HostName 54.164.168.30
    User ec2-user
    IdentityFile ~/.ssh/prod.pem
    IdentitiesOnly yes
    StrictHostKeyChecking no

Host worker-4
    HostName 54.174.115.242
    User ubuntu
    IdentityFile ~/.ssh/prod.pem
    IdentitiesOnly yes
    StrictHostKeyChecking no

gianluca@sid:~$ python aws-ssh-config.py --tags Name,Infrastructure > ~/.ssh/config
gianluca@sid:~$ cat ~/.ssh/config
Host worker-dev-1
    HostName 54.173.109.173
    User ec2-user
    IdentityFile ~/.ssh/dev.pem
    IdentitiesOnly yes
    StrictHostKeyChecking no

Host worker-dev-2
    HostName 54.173.190.141
    User ec2-user
    IdentityFile ~/.ssh/dev.pem
    IdentitiesOnly yes
    StrictHostKeyChecking no

Host worker-prod-1
    HostName 54.164.168.30
    User ec2-user
    IdentityFile ~/.ssh/prod.pem
    IdentitiesOnly yes
    StrictHostKeyChecking no

Host worker-prod-2
    HostName 54.174.115.242
    User ubuntu
    IdentityFile ~/.ssh/prod.pem
    IdentitiesOnly yes
    StrictHostKeyChecking no

By default, the ssh user is calculated from a regular expression based on the AMI name. A default user can be set with --default-user to use if no matches are found, otherwise a warning is printed on standard error and one can edit the script and add the rule to the AMIS_TO_USER dictionary:

gianluca@sid:~$ python aws-ssh-config.py > ~/.ssh/config
Can't lookup user for AMI 'ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-20140926', add a rule to the script

The --user param can also be used to use a single username for all hosts.