Skip to content

qoomon/aws-ssm-ec2-proxy-command

master
Switch branches/tags
Code

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 

aws-ssm-ec2-proxy-command Sparkline

Open an SSH connection to your ec2 instances via AWS SSM without the need to open any ssh port in you security groups.

ⓘ Windows users please refere to README.windows.md

Prerequisits

Install SSH Proxy Command

  • Move proxy command script aws-ssm-ec2-proxy-command.sh to ~/.ssh/aws-ssm-ec2-proxy-command.sh
  • Ensure it is executable (chmod +x ~/.ssh/aws-ssm-ec2-proxy-command.sh)
Setup SSH Config [optional]
  • Add ssh config entry for aws ec2 instances to your ~/.ssh/config. Adjust key file path if needed.
    host i-* mi-*
      IdentityFile ~/.ssh/id_rsa
      ProxyCommand ~/.ssh/aws-ssm-ec2-proxy-command.sh %h %r %p ~/.ssh/id_rsa.pub
      StrictHostKeyChecking no

Open SSH Connection

  • Ensure AWS CLI environemnt variables are set properly e.g.
    • export AWS_PROFILE=default or AWS_PROFILE=default ssh ... <INSTACEC_USER>@<INSTANCE_ID>
  • If default region does not match instance region you need to provide it
    • e.g. <INSTACEC_USER>@<INSTANCE_ID>--<INSTANCE_REGION>
SSH Command with SSH Config Setup

ssh <INSTACEC_USER>@<INSTANCE_ID>

  • e.g. ssh ec2-user@i-1234567890
SSH Command with ProxyCommand CLI Option
ssh <INSTACEC_USER>@<INSTANCE_ID> \
  -i "~/.ssh/id_rsa" \
  -o ProxyCommand="~/.ssh/aws-ssm-ec2-proxy-command.sh %h %r %p ~/.ssh/id_rsa.pub"

Alternative Implementation with ec2-instance-connect

The advantage from security perspective it that you don't need to grant ssm:SendCommand to users and there by the permission to execute everything as root. Instead you only grant ec2-instance-connect:SendSSHPublicKey permission to a specific instance user e.g. ec2-user.