SSH config synchronisation for AWS
ssh_config files, based on current Amazon EC2 state.
- Connect to one or more regions at once.
- Filter EC2 instances by name. Useful for including relevant nodes only or for creating separate config sets for the same environment (e.g. use a different
Userfor different nodes).
- Identify hosts using tags or instance IDs:
- Index duplicates (e.g. in autoscaling groups) using instance launch time.
- Include a global name prefix and/or a region ID to identify the connection in a unique way.
- Use public or private IPs.
- Set various SSH params:
- Skip strict host checking, if needed. Can be useful when working with (internal) autoscaling groups.
- Provide a server alive interval to keep the connection from timing out.
- Use custom identity files.
- Setup a proxy command for utilizing jump hosts.
- Write to
stdoutor a master file with config-key substitution. Useful for working with tools, that don't support the
You can install the latest package using
pip install aws-ssh-sync
To get a full list of options:
The easiest way to get a preview of the current config in AWS is to print the output directly to
aws_ssh_sync --profile <profile> --region <region>
Utilising the 'Include' directive
If you want to isolate the generated config, you can write it to a dedicated file, and
Include it in the main config. The base use-case is as follows:
aws_ssh_sync --profile <profile> --region <region> > ~/.ssh/config.d/<some_file>
To extend your
~/.ssh/config, add the following line:
Working with a single config file
Splitting config into multiple, small files keeps things elegant and clean - you should probably stick to that, if you can.
Unfortunatelly, some tools may still have trouble with the
Include directive itself. If you want to use a single file (e.g.
~/.ssh/config) for keeping all configuration, then you can specify the
--output-file together with a
aws_ssh_sync --profile <profile> --region <region> --config-key <key> --output-file <path>
- Configuration is written to the
- If the file doesn't exist, then it will be created.
- If a section identified by
--config-keyexists, then it will be replaced.
- If no
--config-keywas found, then a new section will be appended to the file.
- No backup file is created at the moment.
- Origin, motivation and acknowledgements - blog post.