You can use AWS Systems Manager Session Manager to get direct console access to an EC2 instance without an SSH connection straight to the instance (which brings its own security issues, such as an exposed SSH port and key management); instead you get the same kind of access via the AWS CLI. These instructions assume you already have an EC2 instance set up and working with SSM, i.e. you can open a session to it from the AWS web console. If you can do that, your permissions are already as they need to be.
You don't need to install anything on the EC2 instance for this to work; you do need to install a plugin on the workstation (i.e. the client machine) you wish to use to access the EC2 instance.
See https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html for the correct version for your operating system. In my case I was using Ubuntu Linux, so I used:
cd /tmp
sudo curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb" -o "session-manager-plugin.deb"
sudo dpkg -i /tmp/session-manager-plugin.deb
session-manager-plugin
The last command just verifies the plugin is installed correctly. Now you can try to connect to the console with the following; obviously identify the correct instance ID of your instance first!
aws ssm start-session --target <instance-id>
All being well you should be in. If you are still seeing:
SessionManagerPlugin is not found. Please refer to SessionManager Documentation here: http://docs.aws.amazon.com/console/systems-manager/session-manager-plugin-not-found
Then check to ensure you have correctly installed the AWS Session Manager plugin on your client machine.
Example Terraform
Here is the Terraform for creating an EC2 instance with a suitable IAM role: the trust policy lets the EC2 service assume the role, and the attached AmazonSSMManagedInstanceCore policy gives the SSM agent on the instance the permissions it needs to register with Systems Manager, which is what lets you reach the instance console via SSM. Note your AZ, AMI etc. will be different based on your requirements.
// EC2 Instance --------------------------------------------------------
resource "aws_instance" "VPC-Instance-1" {
  ami               = "ami-008ea0202116dbc56"
  instance_type     = "t2.micro"
  tenancy           = "default"
  availability_zone = "eu-west-2a"
  key_name          = "" // no SSH key pair is needed; access is via SSM only
  subnet_id         = aws_subnet.VPC-Public-Subnet-A.id
  // An instance in a VPC subnet takes security group IDs via vpc_security_group_ids;
  // the security_groups argument expects group names and is for EC2-Classic/default VPC only.
  vpc_security_group_ids = [aws_security_group.VPC-SecurityGroup-1.id]
  iam_instance_profile   = aws_iam_instance_profile.ec2_profile.name
  user_data              = file("${path.module}/user_data.sh")
  tags = {
    Name = "VPC-Instance-1"
  }
}
// EC2 IAM Role ----------------------------------------------------------
resource "aws_iam_role" "ec2_role" {
  name = "ec2-ssm-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = ""
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })
}
resource "aws_iam_role_policy_attachment" "custom" {
  role       = aws_iam_role.ec2_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
resource "aws_iam_instance_profile" "ec2_profile" {
  name = "ec2-ssm-profile"
  role = aws_iam_role.ec2_role.name
}
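The Terraform above covers the instance side. The client side (the user running aws ssm start-session) also needs IAM permissions, and the text above only says "if you can do it in the console you have them". As an added example, not part of the original post, here is a least-privilege client policy that only allows sessions to instances tagged with the Name used above and lets users terminate only their own sessions; the group name ssm-operators is an assumption.

```hcl
// Client-side IAM policy for Session Manager users (added example, not from the original post)
resource "aws_iam_policy" "ssm_session_user" {
  name = "ssm-session-user"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        // Only instances carrying the Name tag from the instance resource above
        Sid      = "StartSessionOnTaggedInstances"
        Effect   = "Allow"
        Action   = "ssm:StartSession"
        Resource = "arn:aws:ec2:*:*:instance/*"
        Condition = {
          StringEquals = { "ssm:resourceTag/Name" = "VPC-Instance-1" }
        }
      },
      {
        // The default shell session document used when --document-name is not given
        Sid      = "UseDefaultSessionDocument"
        Effect   = "Allow"
        Action   = "ssm:StartSession"
        Resource = "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"
      },
      {
        // Sessions are named <username>-<id>, so this limits users to their own sessions.
        // "$${...}" keeps Terraform from treating the IAM policy variable as an interpolation.
        Sid      = "ManageOwnSessions"
        Effect   = "Allow"
        Action   = ["ssm:TerminateSession", "ssm:ResumeSession"]
        Resource = "arn:aws:ssm:*:*:session/$${aws:username}-*"
      },
      {
        // Read-only calls used to check an instance is SSM-managed before connecting
        Sid      = "DescribeManagedInstances"
        Effect   = "Allow"
        Action   = ["ssm:DescribeInstanceInformation", "ssm:DescribeSessions", "ssm:GetConnectionStatus"]
        Resource = "*"
      },
    ]
  })
}

resource "aws_iam_group_policy_attachment" "ssm_session_user" {
  group      = "ssm-operators" // assumed existing IAM group for people who may open sessions
  policy_arn = aws_iam_policy.ssm_session_user.arn
}
```

Before running aws ssm start-session, aws ssm describe-instance-information --filters Key=InstanceIds,Values=<instance-id> should list the instance with PingStatus Online; if it does not, the instance-side role or agent is the problem, not the client plugin.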