aws-gate
AWS SSM Session manager client
Motivation
I am using AWS a lot and I am tired of dealing with everything that comes with the bastion host (additional instance one has to maintain, distribute SSH keys (shared SSH keys are not an option for me), exposing SSH to the network). A while ago, Amazon released a service to fix this - AWS Systems Manager Session Manager. However, CLI user experience of Session Manager is limited and lacks some features:
- ability to connect to instances by other means (e.g. DNS, IP, tag, instance name, autoscaling group) as aws cli supports only connecting by instance IDs
- configuration file support for storing connection information via Session Manager
aws-gate tries to address these issues.
Getting Started
These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system.
Prerequisites
- Python 3.5+ (earlier Python 3 versions should work too)
- session-plugin-manager from AWS
- SSM Agent version 2.3.68.0 or later must be installed on EC2 instances we want to connect to
- Proper IAM permissions for instance profile
Installing
Via pip
pip install aws-gate
or via Homebrew
brew tap xen0l/homebrew-taps
brew install aws-gate
# For installing session-manager-plugin via Homebrew (optional)
brew install --cask session-manager-plugin
or via Docker
docker login docker.pkg.github.com -u $YOUR_GH_USERNAME -p $GH_TOKEN
docker pull docker.pkg.github.com/xen0l/aws-gate/aws-gate:latest
Features
config and config.d support
You can store information about to connect to your instance (name, region and profile) and aws-gate will do everything for you. The config file is stored in ~/.aws-gate/config and has the following YAML syntax:
hosts:
- alias: backend-pre
name: backend
profile: preproduction
region: eu-west-1
- alias: backend-pro
name: backend
profile: production
region: eu-west-1
defaults:
profile: development
region: eu-west-1
where hosts stores connection information and defaults default configuration settings to use. To connect to instance backend-pre, execute:
aws-gate session backend-pre
You can place additional configuration files in ~/.aws-gate/config.d. This is ideal when you are working on different projects or when you need to share configuration inside your team.
Querying instances by different instance identifiers
aws-gate supports querying for instances with following identifiers:
- instance id
aws-gate session i-0772e4c1dcdd763b6
- DNS name
aws-gate session ec2-34-245-174-132.eu-west-1.compute.amazonaws.com
- private DNS name
aws-gate session ip-172-31-35-113.eu-west-1.compute.internal
- IP address
aws-gate session 34.245.174.13
- private IP address
aws-gate session 172.31.35.113
- tags
aws-gate session Name:SSM-test
- name (uses tag identifier under the hood)
aws-gate session SSM-test
- autoscaling group name (uses tag identifier under the hood)
aws-gate session asg:dummy-v001
SSH ProxyCommand support
AWS SSM Session Manager supports tunneling SSH sessions over it. Moreover, aws-gate supports generating ephemeral SSHkeys and uploading them via EC2 Instance Connect API. However, to use this functionality,EC2 Instance Connect setup is needed.
To use this functionality, simply run aws-gate ssh-config, which will generate the required ~/.ssh/config snippet for you:
% aws-gate ssh-config
Host *.eu-west-1.default
IdentityFile /Users/xenol/.aws-gate/key
IdentitiesOnly yes
User ec2-user
Port 22
ProxyCommand sh -c "aws-gate ssh-proxy -p `echo %h | sed -Ee 's/^(.*)\.(.*)\.(.*)$/\\3/g'` -r `echo %h | sed -Ee 's/^(.*)\.(.*)\.(.*)$/\\2/g'` `echo %h | sed -Ee 's/^(.*)\.(.*)\.(.*)$/\\1/g'`"
Store the snippet inside ~/.ssh/config:
% aws-gate ssh-config >> ~/.ssh/config
Then connect via ssh:
% ssh ssm-test.eu-west-1.default
Last login: Fri Oct 4 17:17:02 2019 from localhost
__| __|_ )
_| ( / Amazon Linux 2 AMI
___|\___|___|
https://aws.amazon.com/amazon-linux-2/
1 package(s) needed for security, out of 20 available
Run "sudo yum update" to apply all updates.
[ec2-user@ip-172-31-35-173 ~]$
SSH session to instance ssm-test in eu-west-1 AWS region via default AWS profile is opened.
scp works the same way (both ways):
% # local to remote
% scp test_file ssm-test.eu-west-1.glovoapp:test_file
test_file 100% 0 0.0KB/s 00:00
%
% # remote to local
% scp ssm-test.eu-west-1.glovoapp:test_file test_file
test_file 100% 0 0.0KB/s 00:00
Please, also note that while scp over SSM works, it can be extremely slow. This is because of the underlying SSM limitations and not caused by aws-gate itself.
SSH support
aws-gate provides a way to open SSH session on the instance directly. This is achieved by wrapping around ssh under the hood.Simply run aws-gate ssh <instance_identifier>:
% aws-gate ssh ssm-test
Last login: Sat Nov 9 10:23:11 2019 from localhost
__| __|_ )
_| ( / Amazon Linux 2 AMI
___|\___|___|
https://aws.amazon.com/amazon-linux-2/
28 package(s) needed for security, out of 56 available
Run "sudo yum update" to apply all updates.
[ec2-user@ip-172-31-35-173 ~]$
If you wish to execute a specific command (or plug it into your shell pipelines):
% aws-gate ssh ssm-test uname -a
Linux ip-172-31-35-173.eu-west-1.compute.internal 4.14.123-111.109.amzn2.x86_64 #1 SMP Mon Jun 10 19:37:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Local ports can be forwarded to another host and port relative to the target instance. This works as if by using ssh's -L option. Instead of executing a command, aws-gate establishes a forwarding session that can be used by other local applications.
For example, you can use this to connect to a private web server by forwarding the instance's local port.
# Terminal 1
% aws-gate ssh -L 8888:localhost:80 ssh-test
# Terminal 2
% curl localhost:8888
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Test Page for the Nginx HTTP Server on Amazon Linux</title>
...
Or you can use it to connect to a private RDS instance by forwarding the remote address and remote port.
# Terminal 1
% aws-gate ssh -L 3306:privatedb.abcdef123456.eu-west-1.rds.amazonaws.com:3306 ssm-test
# Terminal 2
% mysql -h 127.0.0.1 -u root -P 3306 -p -e "SELECT User from mysql.user;"
Enter password:
+------------------+
| User |
+------------------+
| root |
| mysql.infoschema |
| mysql.session |
| mysql.sys |
| rdsadmin |
+------------------+
Debugging mode
If you run into issues, you can get detailed debug log by setting GATE_DEBUG environment variable:
export GATE_DEBUG=1
After setting the environment variable, the debug mode will be automatically enabled:
% aws-gate session test
2019-05-26 01:18:23,535 - aws_gate.config - DEBUG - Located config file: /Users/xenol/.aws-gate/config
2019-05-26 01:18:23,538 - aws_gate.utils - DEBUG - Obtaining boto3 session object
2019-05-26 01:18:23,549 - aws_gate.utils - DEBUG - Obtained configured AWS profiles: default development preproduction production
2019-05-26 01:18:23,550 - aws_gate.utils - DEBUG - Obtaining boto3 session object
2019-05-26 01:18:23,560 - aws_gate.utils - DEBUG - Obtained configured AWS profiles: default development preproduction production
2019-05-26 01:18:23,560 - aws_gate.utils - DEBUG - Obtaining boto3 session object
2019-05-26 01:18:23,574 - aws_gate.utils - DEBUG - Obtaining ssm client
2019-05-26 01:18:23,608 - aws_gate.utils - DEBUG - Obtaining boto3 session object
2019-05-26 01:18:23,636 - aws_gate.utils - DEBUG - Obtaining ec2 boto3 resource
2019-05-26 01:18:23,694 - aws_gate.query - DEBUG - Querying EC2 API for instance identifier: SSM-test
2019-05-26 01:18:24,029 - aws_gate.query - DEBUG - Found 1 maching instances
2019-05-26 01:18:24,030 - aws_gate.query - DEBUG - Matching instance: i-0772e4c1dcdd763b6
2019-05-26 01:18:24,030 - aws_gate.session - INFO - Opening session on instance i-0772e4c1dcdd763b6 (eu-west-1) via profile default
2019-05-26 01:18:24,030 - aws_gate.session - DEBUG - Creating a new session on instance: i-0772e4c1dcdd763b6 (eu-west-1)
...
Debug mode also enables printing of Python stack traces if there is a crash or some other problem.
License
This project is licensed under the BSD License - see the LICENSE.md file for details
Stargazers over time
-
aws lambda使用 by Yan Cui 崔燕 如何使用AWS Lambda为发布/订阅消息选择最佳事件源 (How to choose the best event source for pub/sub messaging with AWS Lambda) AWS offers a wealth of options for implementing messaging patt
-
原文:The AdStage Migration From Heroku To AWS 作者:G Gordon Worley III 翻译:黑色巧克力 2013年的秋天,当我加入AdStage时,我们的产品一直运行在Heroku平台。这是很明智的选择,因为它比其它虚拟服务器更易上手而且低开销,对我们的业务发展也足够灵活。后来我们也确实发展了起来。Heroku让我们唯一专注于建立更有吸引力的产品而不
-
我想知道使用AWS OpsWorks与AWS Beanstalk和AWS CloudFormation的优缺点是什么? 我感兴趣的是一个可以自动伸缩的系统,它可以处理任意数量的并发web请求(从每分钟1000个请求到1000万rpm),包括一个可以自动伸缩的数据库层。 理想情况下,我希望有效地共享一些硬件资源,而不是为每个应用程序提供单独的实例。在过去,我主要使用EC2实例RDS Cloudtop
-
介绍如何在AWS上获取在云联壹云平台需要使用的配置参数。 获取AWS的访问密钥 使用AWS主账号(或拥有AdministratorAccess管理权限的子账号)登录AWS管理控制台,单击 “IAM” 菜单项,进入IAM控制面板页面。 单击左侧菜单栏 “用户” 菜单项,进入用户管理列表,单击用户名名称项,进入指定用户详情页面。注意需要选择有足够管理权限的用户。 单击“安全证书”页签。 单击 “创建访
-
AWS Global Infrastructure AWS Global Cloud - A single global cloud, is made up of devices and Services in many regions. AWS Region - A physical location around the world where Amazon have equipment(de
-
A collection of bash shell scripts for automating various tasks with Amazon Web Services using the AWS CLI and jq. https://github.com/swoodford/aws Table of contents Why Getting Started What's Include
-
我使用的是AWS SQS服务,很难定义SQS队列上的权限。在我的设置中,我使用的是AWS Lambda服务,当一个对象被推到S3存储桶上时会触发该服务。 然而,让我简短地提问,这是我想要实现的: 对象被推送到S3存储桶中 正如您可以从前面的用例中看到的,我希望我的AWS Lambda方法是唯一可以向SQS队列发送消息的应用程序。我试图设置一个原则和一个条件“sourceArn”。但是它们都不起作用
-
我有一个Powershell Lambda,我希望通过AWS CDK部署它,但在运行时遇到问题。 通过手动发布AWSPowerShellLambda部署Powershell可以: 但是,与CDK一起部署的同一脚本不会记录到CloudWatch日志,即使它具有以下权限: powershell脚本当前仅包含以下行,在CLI上由Publish AWSPowerShellLambda部署时可以工作: 注意
-
每当我试图在AWS Lambda上测试我的Lambda函数时,我目前都会得到一个ClassNotFoundExcure。例外情况显示在这里: 我在网上搜索过,包括这里的链接: AWS Lambda:类java.lang.ClassNotFoundExc0019,但没有用。 我在Android Studio中工作,创建了一个JAR文件(使用此链接:如何从Android Studio项目生成.JAR)
-
Setup source aws-alias.sh aws-start aws-ssh Shutdown aws-stop