Have SSM start-session use bash - amazon-web-services

I'm using AWS Simple Session Manager along with the AWS CLI to SSH into instances. When I call aws ssm start-session --target INSTANCE_ID, it starts sh on the server, not bash. Is there any way to customize the command that is run on instance start?

You can do it using an AWS provided configuration document, like so:
aws ssm start-session --target INSTANCE_ID --document-name AWS-StartInteractiveCommand --parameters command="bash -l"
Source: a GitHub issue on the topic

Related

AWS cli - setup multiple connections in one shell script to connect to RDS

I would like to streamline our database connection.
We currently connect locally through an ec2 jumpbox, forward the connection on the jumpbox to the rds db, and then start a port forward to local.
Currently we have to use 2 terminals; ideally we want to use just 1.
# Login to AWS using SSO
aws sso login
# Connect to the jumpbox shell and forward connection with `socat`
aws ssm start-session --target i-0194fgavc352351cv
sudo socat -d -d TCP4-LISTEN:0,fork TCP4:my-rds-env.z01241nng2.us-west-2.rds.amazonaws.com:12345
# record port that socat outputs: ...listening 0.0.0.0:53859
# new terminal - set "portNumber" to whatever socat outputs
aws ssm start-session --target i-0194fgavc352351cv \
--document-name AWS-StartPortForwardingSession \
--parameters '{"portNumber":["53859"],"localPortNumber":["44444"]}'
# connect locally to db with localPortNumber
Can we use the nohup command to try to run this all in one terminal?
Is there a way to ensure background processes are properly killed, i.e. if one part terminates, so should the others, so there aren’t zombie processes?
As @Anon Cowards posted above, this worked using 1 command via AWS-StartPortForwardingSessionToRemoteHost:
aws ssm start-session \
--target i-0194fgavc352351cv \
--document-name AWS-StartPortForwardingSessionToRemoteHost \
--parameters '{"host":["my-rds-env.z01241nng2.us-west-2.rds.amazonaws.com"],"portNumber":["12345"], "localPortNumber":["56789"]}'
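
For the question above about running everything in one terminal without leaving stray processes, a sketch of the pattern (an added example, not part of the original posts): the tunnel runs in the background, the client in the foreground, and a trap stops the tunnel however the script ends. The function names, `TUNNEL_WARMUP` and the `psql` client in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original posts): one-terminal tunnel + client.
TUNNEL_PID=""

# Stop the background tunnel, if any, and reap it so nothing lingers.
stop_tunnel() {
  [ -n "$TUNNEL_PID" ] || return 0
  kill "$TUNNEL_PID" 2>/dev/null || true
  wait "$TUNNEL_PID" 2>/dev/null || true
  TUNNEL_PID=""
}

tunnel_alive() {
  [ -n "$TUNNEL_PID" ] && kill -0 "$TUNNEL_PID" 2>/dev/null
}

# start_tunnel CMD [ARGS...]: run CMD in the background and register cleanup.
start_tunnel() {
  "$@" &
  TUNNEL_PID=$!
  trap stop_tunnel EXIT            # normal exit, error, or the exits below
  trap 'exit 129' HUP              # terminal closed
  trap 'exit 130' INT              # Ctrl-C
  trap 'exit 143' TERM
  sleep "${TUNNEL_WARMUP:-3}"      # assumed warm-up before the port listens
  if ! tunnel_alive; then
    echo "tunnel exited during start-up" >&2   # e.g. expired SSO login
    stop_tunnel
    return 1
  fi
}

# run_through_tunnel CMD [ARGS...]: run the client in the foreground, then
# tear the tunnel down and hand back the client's exit status.
run_through_tunnel() {
  tunnel_alive || { echo "tunnel is not running" >&2; return 1; }
  client_rc=0
  "$@" || client_rc=$?
  stop_tunnel
  return "$client_rc"
}

# Usage with the command from the post (psql is an assumed client):
# start_tunnel aws ssm start-session --target i-0194fgavc352351cv \
#   --document-name AWS-StartPortForwardingSessionToRemoteHost \
#   --parameters '{"host":["my-rds-env.z01241nng2.us-west-2.rds.amazonaws.com"],"portNumber":["12345"],"localPortNumber":["56789"]}'
# run_through_tunnel psql -h 127.0.0.1 -p 56789
```

If the tunnel command leaves helper processes behind after it is signalled (check with `ps` after a test run), start it in its own process group and signal the group instead.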

How can I use ssh with AWS ssm sessions and multi profiles?

With the explosion of multi-account AWS configuration, and ssh being snuffed out in favor of session manager, I need ssh functionality and multi-profile ProxyCommand.
From aws docs it's simple enough. But I can see no way to add extra args to specify a profile. All I can think of is essentially concatenating the profile to the instanceid and creating dedicated commands.
The question:
How can I support multiple profiles using aws ssm when the proxycommand doesn't seem to offer me extra args?
Example that I would like: ssh ec2-user@i-18274659f843 --profile dev
Because the i-* doesn't indicate what account profile to use
Assuming you're using the example below in your ssh/config, you can just define the AWS_PROFILE environment variable before connecting to the desired instance:
host i-* mi-*
ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
terminal:
$ export AWS_PROFILE=bernard
$ ssh i-12345

aws send command not copying file from s3 bucket to windows server ec2 instance

Is there a way I can copy a file from my s3 bucket to a Windows ec2 instance?
I have tried the following way using send command. It returns success but the file is not being copied. Need help.
sh """
aws ssm send-command --instance-ids ${Instance_Id} --document-name "AWS-RunPowerShellScript" --parameters '{"commands":["Read-S3Object -BucketName s3://{bucket-name} file.pfx -File file.pfx"]}' --timeout-seconds 600 --max-concurrency "50" --max-errors "0" --region eu-west-1
"""
I believe the command you pasted is wrong, or you might have copy/pasted wrong:
Considering you are running awscli and sending a PowerShell command to be run within the instance, the 2 documents below are worth referring to.
Send-command CLI: https://docs.aws.amazon.com/cli/latest/reference/ssm/send-command.html
Read-S3Object CmdLet: https://docs.aws.amazon.com/powershell/latest/reference/items/Read-S3Object.html
SSM returning success would still only mean that it was able to execute the underlying plugin (in this case runpowershellscript), regardless of whether it was successfully executed or not. In order to investigate why it did not copy the file, you may start with checking the output of the ssm command.
Having said that, below is a working syntax of file copy from s3 object using runPowerShellScript:
aws ssm send-command --instance-ids $instance --document-name "AWS-RunPowerShellScript" --parameters commands=["Read-S3Object -BucketName $bucket -key get-param.reg -File c:\programdata\get-param.reg"]
SSM also provides a way to download s3 object with its own plugin aws:downloadContent
https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html#aws-downloadContent
This would require you to create a custom document (you should find example in the above doc) and just run that document to get the s3 object into windows/linux instance.
I hope this helps.
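
Following the advice above to check the output of the SSM command, a helper that waits for one invocation and fails when the script wrote errors even though the send itself reported success. This is an added example, not code from the answer; the function names, the return-code convention and `params.json` are assumptions, while `aws ssm wait command-executed` and `aws ssm get-command-invocation` are standard AWS CLI commands.

```shell
#!/bin/sh
# Added example (not from the original answer).

# ssm_field COMMAND_ID INSTANCE_ID QUERY: one field of the invocation as text.
ssm_field() {
  aws ssm get-command-invocation --command-id "$1" \
    --instance-id "$2" --query "$3" --output text
}

# ssm_check COMMAND_ID INSTANCE_ID
#   returns 0 if the invocation succeeded and wrote nothing to stderr,
#           1 if it failed or wrote to stderr,
#           2 if the invocation could not be queried.
ssm_check() {
  # Block until the invocation reaches a terminal state. The waiter exits
  # non-zero for failed commands, so its status is ignored and read below.
  aws ssm wait command-executed --command-id "$1" \
    --instance-id "$2" 2>/dev/null || true

  status=$(ssm_field "$1" "$2" Status) || return 2
  code=$(ssm_field "$1" "$2" ResponseCode) || return 2
  err=$(ssm_field "$1" "$2" StandardErrorContent) || return 2
  [ "$err" = "None" ] && err=""

  echo "status=$status exit_code=$code"
  if [ -n "$err" ]; then
    echo "--- stderr from the instance ---"
    echo "$err"
  fi

  # A PowerShell cmdlet can report an error and still leave the plugin
  # status at Success, so both conditions are required.
  [ "$status" = "Success" ] && [ -z "$err" ]
}

# Usage: capture the command id when sending, then check it.
# id=$(aws ssm send-command --instance-ids "$instance" \
#        --document-name "AWS-RunPowerShellScript" \
#        --parameters file://params.json \
#        --query Command.CommandId --output text)
# ssm_check "$id" "$instance" || echo "copy did not work, see stderr above"
```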
Here is how I would accomplish what you are attempting:
Instead of AWS-RunPowerShellScript SSM document, use the SSM document AWS-RunRemoteScript.
What this document allows you to do is run a script on the ec2 instance, and then inside of the script you can have it download the files you're looking for in the s3 bucket using the aws s3api cli.
It would look something like this:
aws ssm send-command --document-name "AWS-RunRemoteScript" --document-version "1" --instance-ids $instance --parameters '{"sourceType":["S3"],"sourceInfo":["{\"path\":\"[url to script that is stored in s3]\"}"],"commandLine":[".\\[name of script]"],"workingDirectory":[""],"executionTimeout":["3600"]}' --timeout-seconds 600 --max-concurrency "50" --max-errors "0"
The powershell script that you upload to s3 will look something like this:
aws s3api get-object --bucket [bucket name here] --key [s3 path (not url)] [path to where you want it downloaded]
To make this work, you need to make sure that the ec2 instance has permissions to read from your s3 bucket. You can do this by attaching an s3 full access policy to your ec2 security role in IAM.

Passing command once logged through aws ssm start session in AWS CLI

I need to pass the "sudo su - < user >" command once I am logged in through the AWS CLI using aws ssm.
aws ssm start-session --target "instance ID" ??????? "sudo su - < user >"
Is there any way? Passing as parameters or something?
It is possible to get into an EC2 instance from the command line without SSH. Whenever you can avoid using SSH, and use more cloud-native approaches such as System Manager's Session Manager, that is recommended.
The documentation says:
Example 1: To start a Session Manager session
This start-session example establishes a connection with an instance
for a Session Manager session. Note that this interactive command
requires the Session Manager plugin to be installed on the client
machine making the call.
aws ssm start-session \
--target "i-1234567890abcdef0"
Output:
Starting session with SessionId: Jane-Roe-07a16060613c408b5
So you can get into your EC2 instance that way, and then enter "sudo su - < user >".
However, passing in parameters with the aws ssm start-session AWS CLI command is currently not supported, as that same documentation page says:
--parameters (map)
Reserved for future use.
key -> (string)
value -> (list)
(string)

How to get aws instance metadata remotely using CLI?

I am very new to AWS. I have a Windows Server EC2 instance. I installed AWS CLI on my laptop. Then I opened a CMD window, typed in "aws configure", put in the access key credentials, and was able to connect to the EC2.
From here, how do I get the http://169.254.169.254/latest/meta-data working? How do I retrieve some meta data?
On your Laptop
On your local machine you only can use the cli to retrieve metadata about your instance. Simply use this aws cli command:
aws ec2 describe-instance-attribute --instance-id <your-ec_instance_id e.g. i-ab12345> --attribute instanceType --region <your_region e.g. eu-west-1>
Documentation: http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instance-attribute.html
On your EC2-Instance only:
On your instance you can use the cli (like above) and the following:
PowerShell >3.0:
Invoke-RestMethod -uri http://169.254.169.254/latest/meta-data/instance-type
Documentation: http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-instance-metadata.html
Or you can install "curl for windows" and run:
curl http://169.254.169.254/latest/meta-data/instance-type
When running on an EC2 instance, you can query the metadata service, like so:
curl http://169.254.169.254/latest/meta-data/public-ipv4
You can also use:
curl http://instance-data/latest/meta-data/public-ipv4
From outside the EC2 instance, you can use the awscli, like so:
aws ec2 describe-instances \
--instance-ids i-01234567890123456 \
--query "Reservations[0].Instances[0].PublicIpAddress" \
--output text
You cannot use http://169.254.169.254/latest/meta-data from AWS cli on your laptop
Use the ec2 describe-instances command instead for getting instance details
More details here
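
The curl commands in the answers above are token-less (IMDSv1) requests; on instances configured to require IMDSv2 they are rejected with HTTP 401. As an added example, not part of the original answers, these helpers fetch a session token first and also report whether the instance still answers token-less requests. The function names and the `IMDS_BASE` override are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answers). Run on the EC2 instance.
IMDS_BASE=${IMDS_BASE:-http://169.254.169.254}

# Request a short-lived IMDSv2 session token (TTL in seconds, default 60).
imds_token() {
  curl -sS -f -m 2 -X PUT "$IMDS_BASE/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: ${1:-60}"
}

# imds_get PATH: read one metadata value with a token, e.g. instance-type.
imds_get() {
  token=$(imds_token 60) || {
    echo "could not get an IMDSv2 token (not on EC2, or IMDS disabled)" >&2
    return 1
  }
  curl -sS -f -m 2 -H "X-aws-ec2-metadata-token: $token" \
    "$IMDS_BASE/latest/meta-data/$1"
}

# imds_mode: does the instance still answer token-less (IMDSv1) requests?
imds_mode() {
  code=$(curl -s -m 2 -o /dev/null -w '%{http_code}' \
    "$IMDS_BASE/latest/meta-data/") || true
  case "$code" in
    200) echo "optional" ;;     # IMDSv1 still accepted
    401) echo "required" ;;     # only token-bearing IMDSv2 requests accepted
    *)   echo "unreachable" ;;  # not on EC2, blocked, or IMDS turned off
  esac
}

# Usage:
# imds_get instance-type
# imds_get public-ipv4
# imds_mode
```

An `optional` result means any process on the instance that can be made to issue a plain GET can read metadata, which is the case IMDSv2 enforcement is meant to close.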