Passing command once logged through aws ssm start session in AWS CLI - amazon-web-services

I need to pass the "sudo su - < user >" command once I'm logged in through the AWS CLI using aws ssm.
aws ssm start-session --target "instance ID" ??????? "sudo su - < user >"
Is there any way? Passing it as a parameter or something?

It is possible to get into an EC2 instance from the command line without SSH. Whenever you can avoid using SSH and use a more cloud-native approach such as Systems Manager's Session Manager, that is recommended.
The documentation says:
Example 1: To start a Session Manager session
This start-session example establishes a connection with an instance for a Session Manager session. Note that this interactive command requires the Session Manager plugin to be installed on the client machine making the call.
aws ssm start-session \
    --target "i-1234567890abcdef0"
Output:
Starting session with SessionId: Jane-Roe-07a16060613c408b5
So you can get into your EC2 instance that way, and then enter "sudo su - < user >".
However, passing in parameters with the aws ssm start-session AWS CLI command is currently not supported, as that same documentation page says:
--parameters (map)
Reserved for future use.
key -> (string)
value -> (list)
(string)


initiate aws ssm from jenkins in one account to ec2 in another instance for data transfer

Background:
I have Jenkins installed in AWS Account #1 (account1234) and it has the IAM role Role-Jenkins attached to it. GitHub is configured with Jenkins.
When I click build job in Jenkins, Jenkins pulls all the files from GitHub and they can be found in /var/lib/jenkins/workspace/.
There's an application running in AWS Account #2 (account5678) in an EC2 instance (i-xyz123) and the project files are in /home/app/all_files/; this EC2 instance has the role app-role attached to it.
What I'm trying to achieve:
When I click build, I want Jenkins to push files from account 1234 to account 5678 by opening an SSM session from Jenkins to the EC2 instance on which the app is running.
What I tried:
In Jenkins, as part of the build shell script, I added:
aws ssm send-command --region us-east-1 --instance-ids i-xyz123 --document-name AWS-RunShellScript --comment "IP config" --parameters commands=ifconfig --output text
to test it. (If successful, I want to pass cp var/lib/jenkins/workspace/ /home/app/all_files/ as the command.)
Error:
An error occurred (AccessDeniedException) when calling the SendCommand operation: User: arn:aws:sts::account1234:assumed-role/Role-Jenkins/i-01234abcd is not authorized to perform: ssm:SendCommand on resource: arn:aws:ec2:us-east-1:account1234:instance/i-xyz123
Build step 'Execute shell' marked build as failure
Finished: FAILURE
Issue 1: instance/i-xyz123 is in account5678, but the error above shows SSM trying to connect to the instance in account1234 (which shouldn't be happening).
Q1: How do I update my command so that it tries to open an SSM session with instance/i-xyz123 present in account5678 to accomplish what I'm trying to do?
I believe I would also need to make each role added as a trusted relationship to the other.
(Note: I want to do it via Session Manager as I won't have to deal with credentials of any sort.)
If I've understood correctly then you're right; to interact with the resources in account5678, there needs to be a trust relationship so that the Jenkins account can assume the relevant role in account5678 and call SSM from there.
Once you've configured the role relationship (ref: IAM cross-account roles),
you should be able to achieve what you need by assuming the role first in your shell script and then running the ssm command. That way Jenkins will use the temp creds and execute the command in the correct account (5678).
This site steps through it pretty well:
Tom Gregory - Jenkins Assume Role
If you just cmd/ctrl f on that page ^ and search for 'shell' you should get to the section you need. Hope this somewhat helps.
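The assume-role-then-send-command sequence the answer describes, as an added example rather than the asker's build script; CrossAccountSsmRole, the account ids and the instance id are placeholders, and the example assumes that role in account5678 trusts arn:aws:iam::account1234:role/Role-Jenkins and is allowed ssm:SendCommand on the instance and on the AWS-RunShellScript document.

```shell
#!/bin/sh
# Added example, not the asker's script: from a Jenkins build shell in
# account1234, assume a role in account5678 and only then call SSM, so the
# instance id is resolved in the target account. Placeholders (not values from
# the thread): CrossAccountSsmRole is the role in account5678 whose trust
# policy names arn:aws:iam::account1234:role/Role-Jenkins and which carries
# ssm:SendCommand on the instance and on the AWS-RunShellScript document.
set -eu

TARGET_ACCOUNT="${TARGET_ACCOUNT:-account5678}"
TARGET_ROLE="${TARGET_ROLE:-CrossAccountSsmRole}"
REGION="${REGION:-us-east-1}"

# Export the temporary credentials that sts assume-role returns. With
# --query/--output text the CLI prints them as one whitespace-separated line,
# which is what $1 must contain; no JSON parsing is needed.
export_temp_creds() {
    set -- $1
    [ $# -eq 3 ] || { echo "unexpected assume-role output" >&2; return 1; }
    export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
}

# After this, every aws call in the build shell runs as the target-account
# role, so the ARN in any AccessDenied error will show account5678, not 1234.
assume_target_role() {
    creds=$(aws sts assume-role \
        --role-arn "arn:aws:iam::${TARGET_ACCOUNT}:role/${TARGET_ROLE}" \
        --role-session-name "jenkins-build-${BUILD_NUMBER:-manual}" \
        --duration-seconds 900 \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text)
    export_temp_creds "$creds"
}

# Run one shell command on the instance ($1) and print the CommandId so the
# build can poll get-command-invocation. The command executes on the instance,
# so it cannot read the Jenkins workspace; the files must be shipped separately.
send_remote_command() {
    aws ssm send-command --region "$REGION" \
        --instance-ids "$1" \
        --document-name AWS-RunShellScript \
        --comment "jenkins build ${BUILD_NUMBER:-manual}" \
        --parameters "commands=$2" \
        --query 'Command.CommandId' --output text
}

# Usage in the Jenkins "Execute shell" step (commented so the file can be sourced):
# assume_target_role
# send_remote_command i-xyz123 'ls -la /home/app/all_files/'
```

Shorthand `commands=` splits on commas, so a command containing a comma must be passed as JSON instead.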

How to scp to ec2 instance via ssm agent using boto3 and send file

Hi, I need to transfer a file to an EC2 machine via the SSM agent. I have successfully installed the SSM agent on the EC2 instances, and from the UI I am able to start a session via "session-manager" and log in to the shell of that EC2 machine.
Now I tried to automate it via boto3 using the code below:
import boto3

ssm_client = boto3.client('ssm', 'us-west-2')
resp = ssm_client.send_command(
    DocumentName="AWS-RunShellScript",  # One of AWS' preconfigured documents
    Parameters={'commands': ['echo "hello world" >> /tmp/test.txt']},
    InstanceIds=['i-xxxxx'],
)
The above works fine and I am able to create a file called test.txt on the remote machine, but this is via the echo command.
Instead I need to send a file from my local machine to this remote EC2 machine via the SSM agent, hence I did the following:
Modified "/etc/ssh/ssh_config" with a proxy as below:
# SSH over Session Manager
host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
Then, in the above code, I tried to start a session with the code below, and that is also successful.
response = ssm_client.start_session(Target='i-04843lr540028e96a')
Now I am not sure how to use this session response (or this aws ssm session) to send a file.
Environment description:
Source: a pod running in an EKS cluster
Destination: an EC2 machine (which has the SSM agent running)
File to be transferred: an important private key which will be used by some process on the EC2 machine, and it will be different for different machines
Solution tried:
I can push the file to S3 from the source and execute an SSM command via the boto3 library to pull it from S3 and store it on the remote EC2 machine.
But I don't want to do the above because I don't want to store the private key in S3. So I wanted to send the file directly from memory to the remote EC2 machine.
Basically I wanted to achieve scp, which is mentioned in this AWS document: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html#sessions-start-ssh
If you have SSH over SSM setup, you can just use normal scp, like so:
scp file.txt ec2-user@i-04843lr540028e96a:
If it isn't working, make sure you have:
Session Manager plugin installed locally
Your key pair on the instance and locally (you will need to define it in your ssh config, or via the -i switch)
SSM agent on the instance (installed by default on Amazon Linux 2)
An instance role attached to the instance that allows Session Manager (it needs to be there at boot, so if you just attached, reboot)
Reference: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html
If you need more detail, give me more info on your setup, and I'll try and help.

Have SSM start-session use bash

I'm using AWS Simple Session Manager along with the AWS CLI to SSH into instances. When I call aws ssm start-session --target INSTANCE_ID, it starts sh on the server, not bash. Is there any way to customize the command that is run on instance start?
You can do it using an AWS provided configuration document, like so:
aws ssm start-session --target INSTANCE_ID --document-name AWS-StartInteractiveCommand --parameters command="bash -l"
Source: a github issue on the topic

How can I use ssh with AWS ssm sessions and multi profiles?

With the explosion of multi-account AWS configuration, and ssh being snuffed out in favor of Session Manager, I need ssh functionality and a multi-profile ProxyCommand.
From the AWS docs it's simple enough. But I can see no way to add extra args to specify a profile. All I can think of is essentially concatenating the profile to the instance id and creating dedicated commands.
The question:
How can I support multiple profiles using aws ssm when the ProxyCommand doesn't seem to offer me extra args?
Example that I would like: ssh ec2-user@i-18274659f843 --profile dev
Because the i-* doesn't indicate which account profile to use.
Assuming you're using the example below in your ssh config, you can just define the AWS_PROFILE environment variable before connecting to the desired instance:
host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
terminal:
$ export AWS_PROFILE=bernard
$ ssh i-12345
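An added example (not code from either thread) covering both the scp-over-SSM answer above and the multi-profile question: it pushes key material that exists only in memory to an instance through the same AWS-StartSSHSession ProxyCommand, with the profile chosen per connection. It assumes the setup the scp answer lists (plugin, SSM agent, instance role, a key pair for the remote user) and that the remote user may write the destination path; the profile, instance id and paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from either thread: push key material that exists only
# in memory (an environment variable here) to an instance over SSH through
# Session Manager, never via S3 or a local file, and choose the AWS profile per
# connection instead of relying on a global AWS_PROFILE. Assumes the setup the
# scp answer lists (plugin, SSM agent, instance role, key pair for the user)
# and that the remote user may write the destination path; ids are placeholders.
set -eu

# Same ProxyCommand as the ssh_config entry, with --profile spliced in when a
# profile is given; ssh substitutes %h and %p itself.
ssm_proxy_command() {          # $1 = profile name, "" for the default profile
    echo "aws ssm start-session${1:+ --profile $1} --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p"
}

# Remote side: the file is created under umask 077 and filled from stdin, so it
# is never world-readable and the secret never appears on a command line or in
# a temp file on the instance (path must not contain single quotes).
remote_install_command() {     # $1 = destination path on the instance
    printf "umask 077 && rm -f '%s' && cat > '%s'" "$1" "$1"
}

# Stream the secret from memory into the remote command's stdin. accept-new
# pins the instance host key on first contact without disabling the check.
push_secret_over_ssm() {       # $1 profile, $2 instance id, $3 remote user, $4 remote path
    printf '%s' "${SECRET_KEY_MATERIAL:?export SECRET_KEY_MATERIAL first}" |
        ssh -o "ProxyCommand=$(ssm_proxy_command "$1")" \
            -o StrictHostKeyChecking=accept-new \
            "$3@$2" "$(remote_install_command "$4")"
}

# Usage (placeholders; commented so the file can be sourced):
# SECRET_KEY_MATERIAL="$(openssl genpkey -algorithm ed25519)"   # generated in memory
# push_secret_over_ssm dev i-04843lr540028e96a ec2-user /home/ec2-user/.ssh/app_key
```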

Create and Configure a Cognito User Pool from the AWS CLI

I'm currently trying to automate the Cognito User Pool creation process via bash scripts on the AWS CLI. Following the steps from the AWS console, I'm trying to reproduce the same steps via the CLI. I'd like to know which commands I should be looking at and in what sequence. The AWS docs don't really say much and the commands sometimes tend to be confusing.
Any ideas will be greatly appreciated.
Cheers!
Nyah
First install the AWS CLI using the following command:
sudo pip install awscli
Configure AWS credentials. Run the command below; the system will ask for the following input: AWS Access Key ID, AWS Secret Access Key, Default region name, Default output format.
sudo aws configure
Create the user pool:
sudo aws cognito-idp create-user-pool --pool-name MyUserPool
You can first install awscli:
sudo pip install awscli
Configure the AWS CLI with your private key and access key.
To configure the AWS CLI, run the command:
aws configure
For all the details of Cognito, you can find the available commands over here: https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/index.html
Create the user pool in Cognito:
aws cognito-idp create-user-pool --pool-name <Whatever name you want to add>
Update the user pool in Cognito:
aws cognito-idp update-user-pool --user-pool-id <value>
You can also refer to this bash script:
https://github.com/awslabs/aws-cognito-angular-quickstart/blob/master/aws/createResources.sh
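The create step scripted end to end, as an added example rather than the answerers' commands or the linked quickstart script: it sets the password policy at creation, enables TOTP MFA, creates an SRP-only app client and captures the generated ids with --query. It assumes aws configure has already been run; the pool and client names are placeholders and the policy values are one reasonable baseline, not settings the thread specifies.

```shell
#!/bin/sh
# Added example, not the answerers' commands: the create step scripted end to
# end, with the pool's password policy set at creation, an app client that only
# allows SRP (no plaintext-password auth flow), TOTP MFA enabled, and the
# generated ids captured with --query instead of copied from the console.
# Assumes aws configure has already been run; names and the policy values are
# placeholders / one reasonable baseline, not values from the thread.
set -eu

POOL_NAME="${POOL_NAME:-MyUserPool}"
CLIENT_NAME="${CLIENT_NAME:-MyWebClient}"

# Prints the new pool id (the value update-user-pool and the other calls need).
create_user_pool() {
    aws cognito-idp create-user-pool \
        --pool-name "$POOL_NAME" \
        --username-attributes email \
        --auto-verified-attributes email \
        --policies 'PasswordPolicy={MinimumLength=12,RequireUppercase=true,RequireLowercase=true,RequireNumbers=true,RequireSymbols=true}' \
        --query 'UserPool.Id' --output text
}

# Enable authenticator-app (TOTP) MFA as optional; this call, not
# update-user-pool, is where the MFA types are switched on.
enable_totp_mfa() {            # $1 = user pool id
    aws cognito-idp set-user-pool-mfa-config \
        --user-pool-id "$1" \
        --software-token-mfa-configuration Enabled=true \
        --mfa-configuration OPTIONAL
}

# App client for a browser app: no client secret (a SPA cannot keep one), and
# only the SRP and refresh-token flows. Prints the client id.
create_app_client() {          # $1 = user pool id
    aws cognito-idp create-user-pool-client \
        --user-pool-id "$1" \
        --client-name "$CLIENT_NAME" \
        --no-generate-secret \
        --explicit-auth-flows ALLOW_USER_SRP_AUTH ALLOW_REFRESH_TOKEN_AUTH \
        --query 'UserPoolClient.ClientId' --output text
}

# Usage (commented so the file can be sourced into another script). Later edits
# go through update-user-pool; re-state every setting you want kept, since
# attributes you omit there are reset to their defaults.
# POOL_ID=$(create_user_pool)
# enable_totp_mfa "$POOL_ID"
# CLIENT_ID=$(create_app_client "$POOL_ID")
# echo "pool=$POOL_ID client=$CLIENT_ID"
```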