
How to connect to EC2 instance (without private key) using SSM Session Manager?

Run the following AWS CLI commands:

$ aws ec2 run-instances --image-id <Id-of-AMI-with-SSM-Agent-pre-installed> --subnet-id <subnet-id> --instance-type <instance-type> --associate-public-ip-address

$ aws iam create-role --role-name <role-name> --assume-role-policy-document '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}}'

Note: The command above contains inline JSON. Run such commands only from bash (not from cmd/PowerShell, which quote it differently).

$ aws iam attach-role-policy --role-name <role-name> --policy-arn <ARN-of-AmazonSSMManagedInstanceCore-Policy>

$ aws iam create-instance-profile --instance-profile-name <instance-profile-name>

$ aws iam add-role-to-instance-profile --role-name <role-name> --instance-profile-name <instance-profile-name>

$ aws ec2 associate-iam-instance-profile --instance-id <ec2-instance-id> --iam-instance-profile Name=<instance-profile-name>

$ aws ec2 describe-iam-instance-profile-associations

$ aws ssm start-session --target <ec2-instance-id>

Note: Install the Session Manager plugin for the AWS CLI - https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html#install-plugin-debian

If the EC2 instances are in a private subnet, you can do the following:

- Route traffic to internet through a NAT GW

- If you don't want to use a NAT GW, add the following Interface VPC endpoints (eu-west-2 is the region used here; substitute your own):

com.amazonaws.eu-west-2.ssm

com.amazonaws.eu-west-2.ssmmessages

com.amazonaws.eu-west-2.ec2messages

Link the subnets and Security Groups to these VPC endpoints. The Security Groups linked to these VPC endpoints should allow outbound HTTPS (TCP 443) traffic to SSM.
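Before running start-session it helps to check the two prerequisites above from CLI output: the instance profile association has reached the "associated" state, and the SSM Agent has registered and is "Online" (which only happens when the role and the NAT/endpoint path are in place). This is an added example, not code from the post; the JSON inputs are constructed samples shaped like the output of `aws ec2 describe-iam-instance-profile-associations` and `aws ssm describe-instance-information`, with placeholder IDs and ARNs.

```python
import json

# Constructed sample output of `aws ec2 describe-iam-instance-profile-associations`
# (same field names as the real CLI; IDs/ARNs are placeholders, not from the post).
ASSOCIATIONS_JSON = """
{"IamInstanceProfileAssociations": [
  {"AssociationId": "iip-assoc-0example", "InstanceId": "i-0aaa111",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ssm-profile",
                          "Id": "AIPAEXAMPLE"}, "State": "associated"},
  {"AssociationId": "iip-assoc-1example", "InstanceId": "i-0bbb222",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ssm-profile",
                          "Id": "AIPAEXAMPLE"}, "State": "associating"}
]}
"""

# Constructed sample output of `aws ssm describe-instance-information`.
INSTANCE_INFO_JSON = """
{"InstanceInformationList": [
  {"InstanceId": "i-0aaa111", "PingStatus": "Online", "AgentVersion": "3.2.0.0",
   "IamRole": "ssm-role", "PlatformType": "Linux"},
  {"InstanceId": "i-0ccc333", "PingStatus": "ConnectionLost", "AgentVersion": "3.2.0.0",
   "IamRole": "ssm-role", "PlatformType": "Linux"}
]}
"""


def session_readiness(associations_json: str, instance_info_json: str, instance_id: str) -> dict:
    """Report which prerequisite for `aws ssm start-session --target <instance_id>` is missing.

    Each key is one check; "ready" is True only when all of them pass."""
    assoc = {a["InstanceId"]: a
             for a in json.loads(associations_json)["IamInstanceProfileAssociations"]}
    info = {i["InstanceId"]: i
            for i in json.loads(instance_info_json)["InstanceInformationList"]}
    a = assoc.get(instance_id)
    i = info.get(instance_id)
    checks = {
        # Instance profile attached and past the transient "associating" state.
        "profile_associated": a is not None and a["State"] == "associated",
        # Agent registered with SSM: needs the AmazonSSMManagedInstanceCore role and a
        # path to the service (IGW/NAT or the ssm/ssmmessages/ec2messages endpoints).
        "agent_registered": i is not None,
        # Agent currently reachable; ConnectionLost points at the NAT/endpoint or SG path.
        "agent_online": i is not None and i["PingStatus"] == "Online",
    }
    checks["ready"] = all(checks.values())
    return checks
```

Replace the constructed strings with the real CLI output (for example via `subprocess` or by reading files saved with `--output json`) to use it against your own account.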

