I assume your EC2 is in a public subnet.
You do not need to set a proxy to use SSM Session Manager. Your AWS CLI needs to be configured with the necessary permissions.
To establish SSM sessions with the AWS CLI, you must install the Session Manager plugin on your local machine. Once installed, try establishing an SSM session using the AWS CLI:
aws ssm start-session --target <instance_id> --region us-east-2
After which, you can configure your SSH to use Session Manager according to the instructions in "Allow and control permissions for SSH connections through Session Manager" (including the IAM permissions) and "Connect using SSH / Starting a session (SSH)".
Edit: It seems that you want to start an SSM session from an external machine with the output in your local machine. Something like this?
Local machine --ssh?--> External machine -- SSM session --> EC2
You will need to log in to the external machine to establish the SSM session and map the output back. With SSH, you can probably do it this way (the -t forces a TTY, which the interactive session needs):
ssh -t user@external-machine-ip 'aws ssm start-session --target <ec2-instance_id> --region us-east-2'
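Building on the ssh-wrapped start-session above, the following is an added example (not code from the original thread) that routes the whole connection through the external machine with an ssh ProxyCommand, so that both the ssm:StartSession API call and the Session Manager plugin execute on the jump host, whose source IP is what the IAM policy evaluates; the local machine only carries SSH. It assumes the jump host is reachable as user@external-machine-ip and already has the AWS CLI, the Session Manager plugin and AWS credentials configured, the region us-east-2 from the thread, and a hypothetical instance ID i-0123456789abcdef0 with login user ec2-user. The EC2 instance still needs the SSM agent and an instance role with SSM permissions, as the other answer describes.

```shell
#!/bin/sh
# Added example, not from the original thread: SSH over Session Manager
# through a jump host whose source IP satisfies the policy's aws:SourceIp
# condition. The AWS CLI, Session Manager plugin and credentials live on the
# jump host, so the ssm:StartSession call originates there.
# Assumed names: jump host "external-machine-ip", jump user "user",
# region us-east-2, instance login user ec2-user (all hypothetical).

# Emit an ssh_config stanza for ~/.ssh/config. %h and %p are expanded by the
# local ssh client to the target (the EC2 instance ID) and the port (22), and
# the inner "aws ssm start-session" runs on the jump host, not locally.
ssm_via_jump_config() {
    jump_user="$1"; jump_host="$2"; region="$3"
    cat <<EOF
# Any host that looks like an EC2 / hybrid instance ID goes via the jump host
Host i-* mi-*
    ProxyCommand ssh -q ${jump_user}@${jump_host} aws ssm start-session --target %h --region ${region} --document-name AWS-StartSSHSession --parameters portNumber=%p
    User ec2-user
    StrictHostKeyChecking accept-new
EOF
}

# Plain interactive shell instead of SSH: the outer ssh must allocate a TTY
# (-t) or the Session Manager plugin on the jump host gets no terminal.
ssm_shell_cmd() {
    jump_user="$1"; jump_host="$2"; region="$3"; instance_id="$4"
    printf 'ssh -t %s@%s aws ssm start-session --target %s --region %s\n' \
        "$jump_user" "$jump_host" "$instance_id" "$region"
}

# Usage:
#   ssm_via_jump_config user external-machine-ip us-east-2 >> ~/.ssh/config
#   ssh i-0123456789abcdef0          # now tunnels via jump host + Session Manager
#   $(ssm_shell_cmd user external-machine-ip us-east-2 i-0123456789abcdef0)
```

The IAM condition is checked against the source address of the SSM API call, so the CLI and plugin have to run on the compliant host; running aws locally and only tunnelling SSH would not satisfy it. With the ProxyCommand form, scp and port forwarding (ssh -L) work unchanged, and the EC2 instance needs no inbound security-group rule because the SSH session rides inside the Session Manager channel.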
Hi Joann, what problem are you actually trying to solve here? Why do you need to go via this 'second' proxy machine to access the actual EC2; what is that adding?
If your EC2 is not reachable from the internet (which is generally good practice) you can still use SSM directly to connect to it - essentially you just need:
- ssm agent installed
- instance role with ssm permissions in place
- EC2 needs to be able to reach the SSM endpoints, either via IGW/NGW/service endpoints
As long as that is in place you can then get connectivity using SSM either via the console directly or by using the AWS CLI to create a kind of proxy connection that you can SSH to (using something like PuTTY). Is this maybe what you want to be able to do? This doesn't need a server in the middle to make it work, though.
Cheers, Rich
Hi, thanks for your answer. The problem is that, because of the requirements, only an IP range that covers some networks is allowed by the IAM policy attached to my IAM user to SSM into the EC2 instance. So, in order to get into the EC2 instance, I need to be inside the "secure network"; I can get "inside" the compliant network by SSH-ing into one of the machines. So I thought, is it possible to "proxy" AWS SSM requests from my local machine, to the external machine, and into the AWS SSM endpoint, to get terminal access to my EC2 instance?
Thanks for your answer. Your proposal is kind of the same as in the first answer; maybe I have not explained the situation I'm in well enough. The problem is that I have an IAM policy which forbids access to the EC2 instance if the request to AWS SSM does not come from the right IP, and even though AWS SSM does not require the EC2 instance to be open to the internet, I face this issue simply because of my company's requirements (which, no, cannot be changed).
Thanks for the clarification. I have updated the post.