Questions tagged with Session Management

My [**Instance status checks**] is failing since yesterday and I couldn't access instance to trouble shooting. Either via SSH or SSM The networking is not a problem since I checked via Reachability Analyzer (IGW to Instance) We also monitoring the instance and Ram or Dish storage is not the issue the last time the instance online Is there any way we can access instance for troubleshooting?   If it's help, the instance ID is i-0510a4ace1ff4069d and we are in Tokyo Regionlg...

Would be great if re:Post team could provide docs for how to sign in from CLI into re:Post with an automatic redirect. I'm using `aws-vault` which can assume a role, and create a valid session. And I know the pre-signed AWS console URLs have the redirect capability. So I think this should be possible? I just want to execute: ```sh aws-vault login repost ``` And be taken to this site, with a logged-in session.lg...

Hello All, I have a solution to allow customers to access ec2 linux instance via Session manager, but after login, the user is ssm-user, Is there any way to changed to ec2-user automatically. That means customers do not need to change to ec2-user manaually? Thanks, Mingtonglg...

I met a weird problem, I use a same AMI to launch a ec2 linux instance. If I launch the instance from aws console, and use the default vpc and subnet. this instance can be access through "Session Manager Connect". The Session Manager "Connect" button is enabled. If I launch a instance through a cloudformation, and the instance is in a created vpc and subnet. This instance's role already have AmazonSSMManagedInstanceCore policy. But this instance cannot be accessed through "Session Manager Connect". The Session Manager "Connect" button is disabled. The security group is as below:  I ssh to above two instances, check the ssm-agent status. Both instances ssm-agent status is Active: active (running) since xxxxxxxxxxxx I don't know what's the reason? Could you help me? What should I check or configure?lg...

Good evening to all, when I edit an xml configuration file under path **C:\appname** during the session, when I disconnect this change is lost even if I have enabled in the stack the **application persistance setting** and the **home folder S3** in storage. Do you have any advice? Thank you!!lg...

Dear all, I set up the session manager correctly a while ago. I was able to connect to my ubuntu-managed node through: * the *System Manager Console* * the *AWS CLI* ( Session manager Plugin is installed on my local Mac) * SSH using *instance-id* instead of host public IP I need the last one because I also need to transfer files between my local and the managed nodes. But after a few months, today I tried to connect using ssh: `ssh -i :path/to/file.pem ubuntu@{instance-id}` But I'm not able to connect using ssh anymore `ssh: Could not resolve hostname {instance-id}: nodename nor servname provided, or not known` The other starting session methods still work very fine and I am also able to SSH to the server using the host IP. OS Version: Ubuntu 18.04.4 LTS amazon-ssm-agent: 3.1.1188.0 Local AWS CLI: aws-cli/2.4.28 Python/3.8.8 Darwin/21.5.0 exe/x86_64 prompt/off session-manager-plugin 1.2.295.0 Any help is really appreciated Regards Hamed.lg...

I can't seem to get an instance in a public subnet to connect via session manager. The subnet that the instance ends up deploying to has `0.0.0.0/0` set to an internet gateway. The security group has no inbound rules and an outbound rule of `Allow` `0.0.0.0/0`. The instance profile has the `AmazonSSMManagedInstanceCore` managed policy, the instance is on a public subnet with an internet gateway and a security group that allows all outbound requests, and it’s running AmazonLinux 2, so the SSM agent should be installed. I even added a userData command to install the latest again, but that didn’t change anything. From the console, I see the following error message: > **We weren't able to connect to your instance. Common reasons for this include:** > * SSM Agent isn't installed on the instance. You can install the agent on both [Windows instances](https://docs.aws.amazon.com/en_us/console/systems-manager/agent-windows) and [Linux instances](https://docs.aws.amazon.com/en_us/console/systems-manager/agent-linux). > * The required [IAM instance profile](https://docs.aws.amazon.com/en_us/console/systems-manager/qs-instance-profile) isn't attached to the instance. You can attach a profile using [AWS Systems Manager Quick Setup](https://docs.aws.amazon.com/en_us/console/systems-manager/qs-quick-setup). > * Session Manager setup is incomplete. For more information, see [Session Manager Prerequisites.](https://docs.aws.amazon.com/en_us/console/systems-manager/session-manager-prerequisites) Here's a sample of CDK code that replicates the problem: ```typescript const region = 'us-east-2' const myInstanceRole = new Role(this, 'MyRole', { assumedBy: new ServicePrincipal('ec2.amazonaws.com'), }) myInstanceRole.addManagedPolicy( ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore') ) const myUserData = UserData.forLinux() myUserData.addCommands( `sudo yum install -y https://s3.${region}.amazonaws.com/amazon-ssm-${region}/latest/linux_amd64/amazon-ssm-agent.rpm`, 'sudo systemctl restart amazon-ssm-agent', ) const myInstance = new Instance(this, 'MyInstance', { instanceType: InstanceType.of(InstanceClass.C6I, InstanceSize.LARGE), machineImage: MachineImage.latestAmazonLinux({ generation: AmazonLinuxGeneration.AMAZON_LINUX_2, cpuType: AmazonLinuxCpuType.X86_64, }), vpc: Vpc.fromLookup(this, 'ControlTowerVPC', { vpcName: 'aws-controltower-VPC', }), vpcSubnets: { subnetType: SubnetType.PUBLIC, }, blockDevices: [ { deviceName: '/dev/xvda', volume: BlockDeviceVolume.ebs(30, { volumeType: EbsDeviceVolumeType.GP2, encrypted: true, }), }, ], userData: myUserData, role: myInstanceRole, detailedMonitoring: true, }) ```lg...

Hello, I need to connect each IAM user to their own system user in EKS pod. I know that using the `aws eks --region region update-kubeconfig --name cluster_name` + `kubectl exec --stdin --tty pod/test -- /bin/bash` commands i can get the "terminal access" to the pod, hosted in AWS EKS. But it always gives me `root` user, how i can define by which user i want to authenticate into the pod? And, is it possible to define which IAM users have access to which pods system users? I know that it is possible to do what i need with `system manager - session manager` by using SSH keys or defining the user-name with Tag `SSMSessionRunAs` for EC2 instances, but does it work similar with the EKS? Joannlg...

Hi, I was able to configure AWS session manager to use SSH keys over session manager tunnel as it is described here -> https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html. But now i need to force user to provide SSH keys, because now, even tho i can use SSH keys to authenticate into the EC2 instance, im still able to to it without providing SSH keys, just by using `aws ssm start-session` command. As i suppose i can add some kind of policy for that, something like: ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::accountid:user/test-user" }, "Action": [ "ssm:TerminateSession", "ssm:ResumeSession" ], "Condition": { "StringEquals": { "ssm:StartSession/RequireSSH": "True" ( parameters made up, by me ) } } } ] } ``` But im not sure what should be in the place of `"ssm:StartSession/RequireSSH": "True"`, Any help will be appreciated Joannlg...

Hi, I need to assign ssh key pairs to the EC2 instances for multiple IAM users. So what i want to have: IAM users `[user1,user2,user3]`, out of them `[user1,user2]` should have separate (each IAM user should have its own user in VM) SSH access to the `[VM-1,VM-2]` EC2 instances, and the `[user3]` should have access **only** to the `[VM-3]` instance. Do i need to generate ssh key pairs, create users inside the EC2 instance, assign permissions for those users - manually, and then also manually add those SSH pub keys in the EC2 instances? Or AWS has service that can do it automatically for me? Joannlg...

Hi, I want to forbid IAM user (for example: support-IAM ) to authenticate to the EC2 instance user ( for example : root-EC2 ), but still be able to authenticate as other EC2 instance user ( for example: support-EC2 ) , for that, as i understood i need to forbid this user to set `--tags` with value `root-EC2` (or in my case, everything **except** `support-EC2`) while using command `aws sts assume-role`, but how can i do it? P.S im using `AWS session manager` Joannlg...

Hi, My first question - https://repost.aws/questions/QUS8M4w0jkS8iV6EzPmaRmag/ssh-key-managment-for-multiple-accounts Im trying to use "AWS system manager" - "session manager". As i was advised in my previous question, to be able to login into the EC2 instances located in multiple accounts, i will need to do something similar to https://aws.amazon.com/blogs/mt/vr-beneficios-session-manager/ But the problem is that i need to have for each IAM user their own user in EC2 instance, as i found out, i need to pass tag "SSMSessionRunAs" with the value of the username to witch im login in. But if i will use "group" roles (roles assigned for multiple users), they will be authenticating with the same user in EC2 instance, which will not work for me. Does that mean, that in my case i will need to create a role for each IAM user? or i can change tag of the role depending on the user assuming this role? Thank you very much. Joannlg...