I built "omssh", an interactive CLI tool for SSH login via the EC2 Instance Connect API
Overview
I created an SSH login tool called oreno-mssh, also known as omssh, which leverages the AWS EC2 Instance Connect API.
Why I Decided to Build It
With the arrival of the EC2 Instance Connect API, it became possible to SSH into an instance simply by specifying its EC2 Instance ID.
This eliminated the need to hand out private keys to members who connect via SSH, register public keys, and so on.
When using mssh, you can SSH in with commands like the following.
```sh
# SSH into Amazon Linux
mssh <EC2 Instance ID> --profile <profile>
# Ubuntu
mssh ubuntu@<EC2 Instance ID> --profile <profile>
```
To use mssh, you need the `<EC2 Instance ID>` information, and it was a hassle to look up the Instance ID every single time.
Of course, for a bastion server you could just jot it down, since it rarely gets restarted and the Instance ID rarely changes. But as the number of servers grows, this becomes hard to manage.
I decided to solve that hassle interactively with fuzzyfinder.
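The idea above in a small script, as an added example that is not omssh's own code: list running instances, narrow them with a substring picker standing in for a fuzzy finder, and hand the chosen Instance ID to mssh. It assumes boto3 is installed and credentials are configured; the sample response, instance IDs and names are constructed.

```python
import subprocess
import sys

# Constructed sample shaped like boto3 describe_instances()["Reservations"]; values are made up.
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa111", "State": {"Name": "running"}, "PublicIpAddress": "203.0.113.10",
     "Tags": [{"Key": "Name", "Value": "bastion-prod"}]},
    {"InstanceId": "i-0bbb222", "State": {"Name": "running"},
     "Tags": [{"Key": "Name", "Value": "app-prod-1"}]},
    {"InstanceId": "i-0ccc333", "State": {"Name": "stopped"},
     "Tags": [{"Key": "Name", "Value": "bastion-old"}]},
]}]

def instance_rows(reservations):
    """Flatten the API response into (id, name, public_ip) rows of running instances;
    public_ip is None when absent, which matters given the public-subnet limitation."""
    rows = []
    for res in reservations:
        for inst in res.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue  # a stopped host cannot be logged into anyway
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            rows.append((inst["InstanceId"], tags.get("Name", ""), inst.get("PublicIpAddress")))
    return rows

def filter_rows(rows, query):
    """Substring picker standing in for a fuzzy finder: every query word must
    appear, case-insensitively, in the instance ID or Name tag."""
    words = query.lower().split()
    return [r for r in rows if all(w in f"{r[0]} {r[1]}".lower() for w in words)]

def build_mssh_command(instance_id, user=None, profile=None):
    """Compose the mssh call from the post; Ubuntu hosts need an explicit user@."""
    target = f"{user}@{instance_id}" if user else instance_id
    return ["mssh", target] + (["--profile", profile] if profile else [])

def main(profile=None, user=None):
    import boto3  # imported here so the pure helpers above work without AWS access
    ec2 = boto3.Session(profile_name=profile).client("ec2")
    rows = filter_rows(instance_rows(ec2.describe_instances()["Reservations"]), input("filter> "))
    if not rows:
        sys.exit("no running instance matches")
    for i, (iid, name, ip) in enumerate(rows):
        print(f"[{i}] {iid}  {name}  {ip or '(no public IP)'}")
    iid = rows[int(input("select> "))][0]
    subprocess.run(build_mssh_command(iid, user, profile), check=False)

if __name__ == "__main__":  # usage: python omssh_example.py [profile] [user]
    main(*sys.argv[1:3])
```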
Usage
As described in the README.md, you can install it with the following steps.
```sh
$ git clone https://github.com/kenzo0107/omssh
$ cd omssh
$ make build && make install
```
Going Forward
At the moment, there are still cases where I can't fully switch over to an EC2 Instance Connect–based workflow.
The reason is that the EC2 Instance Connect API can only be used when the EC2 instance is placed in a Public Subnet. So while I can SSH into the bastion using the EC2 Instance Connect API, anything beyond that still requires a private key.
I’m hopeful that, before long, EC2 Instance Connect will become usable in Private Subnets as well.
If that happens, I could place omssh on the bastion too, and a world becomes possible where SSH access is managed purely through IAM permissions, without ever having to think about keys.
I’ll be sure to pass my wish along to AWS Support ♪
