AWS SSM Session manager client
I am using AWS a lot and I am tired of dealing with everything that comes with the bastion host (additional instance one has to maintain, distribute SSH keys (shared SSH keys are not an option for me), exposing SSH to the network). A while ago, Amazon released a service to fix this - AWS Systems Manager Session Manager. However, CLI user experience of Session Manager is limited and lacks some features:
aws-gate tries to address these issues.
These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system.
Via pip
pip install aws-gate
or via Homebrew
brew tap xen0l/homebrew-taps
brew install aws-gate
# For installing session-manager-plugin via Homebrew (optional)
brew install --cask session-manager-plugin
or via Docker
docker login docker.pkg.github.com -u $YOUR_GH_USERNAME -p $GH_TOKEN
docker pull docker.pkg.github.com/xen0l/aws-gate/aws-gate:latest
You can store information about to connect to your instance (name, region and profile) and aws-gate will do everything for you. The config file is stored in ~/.aws-gate/config and has the following YAML syntax:
hosts:
- alias: backend-pre
name: backend
profile: preproduction
region: eu-west-1
- alias: backend-pro
name: backend
profile: production
region: eu-west-1
defaults:
profile: development
region: eu-west-1
where hosts stores connection information and defaults default configuration settings to use. To connect to instance backend-pre, execute:
aws-gate session backend-pre
You can place additional configuration files in ~/.aws-gate/config.d. This is ideal when you are working on different projects or when you need to share configuration inside your team.
aws-gate supports querying for instances with following identifiers:
aws-gate session i-0772e4c1dcdd763b6
aws-gate session ec2-34-245-174-132.eu-west-1.compute.amazonaws.com
aws-gate session ip-172-31-35-113.eu-west-1.compute.internal
aws-gate session 34.245.174.13
aws-gate session 172.31.35.113
aws-gate session Name:SSM-test
aws-gate session SSM-test
aws-gate session asg:dummy-v001
AWS SSM Session Manager supports tunneling SSH sessions over it. Moreover, aws-gate supports generating ephemeral SSH keys and uploading them via EC2 Instance Connect API. However, to use this functionality, EC2 Instance Connect setup is needed.
To use this functionality, simply run aws-gate ssh-config, which will generate the required ~/.ssh/config snippet for you:
% aws-gate ssh-config
Host *.eu-west-1.default
IdentityFile /Users/xenol/.aws-gate/key
IdentitiesOnly yes
User ec2-user
Port 22
ProxyCommand sh -c "aws-gate ssh-proxy -p `echo %h | sed -Ee 's/^(.*)\.(.*)\.(.*)$/\\3/g'` -r `echo %h | sed -Ee 's/^(.*)\.(.*)\.(.*)$/\\2/g'` `echo %h | sed -Ee 's/^(.*)\.(.*)\.(.*)$/\\1/g'`"
Store the snippet inside ~/.ssh/config:
% aws-gate ssh-config >> ~/.ssh/config
Then connect via ssh:
% ssh ssm-test.eu-west-1.default
Last login: Fri Oct 4 17:17:02 2019 from localhost
__| __|_ )
_| ( / Amazon Linux 2 AMI
___|\___|___|
https://aws.amazon.com/amazon-linux-2/
1 package(s) needed for security, out of 20 available
Run "sudo yum update" to apply all updates.
[ec2-user@ip-172-31-35-173 ~]$
SSH session to instance ssm-test in eu-west-1 AWS region via default AWS profile is opened.
scp works the same way (both ways):
% # local to remote
% scp test_file ssm-test.eu-west-1.glovoapp:test_file
test_file 100% 0 0.0KB/s 00:00
%
% # remote to local
% scp ssm-test.eu-west-1.glovoapp:test_file test_file
test_file 100% 0 0.0KB/s 00:00
Please, also note that while scp over SSM works, it can be extremely slow. This is because of the underlying SSM limitations and not caused by aws-gate itself.
aws-gate provides a way to open SSH session on the instance directly. This is achieved by wrapping around ssh under the hood. Simply run aws-gate ssh <instance_identifier>:
% aws-gate ssh ssm-test
Last login: Sat Nov 9 10:23:11 2019 from localhost
__| __|_ )
_| ( / Amazon Linux 2 AMI
___|\___|___|
https://aws.amazon.com/amazon-linux-2/
28 package(s) needed for security, out of 56 available
Run "sudo yum update" to apply all updates.
[ec2-user@ip-172-31-35-173 ~]$
If you wish to execute a specific command (or plug it into your shell pipelines):
% aws-gate ssh ssm-test uname -a
Linux ip-172-31-35-173.eu-west-1.compute.internal 4.14.123-111.109.amzn2.x86_64 #1 SMP Mon Jun 10 19:37:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Local ports can be forwarded to another host and port relative to the target instance. This works as if by using ssh's -L option. Instead of executing a command, aws-gate establishes a forwarding session that can be used by other local applications.
For example, you can use this to connect to a private web server by forwarding the instance's local port.
# Terminal 1
% aws-gate ssh -L 8888:localhost:80 ssh-test
# Terminal 2
% curl localhost:8888
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Test Page for the Nginx HTTP Server on Amazon Linux</title>
...
Or you can use it to connect to a private RDS instance by forwarding the remote address and remote port.
# Terminal 1
% aws-gate ssh -L 3306:privatedb.abcdef123456.eu-west-1.rds.amazonaws.com:3306 ssm-test
# Terminal 2
% mysql -h 127.0.0.1 -u root -P 3306 -p -e "SELECT User from mysql.user;"
Enter password:
+------------------+
| User |
+------------------+
| root |
| mysql.infoschema |
| mysql.session |
| mysql.sys |
| rdsadmin |
+------------------+
If you run into issues, you can get detailed debug log by setting GATE_DEBUG environment variable:
export GATE_DEBUG=1
After setting the environment variable, the debug mode will be automatically enabled:
% aws-gate session test
2019-05-26 01:18:23,535 - aws_gate.config - DEBUG - Located config file: /Users/xenol/.aws-gate/config
2019-05-26 01:18:23,538 - aws_gate.utils - DEBUG - Obtaining boto3 session object
2019-05-26 01:18:23,549 - aws_gate.utils - DEBUG - Obtained configured AWS profiles: default development preproduction production
2019-05-26 01:18:23,550 - aws_gate.utils - DEBUG - Obtaining boto3 session object
2019-05-26 01:18:23,560 - aws_gate.utils - DEBUG - Obtained configured AWS profiles: default development preproduction production
2019-05-26 01:18:23,560 - aws_gate.utils - DEBUG - Obtaining boto3 session object
2019-05-26 01:18:23,574 - aws_gate.utils - DEBUG - Obtaining ssm client
2019-05-26 01:18:23,608 - aws_gate.utils - DEBUG - Obtaining boto3 session object
2019-05-26 01:18:23,636 - aws_gate.utils - DEBUG - Obtaining ec2 boto3 resource
2019-05-26 01:18:23,694 - aws_gate.query - DEBUG - Querying EC2 API for instance identifier: SSM-test
2019-05-26 01:18:24,029 - aws_gate.query - DEBUG - Found 1 maching instances
2019-05-26 01:18:24,030 - aws_gate.query - DEBUG - Matching instance: i-0772e4c1dcdd763b6
2019-05-26 01:18:24,030 - aws_gate.session - INFO - Opening session on instance i-0772e4c1dcdd763b6 (eu-west-1) via profile default
2019-05-26 01:18:24,030 - aws_gate.session - DEBUG - Creating a new session on instance: i-0772e4c1dcdd763b6 (eu-west-1)
...
Debug mode also enables printing of Python stack traces if there is a crash or some other problem.
This project is licensed under the BSD License - see the LICENSE.md file for details
FAQs
aws-gate - AWS SSM Session Manager client CLI
We found that aws-gate demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.
Product
Socket now supports uv.lock files to ensure consistent, secure dependency resolution for Python projects and enhance supply chain security.
Research
Security News
Socket researchers have discovered multiple malicious npm packages targeting Solana private keys, abusing Gmail to exfiltrate the data and drain Solana wallets.