Sign inDemoInstall


Package Overview
File Explorer

Install Socket

Detect and block malicious and high-risk dependencies



aws-gate - AWS SSM Session Manager client CLI




Build StatusCode style: blackcodecovCodacy BadgePyPI versionPyPI - Downloads

AWS SSM Session manager client



I am using AWS a lot and I am tired of dealing with everything that comes with the bastion host (additional instance one has to maintain, distribute SSH keys (shared SSH keys are not an option for me), exposing SSH to the network). A while ago, Amazon released a service to fix this - AWS Systems Manager Session Manager. However, CLI user experience of Session Manager is limited and lacks some features:

  • ability to connect to instances by other means (e.g. DNS, IP, tag, instance name, autoscaling group) as aws cli supports only connecting by instance IDs
  • configuration file support for storing connection information via Session Manager

aws-gate tries to address these issues.

Getting Started

These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system.


  • Python 3.5+ (earlier Python 3 versions should work too)
  • session-plugin-manager from AWS
  • SSM Agent version or later must be installed on EC2 instances we want to connect to
  • Proper IAM permissions for instance profile


Via pip

pip install aws-gate

or via Homebrew

brew tap xen0l/homebrew-taps
brew install aws-gate

# For installing session-manager-plugin via Homebrew (optional)
brew install --cask session-manager-plugin

or via Docker

docker login -u $YOUR_GH_USERNAME -p $GH_TOKEN
docker pull


config and config.d support

You can store information about to connect to your instance (name, region and profile) and aws-gate will do everything for you. The config file is stored in ~/.aws-gate/config and has the following YAML syntax:

  - alias: backend-pre
    name: backend
    profile: preproduction
    region: eu-west-1
  - alias: backend-pro
    name: backend
    profile: production
    region: eu-west-1

  profile: development
  region: eu-west-1

where hosts stores connection information and defaults default configuration settings to use. To connect to instance backend-pre, execute:

aws-gate session backend-pre

You can place additional configuration files in ~/.aws-gate/config.d. This is ideal when you are working on different projects or when you need to share configuration inside your team.

Querying instances by different instance identifiers

aws-gate supports querying for instances with following identifiers:

  • instance id
aws-gate session i-0772e4c1dcdd763b6
  • DNS name
aws-gate session
  • private DNS name
aws-gate session
  • IP address
aws-gate session
  • private IP address
aws-gate session
  • tags
aws-gate session Name:SSM-test
  • name (uses tag identifier under the hood)
aws-gate session SSM-test
  • autoscaling group name (uses tag identifier under the hood)
aws-gate session asg:dummy-v001
SSH ProxyCommand support

AWS SSM Session Manager supports tunneling SSH sessions over it. Moreover, aws-gate supports generating ephemeral SSH keys and uploading them via EC2 Instance Connect API. However, to use this functionality, EC2 Instance Connect setup is needed.

To use this functionality, simply run aws-gate ssh-config, which will generate the required ~/.ssh/config snippet for you:

% aws-gate ssh-config
Host *.eu-west-1.default
IdentityFile /Users/xenol/.aws-gate/key
IdentitiesOnly yes
User ec2-user
Port 22
ProxyCommand sh -c "aws-gate ssh-proxy -p `echo %h | sed -Ee 's/^(.*)\.(.*)\.(.*)$/\\3/g'` -r `echo %h | sed -Ee 's/^(.*)\.(.*)\.(.*)$/\\2/g'` `echo %h | sed -Ee 's/^(.*)\.(.*)\.(.*)$/\\1/g'`"

Store the snippet inside ~/.ssh/config:

% aws-gate ssh-config >> ~/.ssh/config

Then connect via ssh:

% ssh
Last login: Fri Oct  4 17:17:02 2019 from localhost

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
1 package(s) needed for security, out of 20 available
Run "sudo yum update" to apply all updates.
[ec2-user@ip-172-31-35-173 ~]$

SSH session to instance ssm-test in eu-west-1 AWS region via default AWS profile is opened.

scp works the same way (both ways):

% # local to remote
% scp test_file    
test_file                                                                                                                                                                 100%    0     0.0KB/s   00:00    
% # remote to local
% scp test_file
test_file                                                                                                                                                                 100%    0     0.0KB/s   00:00    

Please, also note that while scp over SSM works, it can be extremely slow. This is because of the underlying SSM limitations and not caused by aws-gate itself.

SSH support

aws-gate provides a way to open SSH session on the instance directly. This is achieved by wrapping around ssh under the hood. Simply run aws-gate ssh <instance_identifier>:

% aws-gate ssh ssm-test
Last login: Sat Nov  9 10:23:11 2019 from localhost

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
28 package(s) needed for security, out of 56 available
Run "sudo yum update" to apply all updates.
[ec2-user@ip-172-31-35-173 ~]$

If you wish to execute a specific command (or plug it into your shell pipelines):

% aws-gate ssh ssm-test uname -a
Linux 4.14.123-111.109.amzn2.x86_64 #1 SMP Mon Jun 10 19:37:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Local ports can be forwarded to another host and port relative to the target instance. This works as if by using ssh's -L option. Instead of executing a command, aws-gate establishes a forwarding session that can be used by other local applications.

For example, you can use this to connect to a private web server by forwarding the instance's local port.

# Terminal 1
% aws-gate ssh -L 8888:localhost:80 ssh-test

# Terminal 2
% curl localhost:8888
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "">

<html xmlns="" xml:lang="en">
        <title>Test Page for the Nginx HTTP Server on Amazon Linux</title>

Or you can use it to connect to a private RDS instance by forwarding the remote address and remote port.

# Terminal 1
% aws-gate ssh -L ssm-test

# Terminal 2
% mysql -h -u root -P 3306 -p -e "SELECT User from mysql.user;"
Enter password: 
| User             |
| root             |
| mysql.infoschema |
| mysql.session    |
| mysql.sys        |
| rdsadmin         |

Debugging mode

If you run into issues, you can get detailed debug log by setting GATE_DEBUG environment variable:

export GATE_DEBUG=1

After setting the environment variable, the debug mode will be automatically enabled:

% aws-gate session test
2019-05-26 01:18:23,535 - aws_gate.config  - DEBUG - Located config file: /Users/xenol/.aws-gate/config
2019-05-26 01:18:23,538 - aws_gate.utils   - DEBUG - Obtaining boto3 session object
2019-05-26 01:18:23,549 - aws_gate.utils   - DEBUG - Obtained configured AWS profiles: default development preproduction production
2019-05-26 01:18:23,550 - aws_gate.utils   - DEBUG - Obtaining boto3 session object
2019-05-26 01:18:23,560 - aws_gate.utils   - DEBUG - Obtained configured AWS profiles: default development preproduction production
2019-05-26 01:18:23,560 - aws_gate.utils   - DEBUG - Obtaining boto3 session object
2019-05-26 01:18:23,574 - aws_gate.utils   - DEBUG - Obtaining ssm client
2019-05-26 01:18:23,608 - aws_gate.utils   - DEBUG - Obtaining boto3 session object
2019-05-26 01:18:23,636 - aws_gate.utils   - DEBUG - Obtaining ec2 boto3 resource
2019-05-26 01:18:23,694 - aws_gate.query   - DEBUG - Querying EC2 API for instance identifier: SSM-test
2019-05-26 01:18:24,029 - aws_gate.query   - DEBUG - Found 1 maching instances
2019-05-26 01:18:24,030 - aws_gate.query   - DEBUG - Matching instance: i-0772e4c1dcdd763b6
2019-05-26 01:18:24,030 - aws_gate.session - INFO  - Opening session on instance i-0772e4c1dcdd763b6 (eu-west-1) via profile default
2019-05-26 01:18:24,030 - aws_gate.session - DEBUG - Creating a new session on instance: i-0772e4c1dcdd763b6 (eu-west-1)

Debug mode also enables printing of Python stack traces if there is a crash or some other problem.


This project is licensed under the BSD License - see the file for details

Stargazers over time

Stargazers over time


Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.


Related posts

SocketSocket SOC 2 Logo


  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap

Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc