AWS recently announced EC2 Instance Connect, a way to grant yourself temporary ssh access to a host without the need for more permanent ssh credentials to be stored on the host.
While that’s very cool, the instructions to use it make it nowhere near as nice as using standard ssh. You need to:
- Find out the instance ID
- Run a lengthy command to push your ssh key onto the instance
- Then ssh to the instance
Thankfully, with the joys of ssh’s ProxyCommand, we can make this a lot nicer.
A helper script can do all the grunt work above. Then all we need to do is set an appropriate ProxyCommand for the instances.
All of our hosts are on private networks with separate CIDR ranges, so I can map the hostname/IP address to a region, which means that ~/.ssh/config can be set up as follows:
    ProxyCommand ~/.ssh/aws-proxy.sh --profile my_aws_profile --region ap-southeast-2 --filter private-dns-name --key ~/.ssh/my_private_key %r %h %p

Host 10.1.*
    ProxyCommand ~/.ssh/aws-proxy.sh --profile my_aws_profile --region ap-southeast-2 --filter private-ip-address --key ~/.ssh/my_private_key %r %h %p
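The script those ProxyCommand lines call is not reproduced in this post, so here is an added sketch of what it has to do (my own example, not the author's gist): resolve %h to an instance ID with the chosen --filter, push the public half of --key through EC2 Instance Connect, then hand the TCP stream back to ssh. The --profile/--region/--filter/--key option names are taken from the config above; everything else (the function names, the use of nc as the relay) is my assumption.

```shell
#!/bin/sh
# Hypothetical aws-proxy.sh (not the author's script): an ssh ProxyCommand that pushes
# a short-lived public key with EC2 Instance Connect, then relays the TCP stream to sshd.
# The outer ssh must offer the same key (IdentityFile ~/.ssh/my_private_key), because
# the instance only accepts the pushed public key for 60 seconds.
#   ProxyCommand ~/.ssh/aws-proxy.sh --profile P --region R --filter private-ip-address --key ~/.ssh/key %r %h %p
set -eu

# Turn the --filter kind and %h into a describe-instances --filters argument.
ec2_filter() {
  case "$1" in
    private-ip-address|private-dns-name|ip-address|dns-name) printf 'Name=%s,Values=%s' "$1" "$2" ;;
    *) echo "aws-proxy: unsupported --filter '$1'" >&2; return 1 ;;
  esac
}

# True only when $1 holds exactly one non-empty line, i.e. exactly one matching instance.
exactly_one_line() { [ "$(printf '%s\n' "$1" | grep -c .)" -eq 1 ]; }

# Resolve %h to "<instance-id>\t<availability-zone>", refusing absent or ambiguous matches.
lookup_instance() {
  flt=$(ec2_filter "$3" "$4")
  found=$(aws --profile "$1" --region "$2" ec2 describe-instances \
      --filters "$flt" 'Name=instance-state-name,Values=running' \
      --query 'Reservations[].Instances[].[InstanceId,Placement.AvailabilityZone]' --output text)
  exactly_one_line "$found" || { echo "aws-proxy: expected one running instance for $4, got: ${found:-none}" >&2; return 1; }
  printf '%s' "$found"
}

main() {
  profile= region= filter= key=
  while [ $# -gt 3 ]; do
    case "$1" in
      --profile) profile=$2 ;;  --region) region=$2 ;;
      --filter)  filter=$2 ;;   --key)    key=$2 ;;
      *) echo "aws-proxy: unknown option $1" >&2; exit 2 ;;
    esac
    shift 2
  done
  if [ $# -ne 3 ] || [ -z "$profile" ] || [ -z "$region" ] || [ -z "$filter" ] || [ -z "$key" ]; then
    echo "usage: aws-proxy.sh --profile P --region R --filter F --key K user host port" >&2; exit 2
  fi
  user=$1 host=$2 port=$3
  inst=$(lookup_instance "$profile" "$region" "$filter" "$host")
  set -- $inst   # $1 = instance id, $2 = availability zone
  aws --profile "$profile" --region "$region" ec2-instance-connect send-ssh-public-key \
      --instance-id "$1" --availability-zone "$2" --instance-os-user "$user" \
      --ssh-public-key "$(ssh-keygen -y -f "$key")" >/dev/null
  exec nc "$host" "$port"   # hand the socket back to ssh, which now authenticates with $key
}
if [ $# -ge 3 ]; then main "$@"; fi
```

The IAM side is what actually gates access here: whoever runs this needs ec2-instance-connect:SendSSHPublicKey on the target instances, and CloudTrail records every push, so revoking the IAM principal is what offboarding comes down to.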
At that point, running ssh 10.1.2.3 logs me straight in. This completely removes the need for SSH key rotation (for example as part of an offboarding process or a regular 90-day access key rotation).
As well as being in a gist, aws-proxy.sh is also in a GitHub repo for further improvement.