How to connect to a Windows EC2 instance using Ansible? - windows

From reading the Connect to your Windows instance AWS EC2 docs page, my understanding is that it is not possible to SSH to Windows EC2 instances.
The typical procedure to connect to a Windows EC2 instance manually is to download the remote desktop file, get the password for the instance, and then use the Remote Desktop Connection tool to RDP to the instance (more detail is in the docs page above).
If I am correct that Windows EC2 instances do not support connecting via SSH, how can you connect to a Windows EC2 in an Ansible playbook?
I would prefer to be able to do this without installing any software on the Windows EC2 instance beforehand, but if that is necessary, I can do that.

I have found you need to do the following to connect to a Windows EC2 instance using Ansible:
You need to configure the EC2 to allow connections from Ansible using the ConfigureRemotingForAnsible.ps1 script. This can be done either by setting this as the user data when you create the EC2, or by running this script after the EC2 is created.
You need add a security group, or configure a security group already added to the EC2 to allow the following incoming requests to the EC2 from the host(s) that the Ansible playbook will be running on:
WinRM
TCP requests to whatever you configure as the Ansible port
You need to install pywinrm>=0.3.0 so Ansible can use WinRM to connect to the EC2.
You need to run the Ansible playbook with ansible_connection variable set to winrm, and the ansible_winrm_scheme variable set to http. This can be done with --extra-args or any other way that variables are set.
You need to provide the public IP address of the Windows EC2 host, either under hosts in the playbook, or in a host file passed to ansible-playbook with -i.
You need to get or set the EC2's Administrator password, and then provide this password with the ansible_password variable for the EC2.

Related

AWS DocumentDB ECONNRESET error with SSH tunneling from Mongo shell

I've followed the AWS DocumentDB docs for connecting outside VPC:
I created an EC2 instance in the same security group and VPC as the DocDB cluster
In the security group I opened 22 port access for my IP, and also opened port 27017 for communication inside the security so EC2 instance can SSH tunnel to the DocDB
I ran ssh -f -i "ssh-tunneling-access.pem" -L 27017:{doc-db-cluster}:27017 {ec2-instance-user}#{ec2-instance-dns} -N to open the SSH tunnel
In another terminal I tried to connect using Mongo shell with mongosh "mongodb://{credentials}!#localhost:27017/?tls=true&tlsAllowInvalidHostnames=true&tlsCAFile=rds-combined-ca-bundle.pem"
I got an error "MongoServerSelectionError: read ECONNRESET"
I'm running on Windows 11, and my terminal is Powershell Core.
Any ideas what did I miss and/or how to troubleshoot it?
First of all, make sure you can connect to DocumentDB from the EC2 instance. The security group attached to the DocumentDB cluster has to allow port 27017 with source the EC2 instance (or the security group of the EC2).
Second, is not clear from where you're initiating the tunnel. Did you execute step 3. on the Windows 11 machine? Have you installed OpenSSH on Windows?
How about using a GUI client, like Robo 3t, which has SSH tunneling support? Instructions on how to connect can be found here.

How can I access the Neptune Database from my local environment using SSH tunnel?

I have both application and network load balancer. EC2 instance and the Neptune are in the same VPC group. I am able to access the EC2 instance by using ssh username# and can access the Gremlin server there and execute queries but how can I make a tunnel out of it so that I can use it from the local environment? Let me know if you need more detail.
It's not 100% clear if you are connecting directly to EC2 or whether there is a NLB or an ALB in between. If you are connecting from a local machine via SSH directly to EC2 to build a tunnel to Neptune, a command such as this will work.
ssh -i mycreds.pem ec2-user#ec2-xx-xx-xx-xx.compute-1.amazonaws.com -N -L 8182:my-neptune-cluster.us-east-1.neptune.amazonaws.com:818
In order to get the SSL credentials to resolve you will likely need to add a line to your hosts file along the lines of:
127.0.0.1 localhost my-neptune-cluster.us-east-1.neptune.amazonaws.com

Ansible connectivity from Control Host to Remote Host : Alternate to Passwordless SSH

We are in the midway of implementing Ansible CI for app deployment. For connecting the Remote host from Control Host , we used passwordless SSH authentication (by adding SSH key to authorized_keys).
But with recent changes, Unix team not allowing this any more on higher env as corporate unix policy. So have to use the password way.
The user with which Ansible running & connecting to Remote machine is a sudo user & does not have a password for itself.
So in this case, how do we connect from Control Host to Remote host, without the SSH key?
while running the ansible playbook we get an option to provide the user using which we can do ssh --user . Also the same configuration can be achieved by providing the configuration in the inventory file.
ansible_user=<user_name>
For password you can use vault
I am editing the answer to provide info that we can use other user than the one with which ansible is installed. You can create a new user which has password or passwordless authentication setup.
Hope so this helps.
Cheers,
Yash

SSH to EC2 instance using boto on private IP through bastion server

I am trying to execute some bash script on EC2 instance using boto. Boto provides a way SSH to EC2 instance on public IP but in my case the instances have only private IP. The way SSH is done on these instance is using a host which can SSH on all the instance using private IP (Bastion host).
Following is the script to connect to instance on public IP:
s3_client = boto3.client('s3')
s3_client.download_file('mybucket','key/mykey.pem', '/tmp/mykey.pem')
k = paramiko.RSAKey.from_private_key_file("/tmp/mykey.pem")
c = paramiko.SSHClient()
c.set_missing_host_key_policy(paramiko.AutoAddPolicy())
host=event
print "Connecting to " + host
c.connect( hostname = host, username = "ec2-user", pkey = k )
How to connect to instances if host have private IP instead of public key if we want to connect through bastion host with public IP P.P.P.P
If your requirement is to trigger execution of some code on an Amazon EC2 instance, then it would be better to use the Amazon EC2 Run Command rather than try to automate an SSH connection.
Amazon EC2 Run Command provides a simple way of automating common administrative tasks like executing Shell scripts and commands on Linux, running PowerShell commands on Windows, installing software or patches, and more. Amazon EC2 Run Command allows you to execute these commands across multiple instances and provides visibility into the results, making it easy to manage configuration change across fleets of instances.
Your instances would need the Amazon EC2 Systems Manager (SSM) agent installed. See: Installing SSM Agent
You would then run commands on Amazon EC2 instances from the management console, AWS Command-Line Interface (CLI) or via an API call.
The send command does not accept tags as input. However, you could first perform a list-instances command to search for instances by tag, then pass the instance-ids to the send command. See: AWS CLI send-command

Ansible - ELB - EC2

I am new to ansible - I am using ansible to add the instances created by ELB ( my AWS will create instances for ELB) to ansible hosts file and access the instances from ansible server. From a linux machine, i use jumpbox and .pem key to access the ec2instance. How will I do in ansible ?
You should be able to pass in the flag --private-key=. You will probably also want to use -u ec2user to instruct Ansible to login as the correct user.

Resources