I am trying to execute some bash script on EC2 instance using boto. Boto provides a way SSH to EC2 instance on public IP but in my case the instances have only private IP. The way SSH is done on these instance is using a host which can SSH on all the instance using private IP (Bastion host).
Following is the script to connect to instance on public IP:
s3_client = boto3.client('s3')
s3_client.download_file('mybucket','key/mykey.pem', '/tmp/mykey.pem')
k = paramiko.RSAKey.from_private_key_file("/tmp/mykey.pem")
c = paramiko.SSHClient()
c.set_missing_host_key_policy(paramiko.AutoAddPolicy())
host=event
print "Connecting to " + host
c.connect( hostname = host, username = "ec2-user", pkey = k )
How to connect to instances if host have private IP instead of public key if we want to connect through bastion host with public IP P.P.P.P
If your requirement is to trigger execution of some code on an Amazon EC2 instance, then it would be better to use the Amazon EC2 Run Command rather than try to automate an SSH connection.
Amazon EC2 Run Command provides a simple way of automating common administrative tasks like executing Shell scripts and commands on Linux, running PowerShell commands on Windows, installing software or patches, and more. Amazon EC2 Run Command allows you to execute these commands across multiple instances and provides visibility into the results, making it easy to manage configuration change across fleets of instances.
Your instances would need the Amazon EC2 Systems Manager (SSM) agent installed. See: Installing SSM Agent
You would then run commands on Amazon EC2 instances from the management console, AWS Command-Line Interface (CLI) or via an API call.
The send command does not accept tags as input. However, you could first perform a list-instances command to search for instances by tag, then pass the instance-ids to the send command. See: AWS CLI send-command
Related
From reading the Connect to your Windows instance AWS EC2 docs page, my understanding is that it is not possible to SSH to Windows EC2 instances.
The typical procedure to connect to a Windows EC2 instance manually is to download the remote desktop file, get the password for the instance, and then use the Remote Desktop Connection tool to RDP to the instance (more detail is in the docs page above).
If I am correct that Windows EC2 instances do not support connecting via SSH, how can you connect to a Windows EC2 in an Ansible playbook?
I would prefer to be able to do this without installing any software on the Windows EC2 instance beforehand, but if that is necessary, I can do that.
I have found you need to do the following to connect to a Windows EC2 instance using Ansible:
You need to configure the EC2 to allow connections from Ansible using the ConfigureRemotingForAnsible.ps1 script. This can be done either by setting this as the user data when you create the EC2, or by running this script after the EC2 is created.
You need add a security group, or configure a security group already added to the EC2 to allow the following incoming requests to the EC2 from the host(s) that the Ansible playbook will be running on:
WinRM
TCP requests to whatever you configure as the Ansible port
You need to install pywinrm>=0.3.0 so Ansible can use WinRM to connect to the EC2.
You need to run the Ansible playbook with ansible_connection variable set to winrm, and the ansible_winrm_scheme variable set to http. This can be done with --extra-args or any other way that variables are set.
You need to provide the public IP address of the Windows EC2 host, either under hosts in the playbook, or in a host file passed to ansible-playbook with -i.
You need to get or set the EC2's Administrator password, and then provide this password with the ansible_password variable for the EC2.
I've followed the AWS DocumentDB docs for connecting outside VPC:
I created an EC2 instance in the same security group and VPC as the DocDB cluster
In the security group I opened 22 port access for my IP, and also opened port 27017 for communication inside the security so EC2 instance can SSH tunnel to the DocDB
I ran ssh -f -i "ssh-tunneling-access.pem" -L 27017:{doc-db-cluster}:27017 {ec2-instance-user}#{ec2-instance-dns} -N to open the SSH tunnel
In another terminal I tried to connect using Mongo shell with mongosh "mongodb://{credentials}!#localhost:27017/?tls=true&tlsAllowInvalidHostnames=true&tlsCAFile=rds-combined-ca-bundle.pem"
I got an error "MongoServerSelectionError: read ECONNRESET"
I'm running on Windows 11, and my terminal is Powershell Core.
Any ideas what did I miss and/or how to troubleshoot it?
First of all, make sure you can connect to DocumentDB from the EC2 instance. The security group attached to the DocumentDB cluster has to allow port 27017 with source the EC2 instance (or the security group of the EC2).
Second, is not clear from where you're initiating the tunnel. Did you execute step 3. on the Windows 11 machine? Have you installed OpenSSH on Windows?
How about using a GUI client, like Robo 3t, which has SSH tunneling support? Instructions on how to connect can be found here.
I have both application and network load balancer. EC2 instance and the Neptune are in the same VPC group. I am able to access the EC2 instance by using ssh username# and can access the Gremlin server there and execute queries but how can I make a tunnel out of it so that I can use it from the local environment? Let me know if you need more detail.
It's not 100% clear if you are connecting directly to EC2 or whether there is a NLB or an ALB in between. If you are connecting from a local machine via SSH directly to EC2 to build a tunnel to Neptune, a command such as this will work.
ssh -i mycreds.pem ec2-user#ec2-xx-xx-xx-xx.compute-1.amazonaws.com -N -L 8182:my-neptune-cluster.us-east-1.neptune.amazonaws.com:818
In order to get the SSL credentials to resolve you will likely need to add a line to your hosts file along the lines of:
127.0.0.1 localhost my-neptune-cluster.us-east-1.neptune.amazonaws.com
I have a scenario as following,
I have one EC2 instance in private subnet and one EC2 instance in public subnet.
How can I connect to private subnet EC2 instance through public subnet EC2 instance which is also called Bastion host (Jump box) from my Windows OS client machine.??
You need to connect to the Bastion host, and use that connection to open a tunnel from your machine to the target machine in the private subnet. That allows you open a second connection to the target machine, using the tunnel.
Here is a guide on how to do this using Putty: AWS Setup Bastion Host SSH Tunnel (they are also opening a second tunnel to a Windows server, you can ignore that part).
The easiest way is in the bastion(public instance), make the copy of the .pem file that you assigned to the private instance when you launched it.
example.pem
Then, you need to make it only readable by you(otherwise you cannot make a connection).
chmod 400 example.pem
Finally, run this command below to connect to the private instance from the bastion. (Use the private ip of the private instance after # in the command below)
ssh -i "example.pem" ubuntu#10.0.2.254
That's it!!
Supplementally saying, the name of .pem file doesn't need to be the same as the one you assigned to the private instance. But the content which is RSA PRIVATE KEY must be the same as the one you assigned to the private instance.
I have a jenkins box, I have ssh in to it and from there I want to access one of the Ec2 instance in AWS, I tried ssh -i "mykeyname.pem" ec2-user#DNSname but It throws me an error "Permission denied (publickey,gssapi-keyex,gssapi-with-mic)".
I have the PEM file of the EC2 instance I want to connect. But is there any way I can ssh in to the instance..?
There are two possible reasons.
Default user name is not "ec2-user"
Please check your using image "jenkins box".
If it doesn't use "ec2-user", change user name for ssh commands
Your key-pair is incorrect
Once you created EC2 instance with correct key-pair, you could access EC2 instance with such commands
Please check your using key-pair name
FYI
Connecting to Your Linux Instance Using SSH