/amz-ssh

a tool that replaces aws/aws-ec2-instance-connect-cli. No python and support for ssh tunnels

Primary LanguageGoGNU General Public License v3.0GPL-3.0

amz-ssh

a tool that replaces aws/aws-ec2-instance-connect-cli.

Advantages

  • Keys generated in memory and never stored to disk
  • Native golang, no ssh exec
  • Detects instance details based on tags, via spot requests
  • supports tunneling

Getting Started

In aws launch a bastion server compatible with EC2 Instance Connect either via spot request or standard on demand. by default amz-ssh looks for requests / instances tagged with role:bastion. The instance must be accessible to your network, usually this mean has a public ip.

see EC2 Instance Connect docs for more information

see this simple Terraform bastion example

How to use

amz-ssh is designed to be run in an already authenticated environment eg via aws-vault or with default credentials, it does not, and will never, support assuming roles internally.

Connect to a bastion / jump host launched by a spot request with a tag role:bastion

amz-ssh

Connect to a specific instance (ignoring tags etc)

amz-ssh -i i-0eaa4d1c7f350216e

Connect to a bastion with the tag job:bastion-special

amz-ssh --tag job:bastion-special

Tunnel through the default bastion

amz-ssh -t somedatabase.example.com:5432

Tunnel to a host through a specific instance

amz-ssh -i i-0eaa4d1c7f350216e -t somedatabase.example.com:5432

SSH to another host via the bastion

amz-ssh -d i-0eaa4d1c7f350216e

You can add as many -d flags as you want to continue chaining connections

amz-ssh -d i-0eaa4d1c7f350216e -d i-0eaa4d1c7f67546e

Specify the username and port

amz-ssh -d ubuntu@i-0eaa4d1c7f350216e:2222

Manual

NAME:
   amz-ssh - connect to an ec2 instance via ec2 connect

USAGE:
   main [global options] command [command options] [arguments...]

VERSION:
   0.0.0

COMMANDS:
   update   Update the cli
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --region value, -r value         [$AWS_REGION]
   --tag value                     (default: "role:bastion")
   --instance-id value, -i value   instance id to ssh to or tunnel through
   --user value, -u value          OS user of bastion (default: "ec2-user")
   --tunnel value, -t value        Host to tunnel to
   --destination value, -d value   destination to ssh to via the bastion. This flag can be provided multiple times to allow for multple hops
   --port value, -p value          (default: 22)
   --local-port value, --lp value  local port to map to, defaults to tunnel port (default: 0)
   --debug                         (default: Print debug information)
   --help, -h                      show help (default: false)
   --version, -v                   print the version (default: false)