Session Manager: Connecting and copying files from a local Windows system to an AWS instance (even if MFA is enabled).

Deepak Sharma
7 min read · Jan 6, 2022


To connect your system to an AWS Linux instance, you first need some knowledge of Session Manager and a basic understanding of the AWS Identity and Access Management (IAM) service. The definition of both services is given in AWS’s documentation, which is much more accurate than the definitions on many tutorial websites. So let’s look at these two things one by one.

What is Session Manager?

According to AWS documentation: Session Manager is a fully managed AWS Systems Manager that allows you to manage your Amazon Elastic Compute Cloud (Amazon EC2) instances, on-premises instances, and virtual machines (VMs) through an interactive one-click browser-based shell or through the AWS Command Line Interface (AWS CLI). Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.

What is IAM?

According to AWS documentation: AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

So if an admin user in your organization has created a custom AWS Identity and Access Management (IAM) instance profile that grants permissions only for Session Manager actions on your instances, then Session Manager is the only way you can connect to and work on those instances.

To open a session on an AWS instance through Session Manager, from the AWS console or from the AWS CLI, follow the steps below:

Go to the AWS console and log in with your credentials. To work on an instance, click its instance ID, then click the Connect button on the instance summary page; this takes you to the “Connect to instance” page, where you can choose the Session Manager option and click Connect to open a shell session on the instance.

But if you want to upload files from your local system to this instance, you have to set up your local system by installing some AWS software packages, in line with the connection permissions your AWS admin has assigned to you. So let’s look at a practical example of connecting a local Windows system to an AWS instance through Session Manager.

Setup Windows system:

1. Download and install Git on local system:

You can download Git using the URL below.

After downloading Git on local system, you can install it using general installation steps.

Once Git is installed, you can launch Git Bash by right-clicking on the desktop and choosing “Git Bash Here”; doing the same inside any specific folder opens Git Bash in that directory.

2. Download and install AWS-CLI on local system:

Next, install AWS-CLI on your local system. Paste the link below into your web browser to download the AWS-CLI installer.

https://awscli.amazonaws.com/AWSCLIV2.msi

Then install AWS-CLI on your local system using the general installation steps. After installation, you can test it by running the command below in Git Bash.

$ aws --version

The output of this command varies with the Python and AWS CLI versions installed on your local system.

3. Download and install Session Manager on local system:

Now you need to install the Session Manager plugin for the AWS CLI. Follow the instructions on the AWS documentation page for installing the Session Manager plugin on Windows. Use the link below to go to the AWS installation guide.

Using the link above, go to the Session Manager plugin installation page and copy the installer URL. The URL will look similar to the one shown in the image below.

After downloading the Session Manager plugin, you can install it using the general installation steps.

To verify the plugin installation, run the command below in Git Bash.

session-manager-plugin

4. Starting a session through session manager:

To start a session through Session Manager, you need to configure your SSH config file according to the configuration steps in the AWS documentation. Use the link below to go to the “Enabling and controlling permissions for SSH connections through Session Manager” guide.

You just need to add below configurations in your local system’s SSH config file.

First change directory to .ssh using below command:

$ cd ~/.ssh

Then create a configuration file named “config” if it is not there by default. Use “vi” to open the config file (it is created automatically if it does not exist).

$ vi ~/.ssh/config

And then add below configurations in that config file.

# SSH over Session Manager
host i-* mi-*
    ProxyCommand /c/windows/system32/windowspowershell/v1.0/powershell.exe "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p"

Note that the option names use two plain hyphens (--target, --document-name, --parameters) and the quotes are straight ASCII quotes; when copied from a rendered web page they are easily turned into a long dash and typographic quotes, which PowerShell then passes to the AWS CLI as unknown arguments.

To save and exit the config file, press ESC, then type :wq and press Enter.

5. Generate SSH keys on local system:

To generate SSH keys on your local system use below command:

$ ssh-keygen

Press Enter to store the public and private keys in the default .ssh directory. The public key is stored in the id_rsa.pub file.

Now use the cat command to print the public key, then select and copy it.

Then go to the AWS console and open a session on the instance through Session Manager as explained above. Now switch to the instance’s user and go to that user’s .ssh folder with the commands below.

$ sudo su username

Username will be something like centos or ubuntu, or any other user with a different name.

$ cd ~/.ssh/

(cd is a shell built-in, so it cannot be run through sudo; after su you are already the target user, so plain cd is enough.)

Now edit the authorized_keys file, or create it in the .ssh folder if it is not present. Use the command below to create and edit authorized_keys.

$ vi authorized_keys

Now paste the public key into this file, then save and exit by pressing ESC, typing :wq and pressing Enter.

6. Configure AWS environment credentials:

Use the command below to set environment credentials at runtime.

$ aws configure

Provide your access key and secret key here to set up the credentials for the particular environment you want to connect to.

If the aws configure command does not update these values in the AWS configuration files by default, set them in the two files below.

Open the AWS config file and update these values:

$ vi ~/.aws/config

[default]
region = <region in which your instance is running>
aws_access_key_id = <your account's access key id>
aws_secret_access_key = <your account's secret access key>

Update the same values in the AWS credentials file. The key names must be lower case as shown; the upper-case environment-variable names (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) are not recognised inside these files and would be silently ignored.

$ vi ~/.aws/credentials

[default]
aws_access_key_id = <your account's access key id>
aws_secret_access_key = <your account's secret access key>

Now you can use the scp command below to copy files from your local system to the AWS instance through the Session Manager plugin:

$ scp -r <local_file_or_directory> <instance_username>@<instance_id>:<remote_directory>

For example: $ scp -r filename centos@i-12345asdf6789jkl:/home/centos
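As an added example (not code from the original post or from AWS), the following Git Bash script wraps the scp step above in a few preflight checks before the transfer is attempted. It refuses targets that do not have the i-*/mi-* shape the “host i-* mi-*” block in the SSH config matches (a mistyped hostname would not go through the ProxyCommand and scp would try a direct port-22 connection, which a Session Manager setup deliberately leaves closed), confirms that the ProxyCommand block is actually present in the SSH config, and confirms that aws and session-manager-plugin are on PATH so the proxy can start. The function names, the optional SSH_CONFIG override and the sample config used in the checks are my assumptions.

```shell
#!/bin/sh
# Preflight checks before copying files over Session Manager (added example, not the post's code).
# Assumed names: is_ssm_target, ssh_config_has_ssm_proxy, tools_present, ssm_scp; SSH_CONFIG is an
# optional override of the SSH config path, defaulting to ~/.ssh/config as edited in step 4.

# is_ssm_target <host>: true only for the i-*/mi-* ids that the "host i-* mi-*" block proxies.
# Anything else (a DNS name, an IP address, a bare "i-") would not match the block, so scp would
# attempt a direct port-22 connection instead of going through aws ssm start-session.
is_ssm_target() {
    case "$1" in
        i-?*|mi-?*) return 0 ;;
        *)          return 1 ;;
    esac
}

# ssh_config_has_ssm_proxy <file>: true if <file> contains the Session Manager host block, i.e. a
# "host i-* mi-*" line and a ProxyCommand that runs the AWS-StartSSHSession document.
ssh_config_has_ssm_proxy() {
    [ -r "$1" ] || return 1
    grep -qiE '^[[:space:]]*host[[:space:]]+i-\*[[:space:]]+mi-\*' "$1" &&
        grep -qE 'ProxyCommand.*aws ssm start-session.*AWS-StartSSHSession' "$1"
}

# tools_present: the AWS CLI and the Session Manager plugin must both be on PATH; otherwise the
# ProxyCommand fails only after ssh has started and the resulting error is hard to read.
tools_present() {
    command -v aws >/dev/null 2>&1 && command -v session-manager-plugin >/dev/null 2>&1
}

# ssm_scp <local-path> <user> <instance-id> <remote-dir>: run the checks, then the scp from the post.
ssm_scp() {
    src=$1; user=$2; target=$3; dest=$4
    if ! is_ssm_target "$target"; then
        echo "ssm_scp: '$target' is not an i-*/mi-* id; the Session Manager ProxyCommand would not apply" >&2
        return 2
    fi
    if ! ssh_config_has_ssm_proxy "${SSH_CONFIG:-$HOME/.ssh/config}"; then
        echo "ssm_scp: no 'host i-* mi-*' Session Manager block found in the SSH config" >&2
        return 3
    fi
    if ! tools_present; then
        echo "ssm_scp: aws or session-manager-plugin is missing from PATH" >&2
        return 4
    fi
    scp -r "$src" "$user@$target:$dest"
}

# Usage on a configured machine (live, opens the session through the plugin):
#   ssm_scp ./build centos i-12345asdf6789jkl /home/centos
```

Source the file in Git Bash and call ssm_scp in place of the raw scp; each refusal has its own exit code so the reason is visible in scripts that wrap it.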

If MFA is enabled for your IAM user, this scp command will not work and will return an error. Protecting your account and its resources with a multi-factor authentication (MFA) device is good practice, but if your AWS admin has enforced it and you plan to interact with your resources through the AWS CLI, you must first create a temporary session.

7. Creating a temporary session for MFA:

For more details of AWS’s MFA, you can refer below link of AWS documentation:

https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/

If you’re using an MFA hardware device, the ARN value is similar to GAHT12345678. If you’re using a virtual MFA device, the value is similar to arn:aws:iam::123456789012:mfa/user.

Run the sts get-session-token AWS CLI command, replacing the placeholders with information from your account, resources and MFA device:

$ aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token

arn-of-the-mfa-device: you can get the ARN value from the MFA section under “My Security Credentials” in the AWS console.

code-from-token: open your authenticator device or app and copy the current code.

You will receive output similar to the one below, containing temporary credentials; their expiration time is 12 hours by default.

You can use the temporary credentials by exporting their values as environment variables. In Git Bash, use:

$ export AWS_ACCESS_KEY_ID=example-access-key-as-in-previous-output
$ export AWS_SECRET_ACCESS_KEY=example-secret-access-key-as-in-previous-output
$ export AWS_SESSION_TOKEN=example-session-token-as-in-previous-output

(In a Windows Command Prompt the equivalent commands are set AWS_ACCESS_KEY_ID=..., set AWS_SECRET_ACCESS_KEY=... and set AWS_SESSION_TOKEN=...; note that set inside Git Bash does not set environment variables.)

You can also store these values with the AWS configure command:

$ aws configure

Provide the temporary access key and secret key at its prompts. aws configure does not prompt for the session token, so add it separately with:

$ aws configure set aws_session_token example-session-token-as-in-previous-output

When you now retry the scp command, it will work.
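The get-session-token output and the export step above are easy to get wrong by hand (a token is several hundred characters, and a stale session token left in the environment makes the next get-session-token call itself fail, because that call must be made with long-term keys). As an added example, not code from the post or from AWS, the Git Bash functions below parse the command’s JSON output and print the three export lines, so the whole step becomes one eval. The function names and the SAMPLE_STS_JSON sample with placeholder values are my assumptions.

```shell
#!/bin/sh
# Turn "aws sts get-session-token" output into export statements for Git Bash
# (added example, not the post's or AWS's code). Assumed names: json_field, sts_to_exports,
# mfa_session; SAMPLE_STS_JSON is a constructed sample with placeholder values.

# json_field <Name>: read JSON on stdin and print the string value of "Name" (first match).
# The get-session-token output is flat enough for a line-oriented sed, and the key, secret
# and token values never contain a double quote, so the pattern can stay simple.
json_field() {
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# sts_to_exports: read the JSON on stdin and print the three export lines from the post,
# preceded by a comment with the expiry, for: eval "$(... | sts_to_exports)".
# Fails (exit 1, nothing printed) if any of the three credential fields is missing.
sts_to_exports() {
    json=$(cat)
    ak=$(printf '%s\n' "$json" | json_field AccessKeyId)
    sk=$(printf '%s\n' "$json" | json_field SecretAccessKey)
    st=$(printf '%s\n' "$json" | json_field SessionToken)
    exp=$(printf '%s\n' "$json" | json_field Expiration)
    if [ -z "$ak" ] || [ -z "$sk" ] || [ -z "$st" ]; then
        echo "sts_to_exports: no temporary credentials found in input" >&2
        return 1
    fi
    printf '# temporary credentials expire at %s\n' "${exp:-unknown}"
    printf 'export AWS_ACCESS_KEY_ID=%s\n' "$ak"
    printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$sk"
    printf 'export AWS_SESSION_TOKEN=%s\n' "$st"
}

# mfa_session <mfa-serial-or-arn> <code> [duration-seconds]: the live call. GetSessionToken
# must be made with the long-term keys from ~/.aws/credentials, so temporary credentials left
# in the environment by an earlier session are unset in a subshell before the call.
mfa_session() {
    (
        unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
        aws sts get-session-token --serial-number "$1" --token-code "$2" \
            --duration-seconds "${3:-43200}"
    ) | sts_to_exports
}
# Live usage: eval "$(mfa_session arn:aws:iam::123456789012:mfa/user 123456)"

# Constructed sample of the command's output (placeholder values) for the offline demo below.
SAMPLE_STS_JSON='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEY000000",
        "SecretAccessKey": "exampleSecret/Key+Value0000000000000000",
        "SessionToken": "exampleSessionToken/abc+def==",
        "Expiration": "2022-01-06T22:00:00+00:00"
    }
}'
printf '%s\n' "$SAMPLE_STS_JSON" | sts_to_exports
```

The default duration of 43200 seconds matches the 12-hour default mentioned above; the expiry comment printed first makes it obvious, when the exports are pasted into a shell, which session they belong to and when the scp will start failing again.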

