VSCode Remote-SSH with AWS Session Manager and AWS SSO (CLI): Permission denied (public key)


I'm trying to access a private EC2 instance from a local Visual Studio Code IDE with Session Manager and AWS SSO (CLI). I have the following in ~/.ssh/config:

Host i-0dXXXXXXXXXX
    User ubuntu
    ProxyCommand C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "aws sso login --profile ExProfile; aws ssm start-session --target %h --profile ExProfile --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

So when I try to connect to the EC2 instance via VSCode Remote-SSH, it begins the login process (via browser) for my AWS SSO account as expected; however, after I allow the request, it throws an error: ubuntu@i-0dXXXXXXXXXX: Permission denied (publickey).

[23:52:21.763] > OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2

[23:52:21.769] Running script with connection command: "C:\WINDOWS\System32\OpenSSH\ssh.exe" -T -D 63367 "i-0dXXXXXXXXXX" bash
[23:52:21.777] Terminal shell path: C:\WINDOWS\System32\cmd.exe
[23:52:22.068] > ]0;C:\WINDOWS\System32\cmd.exe
[23:52:22.069] Got some output, clearing connection timeout
[23:52:32.400] > The authenticity of host 'i-0dXXXXXXXXXX (<no hostip for proxy command>)' c
> an't be established.
> ECDSA key fingerprint is SHA256:gGuNpmbuoZFSyDD2utyHzp7IVV//OkM64AV+jBpBccU.    
> Are you sure you want to continue connecting (yes/no/[fingerprint])?
[23:52:32.401] Detected fingerprint confirmation message
[23:52:32.401] Showing fingerprint confirmation dialog
[23:52:50.005] Got fingerprint response: yes
[23:52:50.006] "install" wrote data to terminal: "yes"
[23:52:50.029] > y
[23:52:50.045] > Are you sure you want to continue connecting (yes/no/[fingerprint])? yes        
> Warning: Permanently added 'i-0dXXXXXXXXXX' (ECDSA) to the list of known ho
> sts.
[23:52:50.216] > ubuntu@i-0dXXXXXXXXXX: Permission denied (publickey).
[23:52:50.310] > The process tried to write to a nonexistent pipe.
[23:52:51.613] "install" terminal command done
[23:52:51.614] Install terminal quit with output: ubuntu@i-0dXXXXXXXXXX: Permission denied (publickey).
[23:52:51.614] Received install output: ubuntu@i-0dXXXXXXXXXX: Permission denied (publickey).
[23:52:51.617] Resolver error: Error: Permission denied (publickey).

My understanding was that I wouldn't have to worry about SSH key pairs with AWS Session Manager, so why am I still getting this publickey error? Am I doing something wrong here? Any ideas on how to resolve this?

TIA.


Jimson James

You still need a key to connect. Let me explain with a sample ssh config:

Host ip-xxx-109-xxx-11.vpc.internal
     User ssm-user
     IdentityFile "C:\Users\localuser\.ssh\ssm-user-i-xxxxx54fd41xxxxxx"
     ProxyCommand C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "aws ssm start-session --target i-xxxxx54fd41xxxxxx --profile remote-debug-profile --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

What's happening here is:

VSCode treats --target i-xxxxx54fd41xxxxxx as a proxy ssh server (read, a tunnel server) to connect to the Host ip-xxx-109-xxx-11.vpc.internal as User ssm-user.

So it first establishes a connection to the host instance through the ProxyCommand. It then tries to ssh into the Host using the User provided. But guess what, it needs a key to do so. That's where it uses the IdentityFile.

To make things easy, I did ssh-keygen on the remote EC2 instance, did cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys and then copied the ~/.ssh/id_rsa (private key) to the local machine as C:\Users\localuser\.ssh\ssm-user-i-xxxxx54fd41xxxxxx to use in the ssh key exchange. You can use a different key pair if you want to.

The key point to note is that I baked the --target i-xxxxx54fd41xxxxxx into the proxy command, and made the host name Host ip-xxx-109-xxx-11.vpc.internal.

This is because we cannot use --target %h: Session Manager would then try to log in to ip-xxx-109-xxx-11.vpc.internal instead of using the instance id, which we don't want!

Make sure the host name is correct (like ip-xxx-109-xxx-11.vpc.internal), so when VS Code issues the ssh tunnel it will try with user@host (like ssm-user@ip-xxx-109-xxx-11.vpc.internal).

I know it's late, but I hope it helps someone else understand the process and adjust it to their needs.
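An added example (not from the question or the answer above) of the same ProxyCommand approach as a reusable PowerShell script: it reuses the cached SSO session and only opens the browser login when the credentials no longer work, keeps its own messages off stdout (which carries the SSH byte stream), and receives the instance id through %h so nothing is baked into the command. The script name ssm-proxy.ps1, the key file name and the profile name ExProfile are assumptions.

```powershell
<#
  ssm-proxy.ps1 (assumed name): ProxyCommand helper for Remote-SSH over Session Manager.
  Matching ~/.ssh/config stanza; the Host alias must be the instance id so %h becomes --target:

    Host i-0dXXXXXXXXXX
        User ubuntu
        IdentityFile C:\Users\localuser\.ssh\ec2-ubuntu   # private half of a key generated locally
        ProxyCommand C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\localuser\.ssh\ssm-proxy.ps1 %h %p ExProfile
#>
param(
    [Parameter(Mandatory = $true)][string]$Target,   # instance id, filled in from %h
    [int]$Port = 22,                                 # filled in from %p
    [string]$ProfileName = 'ExProfile'               # AWS SSO profile name (assumed)
)

# Anything we print ourselves must go to stderr: stdout is the SSH stream ssh reads.
function Write-Note([string]$Message) { [Console]::Error.WriteLine("ssm-proxy: $Message") }

# Probe the cached SSO credentials instead of forcing a browser login on every connection.
& aws sts get-caller-identity --profile $ProfileName *> $null
if ($LASTEXITCODE -ne 0) {
    Write-Note "SSO session for profile '$ProfileName' is missing or expired; starting login"
    # Route the login's device-code URL and status lines to stderr, away from the SSH stream.
    & aws sso login --profile $ProfileName 2>&1 | ForEach-Object { Write-Note $_ }
    if ($LASTEXITCODE -ne 0) { Write-Note 'aws sso login failed'; exit 1 }
}

# Hand the console over to the SSM tunnel; ssh speaks SSH through its stdin/stdout.
& aws ssm start-session --target $Target --profile $ProfileName `
    --document-name AWS-StartSSHSession --parameters "portNumber=$Port"
exit $LASTEXITCODE
```

Generate the key pair on the workstation with ssh-keygen and append only the public half to ~/.ssh/authorized_keys on the instance, so the private key never has to leave the local machine.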