Connecting with AWS Systems Manager Session Manager
- Updated on 06 Jan 2023
This is a machine-translated version of the original Japanese article.
Please understand that some of the information contained on this page may be inaccurate.
Summary
By creating an SSH tunnel between trocco and a customer-provided server via AWS Systems Manager Session Manager, you can connect to data sources through a bastion server located in a private subnet.
Compared to a regular SSH tunnel, this lets you use trocco more securely, because the bastion server no longer needs to be placed in a public subnet.
The following is a schematic diagram of a connection using AWS Systems Manager Session Manager (hereafter referred to simply as Session Manager).
To configure the settings, create Session Manager connection information, and then select the Session Manager connection information you want to use from the connection information settings of the data source.
As of August 2022, only MySQL and PostgreSQL are supported. Other data sources will be supported sequentially.
For more information about Session Manager, see the following AWS documentation:
AWS Systems Manager Session Manager - AWS Systems Manager
Prerequisites
You will need to do the following in your AWS account.
These are the minimum settings required to use Session Manager with trocco.
Adjust them according to your organization's policy.
Creating a Bastion Server
- SSM Agent must be installed on the instance
See the AWS documentation for installation instructions.
Using SSM Agent - AWS Systems Manager
Configuring an IAM Instance Profile to Allow Session Manager Connections to Bastion Servers
- Attach the AWS managed policy AmazonSSMManagedInstanceCore to your instance.
- Alternatively, refer to the AWS documentation.
Using Session Manager Permissions to Review or Create an IAM Instance Profile - AWS Systems Manager
Configuring IAM Policies to Allow Session Manager Connections to Bastion Servers
- Create an IAM policy by referring to "End User Policy > Session Manager and CLI" on the following page, and attach it to the IAM user that trocco uses.
Default IAM Policy in the Quick Start Session Manager - AWS Systems Manager
How to set it up
Click SSM Session Manager Connection Information from Settings in the header.
You will be redirected to the list page of the created Session Manager connection information.
To create a new connection information, press New.
If you want to check or edit the existing connection information, click the connection information.
You will be redirected to the Create Connection Information page of Session Manager.
Enter the required fields to create the connection information.
On the Create or edit MySQL connection information page where you want to use Session Manager, check Connect via AWS Systems Manager Session Manager.
Next, select the Session Manager connection information you want to use for connection.
If you don't see the choices, click Load SSM connection information.
Session Manager cannot be used together with a regular SSH tunnel connection on the same connection information.
Input fields
This section describes the input items required to create Session Manager connection information.
Item name | Required | Default value | Content |
---|---|---|---|
Name | Yes | - | Enter the name of the connection information to be used inside TROCCO. |
Memo | No | - | Enter a memo for the connection information used inside TROCCO. |
AWS Access Key ID | Yes | - | Enter your AWS access key ID to use Session Manager. |
AWS secret access key | Yes | - | Enter your AWS secret access key to use Session Manager. |
AWS Region | Yes | ap-northeast-1 | Enter the region where you want to use Session Manager. |
EC2 Instance ID | Yes | - | Enter the instance ID of the EC2 instance that will act as the bastion when using Session Manager. The instance ID is a string that begins with i- or mi-. |
SSH port | Yes | 22 | Enter the port used to SSH into the bastion EC2 instance when using Session Manager. |
SSH User | Yes | ec2-user | Enter the user name used to SSH into the bastion EC2 instance when using Session Manager. |
SSH private key | Yes | - | Enter the private key file used to connect to the bastion EC2 instance when using Session Manager. In general, this is the private key of the key pair that you selected or created when you created the EC2 instance. |
SSH private key passphrase | No | - | Enter the passphrase for the SSH private key, if you have one. |
Supplementary notes
The SSH tunnel through Session Manager is established before the transfer and closed after the transfer completes.
The session remains in Session Manager, but by default it is closed after 20 minutes of inactivity.
- To change the time until an idle session is closed, refer to the following document:
Specify the timeout value for idle sessions - AWS Systems Manager
- You can also set the maximum connection time for the Session Manager session itself.
- It is recommended to configure this so that a session does not remain open for any reason.
- For more information, see Specifying the Maximum Session Time - AWS Systems Manager.
Since the transfer execution environment is isolated, there is no Session Manager session or SSH tunnel shared between customers.
If the connection fails, try connecting from your own environment.
- Install the AWS CLI and the Session Manager plugin in your environment.
  - Installing, updating, and uninstalling the AWS CLI version 2 - AWS Command Line Interface
  - Install the Session Manager plugin for the AWS CLI - AWS Systems Manager
- Create a profile for the connection you want to verify.
  - Configuration and credential file settings - AWS Command Line Interface
- Try running the following command:
  - aws ssm start-session --target <bastion instance ID> --profile <your profile> --document-name AWS-StartSSHSession
  - If a message starting with "Starting session with SessionId" is displayed, you are connected.
  - If you cannot connect from your environment, check the error message in the output and review the settings on the AWS side.
  - If you can connect from your environment, check that the values entered in trocco are correct.
If the connection from trocco still fails, contact support.
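The following shell script is an added example and is not code from trocco or AWS. It serves two passages on this page: the prerequisite of attaching a Session Manager IAM policy to the IAM user that trocco uses (it emits a least-privilege policy scoped to a single bastion instance and the AWS-StartSSHSession document, patterned on the AWS quick-start end-user policy the page links to), and the "try connecting from your own environment" check above (it runs the page's `aws ssm start-session` command and looks for the "Starting session with SessionId" line). The account ID, region and instance ID are placeholders, the helper names are my own, and the policy assumes trocco authenticates as an IAM user (as the access-key fields in the input table imply), so `${aws:username}` resolves to that user; confirm the document ARN form against the quick-start page before attaching the policy.

```shell
#!/bin/sh
# Added example, not code from trocco or AWS. Helpers:
#   trocco_ssm_policy_json          - least-privilege IAM policy for the IAM user
#                                     whose access key trocco uses
#   session_started / ssm_check_connect - the verification check from the
#                                     supplementary notes
# Account ID, region and instance ID given as arguments are placeholders.

# Emit an IAM policy that allows ssm:StartSession only against one bastion
# instance and only with the AWS-StartSSHSession document, and lets the user
# terminate/resume only sessions it started itself (session names are
# prefixed with the IAM user name, so ${aws:username} scopes them).
# Arguments: <account-id> <region> <bastion-instance-id>
trocco_ssm_policy_json() {
  account="$1"; region="$2"; instance="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSshSessionOnBastionOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ec2:${region}:${account}:instance/${instance}",
        "arn:aws:ssm:${region}::document/AWS-StartSSHSession"
      ]
    },
    {
      "Sid": "ManageOwnSessionsOnly",
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/\${aws:username}-*"
    },
    {
      "Sid": "ReadOnlyLookupsNeededByTheCli",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus",
        "ssm:DescribeInstanceProperties",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Return 0 when the CLI output contains the success line the page describes.
session_started() {
  printf '%s\n' "$1" | grep -q '^Starting session with SessionId'
}

# Run the page's verification command and report the result.
# Arguments: <bastion-instance-id> <aws-profile>
# stdin is closed so the SSH proxy session ends right after it starts
# (assumption about the plugin's behaviour; only the first line is needed).
ssm_check_connect() {
  out=$(aws ssm start-session --target "$1" --profile "$2" \
          --document-name AWS-StartSSHSession </dev/null 2>&1)
  if session_started "$out"; then
    echo "OK: Session Manager reached $1 via profile $2"
    return 0
  fi
  echo "FAILED: review the AWS-side settings. CLI output was:" >&2
  printf '%s\n' "$out" >&2
  return 1
}

# Usage (replace the placeholders with your own values):
#   trocco_ssm_policy_json 111122223333 ap-northeast-1 i-0123456789abcdef0 > policy.json
#   aws iam create-policy --policy-name trocco-ssm-bastion --policy-document file://policy.json
#   ssm_check_connect i-0123456789abcdef0 my-profile
```

The policy deliberately names one instance and one document rather than `*`, so the access key stored in trocco can open an SSH proxy session only to the bastion you registered; if the key leaks, it cannot start shell sessions (the default SSM-SessionManagerRunShell document) or reach other instances. The session ARN pattern keeps the key from terminating sessions opened by other principals.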