Access EC2 without SSH key

Access EC2 without SSH key

ยท

3 min read

AWS EC2 Linux instances can be accessed directly via SSH if you have the associated SSH key pair. Users can choose an existing SSH key or generate a new one while launching an EC2 instance. However, maintaining the SSH keys and sharing them across teams or accessing instances if you lose the keys can be troublesome.

In this article, we will learn an alternative method to access your server, using AWS EC2 Instance Connect. We will use the IAM role assumption concept to achieve this.

Prerequisites

This article assumes that you have an existing EC2 Linux instance, AWS CLI, and access to make IAM roles in AWS.

Creating IAM role

Let's get started by creating an IAM role and providing the necessary permissions to access the EC2 instance.

First, go to IAM, click Create role, and choose AWS account as the trusted entity if you want to log in from your local CLI.

๐Ÿ’ก
If you want to access your server from GitHub Actions or GitLab CI, set up OpenID connect with GitHub or GitLab as the provider and enter a custom trust policy instead.

Next, choose the EC2InstanceConnect policy or create a policy to limit access to only the instance you want to connect using the following statements:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2-instance-connect:SendSSHPublicKey",
            "Resource": [
                "arn:aws:ec2:{region}:{accountNumber}:instance/{instanceID}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*"
        }
    ]
}

Replace {region}, {accountNumber}, and {instanceId} with appropriate values from your AWS account.

Enter the role name and complete the creation of the IAM role. Copy the role ARN so that we can use it to access the instance from your local CLI.

Accessing EC2 with IAM Role and EC2 Instance Connect

Great, now that you've successfully set up the IAM role, follow the steps to connect to your EC2 instance.

Assuming the new IAM role

First, make sure you completely configure AWS CLI on your target machine and validate your access to the AWS account that you specified while creating the IAM role.

Then, to assume the new IAM role and set the credentials for your new session, simply run the following script after replacing the ROLE_ARN with the one you created above.

aws sts assume-role --role-arn {ROLE_ARN} --role-session-name instance-session> output.json
AccessKey=$(cat output.json | jq -r '.Credentials''.AccessKeyId')
SecretKey=$(cat output.json | jq -r '.Credentials''.SecretAccessKey')
SessionToken=$(cat output.json | jq -r '.Credentials''.SessionToken')
export AWS_ACCESS_KEY_ID=$AccessKey
export AWS_SECRET_ACCESS_KEY=$SecretKey
export AWS_SESSION_TOKEN=$SessionToken

Using the EC2 Instance Connect command

Awesome, now that you've successfully assumed the IAM role, run the following command after replacing instanceId with the ID of the EC2 instance that you want to access.

aws ec2-instance-connect ssh --instance-id {instanceId}

That's it! You will be able to access your EC2 instance now without directly using the SSH key.

Conclusion

This article guides you on setting up the IAM role and permissions to access EC2 instances without using the SSH key directly. We have used the IAM role assumption concept and EC2 Instance Connect command to achieve this.

Follow me for more Cloud and DevOps content.

See you in cloud!

Vishnu S.

Did you find this article valuable?

Support Learn More Cloud by becoming a sponsor. Any amount is appreciated!

ย