aws / aws-toolkit-vscode

Amazon Q, CodeCatalyst, Local Lambda debug, SAM/CFN syntax, ECS Terminal, AWS resources
https://marketplace.visualstudio.com/items?itemName=AmazonWebServices.amazon-q-vscode
Apache License 2.0

Use ec2instance connect from Visual Studio Code #1011

Open mrpackethead opened 4 years ago

mrpackethead commented 4 years ago

Is your feature request related to a problem? Please describe.

I can't use EC2 Instance Connect to connect VS Code to an EC2 instance. Because of Covid isolation I have moved from using a physical workstation in the office to an AWS WorkSpace (Windows 10 Experience). Windows 10 Experience does not let me install WSL (Windows Subsystem for Linux), so what I have done is set up an EC2 Linux instance (t3.small) that starts and stops alongside my WorkSpace. To make this work with VS Code, like I used to with WSL, I have had to use permanent keys on my WorkSpace. I recently have been able to remove the use of permanent keys in our AWS clouds by using EC2 Instance Connect.

Describe the solution you'd like

A way for VS Code to be able to open a folder/remote session using EC2 Instance Connect.

awschristou commented 4 years ago

Hi @mrpackethead, thanks for taking the time to explain your use case. VS Code's Remote SSH feature is pretty slick, and it is possible to set up VS Code to connect to EC2 instances from Windows.

The EC2 Instance Connect User Guide mentions that Windows users can use Putty (or other ssh clients) to connect to their EC2 instances instead:

If you are connecting to a Linux instance from a local computer running Windows, see the following documentation instead: (Connecting to Your Linux Instance from Windows Using PuTTY)

Here's what I've done in order to connect from Windows 10 to an Amazon Linux EC2 instance:

At this time there is a known issue (https://github.com/microsoft/vscode-remote-release/issues/2512) where Remote SSH attempts to connect with your machine's login instead of the User value specified in the ssh config file. When that is resolved, this should be a smooth process, but until then, as a workaround, I followed these EC2 instructions for creating a new user to create a user on the EC2 instance with the same name as my local machine's login.

Hope this helps

mrpackethead commented 4 years ago

Hi. This unfortunately doesn't solve the problem. This is just using a key file that had been created previously. I'm trying to use EC2 Instance Connect. If you install EC2 Instance Connect you'll find that it will install something called mssh.

When you call mssh, it does the following:

1. It creates a new key pair.
2. It sends the new public key to the Amazon EC2 Instance Connect API. In order for this to work, you have to be permitted to access the API (on a host-by-host basis if you set up your IAM policy that way). In my case, I can only access it once I have used my 2FA authentication.
3. The API places the public key in the metadata which the EC2 instance has (on the 169.254.254.254 address).
4. mssh then tries to open an SSH session to the host using the new private key that was just generated.
5. The host's sshd looks to the metadata to see if it is a valid key, and if it is, the session is allowed.

The keys are only valid for 60 seconds, so they are effectively only good for a single connection. This means you have no long-lived credentials on the host.

So, I'd love to be able to use mssh to connect to my EC2 instances, rather than rely on a key pair that is long-lived.

I need a way to get VS Code to run a small script before it does the ssh, and to be able to pass the key file to it before it runs.

awschristou commented 4 years ago

Ah, I understand now. I've made a request to VS Code to see if extensions like the toolkit could expose a way to run custom scripts before making a connection.

I'm not very familiar with .ssh config, but have you explored the use of the ProxyCommand field as a workaround?

Zemnmez commented 2 years ago

I was able to make this work, using some trickery. mssh is really hard to get working directly, but under the hood it uses aws ec2-instance-connect send-ssh-public-key, which can be snuck in before the ssh starts using ProxyCommand:

~/.ssh/config

Host 35.89.28.82
  HostName 35.89.28.82
  ProxyCommand bash -c "aws ec2-instance-connect send-ssh-public-key --instance-id i-abcdefghijk --region us-east-1 --instance-os-user ubuntu --ssh-public-key file://$HOME/.ssh/id_rsa.pub; nc %h %p"
  User ubuntu
  LogLevel verbose

On WSL, you will need to put this in WSL's ~/.ssh/config, and then trick VSCode into using WSL's ssh by creating a batch file with the contents:

C:\Windows\system32\wsl.exe $SHELL -l -c 'ssh %*'

This is a little more elaborate than you might expect because aws requires a login shell.

The ergonomics of creating the ProxyCommand are not fantastic, and I leave it as an exercise to the reader.
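Putting the two halves of the thread together, the mssh flow mrpackethead describes (fresh key pair, public half pushed through the Instance Connect API, valid for 60 seconds) and Zemnmez's ProxyCommand trick, here is a script that does the whole thing from ~/.ssh/config so that VS Code's Remote SSH needs no changes. This is an added example, not code from the toolkit or from either commenter. It assumes the aws CLI is on PATH and authenticated with permission to call ec2-instance-connect:SendSSHPublicKey, that ssh-keygen and nc are available, and that you save it as eic-proxy.sh (the script path, alias and key path below are placeholders). Unlike the config above, it generates a new ed25519 key for every connection and deletes it when the session ends, so the only long-lived credential is your AWS session. It relies on OpenSSH reading the private key lazily, when it tries public-key authentication, which happens after the proxy has connected and the key file already exists; if you would rather not depend on that, keep a local key and push only its public half, as Zemnmez does.

```bash
#!/usr/bin/env bash
# eic-proxy.sh: ssh ProxyCommand that pushes a single-use key through
# EC2 Instance Connect and then relays the TCP stream to sshd.
# Added example, not toolkit code. Assumes aws, ssh-keygen and nc on PATH.
set -euo pipefail

# The instance id is taken from ssh config and ends up on a command line,
# so accept only a plain i-<8..17 hex chars> id and nothing else.
eic_instance_id_ok() {
  local hex=${1#i-}
  [ "$hex" != "$1" ] || return 1
  [ "${#hex}" -ge 8 ] && [ "${#hex}" -le 17 ] || return 1
  case "$hex" in *[!0-9a-f]*) return 1 ;; esac
  return 0
}

# Print the ~/.ssh/config stanza that wires this script in as ProxyCommand.
# KEY is a fixed path that the proxy regenerates on every connection;
# IdentitiesOnly stops ssh from also offering agent or default keys.
# Usage: eic_config_stanza ALIAS HOST INSTANCE_ID OS_USER REGION KEY SCRIPT
eic_config_stanza() {
  local alias=$1 host=$2 instance_id=$3 os_user=$4 region=$5 key=$6 script=$7
  eic_instance_id_ok "$instance_id" || { echo "bad instance id: $instance_id" >&2; return 1; }
  printf 'Host %s\n  HostName %s\n  User %s\n  IdentityFile %s\n  IdentitiesOnly yes\n  ProxyCommand %s %s %s %s %s %%h %%p\n' \
    "$alias" "$host" "$os_user" "$key" "$script" "$instance_id" "$os_user" "$region" "$key"
}

# ProxyCommand entry point: eic-proxy.sh INSTANCE_ID OS_USER REGION KEY HOST PORT
eic_proxy_main() {
  [ $# -eq 6 ] || { echo "usage: $0 INSTANCE_ID OS_USER REGION KEY HOST PORT" >&2; return 2; }
  local instance_id=$1 os_user=$2 region=$3 key=$4 host=$5 port=$6
  eic_instance_id_ok "$instance_id" || { echo "bad instance id: $instance_id" >&2; return 2; }

  # A fresh key for this connection only; never reuse the previous one.
  umask 077
  rm -f "$key" "$key.pub"
  ssh-keygen -q -t ed25519 -N '' -C "eic-$(date -u +%Y%m%dT%H%M%SZ)" -f "$key"
  # Whatever happens next, the private key does not outlive the session.
  trap 'rm -f "$key" "$key.pub"' EXIT

  # Push the public half; Instance Connect keeps it for 60 seconds, which is
  # long enough for the ssh that spawned us to authenticate over the relay.
  aws ec2-instance-connect send-ssh-public-key \
    --instance-id "$instance_id" --region "$region" \
    --instance-os-user "$os_user" --ssh-public-key "file://$key.pub" >/dev/null

  # Hand the raw TCP stream back to ssh (not exec'd, so the trap still runs).
  nc "$host" "$port"
}

# Run as a proxy only when invoked with arguments; sourcing it just defines
# the functions, e.g. to generate the config stanza:
#   eic_config_stanza ec2-dev 35.89.28.82 i-0123456789abcdef0 ubuntu us-east-1 \
#     ~/.ssh/eic-dev.key ~/.ssh/eic-proxy.sh >> ~/.ssh/config
if [ $# -gt 0 ]; then
  eic_proxy_main "$@"
fi
```

Because the key is pushed per connection, revoking access is a matter of IAM (drop the SendSSHPublicKey permission, or condition it on the instance and os-user) rather than of hunting down authorized_keys entries on the host. On WSL the same batch-file indirection shown above is still needed so that VS Code runs WSL's ssh, which is where this config lives.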

mlutsoucs commented 10 months ago

@Zemnmez RE: The ergonomics of creating the ProxyCommand are not fantastic, and I leave it as an exercise to the reader.

Is it so hard to just help somebody without f##ng nerd's pride? ProxyCommand ergonomics is exactly the question that I and many newbies are stuck with, but after scouring half the Internet, I mostly found answers from persons like you. Sometimes it's better not to answer if you don't want to help, but just show off.

Zemnmez commented 10 months ago

Hey there, I’m sorry that the way I wrote this was hard to understand. I understand your frustration.

I did provide a ProxyCommand in my comment – did you have trouble working off of it? The reason I wrote as such is because I genuinely had a hard time making ProxyCommand work how I wanted it to myself, and I didn’t feel like an expert enough to provide a full explanation.

Let me know what issue you have.

Thanks
