Elastic Compute Service:connect to an ECS instance by using Session Manager

Last Updated:Mar 28, 2024

You can use Session Manager to connect to an Elastic Compute Service (ECS) instance without the need for a password or a public IP address or to open SSH and Remote Desktop Protocol (RDP) ports on the instance. Compared with SSH and Virtual Network Computing (VNC), Session Manager allows you to connect to instances in a more convenient and secure manner. This topic describes how to connect to an instance by using Session Manager.

For more information about how Session Manager works, see Session Manager.

Prerequisites

  • The instance is in the Running state.

  • Cloud Assistant Agent is installed on the instance, and the version of Cloud Assistant Agent supports Session Manager.

    • If the instance is a Linux instance, the version of Cloud Assistant Agent must be 2.2.3.196 or later.

    • If the instance is a Windows instance, the version of Cloud Assistant Agent must be 2.1.3.196 or later.

    For information about how to view the version of Cloud Assistant Agent, see the View information about Cloud Assistant Agent on an instance section in the "Install Cloud Assistant Agent" topic. For information about how to upgrade Cloud Assistant Agent, see Upgrade or disable upgrades for Cloud Assistant Agent.

  • The instance resides in a region in which Session Manager is available. For more information, see the Supported regions section in the "Session Manager" topic.

  • If you want to use Session Manager as a Resource Access Management (RAM) user, make sure that policies are attached to the RAM user to grant permissions to call the StartTerminalSession operation. For information about sample policies attached to RAM users, see the Sample policies section of this topic.

    Important

    You can enable Session Manager to connect to instances without the need for passwords. If you connect to instances as a RAM user without passwords, exercise caution when you attach policies to the RAM user. Otherwise, unauthorized operations may be performed due to improper management of or unintended authorizations to RAM users.

Procedure

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. On the Instances page, find the instance to which you want to connect and click Connect in the Actions column.

  5. Click Show Other Logon Methods and check whether Session management turned on (full region) is displayed. If Session Management closed is displayed, enable Session Manager.

    Important

    Before you enable Session Manager as a RAM user, make sure that the RAM user has the DescribeUserBusinessBehavior permission to view session management configurations and the ModifyUserBusinessBehavior permission to enable or disable Session Manager. For more information about sample policies, see the Sample policies section of this topic.

  6. Click Secret-free login.

    After the instance is connected, you are logged on as ecs-assist-user if the instance runs Linux or as the system user if the instance runs Windows. The following figure shows a logon to a Linux instance.

Sample policies

For information about how to create policies and attach policies to RAM users, see Create custom policies and Grant permissions to a RAM user. The following section describes the policies that are required to use Session Manager to connect to instances:

  • After you attach policies to a RAM user to grant permissions to call the StartTerminalSession operation, you can use Session Manager to connect to instances as the RAM user. Sample policies:

    • Policy that grants permissions to connect to all instances

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:StartTerminalSession"
                  ],
                  "Resource": [
                      "acs:ecs:*:*:instance/*"
                  ]
              }
          ],
          "Version": "1"
      }
    • Policy that grants permissions to connect to a specific instance

      Important

      Replace each i-**** placeholder with the ID of an instance to which you want to connect.

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:StartTerminalSession"
                  ],
                  "Resource": [
                      "acs:ecs:*:*:instance/i-bp11igy9rss1hu8y****",
                      "acs:ecs:*:*:instance/i-bp1fihgzdytqve94****"
                  ]
              }
          ],
          "Version": "1"
      }
    • Policy that grants permissions to connect to an instance that has a specific tag added

      Important

      Replace the key-**** variable with the key of the specified tag and replace the value-**** variable with the value of the specified tag.

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:StartTerminalSession"
                  ],
                  "Resource": "*",
                  "Condition": {
                      "StringEquals": {
                          "ecs:tag/key-****": "value-****"
                      }
                  }
              }
          ],
          "Version": "1"
      }
    • Policy that grants permissions to connect to an instance from a specific IP address or CIDR block

      Important

      Replace the 192.168.XX.XX parameter with the specified IP address or replace the 192.168.XX.XX/24 parameter with the specified CIDR block.

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:StartTerminalSession"
                  ],
                  "Resource": "*",
                  "Condition": {
                      "IpAddress": {
                          "acs:SourceIp": [
                              "192.168.XX.XX",
                              "192.168.XX.XX/24"
                          ]
                      }
                  }
              }
          ],
          "Version": "1"
      }
  • Before you enable Session Manager, you only need to grant the RAM user the DescribeUserBusinessBehavior permission to view session management configurations and the ModifyUserBusinessBehavior permission to enable or disable Session Manager. After you enable Session Manager, you can revoke these permissions from the RAM user based on your business requirements. Sample policy:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:ModifyUserBusinessBehavior",
                    "ecs:DescribeUserBusinessBehavior"
                ],
                "Resource": "acs:ecs:*:*:instance/*"
            }
        ]
    }
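
The following Python policy evaluator is an added example, not part of this documentation or of any Alibaba Cloud SDK: it applies the Action, Resource and Condition scoping patterns from the sample policies above to a simulated StartTerminalSession request, so you can check before attaching a policy that it grants no more than intended. The instance ID, account ID, CIDR block and tag values are constructed placeholders, and the matching logic is a simplified model of RAM evaluation, not the actual engine.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed policy (placeholder instance ID and CIDR, not real values) that
# combines the "specific instance" and "specific CIDR block" patterns above.
SCOPED_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:StartTerminalSession"],
        "Resource": ["acs:ecs:*:*:instance/i-example0001"],
        "Condition": {"IpAddress": {"acs:SourceIp": ["10.0.1.0/24"]}},
    }],
}
def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(cond, ctx):
    # Every operator/key pair must match; unknown operators fail closed.
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(c, strict=False)
                           for c in _as_list(expected)):
                    return False
            else:
                return False
    return True

def evaluate(policy, action, resource, ctx):
    # 'Allow' only when an Allow statement matches and no Deny matches.
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"
```

Run it against the instance IDs and source addresses your RAM users actually use; any unexpected "Allow" means the policy is scoped more broadly than the access you meant to grant.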

Use Session Manager for remote logons in your applications

The open source project cloud-assistant-starter contains the complete code for using the Session Manager feature to remotely connect to an ECS instance or a managed instance. In the project, AxtSession.tsx provides the complete code for connecting to instances and using WebSocket URLs that are returned by StartTerminalSession. You can copy the code snippet to your application code to implement password-free and public IP address-free remote logons.

References

Session Manager supports multiple methods to connect to ECS instances. Select a connection method based on your business requirements. For more information, see the following topics: