
Elastic Compute Service:Connect to an instance by using Session Manager

Last Updated:Jul 24, 2023

You can use Session Manager to connect to an Elastic Compute Service (ECS) instance without a password, without a public IP address, and without opening SSH or Remote Desktop Protocol (RDP) ports on the instance. Because no inbound port has to be reachable, the instance exposes no SSH or RDP listener to the network, and who may connect is controlled through Resource Access Management (RAM) permissions instead of instance credentials. This topic describes how to connect to an instance by using Session Manager.

Prerequisites

The instance to which you want to connect meets the following requirements:

  • The instance is in the Running state.

  • Cloud Assistant Agent is installed on the instance, and the version of the agent supports Session Manager.

    • If the instance is a Linux instance, the version of the agent must be 2.2.3.196 or later.

    • If the instance is a Windows instance, the version of the agent must be 2.1.3.196 or later.

    For information about how to query the version of Cloud Assistant Agent, see the "View the information of Cloud Assistant Agent on an instance" section of the "Install Cloud Assistant Agent" topic. For information about how to upgrade Cloud Assistant Agent, see Upgrade or disable upgrades for Cloud Assistant Agent.

  • The instance resides in a region in which Session Manager is available. For more information, see the "Supported regions" section of the "Session Manager" topic.

  • If you want to use Session Manager as a Resource Access Management (RAM) user, make sure that policies are attached to the RAM user to grant permissions to call the StartTerminalSession operation. For more information about sample policies attached to RAM users, see the "Sample policies" section of this topic.
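The agent-version prerequisite is easy to get wrong when checking a fleet, because the version strings have four numeric components and a plain string comparison ranks "2.2.3.99" above "2.2.3.196". The following is an added example, not Alibaba Cloud code: it compares versions component by component against the minimums stated above and lists the instances that still need an upgrade. The inventory rows and instance IDs are constructed for the demonstration; in practice they come from the Cloud Assistant console or API.

```python
"""Check whether Cloud Assistant Agent versions support Session Manager.

Added example (not Alibaba Cloud code). Minimum versions are the ones stated
in the Prerequisites section; the inventory below is constructed sample data.
"""

# Minimum agent version per OS, as stated in the prerequisites.
MIN_AGENT_VERSION = {
    "linux": (2, 2, 3, 196),
    "windows": (2, 1, 3, 196),
}


def parse_version(text):
    """'2.2.3.196' -> (2, 2, 3, 196); tuples compare numerically per component."""
    return tuple(int(part) for part in text.strip().split("."))


def supports_session_manager(os_type, version):
    """True if the agent version meets the Session Manager minimum for this OS."""
    minimum = MIN_AGENT_VERSION[os_type.lower()]
    return parse_version(version) >= minimum


def naive_string_check(version, minimum):
    """The pitfall: lexical comparison of dotted versions. Shown only to contrast."""
    return version >= minimum


def needs_upgrade(inventory):
    """Return the IDs of instances whose agent must be upgraded first.

    inventory: iterable of (instance_id, os_type, agent_version) tuples.
    """
    return [
        instance_id
        for instance_id, os_type, version in inventory
        if not supports_session_manager(os_type, version)
    ]


# Constructed sample inventory (instance IDs are placeholders, not real instances).
INVENTORY = [
    ("i-bp1example0001", "linux", "2.2.3.196"),    # exactly the minimum: OK
    ("i-bp1example0002", "linux", "2.2.3.99"),     # older, but sorts "higher" as a string
    ("i-bp1example0003", "windows", "2.1.3.300"),  # newer than the Windows minimum: OK
    ("i-bp1example0004", "windows", "2.1.2.999"),  # third component too low
]

if __name__ == "__main__":
    for iid in needs_upgrade(INVENTORY):
        print(f"{iid}: upgrade Cloud Assistant Agent before using Session Manager")
```

Running the module prints the two constructed instances that fall below the minimum; the `naive_string_check` function is there only to show why the numeric comparison matters.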

Background information

Session Manager offers both security and convenience: the connection is established through Cloud Assistant Agent on the instance rather than through an inbound SSH or RDP port, and access is granted by RAM policy rather than by instance credentials. For information about how Session Manager works, see Session Manager.

Procedure

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the upper-left corner of the top navigation bar, select a region.
  4. On the Instances page, find the instance to which you want to connect, and click Connect in the Actions column.

  5. Click Show Other Logon Methods and check whether Session management turned on (full region) is displayed. If Session Management closed is displayed instead, enable Session Manager before you continue.

    Important

    When Session Manager is enabled, no instance password is required to connect. For a RAM user this means the RAM policy is the only control that decides which instances the user can log on to, so attach policies with care: grant ecs:StartTerminalSession only on the instances the user needs (by instance ID, tag, or source IP as shown in the sample policies below). An over-broad or mismanaged grant lets the RAM user perform unauthorized operations on every instance it covers.

  6. Click Secret-free login.

    By default, you are connected to the instance as the ecs-assist-user user.

Sample policies

After you attach policies to a RAM user to grant permissions to call the StartTerminalSession operation, you can use Session Manager to connect to instances as the RAM user. For information about how to create policies and attach policies to RAM users, see Create a custom policy and Grant permissions to a RAM user. Sample policies:

  • Policy that grants permissions to connect to all instances

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:StartTerminalSession"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ],
        "Version": "1"
    }

  • Policy that grants permissions to connect to a specified instance

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:StartTerminalSession"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-bp11igy9rss1hu8y****",
                    "acs:ecs:*:*:instance/i-bp1fihgzdytqve94****"
                ]
            }
        ],
        "Version": "1"
    }

    Note

    Replace each i-**** with the ID of an instance to which you want to connect. List one resource entry per instance.

  • Policy that grants permissions to connect to an instance that has a specified tag added

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:StartTerminalSession"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ecs:tag/key-****": "value-****"
                    }
                }
            }
        ],
        "Version": "1"
    }

    Note

    Replace key-**** with the key of the specified tag and replace value-**** with the value of the specified tag. Instances that do not carry the tag, or carry it with a different value, are not covered by this policy.

  • Policy that grants permissions to connect to an instance from a specified IP address or CIDR block

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:StartTerminalSession"
                ],
                "Resource": "*",
                "Condition": {
                    "IpAddress": {
                        "acs:SourceIp": [
                            "192.168.XX.XX",
                            "192.168.XX.XX/24"
                        ]
                    }
                }
            }
        ],
        "Version": "1"
    }

    Note

    Replace 192.168.XX.XX with the specified IP address or replace 192.168.XX.XX/24 with the specified CIDR block. The condition is evaluated against the source IP address of the caller's API request; a request from any other address is denied.
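Before attaching one of these policies, it helps to see concretely which instances a RAM user would be able to open a session on and under which conditions. The following is an added example, not Alibaba Cloud code: a deliberately simplified local simulation of how the Allow statements above gate ecs:StartTerminalSession. It models only the constructs the sample policies use (Allow, `*` wildcards in Action and Resource, StringEquals on `ecs:tag/*`, IpAddress on `acs:SourceIp`) and fails closed on anything else; the real RAM engine also evaluates Deny statements, other condition operators and policy variables. The account ID, instance IDs, tag, and IP addresses are constructed placeholders.

```python
"""Simplified offline evaluation of the sample StartTerminalSession policies.

Added example (not Alibaba Cloud code). It answers "could this RAM user open
a session on this instance from this address?" for the policy shapes shown
above. Only Allow, '*' wildcards, StringEquals on ecs:tag/* and IpAddress on
acs:SourceIp are modelled; unknown operators deny. All identifiers below are
constructed for the demonstration.
"""
import fnmatch
import ipaddress

ACTION = "ecs:StartTerminalSession"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """ctx is the request context: {'tags': {...}, 'source_ip': '...'}."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            expected = _as_list(expected)
            if operator == "StringEquals" and key.startswith("ecs:tag/"):
                tag_key = key[len("ecs:tag/"):]
                if ctx.get("tags", {}).get(tag_key) not in expected:
                    return False
            elif operator == "IpAddress" and key == "acs:SourceIp":
                ip = ipaddress.ip_address(ctx["source_ip"])
                if not any(ip in ipaddress.ip_network(n, strict=False) for n in expected):
                    return False
            else:
                return False  # unmodelled operator or key: fail closed
    return True


def allows_session(policy, instance_arn, ctx):
    """True if some Allow statement covers StartTerminalSession on instance_arn in ctx."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(ACTION, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(instance_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False


def unscoped_statements(policy):
    """Count Allow statements that cover every instance and carry no Condition.

    These are the grants the Important note above warns about.
    """
    count = 0
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if all(r == "*" or r.endswith("/*") for r in _as_list(stmt["Resource"])):
            count += 1
    return count


def _policy(resource, condition=None):
    stmt = {"Effect": "Allow", "Action": [ACTION], "Resource": resource}
    if condition:
        stmt["Condition"] = condition
    return {"Statement": [stmt], "Version": "1"}


# Constructed instance ARNs (acs:ecs:<region>:<account-id>:instance/<instance-id>).
WEB = "acs:ecs:cn-hangzhou:100000000000:instance/i-bp1web00000000000001"
DB = "acs:ecs:cn-hangzhou:100000000000:instance/i-bp1db000000000000001"

# The four sample policy shapes from the page, with constructed values filled in.
ALL_INSTANCES = _policy(["acs:ecs:*:*:instance/*"])
ONE_INSTANCE = _policy([WEB])
BY_TAG = _policy("*", {"StringEquals": {"ecs:tag/env": "staging"}})
BY_SOURCE_IP = _policy("*", {"IpAddress": {"acs:SourceIp": ["203.0.113.10", "198.51.100.0/24"]}})

# Constructed request contexts.
STAGING_FROM_OFFICE = {"tags": {"env": "staging"}, "source_ip": "198.51.100.7"}
PROD_FROM_OFFICE = {"tags": {"env": "prod"}, "source_ip": "198.51.100.7"}
STAGING_FROM_HOME = {"tags": {"env": "staging"}, "source_ip": "10.0.0.5"}


def review():
    """Summarise what each sample policy permits, as a dict so it can be asserted on."""
    return {
        "all/web": allows_session(ALL_INSTANCES, WEB, PROD_FROM_OFFICE),
        "one/web": allows_session(ONE_INSTANCE, WEB, STAGING_FROM_OFFICE),
        "one/db": allows_session(ONE_INSTANCE, DB, STAGING_FROM_OFFICE),
        "tag/staging": allows_session(BY_TAG, DB, STAGING_FROM_OFFICE),
        "tag/prod": allows_session(BY_TAG, DB, PROD_FROM_OFFICE),
        "ip/office": allows_session(BY_SOURCE_IP, WEB, STAGING_FROM_OFFICE),
        "ip/home": allows_session(BY_SOURCE_IP, WEB, STAGING_FROM_HOME),
        "unscoped": unscoped_statements(ALL_INSTANCES),
    }


if __name__ == "__main__":
    for name, result in review().items():
        print(f"{name:12} {result}")
```

The `unscoped_statements` check is the one worth wiring into policy review: the first sample policy is flagged because it grants the action on every instance with no condition, while the tag- and IP-scoped variants, although they name `"Resource": "*"`, are not, since their Condition block narrows the grant.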