Elastic Compute Service:Connect to an ECS instance by using Session Manager

Last Updated: Feb 02, 2024

You can use Session Manager to connect to an Elastic Compute Service (ECS) instance without using a password or public IP address or opening SSH and Remote Desktop Protocol (RDP) ports on the instance. Compared with SSH and Virtual Network Computing (VNC), Session Manager allows you to connect to instances in a more convenient and secure manner. This topic describes how to connect to an instance by using Session Manager.

For more information about how Session Manager works, see Session Manager.

Prerequisites

Make sure that the following conditions are met if you want to use Session Manager:

  • The instance is in the Running state.

  • Cloud Assistant Agent is installed on the instance, and the version of the agent supports Session Manager.

    • If the instance is a Linux instance, the version of the agent must be 2.2.3.196 or later.

    • If the instance is a Windows instance, the version of the agent must be 2.1.3.196 or later.

    For information about how to query the version of Cloud Assistant Agent, see the "View the information of Cloud Assistant Agent on an instance" section of the "Install Cloud Assistant Agent" topic. For information about how to upgrade Cloud Assistant Agent, see Upgrade or disable upgrades for Cloud Assistant Agent.

  • The instance resides in a region in which Session Manager is available. For more information, see the "Supported regions" section of the "Session Manager" topic.

  • If you want to use Session Manager as a Resource Access Management (RAM) user, make sure that policies are attached to the RAM user to grant permissions to call the StartTerminalSession operation. For more information about sample policies attached to RAM users, see the "Sample policies" section of this topic.

    Important

    You can enable Session Manager to connect to instances without the need to provide passwords. If you connect to instances as a RAM user without providing passwords, proceed with caution when you attach policies to the RAM user. Otherwise, unauthorized operations may be performed due to improper management of or unintended authorizations to RAM users.

Procedure

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. On the Instances page, find the instance to which you want to connect, and click Connect in the Actions column.

  5. Click Show Other Logon Methods and check whether Session management turned on (full region) is displayed. If Session Management closed is displayed, enable Session Manager.

    Important

    Before you enable Session Manager, make sure that the RAM user has the DescribeUserBusinessBehavior permission to view session management configurations and the ModifyUserBusinessBehavior permission to enable or disable Session Manager. For more information about sample policies, see Sample policies.

  6. Click Secret-free login.

    After the instance is connected, you log on as the ecs-assist-user if the instance runs a Linux OS or as the system user if the instance runs a Windows OS. The following figure shows logon to a Linux instance.

Sample policies

For information about how to create policies and attach policies to RAM users, see Create custom policies and Grant permissions to a RAM user. The following items describe the policies that are required to use Session Manager to connect to instances:

  • After you attach policies to a RAM user to grant permissions to call the StartTerminalSession operation, you can use Session Manager to connect to instances as the RAM user. Sample policies:

    • Policy that grants permissions to connect to all instances

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:StartTerminalSession"
                  ],
                  "Resource": [
                      "acs:ecs:*:*:instance/*"
                  ]
              }
          ],
          "Version": "1"
      }
    • Policy that grants permissions to connect to a specified instance

      Important

      Replace i-**** with the ID of the instance to which you want to connect.

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:StartTerminalSession"
                  ],
                  "Resource": [
                      "acs:ecs:*:*:instance/i-bp11igy9rss1hu8y****",
                      "acs:ecs:*:*:instance/i-bp1fihgzdytqve94****"
                  ]
              }
          ],
          "Version": "1"
      }
    • Policy that grants permissions to connect to an instance that has a specified tag added

      Important

      Replace key-**** with the key of the specified tag and replace value-**** with the value of the specified tag.

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:StartTerminalSession"
                  ],
                  "Resource": "*",
                  "Condition": {
                      "StringEquals": {
                          "ecs:tag/key-****": "value-****"
                      }
                  }
              }
          ],
          "Version": "1"
      }
    • Policy that grants permissions to connect to an instance from a specified IP address or CIDR block

      Important

      Replace 192.168.XX.XX with the specified IP address or replace 192.168.XX.XX/24 with the specified CIDR block.

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:StartTerminalSession"
                  ],
                  "Resource": "*",
                  "Condition": {
                      "IpAddress": {
                          "acs:SourceIp": [
                              "192.168.XX.XX",
                              "192.168.XX.XX/24"
                          ]
                      }
                  }
              }
          ],
          "Version": "1"
      }
  • Before you enable Session Manager, you need to grant the RAM user only the DescribeUserBusinessBehavior permission to view session management configurations and the ModifyUserBusinessBehavior permission to enable or disable Session Manager. After you enable Session Manager, you can revoke these permissions from the RAM user based on your business requirements. Sample policy:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:ModifyUserBusinessBehavior",
                    "ecs:DescribeUserBusinessBehavior"
                ],
                "Resource": "acs:ecs:*:*:instance/*"
            }
        ]
    }
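The sample policies above scope StartTerminalSession by resource, by tag, and by source IP. To check offline that a least-privilege policy really admits only the sessions you intend, the following added example (not part of this topic and not Alibaba Cloud's RAM engine) evaluates a policy document in the format shown against a constructed request. It models only the constructs the samples use: Action and Resource strings with "*" wildcards, StringEquals on "ecs:tag/<key>", and IpAddress on acs:SourceIp. Any operator it does not model fails closed, and an explicit Deny wins over Allow. The policies, instance IDs, tag values, and addresses in the block are constructed for the demo; the placeholders from the samples (key-****, value-****, 192.168.XX.XX) are filled in with made-up values.

```python
"""Toy evaluator for RAM-style policies that grant ecs:StartTerminalSession.

Added example: a simplified model of policy evaluation for offline review of
least-privilege policies. It is NOT Alibaba Cloud's RAM engine and covers only
the operators used by the sample policies (StringEquals on ecs:tag/<key>,
IpAddress on acs:SourceIp). Unknown operators fail closed.
"""
import fnmatch
import ipaddress
import json

TAG_PREFIX = "ecs:tag/"


def _as_list(value):
    """RAM accepts either a string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, request):
    """Every operator/key pair in the Condition block must hold."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            if operator == "StringEquals":
                if key.startswith(TAG_PREFIX):
                    # Tag conditions compare against the tags on the target instance.
                    actual = request.get("tags", {}).get(key[len(TAG_PREFIX):])
                else:
                    actual = request.get("context", {}).get(key)
                if actual is None or actual not in expected:
                    return False
            elif operator == "IpAddress" and key == "acs:SourceIp":
                src = request.get("source_ip")
                if src is None:
                    return False  # no caller address known: fail closed
                addr = ipaddress.ip_address(src)
                # strict=False lets a bare address ("192.168.1.7") act as a /32.
                if not any(addr in ipaddress.ip_network(v, strict=False) for v in expected):
                    return False
            else:
                return False  # operator not modelled here: fail closed
    return True


def _statement_applies(stmt, request):
    """A statement applies when action, resource and all conditions match."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    if not any(fnmatch.fnmatchcase(request["action"], a) for a in actions):
        return False
    # "*" in a resource string matches any run of characters, including ":" and "/".
    if not any(fnmatch.fnmatchcase(request["resource"], r) for r in resources):
        return False
    return _condition_holds(stmt.get("Condition", {}), request)


def is_allowed(policy, request):
    """Default deny; an explicit Deny overrides any Allow."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not _statement_applies(stmt, request):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


# Constructed policies: the tag and source-IP samples with placeholders filled in.
TAG_POLICY = json.loads("""{
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:StartTerminalSession"],
        "Resource": "*",
        "Condition": {"StringEquals": {"ecs:tag/env": "staging"}}
    }],
    "Version": "1"
}""")

IP_POLICY = json.loads("""{
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:StartTerminalSession"],
        "Resource": "*",
        "Condition": {"IpAddress": {"acs:SourceIp": ["192.168.1.0/24"]}}
    }],
    "Version": "1"
}""")

# Constructed request: a session to a made-up instance tagged env=staging.
STAGING_SESSION = {
    "action": "ecs:StartTerminalSession",
    "resource": "acs:ecs:cn-hangzhou:1234567890:instance/i-constructed01",
    "tags": {"env": "staging"},
}

if __name__ == "__main__":
    print("tag policy, env=staging:", is_allowed(TAG_POLICY, STAGING_SESSION))
    print("tag policy, env=prod:", is_allowed(TAG_POLICY, {**STAGING_SESSION, "tags": {"env": "prod"}}))
    print("ip policy, from 192.168.1.7:", is_allowed(IP_POLICY, {**STAGING_SESSION, "source_ip": "192.168.1.7"}))
    print("ip policy, from 10.0.0.5:", is_allowed(IP_POLICY, {**STAGING_SESSION, "source_ip": "10.0.0.5"}))
```

Running the block prints True, False, True, False. The useful property for review is the fail-closed behaviour: a request with no known source address is rejected by the IP-scoped policy, and an action other than StartTerminalSession is rejected by every sample policy, which is the behaviour you want from a policy that replaces SSH and RDP exposure with a password-free logon path.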

Use Session Manager for remote logons in your applications

The open source project cloud-assistant-starter contains the complete code for using the Session Manager feature to remotely connect to an ECS instance or a managed instance. In the project, AxtSession.tsx provides the complete code for connecting to instances and using WebSocket URLs that are returned by StartTerminalSession. You can copy the code snippet to your application code to implement password-free and public IP address-free remote logons.