All Products
Search

This Product

    Elastic Compute Service:Connect to an instance by using Session Manager in the ECS console

    Document Center

    Elastic Compute Service:Connect to an instance by using Session Manager in the ECS console

    Last Updated:Apr 16, 2025

    You can use Session Manager to connect to an Elastic Compute Service (ECS) instance without the need for a password. Compared with SSH and Remote Desktop Protocol (RDP), Session Manager allows you to connect to instances in a more convenient and secure manner. This topic describes how to connect to an instance by using Session Manager in the ECS console.

    Important

    The Session Manager logon method also allows you to use the CLI to connect to Linux and Windows instances.

    If you want to use the Session Manager GUI to connect to a Windows instance, you can use the port forwarding feature to map the remote access port of the Windows instance to the on-premises computer and use RDP to connect to the instance.

    Prerequisites

    The ECS instance to which you want to connect is in the Running state

    You can view the status of the instance on the Instance page in the ECS console.

    For information about how to check the status of the instance, see View instance information.

    image

    image

    Cloud Assistant Agent is installed on the instance

    Session Manager is implemented based on Cloud Assistant. You need to install Cloud Assistant Agent on the instance. You can view the status of Cloud Assistant Agent on the ECS Cloud Assistant page in the ECS console.

    Cloud Assistant Agent is pre-installed on ECS instances that are created from Alibaba Cloud public images on or after December 1, 2017. For ECS instances created before December 1, 2017, you must manually install Cloud Assistant Agent. For more information, see Install Cloud Assistant Agent.

    image

    image

    For information about how to view the status of the Cloud Assistant Agent and handle anomalies, see View the status of Cloud Assistant and handle anomalies.

    Network connectivity is provided by configuring a security group

    When you use Session Manager to connect to an ECS instance, make sure that Cloud Assistant Agent running on the ECS instance is connected to the Cloud Assistant server by adding the following rules to an outbound security group:

    Compared with connection methods, such as SSH and Remote Desktop Protocol (RDP), Cloud Assistant Agent actively establishes a WebSocket connection to the Session Manager server. You need to only open the outbound WebSocket port of the Cloud Assistant server in a security rule. For information about how Session Manager works, see the How Session Manager works section of this topic.
    Important

    • If you use basic security groups including the default security group, all outbound traffic is allowed. No additional configuration is required.

    • If you use an advanced security group, all outbound traffic is denied. You must configure the relevant rules. The following table describes the rules. For information about security groups, see Basic security groups and advanced security groups.

    For information about how to add rules to a security group, see Add a security group rule.

    Action

    Priority

    Protocol type

    Port range

    Authorization object

    Description

    Allow

    1

    Custom TCP

    443

    100.100.0.0/16

    This port is used to access the Cloud Assistant server.

    Allow

    1

    Custom TCP

    443

    100.0.0.0/8

    This port is used to access the server on which the Cloud Assistant Agent installation package is stored when you want to install or update Cloud Assistant Agent.

    Allow

    1

    Custom UDP

    53

    0.0.0.0/0

    This port is used to resolve domain names.

    If you want to connect to an instance by using only Session Manager, delete the inbound rules that allow the SSH port (default 22) and RDP port (default 3389) from a security group to improve the security of the ECS instance.

    Resource Access Management (RAM) users have the required permissions on Session Manager

    If a RAM user wants to use Session Manager to connect to an instance in the ECS console, the RAM user must be granted the following permissions based on the principle of least privilege:

    • ecs:StartTerminalSession: The permission to connect to an instance by using Session Manager. You can configure the Resource parameter to specify the ECS instances to which a RAM user can connect by using Session Manager.

    • ecs:DescribeCloudAssistantStatus: The permission to query whether Cloud Assistant Agent needs to be installed on an ECS instance. The system checks this permission before you connect to an instance in the ECS console.

    • ecs:DescribeUserBusinessBehavior: The permission to query whether Session Manager is enabled. The system checks this permission before you connect to an instance in the ECS console.

    • (Optional) ecs:ModifyCloudAssistantSettings: The permission to enable or disable Session Manager. If Session Manager is enabled for the current Alibaba Cloud account, you do not need to grant this permission.

    Sample custom policy:

    {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:StartTerminalSession",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeUserBusinessBehavior",
        "ecs:DescribeCloudAssistantStatus",
        "ecs:ModifyCloudAssistantSettings"
      ],
      "Resource": "*"
    }
  ]
}

    For information about how to grant permissions to a RAM user, see Grant permissions to a RAM user.

    Procedure

    1. Go to ECS console - Instance.

    2. In the top navigation bar, select the region and resource group of the resource that you want to manage.

    3. Click the ID of the instance to which you want to connect. On the Instance Details page, click Connect in the upper-right corner.

    4. Click Show Other Logon Methods and check whether Session management turned on (full region) is displayed in the Session Manager section. If Session management turned off is displayed, turn on the switch to enable Session Manager.

      Important

      Before you enable Session Manager as a RAM user, make sure that the RAM user has the DescribeUserBusinessBehavior permission to view Session Manager configurations and the ModifyUserBusinessBehavior permission to enable or disable Session Manager. For information about sample policies that can be attached to the RAM user to grant required permissions, see the Prerequisites section of this topic.

      image

      image

    5. Click Secret-free login.

      After the instance is connected, you are logged on as ecs-assist-user for a Linux instance or as the system user for a Windows instance. In this example, a Linux instance is used. The following figure shows that you are logged on to the Linux instance.

      image

    References

    In addition to using Session Manager to connect to an instance in the ECS console, you can use the Session Manager CLI feature on your computer. For more information, see Connect to an instance by using the Session Manager CLI (ali-instance-cli).