Elastic Compute Service: Connect to an instance by using Workbench

Last Updated: Dec 12, 2025

Workbench is a remote connection tool provided by Alibaba Cloud that lets you connect to Elastic Compute Service (ECS) instances directly from a browser without installing any software.

What is Workbench?

Introduction

Workbench is a web-based remote connection tool provided by Alibaba Cloud. You can use it directly from your browser without needing to install it. The following figure illustrates how to connect to an ECS instance using Workbench.

image

Features

  • Public and private network connections

    When you use Workbench to connect to an instance using SSH or RDP, you can use the private or public IP address of the instance.

More features

In addition to connecting to instances, Workbench supports the following features.

  • File management: You can visually manage files on Linux instances, and upload or download files. For more information, see File management.

  • AI Agent mode: In AI Agent mode, you can use natural language instructions to plan and run Linux operations and maintenance (O&M) tasks. This simplifies operations such as software installation and troubleshooting. For more information, see AI Agent mode.

  • Terminal Assistant: You can generate scripts and commands for O&M tasks. For more information, see Terminal Assistant.

  • Intelligent command completion: This feature predicts and lists subsequent commands, parameters, or options in real time as you type in the command line. For more information, see Intelligent command completion.

  • System management: You can centrally manage users, logon logs, and system services on Linux instances, and monitor the system status in real time. For more information, see System management.

  • Script library: You can save frequently used commands or script snippets in Workbench and run them with a single click in any instance session. For more information, see Script library.

  • Multi-terminal: You can connect to multiple ECS instances at the same time and run the same commands on all instances simultaneously. For more information, see Multi-terminal.

  • Software installation: You can use AI Agent or Operation Orchestration Service (OOS) predefined packages in Workbench to automatically deploy software such as Docker and MySQL. For more information, see Software installation.

Basic workflow

The following figure shows the workflow for connecting to an instance using Workbench.

image

  1. Find the instance to which you want to connect.

  2. Establish a network connection between Workbench and the ECS instance.

    To establish a connection, you must configure security group rules and instance firewall rules to allow inbound traffic from Workbench.

  3. Use Workbench to connect to the instance.

    In the console, select the option to connect to the instance using Workbench. Then, enter the required username and password or key pair information.

  4. Create the service-linked role.

    If the service-linked role has not been created, you are prompted to grant Workbench the required permissions to access the ECS instance. This action creates the service-linked role.

  5. Connect to the instance and perform O&M tasks.

Service-linked role for Workbench

Workbench requires permissions to operate on your ECS instances. When you use Workbench to connect to an instance for the first time, you are prompted to create the AliyunServiceRoleForECSWorkbench service-linked role. Workbench assumes this role to access your ECS instances. For more information, see Service-linked roles.

The first time you connect to an instance, a dialog box appears, as shown in the following figure. Click OK to automatically create the service-linked role.

image

If you are a RAM user, contact your Alibaba Cloud account owner or an administrator to attach the AliyunECSWorkbenchFullAccess system policy to your RAM user. This permission is required to create the service-linked role for Workbench.

Permissions for RAM users

After the service-linked role is created, a Resource Access Management (RAM) user must be granted the permissions in the following access policy to use Workbench. This policy allows the user to connect to all ECS instances using Workbench.

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ecs-workbench:LoginInstance",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

To limit the instances that a RAM user can connect to using Workbench, modify the `Resource` field as follows:

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ecs-workbench:LoginInstance",
      "Resource": [
        "acs:ecs-workbench:{#regionId}:{#accountId}:workbench/{#instanceId}",
        "acs:ecs-workbench:{#regionId}:{#accountId}:workbench/{#instanceId}"
      ],
      "Effect": "Allow"
    }
  ]
}

The parameters are described as follows.

  • {#regionId}: The ID of the region where the instance is located. You can use a wildcard character (*).

  • {#accountId}: The ID of your Alibaba Cloud account. You can use a wildcard character (*).

  • {#instanceId}: The ID of the target instance. You can use a wildcard character (*).

Example

For example, to allow a RAM user to use Workbench to connect to instances i-001 and i-002 in all regions and under all accounts, attach the following policy to the RAM user.

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ecs-workbench:LoginInstance",
      "Resource": [
        "acs:ecs-workbench:*:*:workbench/i-001",
        "acs:ecs-workbench:*:*:workbench/i-002"
      ],
      "Effect": "Allow"
    }
  ]
}
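
The following Python sketch is an added example, not part of the original page or Alibaba Cloud tooling. It audits a RAM policy document for how tightly `ecs-workbench:LoginInstance` is scoped, using the resource format shown above; the function names and scope labels are hypothetical, and treating `*` in `Action` as a glob is an assumption.

```python
import json
from fnmatch import fnmatchcase

ACTION = "ecs-workbench:LoginInstance"
# The page's example policy: i-001 and i-002, any region, any account.
PAGE_EXAMPLE = """{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": "ecs-workbench:LoginInstance",
  "Resource": ["acs:ecs-workbench:*:*:workbench/i-001",
               "acs:ecs-workbench:*:*:workbench/i-002"]}]}"""

def as_list(value):  # Action and Resource may each be a string or a list
    return value if isinstance(value, list) else [value]

def parse_resource(resource):
    """Split acs:ecs-workbench:<region>:<account>:workbench/<instance>."""
    if resource == "*":
        return {"region": "*", "account": "*", "instance": "*"}
    parts = resource.split(":", 4)
    if len(parts) != 5 or parts[:2] != ["acs", "ecs-workbench"]:
        return None  # not a Workbench resource
    kind, _, instance = parts[4].partition("/")
    if kind != "workbench" or not instance:
        return None
    return {"region": parts[2], "account": parts[3], "instance": instance}

def audit_workbench_policy(policy_text):
    """Return (resource, scope) for every resource an Allow statement opens to logon."""
    findings = []
    for stmt in as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # Assumption: "*" in Action is a glob, so "ecs-workbench:*" also grants logon.
        if not any(fnmatchcase(ACTION, a) for a in as_list(stmt.get("Action", []))):
            continue
        for resource in as_list(stmt.get("Resource", [])):
            fields = parse_resource(resource)
            if fields is None:
                continue
            if "*" in fields["instance"]:
                scope = "WILDCARD_INSTANCE"  # any instance, or a pattern of IDs
            elif "*" in fields["region"] + fields["account"]:
                scope = "INSTANCE_PINNED"    # instance fixed, region/account open
            else:
                scope = "FULLY_PINNED"
            findings.append((resource, scope))
    return findings

if __name__ == "__main__":
    for resource, scope in audit_workbench_policy(PAGE_EXAMPLE):
        print(scope, resource)
```

Run against the first policy on this page (`"Resource": "*"`), the audit reports `WILDCARD_INSTANCE`, which is the grant to review first when applying least privilege.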

Workbench-related security group settings

When you use Workbench to connect to an instance using SSH or RDP, you must add a security group rule to the security group of the instance. The rule must allow inbound traffic from the Workbench server. Configure the security group rule with the settings listed below. For more information, see Add a security group rule.

Important

If a firewall is enabled on the instance, you must also modify the firewall rules to match the security group rules.

  • Authorization Policy: Allow

  • Priority: 1

  • Protocol Type: Custom TCP

  • Port Range: The port that you configure depends on the port of the remote connection service that runs on your instance.

      • To connect to a Linux instance: Select SSH (22). The default remote connection service for Linux instances is SSH, and the default port is 22.

      • To connect to a Windows instance: Select RDP (3389). The default remote connection service for Windows instances is RDP, and the default port is 3389.

    Important

    If you changed the port of the remote connection service on your instance, specify the actual port.

  • Authorization object:

      • For public network connections: Add 161.117.0.0/16.

      • For private network connections: Add 100.104.0.0/16.

Warning

If you set the authorization object to 0.0.0.0/0, all IP addresses can access the remote connection service port. This poses security risks. Use this setting with caution.
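
The following Python sketch is an added example, not part of the original page or Alibaba Cloud tooling. It checks a list of inbound rules against the settings above: whether the Workbench source range is admitted on the remote connection port, and whether any rule opens that port to 0.0.0.0/0. The rule dictionaries are constructed sample data whose field names (`Direction`, `Policy`, `IpProtocol`, `PortRange`, `SourceCidrIp`) are assumed to follow the ECS security group rule fields, and the check ignores rule priority and Drop rules.

```python
from ipaddress import ip_network

# Source ranges this page lists for Workbench.
WORKBENCH_CIDRS = {"public": ip_network("161.117.0.0/16"),
                   "private": ip_network("100.104.0.0/16")}

# Constructed sample rules (not taken from a real account).
SCOPED_SSH = [{"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
               "PortRange": "22/22", "SourceCidrIp": "161.117.0.0/16"}]
OPEN_RDP = [{"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
             "PortRange": "3389/3389", "SourceCidrIp": "0.0.0.0/0"}]

def covers_port(port_range, port):
    """PortRange is "low/high"; "-1/-1" stands for all ports."""
    low, high = (int(p) for p in port_range.split("/"))
    return (low, high) == (-1, -1) or low <= port <= high

def audit_rules(rules, port, network):
    """Report whether Workbench can reach `port` and whether the port is open to all."""
    wanted = WORKBENCH_CIDRS[network]
    result = {"workbench_allowed": False, "open_to_all": False}
    for rule in rules:
        if rule["Direction"] != "ingress" or rule["Policy"].lower() != "accept":
            continue
        if rule["IpProtocol"].lower() not in ("tcp", "all"):
            continue
        if not covers_port(rule["PortRange"], port):
            continue
        source = ip_network(rule["SourceCidrIp"], strict=False)
        if wanted.subnet_of(source):   # rule admits the whole Workbench range
            result["workbench_allowed"] = True
        if source.prefixlen == 0:      # 0.0.0.0/0: the setting the page warns about
            result["open_to_all"] = True
    return result

if __name__ == "__main__":
    print(audit_rules(SCOPED_SSH, 22, "public"))
    print(audit_rules(OPEN_RDP, 3389, "public"))
```

Pass the actual port if the remote connection service was moved off 22 or 3389; a rule for port 22 does not satisfy a check for a custom port.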