When you connect to an Elastic Compute Service (ECS) instance by using session management, passwords and public IP addresses are not required, and SSH ports and Remote Desktop Protocol (RDP) ports do not need to be enabled. Compared with the SSH or RDP connection method, session management allows you to connect to instances in a more convenient manner. This topic describes how to connect to an instance by using session management.

Prerequisites

The instance meets the following requirements:
  • The instance is in the Running state.
  • The Cloud Assistant client is installed on the instance, and the installed version supports session management: 2.2.3.196 or later on a Linux instance, or 2.1.3.196 or later on a Windows instance. For more information about how to install the Cloud Assistant client, see Install the Cloud Assistant client.
Note Session management is enabled. The session management feature is in public preview.

Background information

Session management offers security and convenience. For information about how session management works, see How session management works.

Procedure

  1. Log on to the ECS console.
    • Both Alibaba Cloud accounts and RAM users can use the session management feature. However, you can use only Alibaba Cloud accounts to enable and disable this feature. If the session management feature is not enabled, use an Alibaba Cloud account or contact the owner of an Alibaba Cloud account to enable this feature.
    • If you want to use the session management feature as a RAM user, make sure that the RAM user is granted a policy that allows the StartTerminalSession operation. For information about sample policies, see the Sample policies section of this topic. Proceed with caution when you attach policies to RAM users. Otherwise, unauthorized operations may be performed due to improper management of or unintended authorizations to RAM users.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. On the Instances page, find the instance to which you want to connect and click Connect in the Actions column.
  5. In the Workbench Connection section of the Connection and Command dialog box, make sure that Enabled for All Regions is displayed above the Password-free Logon button. If Disabled is displayed, turn on the switch of the session management feature.
    Note You can enable the session management feature to connect to instances without using passwords, which is more convenient. However, if you use RAM users to connect to instances without using passwords, proceed with caution when you attach policies to the RAM users. Otherwise, unauthorized operations may be performed due to improper management of or unintended authorizations to RAM users.
  6. Click Password-free Logon.
    By default, the session is opened as the user named ecs-assist-user, as shown in the following figure.

Sample policies

After a RAM user is granted a policy that allows the StartTerminalSession operation, the RAM user can use session management to connect to instances. For information about how to create policies and attach policies to RAM users, see Create a custom policy and Grant permissions to a RAM user. The following examples show such policies:
  • The policy that allows a RAM user to connect to all instances
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:StartTerminalSession"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ],
        "Version": "1"
    }
  • The policy that allows a RAM user to connect to specified instances only
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:StartTerminalSession"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-****",
                    "acs:ecs:*:*:instance/i-****"
                ]
            }
        ],
        "Version": "1"
    }
    Note Replace each i-**** with the ID of an instance to which you want to connect.
  • The policy that allows a RAM user to connect only to instances that have a specified tag
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:StartTerminalSession"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ecs:tag/key-****": "value-****"
                    }
                }
            }
        ],
        "Version": "1"
    }
    Note Replace key-**** with the key of the specified tag and replace value-**** with the value of the specified tag.
  • The policy that allows a RAM user to connect to instances only from a specified IP address or CIDR block
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:StartTerminalSession"
                ],
                "Resource": "*",
                "Condition": {
                    "IpAddress": {
                        "acs:SourceIp": [
                            "192.168.XX.XX",
                            "192.168.XX.XX/24"
                        ]
                    }
                }
            }
        ],
        "Version": "1"
    }
    Note Replace 192.168.XX.XX with the specified IP address or replace 192.168.XX.XX/24 with the specified CIDR block.
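As an added example (not Alibaba Cloud's own code), the following Python script is a small offline model of how a RAM policy in the shape of the samples above is evaluated, so that a policy can be checked for least privilege before it is attached: that it grants ecs:StartTerminalSession only on the intended instance IDs, tag values and source addresses. The embedded policy and instance ID are constructed, and the matching rules (fnmatch wildcards, StringEquals, IpAddress, an explicit Deny overriding Allow) are an assumption that approximates RAM evaluation rather than the RAM engine itself.

```python
import fnmatch
import ipaddress

# Constructed policy (an assumption, shaped like the samples above): allow
# ecs:StartTerminalSession only on one instance ID and only from one CIDR block.
POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:StartTerminalSession"],
        "Resource": ["acs:ecs:*:*:instance/i-example0001"],
        "Condition": {"IpAddress": {"acs:SourceIp": ["192.168.1.0/24"]}}
    }],
    "Version": "1"
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(op, actual, values):
    if op == "StringEquals":
        return actual in values
    if op == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    return False  # unknown condition operator: fail closed

def _condition_ok(cond, ctx):
    # Every operator/key pair must hold (AND); the values under one key are OR.
    return all(key in ctx and _match(op, ctx[key], _as_list(vals))
               for op, keys in cond.items() for key, vals in keys.items())

def is_allowed(policy, action, resource, ctx=None):
    # True only if some Allow statement matches and no matching Deny exists.
    ctx = ctx or {}
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Run is_allowed against the resource string of each instance the RAM user should and should not reach; a policy that returns True for an instance outside the intended set is over-scoped.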