{"id":22477176,"url":"https://github.com/base2services/bastion-cli","last_synced_at":"2026-03-05T09:03:33.842Z","repository":{"id":44650691,"uuid":"379840969","full_name":"base2Services/bastion-cli","owner":"base2Services","description":"Launch or connect to an existing Linux or Windows bastion easily and quickly using AWS session manager","archived":false,"fork":false,"pushed_at":"2025-03-19T23:43:31.000Z","size":98,"stargazers_count":5,"open_issues_count":3,"forks_count":3,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-06-29T00:48:56.126Z","etag":null,"topics":["aws","aws-ssm","bastion"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/base2Services.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-06-24T07:30:09.000Z","updated_at":"2025-03-19T22:36:33.000Z","dependencies_parsed_at":"2025-01-16T02:20:46.675Z","dependency_job_id":"d8d3ef2b-d6b2-4f70-a8fe-cd96f15524a0","html_url":"https://github.com/base2Services/bastion-cli","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"purl":"pkg:github/base2Services/bastion-cli","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/base2Services%2Fbastion-cli","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/base2Services%2Fbastion-cli/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/base2Services%2Fbastion-cli/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/h
osts/GitHub/repositories/base2Services%2Fbastion-cli/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/base2Services","download_url":"https://codeload.github.com/base2Services/bastion-cli/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/base2Services%2Fbastion-cli/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30117490,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-05T08:19:04.902Z","status":"ssl_error","status_checked_at":"2026-03-05T08:17:37.148Z","response_time":93,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-ssm","bastion"],"created_at":"2024-12-06T14:09:45.313Z","updated_at":"2026-03-05T09:03:32.797Z","avatar_url":"https://github.com/base2Services.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Bastion CLI\n\nCreates and manages a temporary on-demand bastion EC2 instance and connects to it using the AWS session manager for Amazon linux and Windows operating systems.\n\n**Supported Operating Systems**\n\n| Operating System | Supported\n| --- | ---\n| Mac | Yes\n| windows | Yes\n| Linux | Yes\n\n* [About Bastion CLI](#About-Bastion-CLI)\n    * [Bastion Session Id](#Bastion-Session-Id)\n    * [Instance Management](#Instance-Management)\n    * [Spot 
Instances](#Spot-Instances)\n    * [Tagging](#Tagging)\n    * [IAM Permissions](#IAM-Permissions)\n* [Getting Started](#Getting-Started)\n    * [Requirements](#Requirements)\n    * [Installation](#Installation)\n    * [Help](#Help)\n* [Launching a Bastion](#Launching-a-Bastion)\n    * [Amazon Linux](#Amazon-Linux)\n        * [Expiry](#Expiry)\n        * [SSH Sessions](#SSH-Sessions)\n        * [SSH Tunnels](#SSH-Tunnels)\n        * [Attaching a EFS Mount](#Attaching-a-EFS-Mount)\n        * [Attaching EFS Access Points](#Attaching-EFS-Access-Points)\n    * [Windows](#Windows)\n        * [RDP](#RDP)\n* [Connecting to Existing Instances](#Connecting-to-Existing-Instances)\n* [Remote Port Forwarding](#Remote-Port-Forwarding)\n* [Terminating an Instance](#Terminating-an-Instance)\n* [Cancel Expiry of Bastion](#Cancel-Expiry-of-Bastion)\n\n\n## About Bastion CLI\n\nYou can launch a new Linux or Windows EC2 bastion instance and create a connection using Amazon Session Manager, SSH or RDP.\n\n### Bastion Session Id\n\nEach new bastion instance launched is assigned a session id. This session id can be used to connect back to an existing bastion instance, terminate a bastion instance or find the instance through the AWS console or CLI.\n\n### Instance Management\n\nBy default, bastion instances are designed to be ephemeral: instances automatically terminate when sessions end, and Linux instances terminate after a period of time if they are still running. 
These behaviors can be disabled when launching a bastion instance; however, manual termination is then required to clean up the resources and avoid unexpected costs.\n\n### Spot Instances\n\nBy default, Bastion CLI launches EC2 instances with spot pricing to save on costs; however, this can be set to on-demand if a more critical bastion is required.\n\n### Tagging\n\nThe bastions are tagged with the following tags:\n\n| Key | Value\n| --- | ---\n| Name | bastion-[session-id]\n| bastion:session-id | [session-id]\n| bastion:launched-by | IAM user identity of the bastion launcher\n\n### IAM Permissions\n\nAWS Session Manager requires IAM permissions to start a session on an EC2 host. Bastion CLI will create an IAM policy, role and instance profile for all bastion instances in an AWS account. The resources are all created using the name `BastionCliSessionManager`.\n\nThe policy contains the following allowed actions:\n\n```json\n{\n    \"Effect\": \"Allow\",\n    \"Action\": [\n        \"ec2messages:GetMessages\",\n        \"ssm:ListAssociations\",\n        \"ssm:ListInstanceAssociations\",\n        \"ssm:UpdateInstanceInformation\",\n        \"ssmmessages:CreateDataChannel\",\n        \"ssmmessages:OpenDataChannel\",\n        \"ssmmessages:OpenControlChannel\",\n        \"ssmmessages:CreateControlChannel\"\n    ],\n    \"Resource\": \"*\"\n}\n```\n\n\n## Getting Started\n\n### Requirements\n\n* The [AWS Session Manager plugin](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html) must be installed\n* An RDP client installed\n    * MacOS - [Microsoft Remote Desktop](https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-mac)\n    * Windows - [mstsc](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc)\n    * Linux - Opening an RDP client is not supported yet\n\n### Installation\n\nInstall the binary by downloading from the latest 
[releases](https://github.com/base2Services/bastion-cli/releases) and copy it to a directory on your $PATH.\n\n### Help\n\nUse the help flag to see all available commands and options.\n\n```sh\nbastion --help\nbastion [command] --help\n```\n\n\n## Launching a Bastion\n\n### Amazon Linux\n\nTo launch a new bastion, run the `launch` command. Make sure you select a subnet that has outbound internet access or access to an [SSM VPC endpoint](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html).\n\n```sh\nbastion launch\n```\n\n#### Expiry\n\nBy default, Bastion Amazon Linux instances will self-terminate after 2 hours. You can extend this period or disable the expiry when launching an instance.\n\nTo extend the expiry period, provide the `--expire-after` flag with the number of minutes after which the instance should expire.\n\n```sh\nbastion launch --expire-after 300\n```\n\nTo disable the expiry, provide the `--no-expire` boolean flag.\n\n```sh\nbastion launch --no-expire\n```\n\nTo disable automatic termination of the bastion instance, provide the `--no-terminate` flag.\n\n```sh\nbastion launch --no-terminate\n```\n\n\n#### SSH Sessions\n\nBastion CLI supports starting an SSH session through AWS Session Manager. A public key is required on the bastion instance for the session to connect.\n\n```sh\nbastion launch --ssh --ssh-key ~/.ssh/id_rsa.pub\n```\n\n#### SSH Tunnels\n\nBastion CLI supports starting an SSH tunnel session through AWS Session Manager. 
A public key is required on the bastion instance for the session to connect.\nUse the `--ssh-opts` flag to provide the SSH tunnel option `-L local-port:destination-address:destination-port`.\n\n```sh\nbastion launch --ssh --ssh-key ~/.ssh/id_rsa.pub --ssh-opts '-L 3306:db.internal.example.com:3306'\n```\n\n#### Attaching a EFS Mount\n\nBastion CLI can mount an EFS file system so when your session starts you can get straight into your EFS data!\n\n```sh\nbastion launch --efs fs-123456789\n```\n\nThe volume is mounted in the `/efs` directory.\n\n#### Attaching EFS Access Points\n\nBastion CLI can also mount any number of Access Points for an EFS file system.\nProvide the `--efs` flag to specify your file system id, and the `--access-points` flag with a comma-delimited string of access point ids for the given file system.\n\n```sh\nbastion launch --efs fs-123456789 --access-points fsap-12345678900000000,fsap-12345678900000001\n```\n\nEach access point specified will be mounted in a directory in `/efs` with its id value (e.g. `/efs/fsap-12345678900000000`).\n\n### Windows\n\nTo launch a new bastion, run the `launch-windows` command. 
Make sure you select a subnet that has outbound internet access or access to an [SSM VPC endpoint](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html).\n\n```sh\nbastion launch-windows\n```\n\n#### RDP\n\nBastion CLI supports creating RDP sessions and opening up your remote desktop client by creating a tunnel through Amazon Session Manager.\n\n```sh\nbastion launch-windows --rdp\n```\n\nOnce the tunnel is open, the Bastion CLI will start your remote desktop client and place the Windows Administrator password in your clipboard for you to paste into the login form.\n\n**Linux Users:** Opening the RDP client is not yet supported on Linux. The port will be printed to the console, and you can then manually launch your RDP client and connect to localhost:PORT as the Administrator user.\n\n\n## Connecting to Existing Instances\n\nYou can connect to any existing EC2 instance that has the Amazon Session Manager agent running and an IAM role attached.\n\n```sh\nbastion start-session\n```\n\nThis will discover all available EC2 instances that can be connected to. You can also use this to connect to SSH and RDP sessions.\n\n## Remote Port Forwarding\n\nBastion provides the user the capability to remote port forward to an instance via a configurable bastion instance. 
The feature provides built-in support for connecting to RDS instances; the ability to connect to other instance types such as EC2 exists via the ‘–remote host’ flag.\n\nThe command to create a remote port forward session is as follows.\n\n```sh\nbastion port-forward --remote-port 5432 --region ap-southeast-2\n```\n\nA detailed walkthrough of creating the session can be found [here](https://releases.prod.tools.aws.base2.services/posts/bastion-cli-portforwarding/bastion-cli-port-forwarding.html).\n\n## Terminating an Instance\n\nTo manually terminate a bastion instance:\n\n```sh\nbastion terminate --session-id \u003csession-id\u003e\n```\n\nThis will clean up any additional resources that may have been created when launching the bastion instance.\n\n## Cancel Expiry of Bastion\n\nBy default, Linux bastions expire 120 minutes after launch. If you've launched your bastion and wish to cancel the expiry, you can do so by cancelling the scheduled halt operation with the `atrm` command as the root user.\n\n```sh\natrm 1\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbase2services%2Fbastion-cli","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbase2services%2Fbastion-cli","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbase2services%2Fbastion-cli/lists"}