{"id":21870180,"url":"https://github.com/qoomon/aws-ssm-ssh-proxy-command","last_synced_at":"2025-05-16T12:05:14.961Z","repository":{"id":44879955,"uuid":"270008031","full_name":"qoomon/aws-ssm-ssh-proxy-command","owner":"qoomon","description":"AWS SSM SSH Proxy Command","archived":false,"fork":false,"pushed_at":"2025-04-09T11:09:37.000Z","size":124,"stargazers_count":241,"open_issues_count":1,"forks_count":75,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-04-12T06:14:44.952Z","etag":null,"topics":["aws","aws-cli","aws-ssm","ec2","managed-instance","proxy-command","security","ssh","ssh-proxy-command"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/qoomon.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-06-06T14:35:52.000Z","updated_at":"2025-04-09T12:20:27.000Z","dependencies_parsed_at":"2024-08-22T17:11:31.840Z","dependency_job_id":"3ea454a0-2314-4228-9e8e-d8270b996aaf","html_url":"https://github.com/qoomon/aws-ssm-ssh-proxy-command","commit_stats":null,"previous_names":["qoomon/aws-ssm-ssh-proxy-command"],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qoomon%2Faws-ssm-ssh-proxy-command","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qoomon%2Faws-ssm-ssh-proxy-command/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qoomon%2Faws-ssm-ssh-proxy-command/releases","manifests_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/repositories/qoomon%2Faws-ssm-ssh-proxy-command/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/qoomon","download_url":"https://codeload.github.com/qoomon/aws-ssm-ssh-proxy-command/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248525138,"owners_count":21118619,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-cli","aws-ssm","ec2","managed-instance","proxy-command","security","ssh","ssh-proxy-command"],"created_at":"2024-11-28T06:10:34.880Z","updated_at":"2025-04-12T06:14:55.103Z","avatar_url":"https://github.com/qoomon.png","language":"Shell","readme":"# aws-ssm-ssh-proxy-command [![starline](https://starlines.qoo.monster/assets/qoomon/aws-ssm-ssh-proxy-command)](https://github.com/qoomon/starlines)\n\nOpen an SSH connection to your AWS SSM connected instances without the need to open any SSH port in your security groups.\n\n\u003e [!Tip]\n\u003e If you only need to connect to AWS EC2 instances you could use the `ec2-instance-connect` variant of this proxy command.\n\u003e This variant allows you to manage which IAM identity can connect to which OS user on the target instance.\n\u003e See [EC2 Only Variant](#ec2-only-variant)\n\n## Prerequisites\n- Local Setup\n  - Install AWS CLI\n    - [AWS Docs](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html#getting-started-install-instructions)\n    - **MacOS** `brew install awscli`  \n  - Install AWS CLI Session Manager Plugin\n    - [AWS 
Docs](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html)\n    - **MacOS** `brew install session-manager-plugin` \n  - Install the SSM SSH Proxy Command Script\n    - **Linux \u0026 MacOS**\n      - Copy [aws-ssm-ssh-proxy-command.sh](aws-ssm-ssh-proxy-command.sh) into `~/.ssh/aws-ssm-ssh-proxy-command.sh`\n      - Ensure it is executable (`chmod +x ~/.ssh/aws-ssm-ssh-proxy-command.sh`)\n    - **Windows**\n      - Copy [aws-ssm-ssh-proxy-command.ps1](aws-ssm-ssh-proxy-command.ps1) into `~/.ssh/aws-ssm-ssh-proxy-command.ps1`\n      - Ensure you are allowed to execute PowerShell scripts (see [Set-ExecutionPolicy](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy) command)\n  - `recommended` Set up SSH Config\n    - Add an SSH config entry for AWS instances to your `~/.ssh/config`. \n      - **Linux \u0026 MacOS**\n        ```ssh-config\n        host i-* mi-*\n          IdentityFile ~/.ssh/id_ed25519\n          ProxyCommand ~/.ssh/aws-ssm-ssh-proxy-command.sh %h %r %p ~/.ssh/id_ed25519.pub\n          StrictHostKeyChecking no\n        host \u003cYOUR_INSTANCE_NAME_PREFIX_OR_SUFFIX_OR_BEST_MATCH\u003e\n          IdentityFile ~/.ssh/id_ed25519\n          ProxyCommand ~/.ssh/aws-ssm-ssh-proxy-command.sh %h %r %p ~/.ssh/id_ed25519.pub\n          StrictHostKeyChecking no\n        ```\n      - **Windows**\n        ```ssh-config\n        host i-* mi-*\n          IdentityFile ~/.ssh/id_ed25519\n          ProxyCommand powershell.exe ~/.ssh/aws-ssm-ssh-proxy-command.ps1 %h %r %p ~/.ssh/id_ed25519.pub\n          StrictHostKeyChecking no\n        host \u003cYOUR_INSTANCE_NAME_PREFIX_OR_SUFFIX_OR_BEST_MATCH\u003e\n          IdentityFile ~/.ssh/id_ed25519\n          ProxyCommand powershell.exe ~/.ssh/aws-ssm-ssh-proxy-command.ps1 %h %r %p ~/.ssh/id_ed25519.pub\n          StrictHostKeyChecking no\n        ```\n    - Adjust `IdentityFile` and the corresponding public key (last argument of 
`ProxyCommand`) if needed.\n    \n- AWS IAM Setup    \n  - Ensure IAM Permissions for Your IAM Identity\n    - [IAM Policy Template](aws-ssm-ssh-iam-policy.json)\n      - `ssm:StartSession` for DocumentName: `AWS-StartSSHSession` and Target Instance\n        - [AWS Documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-examples.html)\n      - `ssm:SendCommand` for DocumentName: `AWS-RunShellScript` and Target Instance\n        - [AWS Documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-rc-setting-up.html)\n\n- Target Instance Setup\n    - Ensure IAM Permissions for SSM Agent\n      - [AWS Docs](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up.html)\n      - For EC2 Instances use [Instance Profiles](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-permissions.html)\n    - Install SSM Agent on Linux Instances\n      - Already preinstalled on all AWS Linux AMIs\n      - [AWS Docs - Linux](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-managed-linux.html)\n      - [AWS Docs - Windows](https://docs.aws.amazon.com/systems-manager/latest/userguide/hybrid-multicloud-ssm-agent-install-windows.html)\n\n## Usage\n- Ensure AWS CLI environment variables are set properly \n  - **Linux \u0026 MacOS** `export AWS_PROFILE=...` or `AWS_PROFILE=... ssh...`\n  - **Windows** `$env:AWS_PROFILE = ...` or `$env:AWS_PROFILE = ...; ssh.exe...`\n- Open SSH Connection to AWS SSM connected instance\n  - **Linux \u0026 MacOS with InstanceId** `ssh \u003cINSTANCE_USER\u003e@\u003cINSTANCE_ID\u003e` e.g. `ssh ec2-user@i-1234567890`\n  - **Linux \u0026 MacOS with InstanceName** `ssh \u003cINSTANCE_USER\u003e@\u003cINSTANCE_NAME\u003e` e.g. `ssh ec2-user@aws-ec2-custom-name-instance`\n  - **Windows with InstanceId** `ssh.exe \u003cINSTANCE_USER\u003e@\u003cINSTANCE_ID\u003e` e.g. 
`ssh.exe ec2-user@i-1234567890`\n    - ⚠️ Unfortunately, on Windows it is not possible to show output while running ProxyCommand; script output is interpreted as an SSH banner, which is available with SSH verbose options.\n  - **Windows with InstanceName** `ssh.exe \u003cINSTANCE_USER\u003e@\u003cINSTANCE_NAME\u003e` e.g. `ssh.exe ec2-user@aws-ec2-custom-name-instance`\n    - ⚠️ Unfortunately, on Windows it is not possible to show output while running ProxyCommand; script output is interpreted as an SSH banner, which is available with SSH verbose options.\n- [EC2 Instances Only] If the default region does not match the instance region, you need to provide it as part of the hostname\n  - `\u003cINSTANCE_USER\u003e@\u003cINSTANCE_ID\u003e--\u003cINSTANCE_REGION\u003e`\n  - e.g. `ec2-user@i-1234567890--eu-central-1`\n  \n#### Usage without SSH Config\nIf you have not set up an SSH Config you can use the following ssh command options to use this proxy command.\n- **Linux \u0026 MacOS** `ssh -i \"~/.ssh/id_ed25519\" -o ProxyCommand=\"~/.ssh/aws-ssm-ssh-proxy-command.sh %h %r %p ~/.ssh/id_ed25519.pub\" ...`\n- **Windows** `ssh.exe -i \"~/.ssh/id_ed25519\" -o ProxyCommand=\"powershell.exe ~/.ssh/aws-ssm-ssh-proxy-command.ps1 %h %r %p ~/.ssh/id_ed25519.pub\" ...`\n\n## EC2 Only Variant\nIf you only want to connect to EC2 instances you can make use of the EC2 Instance Connect `SendSSHPublicKey` command as a drop-in replacement for the SSM `SendCommand` to temporarily add your public key to the target instance.\n\nThe advantage of this variant is that you don't need to grant `ssm:SendCommand` to users, and thereby the permission to execute everything as `ssm-user` or `root`.\nInstead you grant the `ec2-instance-connect:SendSSHPublicKey` permission and optionally restrict it to a specific OS user e.g. 
`ec2-user`.\n\nTo do so just use **Proxy Command Script** and **IAM Policy Template** from the [ec2-instance-connect folder](ec2-instance-connect) instead.\n- Proxy Command Script\n  - **Linux \u0026 MacOS** [aws-ssm-ssh-proxy-command.sh](ec2-instance-connect/aws-ssm-ssh-proxy-command.sh)\n  - **Windows** [aws-ssm-ssh-proxy-command.ps1](ec2-instance-connect/aws-ssm-ssh-proxy-command.ps1)\n- [IAM Policy Template](ec2-instance-connect/aws-ssm-ssh-iam-policy.json)\n  - `ssm:StartSession` for DocumentName: `AWS-StartSSHSession` and Target Instance\n    - [AWS Documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-examples.html)\n  - `ec2-instance-connect:SendSSHPublicKey`\n    - [AWS Documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-rc-setting-up.html)\n    - You may need to adjust `ec2:osuser` to match your needs. Default is `ec2-user`\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqoomon%2Faws-ssm-ssh-proxy-command","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fqoomon%2Faws-ssm-ssh-proxy-command","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqoomon%2Faws-ssm-ssh-proxy-command/lists"}