4

I have a working AWS Elastic Beanstalk instance with an attached RDS database and want to enable SSH from my development machine. What's the best way to do that? Specifically,

  • can I do it from the AWS Console and
  • will I be able to preserve all of my current EB settings and structure?

I tried `eb ssh --setup` but got an error

```
ERROR: Updating Auto Scaling launch configuration failed Reason: API: autoscaling:CreateLaunchConfiguration User: arn:aws:iam::123456789123:user/myiamusername is not authorized to perform: iam:PassRole on resource: arn:aws:iam:: 123456789123:role/aws-elasticbeanstalk-ec2-role
```

and am not sure how to proceed.

I guess I could add `iam:PassRole` to the user (if I could figure out which policy that corresponds to in the AWS Console's list of templates), or I could add a new user and switch to that for SSH setup and perhaps access (if I knew how to do that) or I could use my root user on the AWS console to add SSH support (if that's possible; but even if it is, I don't see how). I'm not sure which, if any of these, is the best approach; or how to accomplish any of them?

What's the best way to add SSH access to my existing AWS-EB instance?

Nick Humrich
orome
  • This is probably related to my [non-understanding for what the appropriate policies for a developer of an EB application are](http://stackoverflow.com/q/27830090/656912). – orome Jan 13 '15 at 17:05

2 Answers

4

Using the EB CLI to do `eb ssh --setup` is the most straightforward way. But it will require you to have permissions to pass roles and access EC2 security groups.

In order to add SSH to any environment, all you need to do is assign an SSH keypair to the environment. If you already have an EC2 keypair set up, then you can make this assignment using the Elastic Beanstalk Web console. Otherwise, you will have to create a keypair first.

Nick Humrich
  • How do I assign the user permissions to "pass roles" (and what is that)? – orome Jan 13 '15 at 19:54
  • `iam:PassRole` is a policy that allows you to assign Roles to instances. – Nick Humrich Jan 13 '15 at 19:58
  • Wouldn't it be better for someone who has all these abilities (like me as root) to set up SSH for the instance? Failing that, can I temporarily give the user who will be running `eb ssh --setup` what he needs to do so (and where do I do that in the console)? – orome Jan 13 '15 at 20:07
  • You can always do that if you would like. You can give users permission, including temporary permissions using IAM. Go to the IAM section in the AWS Console. – Nick Humrich Jan 13 '15 at 20:14
  • And what should I give them (in terms of templates)? – orome Jan 13 '15 at 20:17
  • And (again, sorry to be thick) wouldn't it be better for someone who has all these abilities (like me as root, in the Console) to set up SSH for the instance? The user really shouldn't acquire these abilities, even temporarily. – orome Jan 13 '15 at 20:23
  • Would [`ElasticBeanstalkFullAccess`](http://stackoverflow.com/a/27929291/656912) do the trick? (I've tried that but now get other errors: `ERROR: Updating Auto Scaling group failed Reason: Template error: DBInstance aaabbbcccdddeee doesn't exist`.) – orome Jan 13 '15 at 20:34
  • @raxacoricofallapatorius this question isn't about best practice or security policies, so I'm not going to begin to tell you best practice for permissions. – Nick Humrich Jan 13 '15 at 21:13
  • @raxacoricofallapatorius You might want to post your problem with the DBinstance doesn't exist on the AWS EB Forums. – Nick Humrich Jan 13 '15 at 21:18
  • Posted [there](https://forums.aws.amazon.com/thread.jspa?threadID=169344) (and [here](http://stackoverflow.com/q/27946927/656912)). – orome Jan 14 '15 at 15:55
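
The `iam:PassRole` denial from the question, turned into the narrowest policy that would clear it. This is an added example, not code from the question or either answer. The function names, the simplified `allows` check and the `iam:PassedToService` value (which assumes the role is an EC2 instance profile role) are assumptions.

```python
import fnmatch
import json
import re

# Error text as quoted in the question (including the space inside the role ARN).
SAMPLE_ERROR = (
    "ERROR: Updating Auto Scaling launch configuration failed Reason: API: "
    "autoscaling:CreateLaunchConfiguration User: "
    "arn:aws:iam::123456789123:user/myiamusername is not authorized to perform: "
    "iam:PassRole on resource: arn:aws:iam:: 123456789123:role/aws-elasticbeanstalk-ec2-role"
)
DENIED = re.compile(
    r"User:\s*(?P<principal>arn:\S+)\s+is not authorized to perform:\s*"
    r"(?P<action>[\w-]+:\w+)\s+on resource:\s*"
    r"(?P<resource>arn:[\w-]+:[\w-]+:[\w-]*:\s*\d*:\S+)"
)

def parse_denial(message):
    """Extract principal, action and resource from an 'is not authorized' error."""
    m = DENIED.search(message)
    if m is None:
        raise ValueError("no authorization failure found in message")
    # IAM ARNs never contain whitespace, so drop any that copy/paste introduced.
    return {k: re.sub(r"\s+", "", v) for k, v in m.groupdict().items()}

def minimal_policy(message):
    """Build a policy that allows only the denied action on the denied resource."""
    d = parse_denial(message)
    stmt = {"Effect": "Allow", "Action": d["action"], "Resource": d["resource"]}
    if d["action"] == "iam:PassRole":
        # Assumption: the role is an EC2 instance profile role, so it may only
        # be handed to the EC2 service and to nothing else.
        stmt["Condition"] = {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

def allows(policy, action, resource):
    """Simplified check: does an Allow statement match? Ignores Deny and Condition."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    for stmt in policy["Statement"]:
        acts = [a.lower() for a in as_list(stmt["Action"])]  # action names are case-insensitive
        if (stmt["Effect"] == "Allow"
                and any(fnmatch.fnmatchcase(action.lower(), a) for a in acts)
                and any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt["Resource"]))):
            return True
    return False

if __name__ == "__main__":
    print(json.dumps(minimal_policy(SAMPLE_ERROR), indent=2))
```

The same `allows` helper can be pointed at a broader candidate policy to see how much more than the one denied call it would grant.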
1

To add ssh to your EB instances, first make sure you know which policy it currently uses. In your EB web console, go to the environment and then Configuration and then Instances. You'll see the Instance profile name there.
Now go to your IAM console and locate that role. Here's the policy I have there, which allows me to add SSH to the environment:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:Describe*",
        "cloudwatch:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

Tal
  • That (and some other approaches too) seem to get me going; but then I have [an error](http://stackoverflow.com/q/27946927/656912) that I don't understand how to get past. – orome Jan 14 '15 at 22:08