[AWS]use aws session manage in your on-premise server
@ GordonWei · Tuesday, Jul 7, 2020 · 2 minute read · Update at Jul 7, 2020

If you want use aws ssm manager your on-premise vm or server.

You can follow these steps.

Step 1 : Add IAM Role

create SSM.json file for ssm service

{
            "Version": "2012-10-17",
            "Statement": {
                "Effect": "Allow",
                "Principal": {"Service": "ssm.amazonaws.com"},
                "Action": "sts:AssumeRole"
            }
            }

add role

aws iam create-role --role-name SsmForOnPremise --assume-role-policy-document file://SSM.json 

attach role policy

aws iam attach-role-policy --role-name SsmForOnPremise --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

create hybrid-activation

aws ssm create-activation --default-instance-name wei-home-server --iam-role SSMForOnPremise --registration-limit 20 --region us-east-1

will result

------------------------------------------------------------------
|                        CreateActivation                        |
+-----------------------+----------------------------------------+
|    ActivationCode     |             ActivationId               |
+-----------------------+----------------------------------------+
|  YourActivationCode   |  YourActivationID                      |
+-----------------------+----------------------------------------+

ssh to your on-premise vm/machine

get ssm agent package and install it

must change Region to your region

wget https://s3.Region.amazonaws.com/amazon-ssm-Region/latest/debian_amd64/amazon-ssm-agent.deb

sudo dpkg -i amazon-ssm-agent-deb

after installed, stop service and register vm to system manager

service amazon-ssm-agent stop
amazon-ssm-agent -register -code "YourActivationCode" -id "YourActivationID" -region Region

go back to aws ssm console

in hybrid activations

in session manager console

using aws cli

aws ssm describe-instance-information --region YourRegion

----------------------------------------------------------------
|                  DescribeInstanceInformation                 |
+--------------------------------------------------------------+
||                   InstanceInformationList                  ||
|+-------------------+----------------------------------------+|
||  ActivationId     |  YourActivationID                      ||
||  AgentVersion     |  2.3.1319.0                            ||
||  ComputerName     |  YourOnPremiseVMName                   ||
||  IPAddress        |  YourPrivateIP                         ||
||  IamRole          |  SSMForOnPremise                       ||
||  InstanceId       |  YourInstanceID                        ||
||  IsLatestVersion  |  True                                  ||
||  LastPingDateTime |  1593409185.939                        ||
||  Name             |  gordon-server                         ||
||  PingStatus       |  Online                                ||
||  PlatformName     |  Ubuntu                                ||
||  PlatformType     |  Linux                                 ||
||  PlatformVersion  |  18.04                                 ||
||  RegistrationDate |  1593403332.991                        ||
||  ResourceType     |  ManagedInstance                       ||
|+-------------------+----------------------------------------+|

then use aws ssm start-session to connect

aws ssm start-session --target YourInstanceID --region Yourregion

Ref: AWS System Manager Doc

P.S: Doc step 3 Install a TLS certificate on on-premises servers and VMs.

If you OS very very old, maybe you need install CAs in your OS.Ref: How to Prepare for AWS’s Move to Its Own Certificate Authority.

Thanks AWS Hero Scott Liao!

comments powered by Disqus

GordonWei's blog

4g-dongle 4g-lte 518 active-directory activity ad alcatel always-free amd-apu apache arm associate aws aws-cdk aws-certified aws-cli aws-efs aws-lex aws-nuke aws-s3 aws-saa aws-security aws-ssm aws-sso bind bind-view blog brew build-image catalina centos-7 centos7 cfn-flip change-swap chatbot clean-cache clean-resources cloudfront cups deeplearning delete-sns developer directory-service dlink-dcs930l docker docker-compose docker-error domain dvac01 ec2 ec2-mount-efs ec2-ssm error export-ovf fail2ban fat32-to-ntfs freeradius gcloud gcp gcp-change-account git git-error github github-error google-adsens google-cloud-platform grub hh41 homebridge homekit homekit-ui http https huawei-e3372 hugo hugo-blog hugo-post ios ios-run-python iphone-backup ipv6-apt iso-to-usb job-bank json json-dumps keras lambda latin ldap ldap3 letsencrypt likecoin linux linux-vnc lte-dongle mac mac-backup mail-server mi-home migration ms-ad multiple-account mysql mysql-error mysql-federated netapp npm npm-upgrade ntfs ntp-server oai on-premise openvpn openwebmail oracle-cloud orange-pi peering permission-deny pip-error pip-install printer python python-access-ad python-ftp python2 python3 radius radius-mysql radius3.0 raspberry-pi raspberry-pi-zero reset-password resize-img resize-sd-partition root router rpi-camera s3 s3-error s3-policy samba samba-error scs-c01 security selinux session-manage sns solution-architect-associate ssl ssm sysops system-manager systems-manager table-sync time-machine time_wait timezone tls typeerror ubuntu ubuntu-18.04 ubuntu16.04 uniout update-error usb usb-install vmware-player volume-lock vpc vpn vpn-server web-server win10 windows xiaomi yaml zimbra 廣告 永久免費 無法更新索引 燒光碟 自動搶 阿爾卡特
aws
gcp
iot
mac
oci

© 2020 GordonWei's Blog

Powered by Hugo with theme Dream.

Experience

2020 - Now / 趣遊科技 - 資深SRE工程師

2019 - 2020 / 104人力銀行 - DevOps 工程師

2018 - 2019 / 104人力銀行 - Net 工程師

2016 - 2018 / 全林實業股份有限公司 - 系統部協理

2015 – 2016 / 恩據優資訊工作室 – 負責人

2014 – 2015 / 安盟科技股份有限公司 – 資深IT工程師

2013 – 2014 / 上海鷺豐農業科技有限公司 – 系統工程師

2010 – 2012 / 104 人力銀行 – 維護工程師

2008 - 2009 / 典匠資訊 – MIS

Projects

  • 2019/09 - now 104人力銀行 - AWS Account 回收暨IaC專案
  • 2018/10 - 2018/12 104人力銀行 - DR Site 協助建置
  • 2018/03 - 2018/05 全林實業 - 工研院人臉辨識與使用者行為分析專案
  • 2018/04 - 2018/05 全林實業 - 嘉義公車站無線網路專案
  • 2017/06 - 2018/05 全林實業 - 新加坡無線網路專案
  • 2017/05 - 2018/05 全林實業 - 捷運無線網路專案
  • 2017/01 - 2017/04 全林實業 - 弋楊科技遊覽車專案
  • 2016/12 - 2017/04 全林實業 - 亞太好行網重構、建置
  • 2016/12 - 2017/02 全林實業 - 愛巴士無線網路專案
  • 2016/11 - 2017/01 全林實業 - 泰國Free AD Wifi專案
  • 2016/10 - 2016/12 全林實業 - 桃園客運無線網路專案
  • 2016/09 - 2016/12 全林實業 - 怡客咖啡廳無線網路專案
  • 2016/07 - 2017/07 全林實業 - 主要系統規劃、重構與建置
  • 2014/09 - 2015/04 安盟科技 - 機房架構規劃rebuild / CRM系統開發客製
  • 2013/07 – 2014/07 上海鷺豐農業科技 - 研發農業環境監控系統(Arduino)
  • 2011/11 – 2012/06 104人力銀行 - 協助導入虛擬化技術專案 (Citrix Xen Server、Desktop)

About

GordonWei

小弟是一位沒錢又沒閒的普通人, 只能靠自學以及不斷的實作來吸取經驗。

希望可以把自己的經驗留存下來,讓彼此的能力更進一步!!

認證