Hi,
Thanks a lot for your answer. If I understand the AWS documentation correctly, ec2-instance-connect has the advantage of not requiring SSH key management on the node, while I think SSM somehow requires the keys to be present on the instance. Since we rotate our keys daily, we would have to introduce a way to rotate the corresponding keys/config on the target EC2 instances. With ec2-instance-connect it is possible to use the AWS CLI to connect and have it push a temporary public key to the EC2 instance metadata:
"When you connect to an instance using EC2 Instance Connect, the EC2 Instance Connect API pushes an SSH public key to the instance metadata where it remains for 60 seconds."
This seems very convenient and very secure, moving the control to users' IAM roles.
I had checked the GitHub repo you mention; from what I can see it seems very simple to "install" - there are 3 shell scripts and one config file. I have managed to run Flatcar locally via QEMU and tested how feasible it would be to get it working. I will do a more complete test with a real EC2 instance and try adding the files via a Butane config - I will report back.
Would the project be interested in adding ec2-instance-connect as an included feature in Flatcar? It sounds like another good step towards security.
Please let me know. Thanks for your help.
Have a great weekend
Simone
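As an added illustration (not from this thread or the Flatcar project) of what the Butane config for that test could look like: it creates the unprivileged user that sshd runs the lookup as, fetches the helper scripts at first boot, and adds the sshd drop-in that points AuthorizedKeysCommand at them. The script names and raw URLs, the /etc/ssh/sshd_config.d drop-in path, the /sbin/nologin shell and the `ec2-instance-connect` user name are my assumptions taken from the upstream repo layout and must be checked against it; the hash values are placeholders where the digests of the reviewed scripts get pinned so Ignition refuses anything else.

```yaml
# Added example, not upstream code. Butane config for Flatcar (variant/version
# per the Flatcar Butane docs); all paths and URLs below are assumptions.
variant: flatcar
version: 1.0.0
passwd:
  users:
    # Unprivileged account sshd switches to when running AuthorizedKeysCommand
    - name: ec2-instance-connect
      system: true
      no_create_home: true
      shell: /sbin/nologin
storage:
  directories:
    - path: /opt/aws/bin
      mode: 0755
  files:
    # The three helper scripts (assumed names/URLs from the upstream repo).
    # Ignition verifies each download against the pinned sha512 before writing.
    - path: /opt/aws/bin/eic_run_authorized_keys
      mode: 0755
      contents:
        source: https://raw.githubusercontent.com/aws/aws-ec2-instance-connect-config/master/src/bin/eic_run_authorized_keys
        verification:
          hash: sha512-PLACEHOLDER_PIN_DIGEST_OF_REVIEWED_SCRIPT
    - path: /opt/aws/bin/eic_curl_authorized_keys
      mode: 0755
      contents:
        source: https://raw.githubusercontent.com/aws/aws-ec2-instance-connect-config/master/src/bin/eic_curl_authorized_keys
        verification:
          hash: sha512-PLACEHOLDER_PIN_DIGEST_OF_REVIEWED_SCRIPT
    - path: /opt/aws/bin/eic_parse_authorized_keys
      mode: 0755
      contents:
        source: https://raw.githubusercontent.com/aws/aws-ec2-instance-connect-config/master/src/bin/eic_parse_authorized_keys
        verification:
          hash: sha512-PLACEHOLDER_PIN_DIGEST_OF_REVIEWED_SCRIPT
    # sshd drop-in: ask the helper for the 60-second key pushed via the
    # EC2 Instance Connect API instead of a static authorized_keys file.
    - path: /etc/ssh/sshd_config.d/60-ec2-instance-connect.conf
      mode: 0644
      contents:
        inline: |
          AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
          AuthorizedKeysCommandUser ec2-instance-connect
```

After transpiling with butane and booting, `sshd -T | grep -i authorizedkeyscommand` on the instance confirms the drop-in was picked up, and a connect attempt from a principal whose IAM policy lacks `ec2-instance-connect:SendSSHPublicKey` should be refused before any key reaches the metadata.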