ec2-instance-connect on flatcar


Simone Sciarrati

Apr 11, 2024, 12:12:35 PM
to flatcar-l...@googlegroups.com
Hi everyone,

I am new to flatcar linux and evaluating it as the default OS for Kubernetes Clusters.

We'd like to be able to use ec2-instance-connect to ssh into our instances, but I haven't been able to find any info about how this could be accomplished in flatcar; the aws guides point at other distros and there's no install from source option - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-set-up.html.

Has anyone worked out a way to get this working? Any suggestion for alternative solutions? 

Thanks!

Simone

Jeremi Piotrowski

Apr 12, 2024, 10:24:18 AM
to Flatcar Container Linux User
Hi Simone,

There is some kind of source code here: https://github.com/aws/aws-ec2-instance-connect-config.

I don't know much about ec2, but I think an alternative is AWS Systems Manager Session Manager: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html.
We ship the ssm agent in Flatcar EC2 images, so it should work. Do you mind trying it out and reporting back?

Best wishes,
Jeremi

Simone Sciarrati

Apr 15, 2024, 5:06:11 AM
to Flatcar Container Linux User
Hi,

Thanks a lot for your answer. If I understand the AWS documentation correctly, ec2-instance-connect has the advantage of not requiring ssh key management on the node, while I think SSM somehow requires the keys to be present on the instance. Since we rotate our keys daily, we would have to introduce a way to rotate the corresponding keys/config on the target ec2 instances. With ec2-instance-connect it is possible to use the aws cli to connect and have it push a temporary public key to the ec2 instance metadata:

"When you connect to an instance using EC2 Instance Connect, the EC2 Instance Connect API pushes an SSH public key to the instance metadata where it remains for 60 seconds."

This seems very convenient and very secure, moving the control to users' IAM roles.

I had checked the github repo you mention; from what I can see it seems very simple to "install" - there are 3 shell scripts and one config file. I have managed to run flatcar locally via QEMU and tested how feasible it would be to get it working. I will do a more complete test with a real ec2 instance and try to add the files via butane config - I will report back.

Would the project be interested in adding ec2-instance-connect as an included feature in flatcar? It sounds like another good step towards security.

Please let me know. Thanks for your help.

Have a great weekend
Simone

Simone Sciarrati

Apr 16, 2024, 3:46:40 AM
to Flatcar Container Linux User
Hi,

Thanks a lot for your reply.

The advantage of using ec2-instance-connect is that when connecting using the aws cli the ssh keys are generated on the fly and the public part is pushed to the instance metadata for only 60 seconds while the connection is initialized. This reduces the need for key management and improves security (or pushes it to the IAM level).

I had looked into the source code you pointed out; it seems pretty simple to "install". I did some experiments locally on flatcar in QEMU but haven't had time to look into how I would achieve the same via butane on ec2. I will report back once I try.

In general, would the flatcar project be interested in including this feature as part of the Flatcar EC2 images?

Thanks for your help, have a great weekend
Simone

On Friday, April 12, 2024 at 4:24:18 PM UTC+2 jpiot...@microsoft.com wrote:
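As an added example (not from this thread, nor from the aws-ec2-instance-connect-config project), here is the shape of a Butane config that would ship the helper scripts described in the Apr 15 and Apr 16 posts and point sshd at them. The install path, download URL and hash are placeholders, and the service account name and the `sshd_config.d` include are assumptions to verify against your Flatcar release.

```yaml
variant: flatcar
version: 1.0.0
passwd:
  users:
    # Unprivileged account sshd switches to while it runs the key lookup.
    # The name is an assumption for this example; it is not a login user.
    - name: ec2-instance-connect
      system: true
      no_create_home: true
      shell: /usr/sbin/nologin
storage:
  files:
    # One entry per helper script from the aws-ec2-instance-connect-config
    # repository (the thread mentions three); only the entry point is shown.
    # EIC_SCRIPT_URL and EIC_SCRIPT_SHA512 are placeholders: pin the commit
    # you reviewed and its hash so Ignition refuses any other bytes.
    - path: /opt/aws/bin/eic_run_authorized_keys   # placeholder install path
      mode: 0755
      contents:
        source: https://EIC_SCRIPT_URL/eic_run_authorized_keys
        verification:
          hash: sha512-EIC_SCRIPT_SHA512
    # sshd drop-in: ask the helper for the caller's temporary key instead of
    # reading ~/.ssh/authorized_keys, so no long-lived key sits on the node.
    # Assumes Flatcar's /etc/ssh/sshd_config includes sshd_config.d/*.conf.
    - path: /etc/ssh/sshd_config.d/60-ec2-instance-connect.conf
      mode: 0600
      contents:
        inline: |
          # %u = user logging in, %f = fingerprint of the key being offered
          AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
          AuthorizedKeysCommandUser ec2-instance-connect
```

Transpile with `butane` to Ignition and check `journalctl -u sshd` on first boot: if the drop-in is not picked up, the AuthorizedKeysCommand never runs and logins fall back to local keys only.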