
Handling SSH Keys for Multiple Users on Terraform-managed AWS EC2 SSH Bastion Instance

I have a stack of AWS infrastructure managed with Terraform. There is an EC2 SSH Bastion instance used by multiple users to access private ephemeral EC2 instances that are used for a variety of batch processing tasks.

Terraform provides a mechanism to include a single SSH key to an EC2 instance on creation, however I am trying to find a solution, preferably but not necessarily Terraform-based, that would allow the management of multiple users for the SSH Bastion.

Is there a solution allowing the SSH Bastion to use the SSH keys associated with IAM users such that when (for example) bob attempts to SSH to the Bastion, the Bastion can use the public key associated with bob should bob belong to the correct group, have the correct permission, have the right tag, or some other identifying feature?

And if the above question implies the wrong approach to the problem, is there a better way to look at and solve the problem?

Thank you in advance.

If I understand this right, you are asking two questions here:

Q1. Is there a way to automatically add users to a bastion and set their ssh credentials?

Yes, you can do that with a user data script that runs at EC2 creation time.

The script should add the users. Assuming you run Linux on your bastion server, the snippet to add users would be something like

# create the account and a private ~/.ssh directory
useradd -m -s /bin/bash <username>
mkdir /home/<username>/.ssh
chmod 700 /home/<username>/.ssh/

Copy the SSH key from a pre-determined location. In my case I have SSH public keys for users in an S3 bucket (hey, they are public keys):

# the instance profile needs read access to the bucket prefix
aws s3 cp s3://path/pub-keys/user-id_rsa.pub /home/<username>/.ssh/authorized_keys

# sshd (StrictModes) refuses keys that are group- or world-writable
chmod 640 /home/<username>/.ssh/authorized_keys
chown -R <username>:<group> /home/<username>/.ssh/

Add the user to some group:

usermod -a -G <somegroup> <username>

Q2. Can AWS IAM credentials be used for SSH as some sort of single sign-on? For this I'd recommend reading the documentation below, as there are several things involved, including the distribution you are using. But I am not sure this is a good solution for the scenario you described.

https://aws.amazon.com/blogs/compute/new-using-amazon-ec2-instance-connect-for-ssh-access-to-your-ec2-instances/

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-methods.html
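The user data procedure from the answer above (create account, pull the public key from S3, set permissions, add to a group), carried through as one complete script. This is an added example and not code from the original answer; Terraform would pass it as the instance's `user_data` and the instance profile must allow `s3:GetObject` on the key prefix. The bucket name, the `<username>.pub` object naming, the `bastion-users` group, the `/etc/bastion/users` list (assumed to be written by cloud-init) and the `valid_pubkey`/`provision_user` helper names are all assumptions, not anything the page states. Beyond the answer's snippet it validates each downloaded object before it becomes an `authorized_keys` file and restricts sshd logins to the group, so an account with a bad or missing key cannot log in at all.

```shell
#!/bin/bash
# Added example (not from the original answer): cloud-init user-data script
# that provisions bastion users from public keys stored in S3.
# Assumed placeholders: bucket/prefix, "<username>.pub" naming, group name,
# user-list path. Runs as root under cloud-init.
set -eu
umask 077

KEY_BUCKET="${KEY_BUCKET:-s3://example-bastion-keys/pub-keys}"  # assumed bucket
SSH_GROUP="${SSH_GROUP:-bastion-users}"                          # assumed group
HOME_ROOT="${HOME_ROOT:-/home}"
USER_LIST="${USER_LIST:-/etc/bastion/users}"        # one username per line (assumed)
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Usernames come from an S3/cloud-init controlled file: only allow the
# conservative POSIX set so nothing odd reaches useradd or a path.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*|-*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Accept exactly one OpenSSH public-key line. The anchor at the key type
# rejects option prefixes (command=, environment=...) and a private key or a
# multi-line object is refused rather than silently becoming a login.
valid_pubkey() {
    [ "$(grep -c '' "$1")" -eq 1 ] || return 1
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$' "$1"
}

# Write authorized_keys with the modes sshd's StrictModes requires:
# directory 700, file 600. File-only; ownership is fixed by provision_user.
install_authorized_keys() {   # $1 = username, $2 = validated key file
    sshdir="$HOME_ROOT/$1/.ssh"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    cp "$2" "$sshdir/authorized_keys"
    chmod 600 "$sshdir/authorized_keys"
}

# Root-only steps: create the account, fetch and validate its key, enrol it in
# the SSH group. A user with no usable key is created but cannot log in.
provision_user() {   # $1 = username
    user="$1"
    id "$user" >/dev/null 2>&1 || useradd -m -s /bin/bash "$user"
    tmp="$(mktemp)"
    if aws s3 cp "$KEY_BUCKET/$user.pub" "$tmp" --quiet && valid_pubkey "$tmp"; then
        install_authorized_keys "$user" "$tmp"
        chown -R "$user:$user" "$HOME_ROOT/$user/.ssh"
        usermod -a -G "$SSH_GROUP" "$user"
    else
        echo "bastion: no usable key for $user, login stays disabled" >&2
    fi
    rm -f "$tmp"
}

# Only members of the group may authenticate, whatever other accounts exist.
restrict_sshd_to_group() {
    grep -q '^AllowGroups ' "$SSHD_CONFIG" || printf 'AllowGroups %s\n' "$SSH_GROUP" >> "$SSHD_CONFIG"
}

provision_all() {
    getent group "$SSH_GROUP" >/dev/null || groupadd "$SSH_GROUP"
    while read -r user; do
        case "$user" in ''|\#*) continue ;; esac
        if valid_username "$user"; then
            provision_user "$user" </dev/null
        else
            echo "bastion: skipping invalid username '$user'" >&2
        fi
    done < "$USER_LIST"
    restrict_sshd_to_group
    systemctl reload sshd 2>/dev/null || systemctl reload ssh
}

# The user list is assumed to be dropped in place by cloud-init write_files;
# when it is absent (e.g. sourcing the functions for a dry run) nothing runs.
if [ -r "$USER_LIST" ]; then
    provision_all
fi
```

Rotating or revoking a user's key is then a matter of replacing or deleting the object in S3 and re-running the script (or rebuilding the bastion), and because logins are gated on `AllowGroups`, removing a user from the group is enough to cut access without touching their home directory.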
