If you connect to the Remote Server with services such as Session Manager and MobaXterm, you can use k9s comfortably.

However, when connecting to EC2 using gossm, the values ​​of k9s are broken.

Since k9s supports windows, it doesn't seem to be a problem with powershell and cmd

First off, this is a great tool, thank you for open sourcing it...

The issue I am currently running into is that I have to specify the -p profile for every call I make, because I have multiple accounts I also have multiple profiles, the way I deal with this when using boto3 or the aws-sdk-go directly is I set the AWS_PROFILE environment variable:

By default, the SDK checks the AWS_PROFILE environment variable to determine which profile to use. If no AWS_PROFILE variable is set, the SDK uses the default profile.

• https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-profiles

It seems gossm is not respecting this environment variable and is instead always defaulting to the default profile. It would be great if this instead first checked to see if the AWS_PROFILE was set and used that instead, like all the AWS SDKs work today.

Thanks again,
-Chris

I'm Juan ,computer engineering student of Italy, i have seen that you know about course Harvard CSCI E-49.
I'm interested because I will do a master thesis about this.
Have you the slide of the course or any other kind of resources or advice?
Thanks for the attention
Bye🤗

I get the following error while trying to start a new session:

$ gossm-1.2.3 start
? Choose a region in AWS: us-east-1
? Choose a target in AWS: <some_instance>	(i-000000000)
[start-session] profile: env, region: us-east-1, target: i-000000000

Starting session with SessionId: <my_session_id>


SessionId: <my_session_id> :
----------ERROR-------
Encountered error while initiating handshake. Handshake timed out. Please ensure that you have the latest version of the session manager plugin.

The session manager plugin version I have installed in my system and for gossm are the latest:
$ session-manager-plugin --version
1.2.30.0
$ ~/.gossm/session-manager-plugin --version
1.2.30.0

Note: I am able to start a session just fine with the AWS CLI command.

This is quite useful.

Wondering if you had considered integrating AWS SSO to grab the names of the accounts in the AWS org > account > role > region > instance.

Idea would be to integrated with AWS SSO auth, enter creds once and then select the above.

Hi, recently AWS released the support to ECS exec, a way to open an interactive shell into a running container into ECS + EC2 and Fargate. What do you think to implement this functionality? I'm open to writing the necessary code.

Thanks

Hello,
I have been using gossm well with fish shell and oh-my-fish.

However, I keep getting EOF error and gossm just closed after I upgrade brew to v3.2.6.
Is there anything I can do for that?

Thank you.

[err] operation error EC2: DescribeInstances, https response error StatusCode: 400, RequestID: baec71f7-0ec1-4db4-bf27-59cfa6fc3127, api error FilterLimitExceeded: The maximum number of filter values specified on a single call is 200

This was resolved in #31 , However it looks like it was reintroduced with newer releases. End user currently has 1.4.3 installed in an OSX Environment.

안녕하세요 답변감사드립니다.

./gossm 로 접속을 해서 방향키를 사용을 하여 리즌과 서버를 고르면 privaate subnet에 있는 서버 접속이 가능합니다.
제가 알기로는 Client가 서버에 직접 붙는게 아닌 AWS를 통해 넘어가는 걸로 알고있습니다.

그래서 public subnet를 반드시 사용해야 할 필요가 없을 듯 합니다.

Originally posted by @MintChocoO2C in #7 (comment)

Hi,
could we get a filter for the list of machines?
What about filtering the machines by tag=value or with regular expressions?

Regards
Thorsten

We use the AWS SSM and when we run start-session we authenticate by sourcing credentials with an external process which does not seem to work with gossm. We have tested with other, more normal, profiles containing key and secret key definitions and those work just fine. We are wondering whether we are missing something or whether gossm just doesn't supports the credential_process way of authenticating at all?

Our ~/.aws/config file is configured something like this:

[profile my-profile]
region=us-east-1 
credential_process = "/Users/zaro0508/creds.sh" "https://acme.org" "eyJ0eXAiO...2GLQg"

creds.sh makes a request to our service and returns a json like so:

➜ ~/creds.sh "https://acme.org" "eyJ0eXAiO...2GLQg"
{"SessionToken":"FwoGZXI...lOW6uY=","Version":1,"AccessKeyId":"XXXXXX1234","SecretAccessKey":"XXXXXXXXXX6789","Expiration":"2021-07-21T22:02:17Z"}

This setup works with the AWS CLI aws ssm start-session just fine. However when we run with gossm it does not work.

➜  gossm start --profile my-profile
[err] ProcessProviderParseError: parse failed of credential_process output:

caused by: unexpected end of JSON input

I believe AWS_SHARED_CREDENTIALS_FILE is being overwritten by default here in order to support the new MFA feature added recently.

Would it be possible to make this an optional feature? This makes the application interact with the AWS SDK in an unexpected fashion.

In order to avoid this, users have to export AWS_SHARED_CREDENTIALS_FILE=$HOME/.aws/credentials, which forces the shared credentials file to be the default expected for use with the AWS SDK for go.

Hi Team,

I am trying to use scp and ssh using gossm(latest version)
For SCP, I am running below command:

gossm scp -e '-i mykey.pem provider.tf [email protected]:/home/ec2-user/provider.tf'

I am getting below error:

[update] aws ssm plugin
region (eu-west-1)
[←[32mscp←[0m] region: ←[33meu-west-1←[0m, target: ←[33mi-00edc94f4fd92b568←[0m
scp -i mykey.pem provider.tf [email protected]:/home/ec2-user/provider.tf
panic: interface conversion: interface {} is nil, not string

goroutine 1 [running]:
github.com/aws/SSMCLI/src/sessionmanagerplugin/session.ValidateInputAndStartSession(0xc000114000, 0x6, 0x8, 0xdd6b20, 0xc000006018)
/session-manager-plugin/build/private/src/github.com/aws/SSMCLI/src/sessionmanagerplugin/session/session.go:155 +0xc95
main.main()
/session-manager-plugin/src/sessionmanagerplugin-main/main.go:26 +0x65
kex_exchange_identification: Connection closed by remote host
lost connection
[err][internal.CallProcess:579] exit status 1
�[33mDelete Session�[0m �[33mvault-1649585555-4314-0e86e1ae247e7b16d�[0m

===================================================

For ssh also I am getting similar error:

PS C:\Users\dipander.goyal\Downloads> gossm ssh -e '-i session-mgr-euwest1.pem [email protected]'
region (eu-west-1)
[�[32mssh�[0m] region: �[33meu-west-1�[0m, target: �[33mi-00edc94f4fd92b568�[0m
ssh -i session-mgr-euwest1.pem [email protected]
panic: interface conversion: interface {} is nil, not string

goroutine 1 [running]:
github.com/aws/SSMCLI/src/sessionmanagerplugin/session.ValidateInputAndStartSession(0xc000114000, 0x6, 0x8, 0xdd6b20, 0xc000006018)
/session-manager-plugin/build/private/src/github.com/aws/SSMCLI/src/sessionmanagerplugin/session/session.go:155 +0xc95
main.main()
/session-manager-plugin/src/sessionmanagerplugin-main/main.go:26 +0x65
kex_exchange_identification: Connection closed by remote host
[err][internal.CallProcess:579] exit status 255

33mDelete Session�[0m �[33mvault-1649585555-4314-054d509536243be49�[0m

=================================================

Please advise! Thanks in advance.

On top of the already useful command set of this tool, I think it can be improved even further by adding a Port-Forwarding command.

Making use of the AWS-StartPortForwardingSession SSM Document we can start a Port-Forwarding session entirely over SSM (See here for an overview).

I have spiked this locally where I've added the fwd command. It prompts the user for the remote port to access and the local port to forward after selecting a target.

Ports can be specified before selecting a target too, using the -z and -l args.

I already have this written up and ready for a PR. Are there any objections to adding this to the existing command set?

$ gossm start -p aws-292
[err] NoCredentialProviders: no valid providers in chain. Deprecated.
	For verbose messaging see aws.Config.CredentialsChainVerboseErrors
$ gossm --version
gossm version 1.3.1
$ ~/.gossm/session-manager-plugin --version
1.2.30.0

This only happens when I'm using AWS in SSO mode, it works if I copy temporary credentials from the web interface.

I think I just found a regression from version 1.2.0 onwards when using environment variables for the authentication.

Output with version v1.2.0

[aws:devops-test] [pb:~/Downloads]$ gossm start 
[update] aws ssm plugin
[profile] default
NoCredentialProviders: no valid providers in chain. Deprecated.
	For verbose messaging see aws.Config.CredentialsChainVerboseErrors

Output with version v1.1.1

[aws:devops-test] [pb:~/Downloads]$ gossm start
[update] aws ssm plugin
? Choose a target in AWS:  [Use arrows to move, type to filter]
> xxxxx	(i-xxxxxxxxxxxxxxxxxx)
  xxxxx	(i-xxxxxxxxxxxxxxxxxx)

Did something major change with the new version?

I've got a fairly basic AWS configuration with aws-vault profile injections

[profile prod]
include_profile=default
source_profile=default
role_arn=arn:aws:iam::0123456789012:role/role-name

[profile test]
include_profile=default
source_profile=default
role_arn=arn:aws:iam::0123456789012:role/role-name

[default]
region=eu-central-1
mfa_serial=arn:aws:iam::0123456789012:mfa/[email protected]

I get the following error when I try to start a session on version >=v1.1.0

----------ERROR-------
Encountered error while initiating handshake. KMSEncryption failed on client with status 2 error: Failed to process action KMSEncryption: Error calling KMS GenerateDataKey API: UnrecognizedClientException: The security token included in the request is invalid.
	status code: 400, request id: b3ebe283-c1bf-4722-b553-8f08693a9694

gossm v1.0.5 works without any problem.

Hi
I use gossm all the time on my mac. Trying to get it working on my widows machine. Looks like it connects b/c it lists all my instances correctly but then crashes with "err incorrect function" so i cant choose one to connect to. Anyone seen this before?

Currently the app only lists the EC2 instances, but lacks the possibility to list and connect managed instances that exist only in SSM, not in EC2. It would be great if those instances could be listed in the gossm start subcommand.

As the title says, being able to connect to an instance via a specified tag that is commonly know as opposed to the instance ID.

AWS has announced a new functionality to perform portwarding to remote hosts via System Manager Start Session. It would be great to add this new functionality in news versions of gossm

• Announce: https://aws.amazon.com/about-aws/whats-new/2022/05/aws-systems-manager-support-port-forwarding-remote-hosts-using-session-manager/
• Documentation: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html#sessions-remote-port-forwarding

Thanks in advance and thanks for this great tool called gossm!

Some internal version component appears to not have been updated for the 1.3.0 release:

$ tar xf gossm_1.3.0_Linux_x86_64.tar.gz 
$ ./gossm --version
gossm version 1.2.3

Would love to have gossm report the version correctly 🙂

This would be nice to have. When connecting via SSH over SSM:

$ gossm ssh
? Choose a target in AWS: target-instance    (i-0000)
? Type your connect user (default: root): eskp

Instead of having to type username every time, we can look at the value of IAM user tag SSMSessionRunAs as per the docs - https://docs.aws.amazon.com/systems-manager/latest/userguide/session-preferences-run-as.html

AWS has announced a new functionality to access your containers on AWS Fargate and Amazon EC2. ECS Exec leverages AWS Systems Manager (SSM), and specifically SSM Session Manager, to create a secure channel between the device you use to initiate the “exec“ command and the target container.

Announce: https://aws.amazon.com/pt/blogs/containers/new-using-amazon-ecs-exec-access-your-containers-fargate-ec2/
Documentation: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html

Thanks in advance and thanks for this great tool

For packaging reasons it would be ideal to be able to tell which version of the binary is currently installed. This is usually achieved by adding a --version switch. I'd love for gossm to have such a switch.

Hello,

gossm is an ideal candidate to use SSM for CI/CD. It will be a very good wrapper for having running commands and watch its output, it only lacks non-interactive flags. Using a flag to select the instance instead of selecting it interactively going to make this tool very useful.

I will try to add a PR

Hi,

I am trying to use the gossm package on an arm64 machine, but I am getting the error:

[err][internal.CallProcess:575] fork/exec /.gossm/session-manager-plugin: bad CPU type in executable

When checking the file in my homedir, it is indeed a x86_64 plugin.

Checking the file in the assets directory, it is also an x86_64.

assets/plugin/darwin_arm64
❯ file session-manager-plugin 
session-manager-plugin: Mach-O 64-bit executable x86_64

Overwriting this with the AWS installed session-manager-plugin in the directory and installing gossm that way solves the issue.

Solution: Add proper ARM64 Arch plugin to the assets.

Hello!

First of all, thanks for gossm. This tool is awesome!

We've recently run into permissions issues after upgrading to gossm 1.4.0, due to the added API call to ssm:DescribeInstanceInformation. Would it be possible to document the permissions required to utilize gossm so that developers can be assigned minimal privileges to work with it?

Also, in our testing, it seems like the following permissions need to be granted on all resources without restriction in order to use gossm:

      "ssm:GetConnectionStatus",
      "ec2:DescribeInstances",
      "ssm:DescribeSessions",
      "ssm:DescribeInstanceProperties",
      "ssm:DescribeInstanceInformation"

Is there any way to reduce the permissions required to use this tool?

I usually use the STS assume role or MFA verification that gives the session token. After that, I put it to the environment variable and use the AWS CLI. However, this application cannot get the env. variables, just read the ~/.aws/credentials file only. Can you add this feature?

Something seems to have changed with v1.2.0 and environment variables aren't being picked up.
The account defined in my ~/.aws/credentials file basically has no permissions other than the ability to assume roles in other accounts.

I use assume-role which sets all the environment variables for me (debug snippet below).

➜ assume-role <aws_account> <role_name>
Success! IAM session envars are exported.
AWS_CONFIG_REGION="ap-southeast-2";
AWS_USERNAME="xxxxxxx";
MFA_DEVICE_ARGS="--user-name xxxxxxxxx --query MFADevices[0].SerialNumber --output text --profile default";
MFA_DEVICE="arn:aws:iam::xxxxxxxxxx:mfa/xxxxxxxxxx";
SESSION_ARGS="";
SESSION="";
ROLE_SESSION_ARGS="--role-arn arn:aws:iam::xxxxxxxxxx:role/xxxxxxxx --external-id xxxxxxxxxxx --duration-seconds 3600 --role-session-name 1609835656";
ROLE_SESSION="{
    "Credentials": {
        "AccessKeyId": "xxxxxxxxxxxxxxx",
        "SecretAccessKey": "xxxxxxxxxxxxx",
        "SessionToken": "xxxxxxxxxxxxxxx",
        "Expiration": "2021-01-05T09:34:17+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "xxxxxxxxxxxxx",
        "Arn": "arn:aws:sts::xxxxxxxxxx:assumed-role/xxxxxxxx/1609835656"
    }
}";
SESSION_TIMEOUT="43200";
ROLE_SESSION_TIMEOUT="3600";
AWS_PROFILE_ASSUME_ROLE="";

But then when I use gossm v1.2.0 it's still using the default account defined in ~/.aws/credentials - if I use v1.1.1 it works as expected.

➜ gossm start
AccessDeniedException: User: arn:aws:iam::xxxxxxxxxxxx:user/xxxxxxxxxxx is not authorized to perform: ssm:DescribeInstanceInformation on resource: arn:aws:ssm:ap-southeast-2:xxxxxxxxxxxx:*
	status code: 400, request id: c73de091-f822-4189-b4f8-0abf646b6edb

Just had an issue here (and I haven't had time to confirm it) but it looks like the user had some AWS_ environment vars set and gossm wasn't attempting to pick up ~/.aws/credentials

Would be nice to have a note on how gossm looks for creds (pretty sure it just uses the AWS lib, right?)

인라인으로 접속 할때 에러를 발생합니다.

./gossm -r ap-northeast-1 -t i-XXXXXXXXXXX
[err] don't exist running instances

디버깅을 해 보니 PublicDNS가 없는 서버에 접속할때만 발생하는걸 확인하였습니다.

Hi,

Today I downloaded gossm to see if it works for us.

But when I run:

gossm -p ****REDACTED**** start

It immediately fails with this error:

AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.

The profile I use, looks like:

[profile ****REDACTED****]
region = eu-west-1
source_profile = ****REDACTED****
role_arn = arn:aws:iam::****REDACTED****:role/****REDACTED****
mfa_serial = arn:aws:iam::****REDACTED****:mfa/****REDACTED****
cli_pager =

How can I make this work?

Kind regards

Wim

Started getting this error:

Encountered error while initiating handshake. KMSEncryption failed on client with status 2 error: Failed to process action KMSEncryption: Error calling KMS GenerateDataKey API: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors

However, starting a session through aws cli connects successsfully.

gossm start
? Choose a region in AWS: us-east-1
FilterLimitExceeded: The maximum number of filter values specified on a single call is 200
status code: 400, request id: 4732950f-40c4-4c2a-a613-XXXXXXXXXXXXXXXXX

Is this an issue with the API or is this something that can be resolved on your side?

Hello, as I see in code you're using ec2 describe-instances to filter running instances. But in my case my hybrid instances doesn't appear as ec2 instances but are still available for connection.