I have a working AWS Elastic Beanstalk instance with an attached RDS database and want to enable SSH from my development machine. What's the best way to do that? Specifically,
- can I do it from the AWS Console and
- will I be able to preserve all of the my current EB settings and structure?
I tired eb ssh --setup
but got an error
ERROR: Updating Auto Scaling launch configuration failed Reason: API: autoscaling:CreateLaunchConfiguration User: arn:aws:iam::123456789123:user/myiamusername is not authorized to perform: iam:PassRole on resource: arn:aws:iam:: 123456789123:role/aws-elasticbeanstalk-ec2-role
and am not sure how to proceed.
I guess I could add jam:PassRole
to the user (if I could figure out which policy that corresponds to in the AWS Console's list of templates), or I could add a new user and switch to that for SSH setup and perhaps access (if I knew how to do that) or I could use my root user on the AWS console to add SSH support (if that's possible; but even if it is, I don't see how). I'm not sure which, if any of these, is the best approach; or how to accomplish any of them?
What's the best way to add SSH access to my existing AWS-EB instance?
To add ssh to your EB instances, first make sure you know which policy it currently uses. In your EB web console, go to the environment and then Configuration and then Instances. You'll see the Instance profile name there.
Now go to the your IAM console and locate that role. Here's the policy I have there, which allows me to add SSH to the environment:
{ "Version": "2015-01-14", "Statement": [ { "Action": [ "autoscaling:Describe*", "cloudwatch:*" ], "Effect": "Allow", "Resource": "*" } ] }
Using the EB CLI to do
eb ssh --setup
is the most straightforward way. But it will require you to have permissions to pass roles, and access ec2 security groups.In order to add ssh to any environment, all you need to do is assign an ssh keypair to the environment. If you already have an ec2 keypair setup, then you can make this assignment using the Elastic Beanstalk Web console. Otherwise, you will have to create a keypair first.