Manage SSH access to EC2 Instances using groups in AWS IAM or your Identity Provider (e.g., ADFS, Google, Okta, etc).
This module can configure a Linux server to manage SSH access to the server via an Identity Provider (IdP). Via AWS Identity and Access Management (IAM), developers in certain IAM Groups will be able to SSH to your servers using their IAM user name and the SSH key they uploaded to their IAM user account.
Automatically sync user accounts from your identity provider (e.g., IAM, Google, ADFS) to your servers, so each developer can have their own user name (e.g. "susan", "jim") rather than everyone using a shared user (e.g. "ubuntu", "ec2-user").
Each developer uses their own SSH keys to connect to servers (instead of a single, shared Key Pair).
Quickly use IAM to rotate old keys and upload a new one
Revoke SSH access to servers from the centralized IdP
AWS has a similar service in EC2 Instance Connect. There are pros and cons to each service. For example, with ssh-grunt, there is no additional client-side tooling required beyond the native SSH client you already have: connecting is a one-step process of SSHing to your target instance. With EC2 Instance Connect, in order to use native SSH, you must first use the AWS CLI to push your key up to AWS.
EC2 Instance Connect is installed by default in recent AWS AMIs, including Ubuntu 20.04. It conflicts with ssh-grunt because both services rely on SSH's AuthorizedKeysCommand. In order to make ssh-grunt work properly, you'll need to uninstall the ec2-instance-connect package. ssh-grunt will detect if ec2-instance-connect is installed and halt.
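To make the mechanism described above concrete, here is an added example (not ssh-grunt's own code) of what an AuthorizedKeysCommand-style lookup does: sshd hands it the login name, the script confirms that the matching IAM user belongs to an allowed IAM group, fetches that user's active SSH public keys from IAM, validates their format and prints them in authorized_keys form. It also shows the kind of sshd_config check a tool needs when another service such as ec2-instance-connect already owns AuthorizedKeysCommand. The IAM client, group names, key IDs and key bodies are constructed stand-ins; the stand-in only mimics the response shapes of the real boto3 calls get_group, list_ssh_public_keys and get_ssh_public_key, which is what a real deployment would call instead.

```python
"""Illustrative IAM-backed authorized-keys lookup (added example, not ssh-grunt code)."""
import base64
import binascii
import re

# sshd passes the login name via %u; refuse anything that is not a plain Linux
# login before it reaches an API call (constructed policy for this example).
LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


class FakeIAM:
    """Constructed stand-in for boto3.client('iam'); same response shapes, no network."""

    def __init__(self, groups, keys):
        self._groups = groups  # group name -> set of IAM user names
        self._keys = keys      # user name -> list of (key id, status, key body)

    def get_group(self, GroupName):
        users = self._groups.get(GroupName, set())
        return {"Users": [{"UserName": u} for u in sorted(users)]}

    def list_ssh_public_keys(self, UserName):
        return {"SSHPublicKeys": [
            {"UserName": UserName, "SSHPublicKeyId": kid, "Status": status}
            for kid, status, _ in self._keys.get(UserName, [])]}

    def get_ssh_public_key(self, UserName, SSHPublicKeyId, Encoding):
        for kid, status, body in self._keys.get(UserName, []):
            if kid == SSHPublicKeyId:
                return {"SSHPublicKey": {"SSHPublicKeyBody": body, "Status": status}}
        raise KeyError(SSHPublicKeyId)


def is_valid_public_key(line):
    """Check OpenSSH 'type base64' form and that the wire blob names the same type."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except binascii.Error:
        return False
    n = int.from_bytes(blob[:4], "big") if len(blob) >= 4 else -1
    return blob[4:4 + n] == parts[0].encode()


def authorized_keys_for(iam, login, allowed_groups):
    """Return authorized_keys lines for `login`, or [] if not permitted or no usable keys."""
    if not LOGIN_RE.match(login):
        return []
    members = set()
    for group in allowed_groups:
        members.update(u["UserName"] for u in iam.get_group(GroupName=group)["Users"])
    if login not in members:
        return []  # not in any allowed IAM group: access denied
    lines = []
    for meta in iam.list_ssh_public_keys(UserName=login)["SSHPublicKeys"]:
        if meta["Status"] != "Active":
            continue  # keys deactivated in IAM are revoked immediately
        body = iam.get_ssh_public_key(UserName=login, SSHPublicKeyId=meta["SSHPublicKeyId"],
                                      Encoding="SSH")["SSHPublicKey"]["SSHPublicKeyBody"]
        if is_valid_public_key(body):
            lines.append(body.strip())
    return lines


def conflicting_authorized_keys_command(sshd_config_text, our_command):
    """True if sshd_config already sets AuthorizedKeysCommand to something else."""
    for raw in sshd_config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "authorizedkeyscommand" and len(parts) == 2:
            return our_command not in parts[1]
    return False


def _constructed_ed25519_key(pubkey_bytes):
    """Build a syntactically valid ssh-ed25519 line from 32 arbitrary bytes (not a real key)."""
    blob = (len(b"ssh-ed25519").to_bytes(4, "big") + b"ssh-ed25519"
            + len(pubkey_bytes).to_bytes(4, "big") + pubkey_bytes)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " susan@example"


ACTIVE_KEY = _constructed_ed25519_key(bytes(range(32)))
OLD_KEY = _constructed_ed25519_key(bytes(range(32, 64)))
SAMPLE_IAM = FakeIAM(  # constructed directory: two groups, three users
    groups={"ssh-grunt-sudo-users": {"susan"}, "ssh-grunt-users": {"jim"}},
    keys={"susan": [("APKAEXAMPLE1", "Active", ACTIVE_KEY), ("APKAEXAMPLE2", "Inactive", OLD_KEY)],
          "jim": [("APKAEXAMPLE3", "Active", "ssh-rsa not-base64!!! junk")],
          "mallory": [("APKAEXAMPLE4", "Active", ACTIVE_KEY)]})
ALLOWED = ["ssh-grunt-users", "ssh-grunt-sudo-users"]

if __name__ == "__main__":
    for user in ("susan", "jim", "mallory"):
        print(user, authorized_keys_for(SAMPLE_IAM, user, ALLOWED))
```

Run against the constructed directory, susan gets exactly one line (her inactive key is dropped), jim gets none because his stored key body is malformed, and mallory gets none because she is in no allowed group; a login name containing shell metacharacters is rejected before any IAM call is made.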
This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you've never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!
If you just want to try this repo out for experimenting and learning, check out the following resources:
If you want to deploy this module in production, check out the following resources:
IAM policy with permissions for ssh-grunt: Production-ready sample code for IAM entities that can be used for managing SSH grunt access.
IAM cross account roles in an app account: Production-ready sample code for cross account IAM roles, from the Reference Architecture.
IAM cross account roles as defined in a service module: Service module code for IAM roles that can be used for a production-ready app account, as in the production example above.
If you need help with this repo or anything else related to infrastructure or DevOps, Gruntwork offers Commercial Support via Slack, email, and phone/video. If you’re already a Gruntwork customer, hop on Slack and ask away! If not, subscribe now. If you’re not sure, feel free to email us at firstname.lastname@example.org.
Contributions to this repo are very welcome and appreciated! If you find a bug or want to add a new feature or even contribute an entirely new module, we are very happy to accept pull requests, provide feedback, and run your changes through our automated test suite.
Please see Contributing to the Gruntwork Infrastructure as Code Library for instructions.
We're here to talk about our services, answer any questions, give advice, or just to chat.