Every team member can get access to any of the team’s EC2 instances by using the Più command line tool:
$ sudo pip3 install --upgrade stups-piu
$ # assumptions: region is Ireland, team name is "myteam", private EC2 instance has IP "172.31.146.1"
$ piu 172.31.146.1 "Troubleshoot problem XY"
# enter even URL (e.g. https://even.stups.example.org)
# enter odd hostname "odd-eu-west-1.myteam.example.org"
$ ssh -A odd-eu-west-1.myteam.example.org # agent-forwarding must be used!
$ ssh 172.31.146.1 # jump from bastion to private instance
Use the --connect flag to connect directly to the EC2 instance so you do not need to execute the SSH commands yourself.
Use the interactive mode for an easy way to access instances. This mode prompts you for the AWS region where your instance is located, then presents a list of the deployed stacks it found there, from which you choose the one you want to access and provide a reason. To get the most out of this mode, invoke piu with the --connect flag so you get into the instance as soon as the odd host authorizes your request:
$ piu request-access --interactive --connect
Alternatively, you can set the PIU_INTERACTIVE environment variable in your shell profile so you can invoke the command with the same features enabled just with:
$ piu request-access
If executing a piu command results in the message "Access to host odd-eu-west-1.myteam.example.org for user <myuser> was granted." but you then get the error "Permission denied (publickey).", you can solve this by installing an ssh-agent and executing ssh-add prior to piu.
Use the --clip option to copy the output of piu to your clipboard. On Linux it requires the package xclip; on OSX it works out of the box.
Use senza instances to quickly get the IP address of your EC2 instance. See the Senza reference for details.
$ piu 172.31.1.1 test -O odd-eu-west-1.myotherteam.example.org
All user actions are logged for auditing reasons, therefore all SSH sessions must be kept free of any sensitive and/or personal information.
Check the asciicast to see how using Più looks.
As all access to an EC2 instance has to go through the odd SSH jump host, copying files from and to the EC2 instance appears unnecessarily hard at first.
scp supports jump hosts with the ProxyCommand configuration option:
$ scp -o ProxyCommand="ssh -W %h:%p odd-eu-west-1.myteam.example.org" mylocalfile.txt 172.31.146.1:
See also the OpenSSH Cookbook on Proxies and Jump Hosts.
SSH Access Revocation
SSH access is automatically revoked by even once the request's lifetime (default: 60 minutes) has expired.
You can specify a non-default lifetime by using Più’s
Listing Access Requests
The even SSH access granting service stores all access requests and their status in a database. This information is exposed via REST and can be shown using Più’s “list-access-requests” command.
All current and historic access requests can be listed on the command line:
$ piu list # list the most recent requests to my odd host
$ piu list -U jdoe -O '*' # list most recent requests by user "jdoe"
$ piu list -O '*' -s GRANTED # show all active access requests
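As an added example (not part of Più or even), the following script applies the same user, odd-host and status filters as piu list to a constructed set of access-request records and works out which GRANTED requests are still within their lifetime (default 60 minutes) and which are due for revocation by even. The record layout and status values are assumptions for illustration, not even's actual REST schema.

```python
# Added example, not part of Piu or even: the record layout is assumed for
# illustration and is not even's real REST schema.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

DEFAULT_LIFETIME_MIN = 60  # even's default request lifetime

@dataclass(frozen=True)
class AccessRequest:
    username: str
    hostname: str  # odd host the request was made against
    reason: str
    status: str    # e.g. REQUESTED, GRANTED, DENIED (assumed values)
    created: datetime
    lifetime_minutes: int = DEFAULT_LIFETIME_MIN

    def expires_at(self) -> datetime:
        return self.created + timedelta(minutes=self.lifetime_minutes)

def list_requests(requests, user="*", odd_host="*", status=None):
    """Mimic `piu list -U <user> -O <odd-host> -s <status>`; '*' matches any."""
    return [r for r in requests
            if fnmatch(r.username, user) and fnmatch(r.hostname, odd_host)
            and (status is None or r.status == status)]

def still_active(request, now):
    """A GRANTED request stays usable until even revokes it after its lifetime."""
    return request.status == "GRANTED" and now < request.expires_at()

def audit(requests, now):
    """Return (users with live access, granted requests past their lifetime)."""
    granted = list_requests(requests, status="GRANTED")
    live = sorted({r.username for r in granted if still_active(r, now)})
    overdue = [r for r in granted if not still_active(r, now)]
    return live, overdue

# Constructed sample data (not real audit records).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
ODD = "odd-eu-west-1.myteam.example.org"
SAMPLE = [
    AccessRequest("jdoe", ODD, "Troubleshoot problem XY", "GRANTED",
                  NOW - timedelta(minutes=10)),
    AccessRequest("jdoe", "odd-eu-west-1.myotherteam.example.org", "test",
                  "GRANTED", NOW - timedelta(minutes=90)),
    AccessRequest("asmith", ODD, "Deploy hotfix", "GRANTED",
                  NOW - timedelta(minutes=100), 120),
    AccessRequest("bwu", ODD, "Look around", "DENIED", NOW - timedelta(minutes=5)),
]
```

Run audit(SAMPLE, NOW) to see that jdoe's 90-minute-old request to the other team's odd host has outlived its default lifetime, while asmith's request with an explicit 120-minute lifetime is still active.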