Overview

With Opal, you can grant ssh access to any EC2 instance running on Amazon to your developers in minutes. We make this easy by using AWS's Systems Manager API. To make this available for your organization, you'll have to enable a few things.

Adding an EC2 Instance

Step 1: Enable SSM (Secure Session Manager)

By default, EC2 instances don't allow ssh sessions using Secure Session Manager.

You'll need to attach the AmazonSSMManagedInstanceCore AWS-managed policy to your EC2 instance profile. If an instance profile doesn't exist on that instance, you'll have to create one. To determine whether your EC2 instance already has a role attached to it, check in the AWS Console using the following instructions:

Step 1a: Checking with the AWS Console

First, navigate to your running EC2 instances in the EC2 console.

View your EC2 instances in the console.

Now click on the instance ID of the EC2 in question, and verify whether a role is attached already.

EC2 instance with an IAM role already attached.

If a role already exists then skip to Step 1c. Otherwise, proceed to Step 1b.

Step 1b: Create an IAM role

If you already had a role attached, skip to Step 1c. Otherwise, create a new IAM role using the steps below:

Create a new IAM role.

Attach the AmazonSSMManagedInstanceCore and CloudWatchAgentServerPolicy policies to your new role.

Find the policy that enables SSM on your instance.

Finally, attach your newly created role to your EC2 instance. Since your instance didn't originally have a role attached, you'll need to restart it. You can now skip to Step 2!

Step 1c: Adding the SSM policy to your existing role

Click on the role shown in the EC2 dashboard to open it, then attach the policy to it.

Attach policies to an existing IAM role.

Now search for the AmazonSSMManagedInstanceCore policy and attach it to your existing role.

Optional: Enable KMS Encryption

Step 1: Create an Opal KMS key

If you'd like to use KMS encryption, you can do this very easily with Opal. To do so, you'll need to create a KMS key with the following alias: opalssmkms. Under advanced settings, make sure the key is created as a multi-Region key!

Step 2: Enable encryption

You can enable encryption in the Session Manager console in AWS by going to Systems Manager > Session Manager > Preferences > KMS Encryption and selecting the key created in the previous step.

Step 2: Tag your EC2 instance

In order for your EC2 instance to show up in Opal, you'll need to tag it. You can do this using the AWS Console, the AWS CLI, or Terraform, as shown below:

AWS Console

Navigate to your EC2 instance in the EC2 Dashboard.

Find your EC2 instance in the dashboard.

Select Manage tags and add the opal tag as seen below.

Add an opal tag with an empty value.

AWS CLI

Shell

aws ec2 create-tags \
--resources "i-0000000000" \
--tags "Key=opal,Value="

Terraform

If you are using aws_instance in Terraform to provision EC2 nodes, add the following tags argument to the aws_instance resource:

tags = {
  opal = ""
}

If you are using an aws_eks_node_group to launch EC2 instances, add the following launch template to your Terraform file:

resource "aws_launch_template" "ec2_launch" {
  instance_type = "YOUR_INSTANCE_TYPE" # replace with the instance type you want to launch

  tag_specifications {
    resource_type = "instance"

    tags = {
      opal = ""
    }
  }
}

and reference the launch template by adding the following argument to your aws_eks_node_group resource:

launch_template {
  id      = aws_launch_template.ec2_launch.id
  version = aws_launch_template.ec2_launch.latest_version
}
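As an added readiness check (example code written for this page, not part of Opal or AWS), the audit below walks the JSON that `aws ec2 describe-instances` returns and reports, per instance, which of Steps 1 and 2 are still missing. It runs on constructed sample data; the policies behind each instance profile are assumed to be gathered separately, and all instance IDs, account numbers and profile names are hypothetical.

```python
import json

SSM_POLICY = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
# Constructed sample in the shape of `aws ec2 describe-instances` output (trimmed).
DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaaaaaaaaaaaaaaa",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/web-profile"},
     "Tags": [{"Key": "Name", "Value": "web-1"}, {"Key": "opal", "Value": ""}]},
    {"InstanceId": "i-0bbbbbbbbbbbbbbbb",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/legacy-profile"},
     "Tags": [{"Key": "Name", "Value": "legacy-1"}]},
    {"InstanceId": "i-0ccccccccccccccccc", "Tags": [{"Key": "opal", "Value": "yes"}]},
]}]})

# Constructed sample: managed policies on the role behind each instance profile, as
# gathered with `aws iam get-instance-profile` + `aws iam list-attached-role-policies`.
PROFILE_POLICIES = {
    "web-profile": [SSM_POLICY, "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"],
    "legacy-profile": ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"],
}

def audit(describe_json, profile_policies):
    """Return {instance_id: [missing steps]}; an empty list means the instance is ready."""
    report = {}
    for reservation in json.loads(describe_json)["Reservations"]:
        for inst in reservation["Instances"]:
            problems = []
            profile_arn = inst.get("IamInstanceProfile", {}).get("Arn")
            if not profile_arn:
                problems.append("no instance profile (Step 1b)")
            # The profile name is the last path segment of the instance-profile ARN.
            elif SSM_POLICY not in profile_policies.get(profile_arn.rsplit("/", 1)[-1], []):
                problems.append("AmazonSSMManagedInstanceCore not attached (Step 1c)")
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if "opal" not in tags:
                problems.append("missing opal tag (Step 2)")
            elif tags["opal"] != "":
                problems.append("opal tag value is not empty (Step 2)")
            report[inst["InstanceId"]] = problems
    return report

def tag_commands(report):
    """The Step 2 CLI call for every instance the audit found without the tag."""
    return [f'aws ec2 create-tags --resources "{iid}" --tags "Key=opal,Value="'
            for iid, problems in report.items() if "missing opal tag (Step 2)" in problems]

if __name__ == "__main__":
    for iid, problems in audit(DESCRIBE_INSTANCES, PROFILE_POLICIES).items():
        print(iid, "ready" if not problems else "; ".join(problems))
    print("\n".join(tag_commands(audit(DESCRIBE_INSTANCES, PROFILE_POLICIES))))
```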

Accessing your instance in Opal

If you followed the above steps to configure your EC2 instance, it should now show up in Opal under the SSH tab in the permissions view.

EC2 instances in Opal.

Permissions to EC2 instances are session-based, meaning they require your developers to initiate a session when they want to access that instance. They can do so by clicking the Connect button.

Once they're connected, they can SSH into the instance using an in-browser command line or in their own terminal!

Using an EC2 session in Opal.
