CoreTunnel and the AWS Session Manager Plugin for the AWS CLI

I use CoreTunnel to connect to my non-public RDS databases in AWS. I am currently doing this through a standard SSH tunnel and everything is working great.

AWS recently announced AWS session manager, a new service for connecting to private AWS resources without tunneling through a publicly available box. They also introduced a plugin that makes it easier to set everything up locally: (Optional) Install the Session Manager plugin for the AWS CLI - AWS Systems Manager.

It would be great to be able to use the AWS Session Manager plugin with CoreTunnel. I've attempted to configure CoreTunnel in two different ways.

First by using the ProxyCommand and IdentityFile settings in Advanced:

ProxyCommand = aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p
IdentityFile - ~/.ssh/key

I set this up along with the AWS instance ID as my host. This outputs the following command:

ssh -i ~/.ssh/key -vvv -L 5439:AWSDB:5439 -o ServerAliveInterval=15 -o ProxyCommand="aws - ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p" -o ExitOnForwardFailure=yes -o ServerAliveCountMax=3 ec2-user@i-ID

I also attempted to configure this in my local ssh config file

Host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
    IdentityFile ~/.ssh/key
    User ec2-user

Neither of these options seems to work with CoreTunnel; however, both work on the command line. It could be that the AWS session-manager-plugin is binding to ssh somehow and CoreTunnel is using its own version. Do you know if this is supported at all or if there are any plans for future support?

Thanks!

Sorry for the late reply, could you please send me the connection log?

BTW, do you have Core Helper enabled?

Kindly regards,

Hi, sorry to resurrect an old topic, but I have the same exact question, and can provide redacted logs. I've installed Core Helper.

Could it be a path issue? It doesn't find the aws command without the full path, unlike my usual shells.

Equivalent Command: ssh -4 -i "/Users/aleksikallio/Library/Group Containers/E78WKS7W4U.io.coressh.ssh/.ssh/privatekey/REDACTED" -vvv -L 0.0.0.0:3306:REDACTEDDBHOST:3306 -o ExitOnForwardFailure=yes -o ProxyCommand="sh -c "/usr/local/bin/aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters \"portNumber=%p\""" -o ServerAliveInterval=300 -o ServerAliveCountMax=2 ec2-user@i-REDACTED
07:36:14 Connecting…
07:36:14 Using Core Helper 5.0 (r50)
07:36:14 OpenSSH_8.4p1, OpenSSL 1.1.1g  21 Apr 2020
07:36:14 debug1: Reading configuration data /Users/aleksikallio/.ssh/config
07:36:14 debug1: /Users/aleksikallio/.ssh/config line 54: Applying options for i-*
07:36:14 debug1: Reading configuration data /etc/ssh/ssh_config
07:36:14 debug1: /etc/ssh/ssh_config line 47: Applying options for *
07:36:14 debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/aleksikallio/.ssh/known_hosts'
07:36:14 debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/aleksikallio/.ssh/known_hosts2'
07:36:14 debug1: Executing proxy command: exec sh -c "/usr/local/bin/aws ssm start-session --target i-REDACTED --document-name AWS-StartSSHSession --parameters \\"portNumber=22\\""
07:36:14 Jumping…
07:36:14 debug1: identity file /Users/aleksikallio/Library/Group Containers/E78WKS7W4U.io.coressh.ssh/.ssh/privatekey/REDACTED type 0
07:36:14 debug1: identity file /Users/aleksikallio/Library/Group Containers/E78WKS7W4U.io.coressh.ssh/.ssh/privatekey/REDACTED-cert type -1
07:36:14 debug1: identity file /Users/aleksikallio/Google Drive File Stream/My Drive/REDACTED/REDACTED type 0
07:36:14 debug1: identity file /Users/aleksikallio/Google Drive File Stream/My Drive/REDACTED/REDACTED-cert type -1
07:36:14 debug1: Local version string SSH-2.0-OpenSSH_8.4
SessionManagerPlugin is not found. Please refer to SessionManager Documentation here: http://docs.aws.amazon.com/console/systems-manager/session-manager-plugin-not-found
07:36:17 kex_exchange_identification: Connection closed by remote host
07:36:17 Connection closed by UNKNOWN port 65535
07:36:17 Abnormal Disconnect
07:36:17 Connection failed, retry after 3s…
07:36:17 Disconnected

Hi Aleksi, thank you for the connection log. Is it convenient for you to share the redacted .ssh/config?

Kindly Regards,

Yang

Hi Yang,

Sure, here's the relevant part.

Host i-* mi-*
  User ec2-user
  ServerAliveInterval 300
  ServerAliveCountMax 2
  IdentityFile "~/Google Drive File Stream/My Drive/REDACTED/REDACTED"
  ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters \"portNumber=%p\""

It seemed aws could not find SessionManagerPlugin, which according to the official doc:

The installer installs the Session Manager plugin at /usr/local/sessionmanagerplugin and creates the symlink session-manager-plugin in the /usr/local/bin directory.

For identifying this issue, could you please replace ~/Library/LaunchAgents/E78WKS7W4U.io.coressh.helper.plist with the following content?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>EnvironmentVariables</key>
        <dict>
                <key>PATH</key>
                <string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/opt/X11/bin</string>
        </dict>
        <key>KeepAlive</key>
        <false/>
        <key>Label</key>
        <string>E78WKS7W4U.io.coressh.helper</string>
        <key>LimitLoadToSessionType</key>
        <string>Aqua</string>
        <key>MachServices</key>
        <dict>
                <key>E78WKS7W4U.io.coressh.helper</key>
                <true/>
        </dict>
        <key>ProcessType</key>
        <string>Interactive</string>
        <key>ProgramArguments</key>
        <array>
                <string>/Users/yang/Library/Group Containers/E78WKS7W4U.io.coressh/io.coressh.Helper.app/Contents/MacOS/io.coressh.Helper</string>
        </array>
</dict>
</plist>

Then execute commands in sequence:

launchctl unload ~/Library/LaunchAgents/E78WKS7W4U.io.coressh.helper.plist
launchctl load ~/Library/LaunchAgents/E78WKS7W4U.io.coressh.helper.plist

After the above steps, Core Helper should be able to tell aws to find the plugin from the PATH environment.

Kindly Regards,

Yang
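
The PATH diagnosis above can be checked before editing the plist. This is an added example, not part of the original thread and not Core Helper's code: it resolves the two tools the ProxyCommand depends on against an explicit PATH value. The function names are hypothetical, and the first PATH value is assumed to be the default that launchd jobs receive on macOS.

```shell
#!/bin/sh
# resolve_in_path PATH_VALUE COMMAND
# Prints the first executable match for COMMAND in PATH_VALUE; returns 1 if none.
resolve_in_path() {
    search_path=$1
    cmd=$2
    old_ifs=$IFS
    IFS=:
    for dir in $search_path; do      # split on ':' once, at expansion time
        IFS=$old_ifs
        [ -z "$dir" ] && dir=.       # POSIX: an empty PATH entry means the current directory
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# missing_proxy_deps PATH_VALUE
# Prints the tools the ProxyCommand needs that PATH_VALUE cannot resolve.
# aws is started by ssh; session-manager-plugin is looked up on PATH by aws itself,
# so calling aws by its full path is not enough.
missing_proxy_deps() {
    missing=""
    for tool in aws session-manager-plugin; do
        resolve_in_path "$1" "$tool" >/dev/null || missing="$missing $tool"
    done
    printf '%s\n' "${missing# }"
}

# Constructed inputs: assumed launchd default PATH, then the PATH from the plist above.
for p in "/usr/bin:/bin:/usr/sbin:/sbin" \
         "/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/opt/X11/bin"; do
    printf 'PATH=%s\n  missing: %s\n' "$p" "$(missing_proxy_deps "$p")"
done
```

An empty "missing" line for the second PATH and a non-empty one for the first reproduces the failure in the connection log, where aws ran from its full path but reported that SessionManagerPlugin was not found.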

That fixed it! So it was just a path issue, thanks for the quick fix! Is this something that could be added to the preferences screen in the future to avoid having to edit the plist file?

Thank you for helping to identify it. Sure, will add an option to allow passing environment variables to ssh components in the next update, hopefully :smiley:

Kindly Regards,

Yang

Hi Yang,

Any timeline on the next update? Hoping to roll this out to the rest of the company.

Hi Aleksi, it is very promising to come out this month; we are working on the final part of the update.

Kindly Regards,

Yang

Hi @yang,

I can't see the environment variable setting in the new version (3.0), was it dropped from this release?

Hello Aleksi,

To make the SSH infrastructure reusable in the iOS version of Core Shell, the middleware between the underlying SSH infrastructure and the Core Shell/Tunnel UI logic has been refactored dramatically since our last conversation.

The refactoring has led to the deadline of version 3 being extended repeatedly; I have to postpone the implementation of environment variable preferences.

I'm sorry I didn't tell you about the delay. But don't worry, it's absolutely on the list for version 3.1; we will make a release after collecting sufficient bug reports, before the end of this month.

Thanks,

Yang

Hi Aleksi, we just released Core Tunnel 3.5 Beta, and invited you to join our Beta Program.

With 3.5 beta, you can set environment variables in Preferences -> Advanced, please let me know if you have any suggestions or bug reports on this feature.

Thank you very much,

Yang