# How To Get A Shell
Here are some of the methods you can use to connect to an EC2 instance on the AutoPilot platform:
- SSH
- Session Manager Via Web Console
- Session Manager Via AWS CLI
- Session Manager Via Knox
- EC2 Serial Console
## SSH
Danger: This method should only be used for customers.

This is not the recommended way to connect to an EC2 instance. If you absolutely must use SSH, you can add your key to the customer's deployment via the AutoPilot dashboard.
## Session Manager Via Web Console
- Log in to your AWS Production SSO account.
- Start a session to the customer's AWS account using one of the following roles:
  - ProdAutoPilotSupportLevelOne
  - ProdAutoPilotSupportLevelTwo
  - ProdAutoPilotFullAccess
- Follow this documentation on how to connect to an instance using Session Manager.
## Session Manager Via AWS CLI
Firstly, you need to have the AWS CLI (v2) installed on your local machine. Next, you will also need to install the Session Manager plugin. You can find documentation on how to do that on your machine here.
Next, you will need to make sure your AWS config file is set up correctly. For example, we will use the following configuration:
```ini
[profile customer-one]
region = us-east-1
output = json
sso_session = my-sso-session
sso_account_id = 123456789012
sso_role_name = ProdAutoPilotSupportLevelTwo

[profile customer-two]
region = us-east-1
output = json
sso_session = my-sso-session
sso_account_id = 210987654321
sso_role_name = ProdAutoPilotSupportLevelTwo

[sso-session my-sso-session]
sso_region = us-east-1
sso_registration_scopes = sso:account:access
sso_start_url = https://d-0000000000.awsapps.com/start
```
Please note the following:
- `sso_start_url` is the URL you use to log in to your AWS SSO account.
- `sso_account_id` is the account ID of the customer's AWS account.
- `sso_role_name` is the role name you want to use.
- `my-sso-session` can be reused for multiple profiles.
Once you have your AWS config file set up, you first need to log in to your AWS SSO account:

```bash
aws sso login --sso-session my-sso-session
```
A browser window will open, and you will need to log in to your AWS SSO account via the browser and authorize the CLI. Finally, you can start a session to the EC2 instance using the following command:

```bash
aws ssm start-session --profile customer-one --target i-00000000000000000
```
You will notice that you are now connected to the EC2 instance as the user `ssm-user`.
Run `sudo su -` to become the root user.
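A pre-flight check for the config file described above, as an added example that is not part of the original page or the AutoPilot tooling: it verifies that each profile's `sso_session` points at a defined `[sso-session]` section, that the account ID is 12 digits, and that the role is one of the three named on this page. The function name `lint_aws_config` and the sample config (with a deliberately misspelled session name and a short account ID) are constructed for illustration.

```python
import configparser
import re

# Role names listed in the "Session Manager Via Web Console" section of this page.
KNOWN_ROLES = {"ProdAutoPilotSupportLevelOne", "ProdAutoPilotSupportLevelTwo",
               "ProdAutoPilotFullAccess"}
REQUIRED_KEYS = ("sso_session", "sso_account_id", "sso_role_name")

# Constructed sample: customer-two misspells the session name and drops a digit.
SAMPLE_CONFIG = """\
[profile customer-one]
sso_session = my-sso-session
sso_account_id = 123456789012
sso_role_name = ProdAutoPilotSupportLevelTwo
[profile customer-two]
sso_session = my-sso-sesion
sso_account_id = 21098765432
sso_role_name = ProdAutoPilotSupportLevelTwo
[sso-session my-sso-session]
sso_region = us-east-1
sso_start_url = https://d-0000000000.awsapps.com/start
"""

def lint_aws_config(text):
    """Return a list of (section, problem) tuples for the SSO profiles in text."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    prefix = "sso-session "
    sessions = {s[len(prefix):] for s in cfg.sections() if s.startswith(prefix)}
    problems = []
    for section in cfg.sections():
        if not section.startswith("profile "):
            continue
        prof = cfg[section]
        for key in REQUIRED_KEYS:
            if key not in prof:
                problems.append((section, f"missing {key}"))
        session = prof.get("sso_session")
        if session is not None and session not in sessions:
            problems.append((section, f"sso_session '{session}' is not defined"))
        account = prof.get("sso_account_id")
        if account is not None and not re.fullmatch(r"\d{12}", account):
            problems.append((section, "sso_account_id is not 12 digits"))
        role = prof.get("sso_role_name")
        if role is not None and role not in KNOWN_ROLES:
            problems.append((section, f"unexpected role '{role}'"))
    return problems

if __name__ == "__main__":
    for section, problem in lint_aws_config(SAMPLE_CONFIG):
        print(f"[{section}] {problem}")
```

To check a real file, pass the contents of `~/.aws/config` to `lint_aws_config` instead of the sample string.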
## Session Manager Via Knox
Firstly, you will need to make sure that the Session Manager plugin is installed on your local machine. You can find documentation on how to do that on your machine here. Next, make sure you have aws-knox installed on your local machine.
Your AWS config only needs to contain information about the AWS SSO sessions. You can have as many as you want:
```ini
[sso-session production-sso]
sso_region = us-east-1
sso_registration_scopes = sso:account:access
sso_start_url = https://d-0000000000.awsapps.com/start

[sso-session staging-sso]
sso_region = us-east-1
sso_registration_scopes = sso:account:access
sso_start_url = https://d-1111111111.awsapps.com/start
```
You can connect to the EC2 instance using the following command:
```bash
knox connect
```
You will choose the SSO session you want to use, and a browser window will open for you to log in to your AWS SSO account. Once you have logged in, you will be prompted to choose the account and then the role you want to use. Finally, you will be prompted to choose which instance you want to connect to.
You can skip certain prompts by specifying the values via flags. Here are some variations of the command:
```bash
knox connect --sso-session production-sso
knox connect --sso-session production-sso --account-id 123456789012
knox connect --sso-session production-sso --account-id 123456789012 --role-name ProdAutoPilotSupportLevelTwo
knox connect --sso-session production-sso --account-id 123456789012 --role-name ProdAutoPilotSupportLevelTwo --instance-id i-00000000000000000
```
AWS Knox has a lot of other features like file transfer using rsync. For more information on how you can use or customize knox, refer to the README.md file.
## EC2 Serial Console
Warning: This method will only work if the instance is having issues booting up.

If the instance is NOT failing to boot, you will be prompted with a login password that you will not have. If the instance IS failing to boot, this is a great way to troubleshoot the issue.
Start by logging into the customer's AWS account with the proper role using your AWS SSO account. Next, you can follow these instructions on how to connect to the instance using the EC2 Serial Console.