SSH to private EC2 instances using AWS Session Manager

I like launching AWS EC2 instances on private subnets with no inbound path from the internet. That makes connecting with Ansible over SSH a pain. Instead of using a bastion/jump host or bringing up a VPN, here's a handy procedure that supports a dynamic collection of client configurations. It uses the AWS CLI to set up an SSH proxy through AWS Systems Manager Session Manager, so the instance needs neither a public IP nor an inbound security group rule for port 22. As long as the instance already has an Instance Profile with an attached policy that allows Session Manager (and the SSM Agent is running), this works great.

Install the AWS Systems Manager Session Manager plugin for the AWS CLI by running brew install --cask session-manager-plugin on macOS. Installation instructions for lesser operating systems may be found in the AWS docs.

Given two clients, I configure a section for each in my ~/.ssh/config, matched on a suffix appended to the AWS EC2 InstanceId:

# Hosts named <InstanceId>.client-a go through client-a's AWS profile and region.
# The ProxyCommand strips the suffix from %h to recover the target InstanceId
# and opens an SSM session with the AWS-StartSSHSession document, which tunnels
# the SSH port (%p) over Session Manager instead of the network.
Host i-*.client-a
	User ec2-user
	IdentityFile ~/.ssh/client-a-servers
	ProxyCommand sh -c "aws ssm start-session --profile client-a --region us-east-1 --target $(echo %h | sed s/\.client-a//) --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

# Same pattern for client-b. The region below is a placeholder in this example;
# use the region the client's instances actually live in.
Host i-*.client-b
	User ec2-user
	IdentityFile ~/.ssh/client-b-servers
	ProxyCommand sh -c "aws ssm start-session --profile client-b --region us-southwest-8 --target $(echo %h | sed s/\.client-b//) --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

With that in place, I can connect to either client's instances by appending the suffix to the AWS EC2 InstanceId. For example: ssh i-hexhexhexhexhexhe.client-b. The IAM identity behind each profile needs ssm:StartSession on the target instances (and on the AWS-StartSSHSession document, if you scope the permission by document).

Within my Ansible inventory and configuration, I can override the username, private key, and other SSH options when needed.

I suppose a single ProxyCommand script could also parse the suffix out of the host value and choose the profile and region dynamically, replacing the per-client sections.
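Here is that idea carried through, as an added example rather than the post's own config: one helper script that ssh calls as the ProxyCommand, which validates the InstanceId, looks the suffix up in a table, and execs the same aws ssm start-session command. The script path, the client names, and the regions in the table are assumptions for this example.

```sh
#!/bin/sh
# Added example, not the post's own config: a single ProxyCommand helper that
# parses "<InstanceId>.<client>" itself and picks the AWS profile and region
# from a table, so ~/.ssh/config needs only one wildcard section:
#
#   Host i-*.*
#       User ec2-user
#       ProxyCommand /usr/local/bin/ssm-proxy %h %p
#
# The script path, the client names, and the regions below are assumptions
# for this example; edit the table for your own clients.

# Map a client suffix to "<profile> <region>". Unknown suffixes return 1.
ssm_client_lookup() {
  case "$1" in
    client-a) echo "client-a us-east-1" ;;
    client-b) echo "client-b us-west-2" ;;
    *)        return 1 ;;
  esac
}

# Resolve "i-0123456789abcdef0.client-a" to "<instance> <profile> <region>".
# Anything that is not an EC2 instance ID (i- plus 8 or 17 hex digits)
# followed by a known suffix is rejected, so a typo or a stray shell
# metacharacter in the host name never reaches the AWS CLI.
ssm_resolve() {
  host=$1
  instance=${host%%.*}
  suffix=${host#*.}
  [ "$suffix" != "$host" ] || return 1            # no suffix at all
  printf '%s\n' "$instance" | grep -Eq '^i-([0-9a-f]{8}|[0-9a-f]{17})$' || return 1
  client=$(ssm_client_lookup "$suffix") || return 1
  echo "$instance $client"
}

# When invoked by ssh as "ssm-proxy <host> <port>", open the SSM tunnel.
# Nothing runs at load time unless exactly two arguments are given.
if [ $# -eq 2 ]; then
  resolved=$(ssm_resolve "$1") || { echo "ssm-proxy: unknown host '$1'" >&2; exit 1; }
  port=$2
  set -- $resolved                                 # $1=instance $2=profile $3=region
  exec aws ssm start-session --profile "$2" --region "$3" --target "$1" \
    --document-name AWS-StartSSHSession --parameters "portNumber=$port"
fi
```

Because the host alias is validated before anything is executed, the script is safe to wire up behind a broad Host i-*.* pattern; an unknown suffix fails fast with a message on stderr instead of a confusing AWS CLI error.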

Postfix Log Stats

I made some changes to my Postfix server configuration to update my Spamhaus DNSBLs recently and I wanted to see if more junk was being blocked than before. A long time ago, I used AWStats to parse my Postfix logs and generate web pages with pretty charts. This was neat because it would build a database for long-term trend discovery. However, I no longer have the patience to mess around with CGI scripts in Apache HTTP Server.

So, I reached for pflogsumm.pl. This Perl script has been kicking around since 1999. It reads log lines on STDIN and writes a text report to STDOUT. I found a GitHub project that had containerized the script at github.com/panubo/docker-pflogsumm and I forked it to add multi-architecture support so I could run it on a modern Mac. My fork is at github.com/jlamoree/docker-pflogsumm and the images are pushed to Docker Hub as jlamoree/pflogsumm, if you'd like to run it too.

Here’s how I grab log files and create a report:
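As an added example (not the post's own command), the script below handles the part that usually goes wrong when feeding pflogsumm: rotated logs must be concatenated oldest-first, and some of them are gzip-compressed. It also answers the post's actual question directly by counting rejections per DNSBL, which is the number to compare before and after a Spamhaus change. The log directory, the file names (mail.log, mail.log.1, mail.log.2.gz, ...), the example log lines, and the assumption that the jlamoree/pflogsumm image reads the log on STDIN are assumptions for this example.

```sh
#!/bin/sh
# Added example, not the post's own command. postfix_logs() concatenates a
# Postfix mail log and its rotated copies in chronological order (gzip-compressed
# rotations included), which is what pflogsumm expects on STDIN; dnsbl_rejects()
# counts smtpd rejections per DNSBL so two log ranges can be compared.
# The directory layout, file names, and the assumption that the
# jlamoree/pflogsumm image reads the log on STDIN are assumptions here.

# Print mail.log.N[.gz] ... mail.log.1, then mail.log: oldest lines first.
# Rotation numbers grow with age, so sort the third dot-separated field
# (the number; empty for the live mail.log) numerically in reverse.
postfix_logs() (
  cd "$1" || exit 1
  for f in $(ls mail.log* | sort -t. -k3,3nr); do
    case "$f" in
      *.gz) gzip -dc "$f" ;;
      *)    cat "$f" ;;
    esac
  done
)

# Count Postfix smtpd rejections by the DNSBL that triggered them, reading log
# lines on STDIN. A matching line looks like (constructed example):
#   Oct 30 01:00:00 mail postfix/smtpd[3]: NOQUEUE: reject: RCPT from
#   unknown[192.0.2.12]: 554 5.7.1 Service unavailable; Client host
#   [192.0.2.12] blocked using zen.spamhaus.org; from=<d@example.net> ...
# Output: one "<dnsbl> <count>" line per list, sorted by name.
dnsbl_rejects() {
  awk '/NOQUEUE: reject:/ && match($0, /blocked using [^;]+/) {
         split(substr($0, RSTART, RLENGTH), w, " ")
         n[w[3]]++
       }
       END { for (h in n) printf "%s %d\n", h, n[h] }' | sort
}

# On a real host (not run here): copy the logs from the mail server, then
# build the pflogsumm report, or just check the DNSBL counts.
#   scp 'mail.example.org:/var/log/mail.log*' ~/tmp/postfix/
#   postfix_logs ~/tmp/postfix | docker run --rm -i jlamoree/pflogsumm > report.txt
#   postfix_logs ~/tmp/postfix | dnsbl_rejects
```

Feeding pflogsumm the logs out of order does not crash it, but its per-day and per-hour tables assume monotonically increasing timestamps, which is why the rotation order matters.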

I like to review the report in Sublime Text — it’s got my favorite monospace typeface and color scheme configured for maximum pleasure.

Screenshot of Sublime Text showing the report generated by pflogsumm.pl

Hocus Pocus Eyeball

I made an eyeball for the book from Hocus Pocus this Halloween. I created the model from some rough specs before the book was constructed. Based on those dimensions, I went with 15 kg·cm servos. These turned out to be overkill and a bit of a challenge to work with. The part designs are pretty ugly, driven by the constraints of 3D printing. Here's the final result:

There’s just barely enough room to assemble the linkages inside the eyeball:

If I had the time to redesign it, I would put some bearings into the eyelid pivots. The Fusion 360 project is shared on Autodesk Fusion Team.

My Arduino code for the eyeball is in the hocus-pocus-eyeball GitHub repo. It's really important to set the servo limits: the plastic links are pretty delicate, and the servos have far more torque than the links can take.

Here's a view of the mechanism before installation into the book: