3

aws ssm start-session returns url and token to open WebSocket Connection. https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_StartSession.html#API_StartSession_ResponseSyntax

Tried a client to open WebSocket connection: https://hashrocket.com/blog/posts/development-of-a-simple-command-line-websocket-client

But I am getting following error when trying to send input like {"type": "echo", "payload": "whoami"}

websocket: close 1003 (unsupported data): Channel : request to open data channel does not contain token.

I tried setting headers with multiple options like 

headers := make(http.Header)
headers.Add("Authorization", "Bearer " + token)
headers.Add("token_type", "bearer")
headers.Add("access_token", token)
headers.Add("token", token)
headers.Add("Authentication", token)

//  "github.com/gorilla/websocket"
ws, _, err := websocket.DefaultDialer.Dial(url, headers)

Most of the code is same as in 2nd link mentioned above except trying for wss (not ws).

I guess I am missing something in header. Any idea? Thx

Expected Behavior: Should be able to send requests (like above) and get responses successfully.

Stranger
  • 31
  • 5
  • 2
    *Questions seeking debugging help ("why isn't this code working?") must include the desired behavior, a specific problem or error and the shortest code necessary to reproduce it in the question itself.* – Adrian Oct 18 '18 at 19:15
  • You are going to have to show a little more code. Specifically the Dial and any other pertinent code. – RayfenWindspear Oct 18 '18 at 19:45
  • Are you able to connect to the websocket using the prescribed methods using a stable prebuilt tool? – RayfenWindspear Oct 18 '18 at 21:47

2 Answers2

1

From the godoc for DialContext, which I realize you are just using dial, but it applies. Emphasis mine

https://godoc.org/github.com/gorilla/websocket#Dialer.DialContext

If the WebSocket handshake fails, ErrBadHandshake is returned along with a non-nil *http.Response so that callers can handle redirects, authentication, etcetera. The response body may not contain the entire response and does not need to be closed by the application.

Please try not discarding the response so you can inspect it to determine how to fix the problem.

As a general rule, if something isn't working out, and you are ignoring some return value, check and see what you are ignoring and you'll often find the solution.

Let me know if this helps or not and I can update/delete the answer.

RayfenWindspear
  • 6,116
  • 1
  • 30
  • 42
  • If I understood correctly, you meant setting Sec-Websocket-Accept to token. – Stranger Oct 18 '18 at 21:59
  • {101 Switching Protocols 101 HTTP/1.1 1 1 map[Server:[Server] Date:[Thu, 18 Oct 2018 21:41:42 GMT] Connection:[upgrade] Upgrade:[websocket] Sec-Websocket-Accept:[mytokenhere]] {0xc4201dca80} 0 [] false false map[] 0xc4203e2700 } – Stranger Oct 18 '18 at 22:03
  • @Stranger It seems to be asking to upgrade the connection, but my knowledge of websockets is basically nil. I'd look into code 101 with regard to gorilla websockets, and specifically you probably want to look into the following struct and it's methods. https://godoc.org/github.com/gorilla/websocket#Upgrader Also, one of my google queries landed me to someone who eventually contacted AWS and discovered it was a configuration issue on the AWS side, so that would be worth looking into. https://github.com/gorilla/websocket/issues/335 – RayfenWindspear Oct 18 '18 at 22:07
  • @ RayfenWindspear THANKS A LOT for your time/suggestions/help. Appreciated!!! I think I'll change my approach. Luckily I do have alternatives to solve my problem. – Stranger Oct 18 '18 at 22:31
1

You can use the Default Dialer with the ssm.StartSessionOutout.StreamUrl, without any auth headers:

conn, _, err := websocket.DefaultDialer.Dial(*ssmStartSessionOutput.StreamUrl, 
 nil)
if err != nil {
    log.Fatal(err)
}
defer conn.Close()

Then, send the ssm.StartSessionOutput token over the websocket connection. This will get you past the error in question:

v := struct {
    TokenValue string `json:"TokenValue"`
}{
    TokenValue: ssmStartSessionOutput.TokenValue,
 }
err := conn.WriteJSON(v)
if err != nil {
    return err
}

But, SSM StartSession's websocket implementation is virtually undocumented and rife with mysterious responses. I've had better luck starting the session-manager-plugin as a subprocess, passing the JSON-ified ssm.StartSessionOutput: 

v := struct {
    SessionID  string `json:"SessionId"`
    StreamURL  string `json:"StreamUrl"`
    TokenValue string `json:"TokenValue"`
}{
    SessionID:  ssmSessionOutput.SessionId,
    StreamURL:  ssmSessionOutput.StreamUrl,
    TokenValue: ssmSessionOutput.TokenValue,
}
j, err := json.Marshal(v)
if err != nil {
    return nil, err
}

cmd := exec.Command("session-manager-plugin", string(j), region, "StartSession")
cmd.Stdout = os.Stdout
cmd.Stdin = os.Stdin
cmd.Stderr = os.Stderr
err = cmd.Run()
stinkyfingers
  • 11
  • 2