I created an AWS EC2 instance following Get started with deep learning using the AWS Deep Learning AMIs | AWS. Now it is up and running. It offers 3 options to connect:

[Screenshot: the three connection options]

A connection via a standalone SSH client works, but when I try a browser-based SSH connection (second option), it results in the following error:

[Screenshot: the error message]

Does anyone know what might be wrong and how to fix it?

John Rotenstein
mentalmushroom

1 Answer

Looks like you need to set up Instance Connect on the instance for the browser connection to work. Judging by the guide you linked, I would assume you are using an Ubuntu 16.04-based AMI. The following was taken from this guide.

  1. Install ec2-instance-connect package.

     ```
     ubuntu:~$ sudo apt-get update
     ubuntu:~$ sudo apt-get install ec2-instance-connect
     ```

     You should see four new files in the /usr/share/ec2-instance-connect/ folder:

     ```
     eic_curl_authorized_keys
     eic_harvest_hostkeys
     eic_parse_authorized_keys
     eic_run_authorized_keys
     ```

  2. Configure IAM permissions for the user that will be using Instance Connect. Create a policy with the following content and attach it to your IAM user (replace instance ARNs with appropriate values for your instances).

     ```json
     {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Effect": "Allow",
             "Action": "ec2-instance-connect:SendSSHPublicKey",
             "Resource": [
                 "arn:aws:ec2:region:account-id:instance/i-1234567890abcdef0",
                 "arn:aws:ec2:region:account-id:instance/i-0598c7d356eba48d7"
             ],
             "Condition": {
                 "StringEquals": {
                     "ec2:osuser": "ubuntu"
                 }
             }
           },
           {
             "Effect": "Allow",
             "Action": "ec2:DescribeInstances",
             "Resource": "*"
           }
         ]
     }
     ```

Browser connection should work now.

Dmitrii Erokhin
  • Quite complicated.. I got stuck at creating policy. `aws iam create-policy --policy-name my-policy --policy-document file://JSON-file-name` fails with 'Unable to locate credentials. You can configure credentials by running "aws configure".' – mentalmushroom Nov 25 '19 at 11:27
  • Yes, aws-cli needs to be configured before running any commands. Alternatively, you can do everything from AWS Web Console - go to IAM service, select `Users` on the left, select your user, click `Add permissions`, then `Attach existing policies directly` and search for `EC2InstanceConnect` policy, then a couple clicks on `Next` button and you should be all set. – Dmitrii Erokhin Nov 25 '19 at 11:37
  • IAM Users list no users. Should I create one? – mentalmushroom Nov 25 '19 at 11:46
  • That means you are using the root user for the account, which has all admin privileges. In this case you don't need to create any policies, just try connecting to your instance (make sure `ec2-instance-connect` package is installed there though). – Dmitrii Erokhin Nov 25 '19 at 11:56
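
An added example, not part of the original answer or of AWS's documentation: an offline check of a policy shaped like the one in the answer before it is attached. It flags `SendSSHPublicKey` grants that still carry the `region`/`account-id` template text, use a wildcard resource, or lack the `ec2:osuser` condition. The function names, the region `us-east-1` and the account id `111122223333` are assumptions made for this example.

```python
import fnmatch
import re

ACTION = "ec2-instance-connect:sendsshpublickey"
# Concrete instance ARN: real region, 12-digit account id, instance id.
INSTANCE_ARN = re.compile(
    r"^arn:aws:ec2:[a-z]{2}(-[a-z]+)+-\d:\d{12}:instance/i-[0-9a-f]{8,17}$")

def as_list(value):
    """IAM accepts either a single string or a list here."""
    return value if isinstance(value, list) else [value]

def check_policy(policy):
    """Return findings for Allow statements that grant SendSSHPublicKey."""
    findings = []
    for idx, stmt in enumerate(as_list(policy.get("Statement", []))):
        # Action entries may contain IAM wildcards such as "ec2-instance-connect:*".
        grants = any(fnmatch.fnmatchcase(ACTION, a.lower())
                     for a in as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not grants:
            continue
        for arn in as_list(stmt.get("Resource", [])):
            if "*" in arn:
                findings.append(f"statement {idx}: wildcard resource {arn!r}")
            elif not INSTANCE_ARN.match(arn):
                findings.append(f"statement {idx}: placeholder or malformed ARN {arn!r}")
        # Condition keys are case-insensitive; look under any operator.
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if "ec2:osuser" not in keys:
            findings.append(f"statement {idx}: no ec2:osuser condition")
    return findings

def make_policy(resources, os_user=None):
    """Build a policy shaped like the one in the answer (constructed sample)."""
    stmt = {"Effect": "Allow", "Action": "ec2-instance-connect:SendSSHPublicKey",
            "Resource": resources}
    if os_user:
        stmt["Condition"] = {"StringEquals": {"ec2:osuser": os_user}}
    describe = {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}
    return {"Version": "2012-10-17", "Statement": [stmt, describe]}

# Constructed inputs: the template ARN from the answer, a filled-in ARN, a wildcard.
TEMPLATE = make_policy(["arn:aws:ec2:region:account-id:instance/i-1234567890abcdef0"], "ubuntu")
FILLED = make_policy(["arn:aws:ec2:us-east-1:111122223333:instance/i-1234567890abcdef0"], "ubuntu")
BROAD = make_policy("*")

if __name__ == "__main__":
    for name, pol in [("template", TEMPLATE), ("filled", FILLED), ("broad", BROAD)]:
        print(name, check_policy(pol) or "ok")
```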