Problem:
当我尝试使用 AWS System Session Manager CLI 命令在本地连接到正在运行的 EC2 实例时:aws ssm start-session --target i-123456
我收到错误:
An error occurred (TargetNotConnected) when calling the StartSession operation: i-123456 is not connected.
背景:
- 托管在自定义 VPC 内的私有子网上的 Linux 2 实例
- VPC 端点 https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html用于将 System Manager 连接到托管实例,无需 NAT GW 或 IGW。
- 端点服务名称:
com.amazonaws.us-west-2.s3
com.amazonaws.us-west-2.ec2
com.amazonaws.us-west-2.ec2messages
com.amazonaws.us-west-2.ssm
com.amazonaws.us-west-2.ssmmessages
- AWS CLI == 2.0.40
- Python==3.7.4
- 自定义 Terraform 模块,用于在私有子网之一内启动气流实例(请参阅下面的模块“airflow_aws_resources”)
- 与此问题相关的唯一 .tf 文件是气流.tf https://github.com/marshall7m/tf_modules/blob/master/airflow-aws-resources/airflow.tf在模块“airflow_aws_resources”内。此文件包含通过 SSM 连接的 EC2 实例的安全组和实例配置文件配置。
使用 Terraform 重现:
module "airflow_aws_resources" {
source = "github.com/marshall7m/tf_modules/airflow-aws-resources"
resource_prefix = "test"
vpc_id = module.vpc.vpc_id
env = "testing"
private_bucket = "test-bucket"
private_subnets_ids = module.vpc.private_subnets
private_subnets_cidr_blocks = module.vpc.private_subnets_cidr_blocks
create_airflow_instance = true
create_airflow_instance_sg = true
create_airflow_db = false
create_airflow_db_sg = false
airflow_instance_ssm_access = true
airflow_instance_ssm_region = "us-west-2"
airflow_instance_ami = "ami-0841edc20334f9287"
airflow_instance_type = "t2.micro"
}
resource "aws_security_group" "vpc_endpoints" {
name = "test-vpc-endpoint-sg"
description = "Default security group for vpc endpoints"
vpc_id = module.vpc.vpc_id
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["10.0.0.32/28", "10.0.0.64/28"]
}
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
#private subnet cidr blocks
cidr_blocks = ["10.0.0.32/28", "10.0.0.64/28"]
}
egress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["10.0.0.32/28", "10.0.0.64/28"]
}
egress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["10.0.0.32/28", "10.0.0.64/28"]
}
}
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "2.44.0"
name = "test-vpc"
cidr = "10.0.0.0/24"
azs = ["us-west-2a", "us-west-2b"]
private_subnets = ["10.0.0.32/28", "10.0.0.64/28"]
private_dedicated_network_acl = true
private_subnet_suffix = "private"
public_subnets = ["10.0.0.96/28", "10.0.0.128/28"]
public_dedicated_network_acl = true
public_subnet_suffix = "public"
enable_s3_endpoint = true
enable_ec2messages_endpoint = true
ec2messages_endpoint_security_group_ids = [aws_security_group.vpc_endpoints.id]
enable_ec2_endpoint = true
ec2_endpoint_security_group_ids = [aws_security_group.vpc_endpoints.id]
enable_ssm_endpoint = true
ssm_endpoint_security_group_ids = [aws_security_group.vpc_endpoints.id]
enable_ssmmessages_endpoint = true
ssmmessages_endpoint_security_group_ids = [aws_security_group.vpc_endpoints.id]
enable_nat_gateway = false
single_nat_gateway = false
enable_vpn_gateway = false
create_database_subnet_route_table = false
create_database_internet_gateway_route = false
create_database_subnet_group = false
manage_default_network_acl = false
enable_dns_hostnames = true
enable_dns_support = true
private_inbound_acl_rules = [
{
"description": "Allows inbound https traffic for aws s3 package requests"
"cidr_block": "0.0.0.0/0",
"from_port": 443,
"to_port": 443,
"protocol": "tcp",
"rule_action": "allow",
"rule_number": 101
},
{
"description": "Allows inbound http traffic for aws s3 package requests"
"cidr_block": "0.0.0.0/0",
"from_port": 80,
"to_port": 80,
"protocol": "tcp",
"rule_action": "allow",
"rule_number": 102
}
]
private_outbound_acl_rules = [
{
"description": "Allows outbound https traffic for aws s3 package requests"
"cidr_block": "0.0.0.0/0",
"from_port": 443,
"to_port": 443,
"protocol": "tcp",
"rule_action": "allow",
"rule_number": 101
},
{
"description": "Allows outbound http traffic for aws s3 package requests"
"cidr_block": "0.0.0.0/0",
"from_port": 80,
"to_port": 80,
"protocol": "tcp",
"rule_action": "allow",
"rule_number": 102
}
]
vpc_endpoint_tags = {
type = "vpc-endpoint"
}
}
尝试:
#1
我尝试了 EC2 控制台 SSM 中的故障排除提示(AWS Ec2 控制台 >> 实例 ID >> 连接 >> 会话管理器):
-
SSM 代理已预安装在 AWS Linux 实例类型上。尽管我通过 SSH 访问实例并运行进行了双重检查sudo status amazon-ssm-agent
返回:amazon-ssm-agent start/running, process 1234
-
上面显示的 EC2 实例配置文件包含所需的AmazonSSMManagedInstanceCore
policy
-
我已完成会话管理器先决条件。
#2
附加AmazonSSMFullAccess
使用以下命令的用户:aws ssm start-session --target i-123456
通过 SSM 连接实例时出现同样的错误:
An error occurred (TargetNotConnected) when calling the StartSession operation: i-123456 is not connected.
#3
将 HTTPS 入站/出站流量从 VPC 终端节点的关联私有子网添加到 EC2 实例安全组(请参阅气流.tf https://github.com/marshall7m/tf_modules/blob/master/airflow-aws-resources/airflow.tf)
同样的错误:
An error occurred (TargetNotConnected) when calling the StartSession operation: i-123456 is not connected.
#4
在系统管理器控制台中,我使用了“快速设置”选项,并使用中指定的实例配置文件配置了“快速设置”气流.tf https://github.com/marshall7m/tf_modules/blob/master/airflow-aws-resources/airflow.tf以及具有默认角色的系统管理员角色。 ec2 实例在快速设置页面中成功注册了“托管实例”。
同样的错误:
An error occurred (TargetNotConnected) when calling the StartSession operation: i-123456 is not connected.
#5
鉴于这是一个测试 VPC 和 EC2 实例,我尝试允许来自所有 IPv4 源 (0.0.0.0/0) 的所有类型的流量访问以下资源:
- 私有子网 NACL
- EC2实例安全组
- 与以下接口/网关端点关联的安全组:
com.amazonaws.us-west-2.s3
com.amazonaws.us-west-2.ec2
com.amazonaws.us-west-2.ec2messages
com.amazonaws.us-west-2.ssm
com.amazonaws.us-west-2.ssmmessages
通过 SSM 连接实例时出现同样的错误:
An error occurred (TargetNotConnected) when calling the StartSession operation: i-123456 is not connected.