OP AWS CLI Plugin with AWS SSM via SSH config

robhenley
Community Member

I just started using the AWS CLI Plugin which works great. I can for example run aws s3 ls with no problems. The issue that I haven't managed to solve yet is how do I use it with SSH over AWS SSM. The AWS docs describe the ~/.ssh/config like the following:

 host i-* mi-*
 User <user>
 IdentityFile ~/.ssh/<identity>
 ProxyCommand sh -c "aws --region <region> --profile default ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

Which works great without the 1Password AWS CLI plugin. With the plugin enabled and the credentials deleted from ~/.aws/credentials I get the following:

Unable to locate credentials. You can configure credentials by running "aws configure".
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

My first pass at fixing this was adjusting the ProxyCommand to include op plugin run like the following:

ProxyCommand sh -c "op plugin run -- aws --region <region> --profile default ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

That prompted for authorization like it was going to work but unfortunately didn't fix it.

NOTE: I also got the following error:

An error occurred (TargetNotConnected) when calling the StartSession operation: i-<instance id> is not connected.
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

Lastly, I tried adjusting the ProxyCommand shell like the following, thinking there may be some environment issue (the plugins are set up in ~/.bashrc).

ProxyCommand bash -c ...

Can anyone provide direction on making this work?

1Password 8.10.26
OP CLI 2.25.0
Mac 14.3.1


1Password Version: 2.25.0
Extension Version: Not Provided
OS Version: 14.3.1
Browser: Not Provided

Comments

  • robhenley
    Community Member

    UPDATE: It turns out the following command was working:

    ProxyCommand sh -c "op plugin run -- aws --region <region> --profile default ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
    

    There was just an issue with the specific instance I tried to connect to. Carry on folks!
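
An added example, not part of the thread or of 1Password's or AWS's own tooling: a small shell check that flags SSM ProxyCommand entries calling `aws` without `op plugin run --`, and that separates the two errors quoted above (missing credentials versus an instance that is not connected). The function names and the `ssm-*` host pattern are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Two checks for the setup discussed above.

# 1) Lint ssh_config text on stdin: report each SSM ProxyCommand as
#    "ok <host patterns>" when it calls aws through `op plugin run --`, or
#    "bare-aws <host patterns>" when it calls aws directly. `sh -c` does not
#    read ~/.bashrc, so plugin setup done there never reaches a bare `aws`.
lint_ssh_config() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        tolower(line) ~ /^host[ \t]/ {
            host = line; sub(/^[^ \t]+[ \t]+/, "", host); next
        }
        tolower(line) ~ /^proxycommand[ \t]/ && line ~ /ssm start-session/ {
            if (line ~ /op plugin run -- aws /) print "ok " host
            else print "bare-aws " host
        }
    '
}

# 2) Classify the stderr text of a failed attempt, using the two messages
#    quoted in the thread. "credentials" points at the local setup;
#    "target" means the API call was made and the instance is the problem.
classify_ssm_error() {
    case "$1" in
        *"Unable to locate credentials"*) echo credentials ;;
        *"(TargetNotConnected)"*)         echo target ;;
        *)                                echo unknown ;;
    esac
}

# Constructed sample: the two ProxyCommand forms from the thread; the second
# host pattern (ssm-*) is made up for the demo.
sample_config() {
    cat <<'EOF'
host i-* mi-*
 User <user>
 ProxyCommand sh -c "aws --region <region> --profile default ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
Host ssm-*
 ProxyCommand sh -c "op plugin run -- aws --region <region> --profile default ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
EOF
}

sample_config | lint_ssh_config
```

To check a real file, pipe it in: `lint_ssh_config < ~/.ssh/config`.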

This discussion has been closed.