Run Remote Command on EC2 via SSM

Keywords: AWS, Amazon, System, Systems, SSM

Overview

在服务器上执行命令是一个非常普遍的需求. 通常我们有这么几种方法:

• SSH 登录服务器, 然后在终端里敲命令.

• 用远程执行工具, 例如 paramiko. 你需要管理好 SSH.

• 用 Ansible 一类的自动化工具.

AWS 原生的 System Manager 服务可以用来来执行远程命令. 这种方法的好处有很多:

• 无需管理 SSH.

• 使用 IAM Role 权限管理, 非常安全.

• 自动化程度高, 可以被嵌入或者编排成各种复杂的脚本.

• 可以和 AWS 的其他服务联动.

本文我们就来看看如何用 AWS 的 System Manager 来执行远程命令.

How it Work

AWS 有一个历史悠久的服务 SSM (System Manager), 该服务对标的是 Ansible 之类的服务器运维工具, 用于批量管理虚拟机. 和 Ansible 用 SSH 来执行远程命令的方式不同, SSM 是通过在机器上安装 SSM Agent (一个由 AWS 维护的系统服务软件), 然后让 SSM Agent 将自己自动注册到 SSM Fleet Manager, 然后通过 IAM 鉴权, 然后用 AWS 内部的 API 与 SSM Agent 通信从而执行远程命令.

我们来看一看在启动一台由 SSM 管理的 EC2 的过程中, 到底发生了什么:

• 启动机器, 启动操作系统以及系统服务, 其中系统服务就包括 SSM agent.

• SSM gent 启动后就会调用 IAM 的权限, 尝试将自己注册到 SSM Fleet Manager 上.

• 一旦注册成功, 你就可以用 SSM 来远程操纵 EC2 了.

从以上内容我们可以看出来, 安装 SSM Agent 至关重要. 所幸的事 AWS 官方提供的一些 AMI (主要是 Amazon Linux) 上会预装 SSM Agent. 包括 AWS 认证过的第三方软件提供商例如 RedHat, Ubuntu 等公司提供的 AMI 也会预装 SSM Agent 并开机自动启动. 但是你用的是你自己或是 Market place 上的 AMI, 里面没有预装 SSM Agent, 你就需要自己安装了. 我们这个项目用的是 Ubuntu Server 20.04, 里面已经预装了 SSM Agent, 所以我们无需做任何额外工作.

在你启动 EC2 的时候 (包括启动新的 EC2, 或是 Stop 之后再 Start, 或是 Reboot 都可以, 因为只要启动系统服务就可以了), 只要你的 IAM Role 里有这个 由 AWS 管理的 IAM Policy arn:aws:iam::aws:policy/service-role/AmazonSSMManagedInstanceCore, 或是你创建一个自己的 Policy 有同样的权限, 那么 SSM Agent 就会自动将自己注册到 SSM Fleet Manager. 虽然 Reference 中的官方文档用的 IAM Role 有特定的名字, 但其实什么名字都可以, 只要有对应的权限就可以.

Reference:

• SSM Agent 的官方文档: https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html

Manually Install SSM Agent on EC2

下面这些文档介绍了如何手动在 EC2 上安装 SSM Agent, 我并没有动手试过, 仅供参考.

• Linux: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html

• Windows: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-win.html

• MacOS: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install-macos2.html

一些有用的命令

你可以用 AWS CLI 来查看哪些 EC2 被注册到了 SSM 管理清单上, 你到 SSM Fleet Manager Console 中看也是一样的:

aws ssm describe-instance-information --output text --profile bmt_app_dev_us_east_1

你也可以 SSH 到 EC2 上运行如下命令来检查 SSM Agent 是否已经启用 (该项目基于 ubuntu server 20.04, 其他系统请参考 官方文档):

sudo systemctl status snap.amazon-ssm-agent.amazon-ssm-agent.service

用 SSM Agent 执行远程命令

下面这段代码展示了如何用 boto3 SDK 通过 SSM 运行远程命令.

# -*- coding: utf-8 -*-

import boto3

ssm_client = boto3.client("ssm")


def send_command(
    instance_id: str,
    cmd: str,
):
    ssm_client.send_command(
        InstanceIds=[
            instance_id,
        ],
        DocumentName="AWS-RunShellScript",
        DocumentVersion="1",
        Parameters={
            "commands": [
                cmd,
            ]
        },
    )


send_command(
    instance_id="i-1a2b3c4d",
    cmd="echo 1a2b3c4d > ~/chore",
)

有了概念之后, 我们来看一个更高级的模块, 适用于生产环境的代码. 与前面的例子不同的是, 它加入了 waiter, 能用 sync 的方式等待 command 完成, 并且 command 的 output 会被写入到 S3 中持久化:

# -*- coding: utf-8 -*-

"""
This module allow you to run remote command on EC2 instance via SSM in 'sync' mode.
The original ssm_client.send_command() is 'async' call, which means you have to
poll the status of the command execution via ssm_client.get_command_invocation().
This module hides the complexity of polling and provide a simple interface.

Requirements:

    func_args>=0.1.1,<1.0.0

Example:

.. code-block:: python

    import boto3
    from s3pathlib import S3Path

    instance_id = "i-1a2b3c"
    commands = [
        "echo hello"
    ]
    ssm_client = boto3.client("ssm")

    # make sure your EC2 has the IAM permission to write to this location
    s3dir_command_output = S3Path(f"s3://my-bucket/ssm-command-output/").to_dir()

    res = ssm_client.send_command(
        InstanceIds=[instance_id],
        DocumentName="AWS-RunShellScript",
        DocumentVersion="1",
        Parameters={
            "commands": commands
        },
        OutputS3BucketName=s3dir_command_output.bucket,
        OutputS3KeyPrefix=s3dir_command_output.key,
    )
    command_id = res["Command"]["CommandId"]

    wait_until_command_succeeded(
        ssm_client=ssm_client,
        command_id=command_id,
        instance_id=instance_id,
        delays=3,
        timeout=60,
        verbose=True,
    )

    for s3path in (
        s3dir_command_output.joinpath(
            command_id,
            instance_id,
            "awsrunShellScript",
        )
        .to_dir()
        .iter_objects()
    ):
        print(f"--- {s3path.uri} ---")
        print(f"{s3path.read_text()}")

.. _send_command: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ssm/client/send_command.html
.. _get_command_invocation: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ssm/client/get_command_invocation.html
"""

import typing as T
import sys
import enum
import time
import itertools
import dataclasses

from func_args import resolve_kwargs, NOTHING

if T.TYPE_CHECKING:
    from mypy_boto3_ssm.client import SSMClient  # pip install "boto3_stubs[ssm]"


class Waiter:
    """
    Simple retry / poll with progress.
    """

    def __init__(
        self,
        delays: T.Union[int, float],
        timeout: T.Union[int, float],
        indent: int = 0,
        verbose: bool = True,
    ):
        self.delays = itertools.repeat(delays)
        self.timeout = timeout
        self.tab = " " * indent
        self.verbose = verbose

    def __iter__(self):
        start = time.time()
        end = start + self.timeout
        for attempt, delay in enumerate(self.delays, 1):
            now = time.time()
            remaining = end - now
            if remaining < 0:
                raise TimeoutError(f"timed out in {self.timeout} seconds!")
            else:
                time.sleep(min(delay, remaining))
                elapsed = int(now - start + delay)
                if self.verbose:
                    sys.stdout.write(
                        f"\r{self.tab}on {attempt} th attempt, "
                        f"elapsed {elapsed} seconds, "
                        f"remain {self.timeout - elapsed} seconds ..."
                    )
                    sys.stdout.flush()
                yield attempt, int(elapsed)


class CommandInvocationStatusEnum(str, enum.Enum):
    Pending = "Pending"
    InProgress = "InProgress"
    Delayed = "Delayed"
    Success = "Success"
    Cancelled = "Cancelled"
    TimedOut = "TimedOut"
    Failed = "Failed"
    Cancelling = "Cancelling"


@dataclasses.dataclass
class CommandInvocation:
    """
    Reference:

    - get_command_invocation_
    """

    CommandId: T.Optional[str] = dataclasses.field(default=None)
    InstanceId: T.Optional[str] = dataclasses.field(default=None)
    Comment: T.Optional[str] = dataclasses.field(default=None)
    DocumentName: T.Optional[str] = dataclasses.field(default=None)
    DocumentVersion: T.Optional[str] = dataclasses.field(default=None)
    PluginName: T.Optional[str] = dataclasses.field(default=None)
    ResponseCode: T.Optional[int] = dataclasses.field(default=None)
    ExecutionStartDateTime: T.Optional[str] = dataclasses.field(default=None)
    ExecutionElapsedTime: T.Optional[str] = dataclasses.field(default=None)
    ExecutionEndDateTime: T.Optional[str] = dataclasses.field(default=None)
    Status: T.Optional[str] = dataclasses.field(default=None)
    StatusDetails: T.Optional[str] = dataclasses.field(default=None)
    StandardOutputContent: T.Optional[str] = dataclasses.field(default=None)
    StandardOutputUrl: T.Optional[str] = dataclasses.field(default=None)
    StandardErrorContent: T.Optional[str] = dataclasses.field(default=None)
    StandardErrorUrl: T.Optional[str] = dataclasses.field(default=None)
    CloudWatchOutputConfig: T.Optional[dict] = dataclasses.field(default=None)

    @classmethod
    def from_get_command_invocation_response(
        cls, response: dict
    ) -> "CommandInvocation":
        """
        Reference:

        - get_command_invocation_
        """
        kwargs = {
            field.name: response.get(field.name) for field in dataclasses.fields(cls)
        }
        return cls(**kwargs)

    @classmethod
    def get(
        cls,
        ssm_client: "SSMClient",
        command_id: str,
        instance_id: str,
        plugin_name: T.Optional[str] = NOTHING,
    ) -> "CommandInvocation":
        """
        Reference:

        - get_command_invocation_
        """
        response = ssm_client.get_command_invocation(
            **resolve_kwargs(
                CommandId=command_id,
                InstanceId=instance_id,
                PluginName=plugin_name,
            )
        )
        return cls.from_get_command_invocation_response(response)


def wait_until_command_succeeded(
    ssm_client: "SSMClient",
    command_id: str,
    instance_id: str,
    plugin_name: T.Optional[str] = NOTHING,
    delays: int = 3,
    timeout: int = 60,
    verbose: bool = True,
):
    """
    Reference:

    - get_command_invocation_
    """
    for _ in Waiter(delays=delays, timeout=timeout, verbose=verbose):
        command_invocation = CommandInvocation.get(
            ssm_client=ssm_client,
            command_id=command_id,
            instance_id=instance_id,
            plugin_name=plugin_name,
        )
        if command_invocation.Status == CommandInvocationStatusEnum.Success.value:
            if verbose:
                print("")
            break
        elif command_invocation.Status in [
            CommandInvocationStatusEnum.Cancelled.value,
            CommandInvocationStatusEnum.TimedOut.value,
            CommandInvocationStatusEnum.Failed.value,
            CommandInvocationStatusEnum.Cancelling.value,
        ]:
            raise Exception(f"Command failed, status: {command_invocation.Status}")
        else:
            pass


if __name__ == "__main__":
    import boto3
    from s3pathlib import S3Path

    instance_id = "i-1a2b3c"
    commands = ["echo hello"]
    ssm_client = boto3.client("ssm")

    # make sure your EC2 has the IAM permission to write to this location
    s3dir_command_output = S3Path(f"s3://my-bucket/ssm-command-output/").to_dir()

    # run remote command, this is an async operation
    res = ssm_client.send_command(
        InstanceIds=[instance_id],
        DocumentName="AWS-RunShellScript",
        DocumentVersion="1",
        Parameters={"commands": commands},
        # store the command output to S3
        OutputS3BucketName=s3dir_command_output.bucket,
        OutputS3KeyPrefix=s3dir_command_output.key,
    )
    command_id = res["Command"]["CommandId"]

    # wait until the command succeeds
    wait_until_command_succeeded(
        ssm_client=ssm_client,
        command_id=command_id,
        instance_id=instance_id,
        delays=3,
        timeout=60,
        verbose=True,
    )

    # print the command output
    for s3path in (
        s3dir_command_output.joinpath(
            command_id,
            instance_id,
            "awsrunShellScript",
        )
        .to_dir()
        .iter_objects()
    ):
        print(f"--- {s3path.uri} ---")
        print(f"{s3path.read_text()}")

Reference:

• 用 SSM 远程执行命令的官方教程: https://aws.amazon.com/getting-started/hands-on/remotely-run-commands-ec2-instance-systems-manager/

• 发送命令的 Python API 文档: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ssm.html#SSM.Client.send_command

总结

1. 在创建 EC2 之前就要配置好你的 IAM Role.

2. 确保你给 EC2 的 IAM Role 有这个 AmazonSSMManagedInstanceCore IAM Policy.

3. 启动 EC2 的时候使用这个 IAM Role. 如果启动的时候忘记给 IAM Role, 那么你可以启动后指定 IAM Role 然后重启即可.

4. 然后就可以用 SSM 的 API 来远程执行命令了.

Remote Command 还能用来干什么

很多自动化脚本由于网络连接的缘故是必须要在 EC2 上运行的. 所以我们可以在世界的任意地点用 SSM agent 来执行远程命令. 而而关于传输数据, 我建议通过 S3 做媒介, 让 EC2 将命令执行后的数据写入到 S3 上. 这样你就可以在任意地点读取这些数据了.