SSH into AWS machines
This document explains how to SSH into machines in AWS, and what commands exist to navigate machines and applications quickly.
In AWS, there are no static hostnames, so we can’t have
to SSH to like in Carrenza. EC2 instances have dynamically assigned IPs, which means
ip-10-1-5-53.eu-west-1.compute.internal. Each Puppeted instance has a
“node class” (backend, frontend, …) and the list of instances belonging to these classes is accessible via govuk_node_list when logged onto the environment.
Local dev machine
If you know the class of machine you want, you can SSH straight from the command line:
$ gds govuk connect ssh -e staging cache
This will automatically SSH into a random cache machine on AWS.
If a class exists in multiple clouds, you will need to choose which one to SSH into:
$ gds govuk connect ssh -e staging backend
error: ambiguous hosting for backend in staging
You’ll need to prefix it with
$ gds govuk connect ssh -e staging aws/backend
You can find out which class of machine you need (and which cloud it lives in) by finding the corresponding app page.
Alternatively, you can use the jumpbox.
$ gds govuk connect ssh -e integration jumpbox
The jumpbox is a special node that knows about all of the other nodes in its environment.
List the IP addresses of every node in the environment:
This long list of IPs is not very useful on its own, but you can filter it by node class:
jumpbox$ govuk_node_list -c backend
And if you can’t remember the names of the node classes, there’s a built-in helper:
jumpbox$ govuk_node_list --classes
Once you have found the IP of the machine you want to SSH into, you can manually SSH directly from the jumpbox machine:
jumpbox$ ssh ip-10-1-5-22.eu-west-1.compute.internal
You can also do this from your local machine by appending the environment to the address:
local$ ssh ip-10-1-5-22.eu-west-1.compute.internal.integration
Now you’re on the node running the application you want to explore. There are two main ways of interacting with the running application.
You can start up an application console (typically Rails):
…or you can start up a database console (typically PostgreSQL):
These common commands, along with govuk_node_list, live in
Sometimes you might try to SSH into a server and nothing happens. Double-check that you have added the key into the keychain like so:
ssh-add -K ~/.ssh/id_rsa
Make sure you have been granted access. For example, if you have yet to be granted access to production, your attempt to SSH into a production node will fail silently.
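When a connection hangs or fails silently, it helps to confirm that the key on disk is the one the agent is offering before suspecting missing access. The check below is an added example, not part of the original page or the GOV.UK tooling; the function names are hypothetical and the default key path is the one used above.

```sh
# Added example (not from the original page). Function names are hypothetical.
# Constructed sample of `ssh-add -l` output; the fingerprints are not real keys.
SAMPLE_LISTING='4096 SHA256:CONSTRUCTED-rsa-fingerprint-000000000000000 you@laptop (RSA)
256 SHA256:CONSTRUCTED-ed25519-fingerprint-00000000000 you@laptop (ED25519)'

# Map the exit status of `ssh-add -l` to a diagnosis.
agent_state() {
  case "$1" in
    0) echo identities-loaded ;;
    1) echo agent-empty ;;          # agent reachable, but no keys added
    2) echo agent-unreachable ;;    # no agent running, or SSH_AUTH_SOCK is wrong
    *) echo unknown ;;
  esac
}

# Succeed if FINGERPRINT ($2) is the second field of a line in LISTING ($1).
agent_has_fingerprint() {
  printf '%s\n' "$1" | awk -v fp="$2" '$2 == fp { found = 1 } END { exit !found }'
}

# Compare the key on disk with what the agent actually holds.
check_key_loaded() {
  key="${1:-$HOME/.ssh/id_rsa}"
  fp=$(ssh-keygen -lf "$key" 2>/dev/null | awk '{ print $2 }')
  if [ -z "$fp" ]; then
    echo "cannot read a fingerprint from $key" >&2
    return 2
  fi
  listing=$(ssh-add -l 2>/dev/null)
  state=$(agent_state "$?")
  if [ "$state" != identities-loaded ]; then
    echo "$state" >&2
    return 1
  fi
  if agent_has_fingerprint "$listing" "$fp"; then
    echo "loaded: $fp"
  else
    echo "not in agent: $fp" >&2
    return 1
  fi
}
```

Source the file and run `check_key_loaded` (optionally with a key path). If it reports the key as loaded and the connection still fails, the access grant is the next thing to check.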