I am able to connect to a bastion host created with a CloudFormation template from Cloudonaut using my own SSH key. I set this variable to true in the template.

But I am having trouble connecting to my cluster EC2 instance that was also built with IAMUserSSHAccess.

How is this supposed to work? Am I supposed to log into the bastion host and then be able to hop to the EC2 instance (this is how we usually connect when using the key that was used to create the host)? And should I be connecting as ec2-user or as my own user on the EC2 instance?

Or am I supposed to open up SSH access to the EC2 instance in its security group and then connect to the instance directly? That doesn't work either.

The goal is to have developers be able to connect to a Docker container using their own keys so we don't have to share the "baked in" key. I have read your fine article:

Hi @jhoadley

the following docs should explain your use case: https://templates.cloudonaut.io/en/stable/vpc/#personalized-users

Let me know if there are missing steps. I’m always happy to improve those docs.


Thank you, Michael, that works! Implied, but not mentioned, is a prerequisite: running ssh-agent and loading your key into it.

Follow-up question. It seems like any IAM user in the account (with a public SSH key loaded into their profile) can do this. I would like to control which hosts a given IAM user can log in to. For example devs can access staging hosts but only lead devs can access production hosts. How would you do this?


Have you looked into SSM Session Manager and EC2 Instance Connect? They don't support personalized Linux users, but you could control on the IAM side where people can connect.

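As an added illustration of the IAM-side control suggested above (this is not code from the thread or from the cloudonaut templates), here is an identity policy for a "developers" group that lets its members reach only instances tagged `Environment=staging`, via either Session Manager or EC2 Instance Connect. The tag key `Environment`, the tag value `staging`, the OS user `ec2-user` and the use of wildcard region/account ARNs are assumptions made for the example; a "lead devs" group would get the same policy with `production` added to (or substituted for) the tag value.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SessionManagerStagingInstancesOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/Environment": "staging" }
      }
    },
    {
      "Sid": "SessionManagerDocuments",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell",
        "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
      ]
    },
    {
      "Sid": "ManageOnlyOwnSessions",
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    },
    {
      "Sid": "InstanceConnectStagingInstancesOnly",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Environment": "staging",
          "ec2:osuser": "ec2-user"
        }
      }
    },
    {
      "Sid": "DiscoverInstances",
      "Effect": "Allow",
      "Action": ["ec2:DescribeInstances", "ssm:DescribeInstanceInformation"],
      "Resource": "*"
    }
  ]
}
```

Two practical notes. Session Manager needs the SSM agent running on the instance and an instance profile that allows it to register (for example the `AmazonSSMManagedInstanceCore` managed policy), but it needs no inbound SSH rule in the security group at all, which is the cleaner option for the "don't share the baked-in key" goal. EC2 Instance Connect pushes the user's public key to the instance for 60 seconds via `aws ec2-instance-connect send-ssh-public-key`, after which a normal `ssh ec2-user@<host>` works, so the security group (or a bastion) must still permit SSH from the client; the `ec2:osuser` condition above is what stops a developer from pushing a key for a different OS user. With either mechanism the authorization decision is made by IAM against the instance tags, so the tags must be protected from modification by the same developers (for example by denying `ec2:CreateTags`/`ec2:DeleteTags` on the `Environment` key).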
