Feature Request: Add AWS SSM Session Manager Support as Transport Option
Add support for AWS Systems Manager (SSM) Session Manager as an alternative transport method to SSH/WinRM in kitchen-ec2, enabling Test Kitchen to connect to EC2 instances without requiring direct network connectivity or SSH key management.
Currently, kitchen-ec2 requires SSH (Linux) or WinRM (Windows) connectivity, which presents challenges in several scenarios:
- Security-hardened environments where direct SSH/RDP access is disabled
- Private subnets without bastion hosts or VPN connectivity
- Zero-trust networks where SSM Session Manager is the preferred access method
- Compliance requirements that mandate all shell access go through audited channels like SSM
- Simplified key management - eliminating the need to manage SSH key pairs for testing
Have you tried this? https://www.tecracer.com/blog/2022/11/test-kitchen-on-aws-2022-edition.html
I saw the issue but was on travel - so thanks @williamtheaker for getting that link 👍
Well, it worked when I wrote that one. I am curious if that's still the case, maybe I'll get some time to re-validate this weekend 😅
I have been routinely using kitchen-transport-train from Chef 19 development over the last months though, just not with the SSM train plugin. Small caveat though: it is using SSM-RunCommands and IIRC base64-encoding for file transfers.
I have some outdated attempts lying around, trying to make the SSM Session Manager capabilities work instead. However, I was never able to finish reverse-engineering the (WebSocket-based) protocol. It simply was too much effort as a hobby and nobody wanted to pay for it 😅