How to enable ec2 instance connect from user-data #58

Closed
vasu-git opened this issue Apr 12, 2022 · 3 comments

@vasu-git

Image I'm using:
Bottlerocket OS 1.7.0 (aws-k8s-1.21)

I'm trying to use Bottlerocket in my EKS cluster (it uses Karpenter with a custom launch template).
I also need to enable SSH access to the instance by default using EC2 Instance Connect (it works seamlessly for non-Bottlerocket-based instances).

I was able to enable the admin container by default by adding the following to the user-data for the launch template:

[settings.host-containers.admin]
enabled = true

However, I'm still not able to connect to the instance using mssh, probably since authorized-keys-command and authorized-keys-command-user are not set in the admin-container? Reference: #39

How do I set these from the user-data of a launch template?

@jpculp
Member

jpculp commented Apr 12, 2022

Hi @vasu-git, thanks for reaching out. By default the only authentication method that is enabled is traditional SSH using the key you set when you created the instance. If you'd like to use EC2 Instance Connect instead, you need to set the admin container's userdata with the addition of a base64-encoded block like so:

[settings.host-containers.admin]
enabled = true
user-data = "YOURBASE64BLOCKHERE"

The base64-encoded block should contain the following JSON:

{
  "ssh": {
    "authorized-keys-command": "/opt/aws/bin/eic_run_authorized_keys %u %f",
    "authorized-keys-command-user": "ec2-instance-connect"
  }
}

For more authentication options, see Authenticating with the Admin Container.
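
The steps in the reply above, as an added shell example that is not part of the original thread or the Bottlerocket project: it base64-encodes the JSON onto a single line, renders the TOML fragment for the launch template, and decodes the fragment again so the result can be reviewed before rollout. The function names are hypothetical, and `base64`, `sed` and `tr` are assumed to be available.

```shell
#!/bin/sh
# Added example: build the admin-container user data described in the thread.
# Function names are illustrative assumptions, not Bottlerocket tooling.
set -eu

# The JSON from the reply above, emitted byte-for-byte.
admin_ssh_json() {
  cat <<'EOF'
{
  "ssh": {
    "authorized-keys-command": "/opt/aws/bin/eic_run_authorized_keys %u %f",
    "authorized-keys-command-user": "ec2-instance-connect"
  }
}
EOF
}

# Base64 on one line: some base64 tools wrap output at 76 columns, and a
# wrapped value would break the single-line TOML string.
encode_userdata() {
  base64 | tr -d '\n'
}

# Render the TOML fragment that goes into the launch template user data.
render_toml() {
  blob="$(admin_ssh_json | encode_userdata)"
  printf '[settings.host-containers.admin]\n'
  printf 'enabled = true\n'
  printf 'user-data = "%s"\n' "$blob"
}

# Review check: read a TOML fragment on stdin, extract the user-data value
# and decode it, so the sshd settings actually being shipped are visible.
decode_toml_userdata() {
  sed -n 's/^user-data = "\(.*\)"$/\1/p' | base64 --decode
}

# Print the fragment when the script is run.
render_toml
```

Piping the output through `decode_toml_userdata` should print the original JSON unchanged; a mismatch means the value was wrapped or truncated on the way into the template.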

@vasu-git
Author

Thanks @jpculp.
That worked :)

@jpculp
Member

jpculp commented Apr 12, 2022

Glad it worked out!

@jpculp jpculp closed this as completed Apr 12, 2022