NEW RELEASE | Connect to EC2 Instance using EC2 Instance Connect Endpoint | LAUNCHED JUNE 2023

  • Published 28 Sep 2024

COMMENTS • 39

  • @ManishJindalmanisism 1 year ago +1

    Hi, I have a question off topic: when switching roles, does the user need to be provided some policy to allow which roles that user can assume/switch to?

    • @unmaskITnow 1 year ago

      Hi there. To assume a role, the user needs to have sts:AssumeRole permissions for the respective role ARN created. Apologies, the video didn't demonstrate that correctly with respect to user permissions but hope this helps!
      docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html

    • @ManishJindalmanisism 1 year ago

      @unmaskITnow Thanks for replying. In many other demos there was no such thing as switching roles. I guess that may be because the demo was using an admin account, or an account that already had the required policy attached?

  • @arjunb1825 8 months ago

    Thank you! This was a lifesaver.

  • @grainofmustardseed 1 year ago +1

    Your video was of great help, especially the SG & IAM setup.

  • @ayan_bhuin 8 months ago

    Thank you very much for this video. This was very helpful for my project.

  • @utkarshdeep2031 1 year ago

    The presentation and organisation of content is excellent. The concepts are covered in great detail. Keep up the good work!!

  • @gunduthadiyan 9 months ago

    A very well-paced, clearly explained video, thank you for taking the time to produce it. A quick question: how do I modify this IAM role so that it is applicable for all EC2 instances in a given VPC or CIDR block?

  • @awskaran 25 days ago

    I want to use this for my business users. But the caveat is they don't have an AWS account. Traditionally they used to connect via RDP. How can my business users connect in such cases?

  • @karthikpt6110 1 year ago

    Hi, I have one question. I am using the third one, "Allow users to connect only from a specified source IP address range". Here I mentioned my local machine's public IP, but it was connected to any machine. How can I fix it?

  • @DhirajGosavi-x4y 1 year ago

    Hello, we are able to connect to a Linux server by EC2 connect, but how can we copy a file from the local machine to the EC2 instance by EC2 connect?

  • @farhangunawan 1 year ago +1

    Followed the steps, but having difficulty when trying to Assume Role
    An error occurred (AccessDenied) when calling the AssumeRole operation: User:
    is not authorized to perform: sts:AssumeRole on resource:
    Roles and Policy had been set up already

    • @unmaskITnow 1 year ago

      Hi there. To assume a role, the user needs to have sts:AssumeRole permissions for the respective role ARN created. Apologies, the video didn't demonstrate that correctly with respect to user permissions but hope this helps!
      docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html

  • @dostoievski2 1 year ago +1

    I love how you organized and presented the content! I will definitely subscribe. Thank you!

    • @unmaskITnow 1 year ago

      Thank you for subscribing. So thoughtful of you to recognize that. My intention is to organize & simplify so you don't end up having to search multiple places.

  • @lemonwithswag2593 1 year ago +2

    Your content is well organized. Keep up the good work.

  • @BharathKumar-jm8gl 11 months ago

    Hi, I have launched an EC2 in a private subnet and created an EC2 endpoint with ec2sg and endpoint SG and attached them accordingly, but without creating any role I was able to connect to EC2 through the EC2 endpoint.
    Is a role required here? I was able to connect without any role.

    • @srinidhinag2631 8 months ago

      True, it works without switching the role.

  • @nrvishnu3764 1 year ago

    awscli.customizations.ec2instanceconnect.websocket - ERROR - [1] Encountered error with websocket: (10053, 'An established connection was aborted by the software in your host machine', None, 10053, None)
    [1] Closing tcp connection.
    I am facing this above error while trying to windows ec2

  • @nrvishnu3764 5 months ago

    Hi, I have an MSSQL EC2 instance running on a configuration similar to the demo you showed. Can I connect via SQL Server Management Studio?

  • @mohannadsamir5601 1 year ago +1

    Thank you so much for this well-demonstrated video. I have a question: "Can those instances have access to the internet using a NAT GW?"

    • @unmaskITnow 1 year ago

      Hi there, thank you for watching. The answer to your question is yes. EC2 instance connect endpoint is for inbound access to instances in private subnet. You can still create a NAT gateway in public subnet and have a default route to the NAT gateway in private subnet for outbound internet access.
      Please do share and subscribe as it encourages me to make more such content.

    • @mohannadsamir5601 1 year ago +1

      @unmaskITnow Thanks for your response and consideration. Keep up your great work ♥.

  • @gerardvalverde5179 1 year ago +1

    amazing everything from this video

    • @unmaskITnow 1 year ago

      Thanks for the compliment. Please don't forget to subscribe and support the channel 🙏

  • @readbetweenthelines8484 1 year ago +1

    Well Organized ... I loved it

    • @unmaskITnow 1 year ago

      Thank you so much 🙂 glad you loved it. Please do subscribe for more such content.

  • @KunjaBihariJena 1 year ago +1

    Thank you, Ma'am, we learned a new concept.

    • @unmaskITnow 1 year ago +1

      Glad to hear that it was helpful. I post new content every week. Please do subscribe for more such content

  • @yaseen4916 1 year ago +1

    Thank you. Now I need to scp to the private instance. How can we use this to copy files from a local directory to the private instance?

    • @unmaskITnow 1 year ago

      Hi Yaseen, thank you for the question. If you're able to follow the process in the video to SSH to private instance, you should be able to use SCP utility to copy files to the private instance. Please find the link below with the AWS document for your reference.
      docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html#AccessingInstancesLinuxSCP

    • @yaseen4916 1 year ago

      @unmaskITnow Yeah, I tried this. I believe there is documentation still remaining about this.

    • @yaseen4916 1 year ago

      Currently used this but getting an error that it is unable to find credentials. Please try it out and let me know if you could find something.

  • @gokulp202 1 year ago +1

    Very useful video, can you add the difference between ECI endpoint and SSM, because SSM also offers similar feature.

    • @unmaskITnow 1 year ago +2

      Yes, SSM offers Session Manager to connect to the instance. And that's a really good suggestion to compare the two. I'll aim to do that next. Do subscribe so you're notified when I release it.

    • @gokulp202 1 year ago +1

      @unmaskITnow Subscribed already. I have one doubt: for a single account, why an IAM role? An IAM policy can be attached directly to the IAM user group, right? Are you referring here to cross-account access using ECI endpoint? I am trying to replicate the same thing using SSO, Dev account user --> accessing prod account instance.

    • @unmaskITnow 1 year ago

      Yes, you can attach an IAM policy directly to an IAM user, but that requires you to download the Access key ID and Secret access key, which are long-lived credentials for the user. It's an AWS-recommended best practice for an IAM user to assume an IAM role with temporary credentials to grant necessary permissions, whether it is in the same account or cross-account.

  • @Ihteshamulhaq296 1 year ago +1

    Thank you for the detailed informative and step by step video!