Elastic Compute Service:Connect to an instance by using Session Manager in the ECS console

Last Updated:Feb 18, 2025

You can use Session Manager to connect to an Elastic Compute Service (ECS) instance without the need for a password. Compared with SSH and Remote Desktop Protocol (RDP), Session Manager allows you to connect to instances in a more convenient and secure manner. This topic describes how to connect to an instance by using Session Manager in the ECS console.

Important

The Session Manager logon method also allows you to use the CLI to connect to Linux and Windows instances.

If you want to use the Session Manager GUI to connect to a Windows instance, you can use the port forwarding feature to map the remote access port of the Windows instance to the on-premises computer and use RDP to connect to the instance.

Prerequisites

The ECS instance to which you want to connect is in the Running state

You can view the status of the instance on the Instance page in the ECS console.

For information about how to check the status of the instance, see View instance information.

Cloud Assistant Agent is installed on the instance

Session Manager is implemented based on Cloud Assistant. You need to install Cloud Assistant Agent on the instance. You can view the status of Cloud Assistant Agent on the ECS Cloud Assistant page in the ECS console.

Cloud Assistant Agent is pre-installed on ECS instances that are created from Alibaba Cloud public images on or after December 1, 2017. For ECS instances created before December 1, 2017, you must manually install Cloud Assistant Agent. For more information, see Install Cloud Assistant Agent.

For information about how to view the status of the Cloud Assistant Agent and handle anomalies, see View the status of Cloud Assistant and handle anomalies.

Network connectivity is provided by configuring a security group

When you use Session Manager to connect to an ECS instance, Cloud Assistant Agent running on the instance must be able to reach the Cloud Assistant server. Make sure that the outbound rules of the security group to which the instance belongs allow this traffic.

Unlike connection methods such as SSH and Remote Desktop Protocol (RDP), which require an inbound connection to the instance, Cloud Assistant Agent actively establishes an outbound WebSocket connection to the Session Manager server. You only need to allow the outbound WebSocket port to the Cloud Assistant server in a security group rule. For information about how Session Manager works, see the How Session Manager works section of this topic.
Important
  • If you use basic security groups including the default security group, all outbound traffic is allowed. No additional configuration is required.

  • If you use an advanced security group, all outbound traffic is denied. You must configure the relevant rules. The following table describes the rules. For information about security groups, see Basic security groups and advanced security groups.

For information about how to add rules to a security group, see Add a security group rule.

Action | Priority | Protocol type | Port range | Authorization object | Description
Allow  | 1        | Custom TCP    | 443        | 100.100.0.0/16       | This port is used to access the Cloud Assistant server.
Allow  | 1        | Custom TCP    | 443        | 100.0.0.0/8          | This port is used to access the server on which the Cloud Assistant Agent installation package is stored when you want to install or update Cloud Assistant Agent.
Allow  | 1        | Custom UDP    | 53         | 0.0.0.0/0            | This port is used to resolve domain names.

If you want to connect to an instance by using only Session Manager, delete the inbound rules that allow the SSH port (default 22) and RDP port (default 3389) from a security group to improve the security of the ECS instance.
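The following script is an added example, not Alibaba Cloud's own code, that audits a security group's rules against the requirements above: it reports which of the three required outbound rules is not satisfied by any allow rule (a broader rule such as TCP 443 to 100.0.0.0/8 counts as covering the 100.100.0.0/16 entry) and whether inbound SSH or RDP rules are still open. It assumes rule dictionaries shaped like the Permissions entries returned by the DescribeSecurityGroupAttribute API (IpProtocol, PortRange, DestCidrIp or SourceCidrIp, Policy, Direction); the sample rules are constructed, and priority ordering between overlapping allow and drop rules is deliberately not modelled.

```python
"""Audit security group rules for Session Manager (added example, not Alibaba Cloud code)."""
import ipaddress

# Outbound rules an advanced security group needs for Session Manager (from the table above).
# Shape: (protocol, port, destination CIDR, purpose). Priority is not checked here.
REQUIRED_EGRESS = [
    ("tcp", 443, "100.100.0.0/16", "Cloud Assistant server"),
    ("tcp", 443, "100.0.0.0/8", "Cloud Assistant Agent package server"),
    ("udp", 53, "0.0.0.0/0", "DNS resolution"),
]

# Inbound ports that become unnecessary once only Session Manager is used.
LEGACY_INGRESS_PORTS = {22: "SSH", 3389: "RDP"}


def _port_covers(port_range: str, port: int) -> bool:
    """True if a 'low/high' range covers the port; '-1/-1' means all ports."""
    low, high = (int(p) for p in port_range.split("/"))
    return low == -1 or low <= port <= high


def _cidr_covers(rule_cidr: str, needed_cidr: str) -> bool:
    """True if the rule's CIDR is a superset of (or equal to) the needed CIDR."""
    try:
        rule_net = ipaddress.ip_network(rule_cidr, strict=False)
        needed_net = ipaddress.ip_network(needed_cidr, strict=False)
    except ValueError:
        return False
    if rule_net.version != needed_net.version:
        return False
    return needed_net.subnet_of(rule_net)


def _egress_rule_allows(rule: dict, proto: str, port: int, cidr: str) -> bool:
    """True if a single outbound accept rule permits proto/port to the whole needed CIDR."""
    if rule.get("Policy", "").lower() != "accept":
        return False
    if rule.get("IpProtocol", "").lower() not in (proto, "all"):
        return False
    if not _port_covers(rule.get("PortRange", "-1/-1"), port):
        return False
    return _cidr_covers(rule.get("DestCidrIp", ""), cidr)


def missing_egress_rules(rules: list) -> list:
    """Return a description of every required outbound rule that no accept rule satisfies."""
    egress = [r for r in rules if r.get("Direction", "").lower() == "egress"]
    missing = []
    for proto, port, cidr, purpose in REQUIRED_EGRESS:
        if not any(_egress_rule_allows(r, proto, port, cidr) for r in egress):
            missing.append(f"{proto.upper()} {port} to {cidr} ({purpose})")
    return missing


def exposed_legacy_ports(rules: list) -> list:
    """Return the names of inbound SSH/RDP ports still opened by an accept rule."""
    ingress = [r for r in rules if r.get("Direction", "").lower() == "ingress"]
    exposed = []
    for port, name in LEGACY_INGRESS_PORTS.items():
        if any(r.get("Policy", "").lower() == "accept"
               and r.get("IpProtocol", "").lower() in ("tcp", "all")
               and _port_covers(r.get("PortRange", "-1/-1"), port)
               for r in ingress):
            exposed.append(name)
    return exposed


# Constructed sample: one broad TCP 443 egress rule, DNS missing, SSH still open inbound.
SAMPLE_RULES = [
    {"Direction": "egress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "443/443", "DestCidrIp": "100.0.0.0/8"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print("missing outbound rules:", missing_egress_rules(SAMPLE_RULES))
    print("legacy inbound ports still open:", exposed_legacy_ports(SAMPLE_RULES))
```

Run the script against the rule list you fetch for the instance's security group; an empty result from missing_egress_rules means the agent can reach the Cloud Assistant server, and any name returned by exposed_legacy_ports is an inbound rule you can remove once Session Manager is the only access path.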

Resource Access Management (RAM) users have the required permissions on Session Manager

If a RAM user wants to use Session Manager to connect to an instance in the ECS console, the RAM user must be granted the following permissions based on the principle of least privilege:

  • ecs:StartTerminalSession: The permission to connect to an instance by using Session Manager. You can configure the Resource parameter to specify the ECS instances to which a RAM user can connect by using Session Manager.

  • ecs:DescribeCloudAssistantStatus: The permission to query whether Cloud Assistant Agent needs to be installed on an ECS instance. The system checks this permission before you connect to an instance in the ECS console.

  • ecs:DescribeUserBusinessBehavior: The permission to query whether Session Manager is enabled. The system checks this permission before you connect to an instance in the ECS console.

  • (Optional) ecs:ModifyCloudAssistantSettings: The permission to enable or disable Session Manager. If Session Manager is enabled for the current Alibaba Cloud account, you do not need to grant this permission.

Sample custom policy:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:StartTerminalSession",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeUserBusinessBehavior",
        "ecs:DescribeCloudAssistantStatus",
        "ecs:ModifyCloudAssistantSettings"
      ],
      "Resource": "*"
    }
  ]
}

For information about how to grant permissions to a RAM user, see Grant permissions to a RAM user.
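The sample policy above grants ecs:StartTerminalSession on every instance ("Resource": "*"). The following added example, not Alibaba Cloud's own code, builds a policy that scopes that action to named instances and includes a minimal evaluator so you can check what a policy actually permits before attaching it to a RAM user. It assumes the ECS instance ARN form acs:ecs:<region>:<account-id>:instance/<instance-id>; the account ID, region and instance IDs are placeholders, and the evaluator handles only Effect, Action and Resource with wildcards (no Condition elements), which is enough to reason about this policy.

```python
"""Least-privilege Session Manager policy with a simplified evaluator (added example)."""
import fnmatch
import json

ACCOUNT_ID = "123456789012345"   # placeholder account ID
REGION = "cn-hangzhou"           # placeholder region


def instance_arn(instance_id: str, region: str = REGION, account_id: str = ACCOUNT_ID) -> str:
    """Assumed ECS instance ARN form used in RAM policies."""
    return f"acs:ecs:{region}:{account_id}:instance/{instance_id}"


def build_session_policy(instance_ids: list, allow_toggle: bool = False) -> dict:
    """Policy that lets a RAM user open Session Manager sessions only on instance_ids.

    The two Describe* permissions stay on "*" because the console checks them before
    connecting; ecs:ModifyCloudAssistantSettings is only added when allow_toggle is set,
    matching the optional permission described above.
    """
    read_actions = ["ecs:DescribeUserBusinessBehavior", "ecs:DescribeCloudAssistantStatus"]
    if allow_toggle:
        read_actions.append("ecs:ModifyCloudAssistantSettings")
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow",
             "Action": "ecs:StartTerminalSession",
             "Resource": [instance_arn(i) for i in instance_ids]},
            {"Effect": "Allow", "Action": read_actions, "Resource": "*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(candidate: str, patterns) -> bool:
    # RAM action names are matched case-insensitively; wildcards follow '*' semantics.
    return any(fnmatch.fnmatchcase(candidate.lower(), p.lower()) for p in _as_list(patterns))


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified RAM evaluation: explicit Deny wins, any matching Allow grants, else deny."""
    decision = False
    for stmt in policy["Statement"]:
        if _matches(action, stmt["Action"]) and _matches(resource, stmt["Resource"]):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


if __name__ == "__main__":
    policy = build_session_policy(["i-placeholder01", "i-placeholder02"])
    print(json.dumps(policy, indent=2))
    print("session on allowed instance:",
          is_allowed(policy, "ecs:StartTerminalSession", instance_arn("i-placeholder01")))
    print("session on other instance:",
          is_allowed(policy, "ecs:StartTerminalSession", instance_arn("i-placeholder99")))
```

Printing the policy gives you the JSON to paste into a custom RAM policy; the evaluator calls show that a session can be opened only on the listed instances and that unrelated ECS actions, and the optional toggle permission when not requested, are denied by default.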

Procedure

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the upper-left part of the page, select the resource group and region in which the instance resides.

  4. On the Instance page, find the instance to which you want to connect and click Connect in the Actions column.

  5. Click Show Other Logon Method and check whether Session management turned on (full region) is displayed in the Session Manager section. If Session management turned off is displayed, turn on the switch.

    Important

    Before you enable Session Manager as a RAM user, make sure that the RAM user has the DescribeUserBusinessBehavior permission to view Session Manager configurations and the ModifyUserBusinessBehavior permission to enable or disable Session Manager. For more information about sample policies, see the Prerequisites section of this topic.

  6. Click Secret-free login.

    After the instance is connected, you are logged on as ecs-assist-user for a Linux instance or as the system user for a Windows instance. In this example, a Linux instance is used. The following figure shows logon to the Linux instance.

References

In addition to using Session Manager to connect to an instance in the ECS console, you can use the Session Manager CLI feature on your computer. For more information, see Connect to an instance by using the Session Manager CLI (ali-instance-cli).