You can use Session Manager to connect to an Elastic Compute Service (ECS) instance without the need for a password. Compared with SSH and Remote Desktop Protocol (RDP), Session Manager allows you to connect to instances in a more convenient and secure manner. This topic describes how to connect to an instance by using Session Manager in the ECS console.
Prerequisites
The ECS instance to which you want to connect is in the Running state
You can view the status of the instance on the Instance page in the ECS console.
For information about how to check the status of the instance, see View instance information.
Cloud Assistant Agent is installed on the instance
Session Manager is implemented based on Cloud Assistant. You need to install Cloud Assistant Agent on the instance. You can view the status of Cloud Assistant Agent on the ECS Cloud Assistant page in the ECS console.
Cloud Assistant Agent is pre-installed on ECS instances that are created from Alibaba Cloud public images on or after December 1, 2017. For ECS instances created before December 1, 2017, you must manually install Cloud Assistant Agent. For more information, see Install Cloud Assistant Agent.
For information about how to view the status of the Cloud Assistant Agent and handle anomalies, see View the status of Cloud Assistant and handle anomalies.
Network connectivity is provided by configuring a security group
When you use Session Manager to connect to an ECS instance, make sure that Cloud Assistant Agent running on the ECS instance is connected to the Cloud Assistant server by adding the following rules to an outbound security group:
Compared with connection methods, such as SSH and Remote Desktop Protocol (RDP), Cloud Assistant Agent actively establishes a WebSocket connection to the Session Manager server. You need to only open the outbound WebSocket port of the Cloud Assistant server in a security rule. For information about how Session Manager works, see the How Session Manager works section of this topic.
Important If you use basic security groups including the default security group, all outbound traffic is allowed. No additional configuration is required.
If you use an advanced security group, all outbound traffic is denied. You must configure the relevant rules. The following table describes the rules. For information about security groups, see Basic security groups and advanced security groups.
For information about how to add rules to a security group, see Add a security group rule.
Action | Priority | Protocol type | Port range | Authorization object | Description |
Allow | 1 | Custom TCP | 443 | 100.100.0.0/16
| This port is used to access the Cloud Assistant server. |
Allow | 1 | Custom TCP | 443 | 100.0.0.0/8
| This port is used to access the server on which the Cloud Assistant Agent installation package is stored when you want to install or update Cloud Assistant Agent. |
Allow | 1 | Custom UDP | 53 | 0.0.0.0/0
| This port is used to resolve domain names. |
If you want to connect to an instance by using only Session Manager, delete the inbound rules that allow the SSH port (default 22) and RDP port (default 3389) from a security group to improve the security of the ECS instance.
Resource Access Management (RAM) users have the required permissions on Session Manager
If a RAM user wants to use Session Manager to connect to an instance in the ECS console, the RAM user must be granted the following permissions based on the principle of least privilege:
ecs:StartTerminalSession: The permission to connect to an instance by using Session Manager. You can configure the Resource parameter to specify the ECS instances to which a RAM user can connect by using Session Manager.
ecs:DescribeCloudAssistantStatus: The permission to query whether Cloud Assistant Agent needs to be installed on an ECS instance. The system checks this permission before you connect to an instance in the ECS console.
ecs:DescribeUserBusinessBehavior: The permission to query whether Session Manager is enabled. The system checks this permission before you connect to an instance in the ECS console.
(Optional) ecs:ModifyCloudAssistantSettings: The permission to enable or disable Session Manager. If Session Manager is enabled for the current Alibaba Cloud account, you do not need to grant this permission.
Sample custom policy:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "ecs:StartTerminalSession",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ecs:DescribeUserBusinessBehavior",
"ecs:DescribeCloudAssistantStatus",
"ecs:ModifyCloudAssistantSettings"
],
"Resource": "*"
}
]
}
For information about how to grant permissions to a RAM user, see Grant permissions to a RAM user.
Procedure
Log on to the ECS console. In the left-side navigation pane, choose . In the upper-left part of the page, select the resource group and region in which the instance resides. On the Instance page, find the instance to which you want to connect and click Connect in the Actions column.
| 
|
Click Show Other Logon Method and check whether Session management turned on (full region) is displayed in the Session Manager section. If Session management turned off is displayed, turn on the button.
Important Before you enable Session Manager as a RAM user, make sure that the RAM user has the DescribeUserBusinessBehavior permission to view Session Manager configurations and the ModifyUserBusinessBehavior permission to enable or disable Session Manager. For more information about sample policies, see the Prerequisites section of this topic.
| 
|
Click Secret-free login. After the instance is connected, you are logged on as ecs-assist-user for a Linux instance or as the system user for a Windows instance. In this example, a Linux instance is used. The following figure shows logon to the Linux instance.
| 
|
