HACKER Q&A
📣 helsontaveras18

AWS CloudShell Equivalent?


My engineering team has created a suite of CLI tools that can create users, interact with APIs, modify data, etc. It’s basically a CLI interface on top of our business logic.

It became so useful for testing purposes that I started using it for day-to-day operations. When ops makes a request, I SSH into our production environment (running in a secure EC2 instance) and run the CLI.

We use Retool for internal tools, but it’s become way faster to iterate on this terminal than to iterate on a UI, write the APIs, and maintain both the Retool and terminal app.

I’d like to expose this terminal application behind our private company VPN to specific team members in a controlled way. Really what I want is AWS CloudShell, and I want it to only run that specific script.

Is there a way to do this using open source tools?

  👤 awsanswers Accepted Answer ✓
I'm not 100% sure of the ask but I think Teleport can do this sort of thing. https://goteleport.com/docs/

also -

AWS has AWS Systems Manager. Any system can run AWS SSM agent and SSM Documents define scripts that can be run on machines running SSM agent. On demand or scheduled, with some dynamic inputs etc.

👤 mtmail
Users can ssh but the server admin can limit which commands they're able to run by setting a different shell command, e.g. https://www.linuxshelltips.com/restrict-ssh-user-commands/

So you could instruct users to run "ssh me@cli-server.internal 'cli-command --param1 --param2'" without them having extra access to the server.

That said even in school it was a fun game trying to get around such limitations, e.g. trying to crash the script to get shell access.

👤 perpil
I'm also not quite sure about the ask, but if you want to have a runbook or documentation that authorizes specific GitHub users/teams/orgs, prompts them for inputs and builds the exact commands they need to run, optionally with scoped temporary AWS credentials, you might check out Speedrun. https://speedrun.nobackspacecrew.com