
EC2 Remote from Windows : ec2_connect.ps1 missing #6248

ojacques opened this issue Dec 16, 2024 · 21 comments
Labels
bug We can reproduce the issue and confirmed it is a bug. platform:windows service:ec2

Comments

@ojacques

Problem

When trying the new experimental feature to "connect to EC2 instance in a new Remote window" from Windows, the script ec2_connect.ps1 is missing.


Logs :

2024-12-16 13:36:48.386 [error] aws.ec2.openRemoteConnection: Error: Failed to update connect script [ConnectScriptUpdateFailed]
	 -> EntryNotFound (FileSystemError): Error: ENOENT: no such file or directory, open 'c:\Users\[redacted]\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.39.0\resources\ec2_connect.ps1' [FileNotFound]

Steps to reproduce the issue

  1. Start VSCode on Windows, with AWS Toolkit 3.39
  2. Enable experimental feature "ec2RemoteConnect"
  3. Browse to an EC2 in AWS Toolkit explorer
  4. Click the button "connect to EC2 instance in a new Remote window"
  5. The error is shown

Expected behavior

I should be able to open a new VSCode window, connected to this remote EC2 through SSM.

System details (run AWS: About and/or Amazon Q: About)

  • OS: Windows 11
  • Visual Studio Code version: 1.96.0
  • AWS Toolkit version: 3.39.0
  • Amazon Q version: NA
@ojacques ojacques added the bug We can reproduce the issue and confirmed it is a bug. label Dec 16, 2024
@justinmk3
Contributor

Connecting from Windows is not yet implemented. We plan to follow up on this.

@ojacques
Author

Connecting from Windows is not yet implemented. We plan to follow up on this.

Thanks! So I should not expect being able to connect from WSL on Windows to a remote EC2 either? The error is different, but I'm leaving it here:

Connecting to Dev Environment requires the Remote SSH extension ('ms-vscode-remote.remote-ssh' of version >=0.74.0) to be installed and enabled.

despite the Remote SSH extension being installed (v 0.116.0).

@justinmk3
Contributor

justinmk3 commented Dec 16, 2024

So I should not expect being able to connect from WSL on Windows to a remote EC2 either? The error is different, but I'm leaving it here:

If you started vscode from WSL and are running the WSL (Linux) version of vscode, it should work. If you are connecting to WSL from Windows, then that is a "remote" situation which isn't currently supported (it would require remote-ssh in the remote (WSL) vscode instance, plus AWS Toolkit would need to understand this and invoke vscode in the correct way, which currently is not supported).

despite the Remote SSH extension being installed (v 0.116.0).

Is it installed in the remote WSL environment (not your local desktop vscode code)?

@ojacques
Author

If you started vscode from WSL

Yes, from WSL, running code .

and are running the WSL (Linux) version of vscode, it should work.

Indeed, no. VSCode is installed on Windows, with the remote extension, which I understand is not supported at the moment.

Feel free to close this issue as this is unsupported for now.

@jpinkney-aws jpinkney-aws marked this as a duplicate of #6493 Feb 4, 2025
@guteksan

guteksan commented Feb 5, 2025

Connecting from Windows is not yet implemented. We plan to follow up on this.

Ok. Are there any plans to implement it? Is there much more work to be done apart from translating the bash version of the 'ec2_connect' script to powershell?

@justinmk3
Contributor

Is there much more work to be done apart from translating the bash version of the 'ec2_connect' script to powershell?

That's pretty much it :) Patch welcome!

@guteksan

Is there much more work to be done apart from translating the bash version of the 'ec2_connect' script to powershell?

That's pretty much it :) Patch welcome!

I think there might be little more to it than that. I translated the shell script to ps1 using copilot, but that's not enough, and having little experience with this toolkit, I can't quickly fix it. Pretty please, provide a fix, if that's not a big problem on your side.

@nathanlisabio

@guteksan if it's not too much effort, can you drop what you have thus far? gonna give this a shot later

@jmikedupont2

here is the ai generated version i am working on testing

#Requires -Version 5.1

# Usage:
#   When connecting to a dev environment
#   $env:AWS_REGION="…"; $env:AWS_SSM_CLI="…"; $env:SESSION_ID="…"; $env:STREAM_URL="…"; $env:TOKEN="…"; $env:LOG_FILE_LOCATION="…"; $env:DEBUG_LOG="…"; .\ec2_connect.ps1

# Exit on errors
$ErrorActionPreference = "Stop"

# Date command equivalent
function Get-DateString {
    return Get-Date -Format "yyyy/MM/dd HH:mm:ss"
}

function Write-Log {
    param (
        [Parameter(Mandatory=$true)]
        [string]$Message
    )
    "$(Get-DateString) $Message" | Out-File -FilePath $env:LOG_FILE_LOCATION -Append
}

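# Validate a required value without writing the value to the log.
# Used for secrets (STREAM_URL, TOKEN); only the name is logged on failure.
function Test-RequiredNoLog {
    param (
        [string]$Name,
        [string]$Value
    )
    if ([string]::IsNullOrEmpty($Name) -or [string]::IsNullOrEmpty($Value)) {
        Write-Log "error: missing required arg: $Name"
        exit 1
    }
}

# Validate a required value and record "name=value" in the log.
# Only call this for values that are safe to log.
function Test-Required {
    param (
        [string]$Name,
        [string]$Value
    )
    Test-RequiredNoLog -Name $Name -Value $Value
    Write-Log "$Name=$Value"
}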

function Start-EC2Session {
    param (
        [string]$AWSSSMCLI,
        [string]$AWSRegion,
        [string]$StreamURL,
        [string]$Token,
        [string]$SessionID
    )
    
    $jsonPayload = @{
        streamUrl = $StreamURL
        tokenValue = $Token
        sessionId = $SessionID
    } | ConvertTo-Json -Compress
    
    # Execute the SSM CLI command
    & $AWSSSMCLI $jsonPayload $AWSRegion "StartSession"
}

function Main {
    Write-Log "=============================================================================="
    
    Test-Required -Name "DEBUG_LOG" -Value $env:DEBUG_LOG
    Test-Required -Name "AWS_REGION" -Value $env:AWS_REGION
    
    Test-Required -Name "SESSION_ID" -Value $env:SESSION_ID
    Test-RequiredNoLog -Name "STREAM_URL" -Value $env:STREAM_URL
    Test-RequiredNoLog -Name "TOKEN" -Value $env:TOKEN

    # Only log file paths when debug level is enabled
    if ([int]$env:DEBUG_LOG -eq 1) {
        Test-Required -Name "AWS_SSM_CLI" -Value $env:AWS_SSM_CLI
        Test-Required -Name "LOG_FILE_LOCATION" -Value $env:LOG_FILE_LOCATION
    }
    else {
        Test-RequiredNoLog -Name "AWS_SSM_CLI" -Value $env:AWS_SSM_CLI
        Test-RequiredNoLog -Name "LOG_FILE_LOCATION" -Value $env:LOG_FILE_LOCATION
    }

    Start-EC2Session -AWSSSMCLI $env:AWS_SSM_CLI `
                    -AWSRegion $env:AWS_REGION `
                    -StreamURL $env:STREAM_URL `
                    -Token $env:TOKEN `
                    -SessionID $env:SESSION_ID
}

# Execute main function
Main

@nathanlisabio

nathanlisabio commented Mar 7, 2025

some updates:

  1. just by using the above script (small modification to the input args), was able to get the terminal button to connect successfully
  2. however, using the connect using vscode method got me to a brand new error. If anyone has any hints, please drop:

2025-03-06 21:58:23.729 [error] aws.ec2.openRemoteConnection: Error: Unable to connect to target instance {the instance id redacted} on region us-east-1. Testing SSM connection to instance failed: Connection closed by UNKNOWN port 65535 [EC2SSMTestConnect]
2025-03-06 22:00:56.941 [info] telemetry: sent batch (size=19)

@justinmk3
Contributor

Testing SSM connection to instance failed: Connection closed by UNKNOWN port 65535 [EC2SSMTestConnect]

Before connecting, AWS Toolkit tries a test command to ensure that things will actually work:

const process = new ProcessClass(sshPath, ['-T', `${user}@${hostname}`, 'echo "test connection succeeded" && exit'])

That is failing from a Connection closed by UNKNOWN port 65535 error, which seems like a network or permissions issue.

@georgerouse

I would also be interested in seeing a working Windows solution.

@nathanlisabio

nathanlisabio commented Mar 18, 2025

updates:

  1. got connect via vscode to work (with caveats)

    • only works if target is ubuntu
    • does not seem to work if the OS is Amazon Linux (2025-03-18 01:29:48.370 [error] aws.ec2.openRemoteConnection: Error: Unrecognized OS name Amazon Linux AMI on instance i-0890259255f2712c1 [UnknownEc2OS] )
      • the connect via terminal does not have this issue
    • seems to have another failure connect condition, unsure about this one tho:
      • 2025-03-18 01:42:59.750 [warning] ec2: failed to clean keys: 'Error: Failed in sending command to target i-0e190c5ec1e3c650c\n' + '\t -> Error: {"state":"FAILURE","reason":{"$metadata":{"httpStatusCode":200,"requestId":"20d8db59-60ef-4154-8e28-40e3b8e1bec5","attempts":1,"totalRetryDelay":0},"CloudWatchOutputConfig":{"CloudWatchLogGroupName":"","CloudWatchOutputEnabled":false},"CommandId":"7f86a4b0-b395-40d7-b0d7-340096b4fe65","Comment":"","DocumentName":"AWS-RunShellScript","DocumentVersion":"$DEFAULT","ExecutionElapsedTime":"PT0.004S","ExecutionEndDateTime":"2025-03-18T05:42:54.732Z","ExecutionStartDateTime":"2025-03-18T05:42:54.732Z","InstanceId":"i-0e190c5ec1e3c650c","PluginName":"aws:runShellScript","ResponseCode":1,"StandardErrorContent":"","StandardErrorUrl":"","StandardOutputContent":"","StandardOutputUrl":"","Status":"Failed","StatusDetails":"Failed"},"observedResponses":{"400: UnknownError":1,"200: OK":1}}'
        2025-03-18 01:43:05.175 [error] aws.ec2.openRemoteConnection: Error: Failed in sending command to target i-0e190c5ec1e3c650c -> Error: {"state":"FAILURE","reason":{"$metadata":{"httpStatusCode":200,"requestId":"564bfa05-8b95-4785-a444-781de4f48a3f","attempts":1,"totalRetryDelay":0},"CloudWatchOutputConfig":{"CloudWatchLogGroupName":"","CloudWatchOutputEnabled":false},"CommandId":"85f11865-f926-4e34-9d4a-63fcdbeaaab5","Comment":"","DocumentName":"AWS-RunShellScript","DocumentVersion":"$DEFAULT","ExecutionElapsedTime":"PT0S","ExecutionEndDateTime":"2025-03-18T05:43:00.136Z","ExecutionStartDateTime":"2025-03-18T05:43:00.136Z","InstanceId":"i-0e190c5ec1e3c650c","PluginName":"aws:runShellScript","ResponseCode":1,"StandardErrorContent":"","StandardErrorUrl":"","StandardOutputContent":"","StandardOutputUrl":"","Status":"Failed","StatusDetails":"Failed"},"observedResponses":{"400: UnknownError":1,"200: OK":1}}
        2025-03-18 01:43:09.860 [info] telemetry: sent batch (size=9)
      • connect via terminal does not encounter this issue
  2. powershell.exe (the default come-with pwsh) does not pass the testSshConnection function, causing the unknown port issue mentioned earlier. By changing it to pwsh (v7.5.0), it just worked... (sshConfig.ts). I'm unsure which direction to go to debug why v5.1 encounters this issue

    • this is an issue bc pwsh7 would require external installation dependencies
  3. during testing, encountered other issues that are not related to this issue

    • when changing aws connections/accounts, the explorer is unable to refresh its contents. I needed to close the debugging session and re-open to refresh the contents

#6802

@georgerouse

Thanks @nathanlisabio, I've made the local changes to add in the new file (packages/core/resources/ec2_connect.ps1) but where do I need to make the packages/core/src/shared/sshConfig.ts changes locally?

@nathanlisabio

if you're asking about the location/path to change the sshConfig.ts on your locally installed vsCode to get this working on your aws toolkit extension.. i don't know.

what i've been doing is running debug mode via vsCode on the aws toolkit project, which installs the extension using my local repo into a spawned vsCode.

the exact changes i applied are basically what's shown in the draft PR (changing from powershell.exe to pwsh)
@georgerouse

@nathanlisabio

nathanlisabio commented Mar 18, 2025

additional debugging for pwsh v5:

  • added -vvv to const process = new ProcessClass(sshPath, ['-T', '-vvv', `${user}@${hostname}`, 'echo "test connection succeeded" && exit']) to get more info:
    • 2025-03-18 11:33:44.252 [error] aws.ec2.openRemoteConnection: Error: Unable to connect to target instance i-0df73531fe3a6d689 on region us-east-1. Testing SSM connection to instance failed: OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2
      debug1: Reading configuration data C:\\Users\\nathan/.ssh/config
      debug1: C:\\Users\\nathan/.ssh/config line 204: Applying options for aws-ec2-*
      debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
      debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> 'C:\\Users\\nathan/.ssh/known_hosts'
      debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> 'C:\\Users\\nathan/.ssh/known_hosts2'
      debug1: Executing proxy command: exec "C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -ExecutionPolicy RemoteSigned -File "c:\\Users\\nathan\\AppData\\Roaming\\Code\\User\\globalStorage\\amazonwebservices.aws-toolkit-vscode\\ec2_connect.ps1" aws-ec2-i-0df73531fe3a6d689
      debug3: spawning "C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -ExecutionPolicy RemoteSigned -File "c:\\Users\\nathan\\AppData\\Roaming\\Code\\User\\globalStorage\\amazonwebservices.aws-toolkit-vscode\\ec2_connect.ps1" aws-ec2-i-0df73531fe3a6d689 as subprocess
      debug3: w32_getpeername ERROR: not sock :2
      debug1: identity file c:\\Users\\nathan\\AppData\\Roaming\\Code\\User\\globalStorage\\amazonwebservices.aws-toolkit-vscode\\aws-ec2-key type 3
      debug3: Failed to open file:c:/Users/nathan/AppData/Roaming/Code/User/globalStorage/amazonwebservices.aws-toolkit-vscode/aws-ec2-key-cert error:2
      debug3: Failed to open file:c:/Users/nathan/AppData/Roaming/Code/User/globalStorage/amazonwebservices.aws-toolkit-vscode/aws-ec2-key-cert.pub error:2
      debug3: failed to open file:c:/Users/nathan/AppData/Roaming/Code/User/globalStorage/amazonwebservices.aws-toolkit-vscode/aws-ec2-key-cert error:2
      debug1: identity file c:\\Users\\nathan\\AppData\\Roaming\\Code\\User\\globalStorage\\amazonwebservices.aws-toolkit-vscode\\aws-ec2-key-cert type -1
      debug1: Local version string SSH-2.0-OpenSSH_for_Windows_9.5
      debug1: kex_exchange_identification: banner line 0: Cannot perform start session: invalid character 's' looking for beginning of object key string
      kex_exchange_identification: Connection closed by remote host
      Connection closed by UNKNOWN port 65535 [EC2SSMTestConnect]
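
The banner `invalid character 's' looking for beginning of object key string` in the trace above is what a JSON parser reports when an object key arrives without its opening quote, which matches Windows PowerShell 5.1 dropping the embedded double quotes of a JSON argument passed to a native executable (PowerShell 7.3 and later preserve them by default). The following is an added example, not code from this thread or from AWS Toolkit, and that diagnosis is an assumption rather than something confirmed on this page. `ConvertTo-NativeJsonArgument` is a hypothetical helper name and the payload values are constructed.

```powershell
#Requires -Version 5.1
# Added example: keep a JSON argument intact when handing it to a native
# executable from Windows PowerShell 5.1 or PowerShell 7.
# ConvertTo-NativeJsonArgument is a hypothetical helper name.

function ConvertTo-NativeJsonArgument {
    param (
        [Parameter(Mandatory = $true)]
        [string]$Json
    )
    # PowerShell 7.3+ defines $PSNativeCommandArgumentPassing. In 'Windows' or
    # 'Standard' mode, embedded double quotes reach an .exe unchanged.
    $mode = Get-Variable -Name PSNativeCommandArgumentPassing -ValueOnly -ErrorAction SilentlyContinue
    if ($null -ne $mode -and "$mode" -ne 'Legacy') {
        return $Json
    }
    # Legacy passing (5.1, 7.0-7.2): PowerShell does not escape embedded quotes,
    # so the child's command-line parser strips them. Escape each quote as \"
    # and double any backslashes directly in front of it, following the
    # Windows C runtime argument-parsing rules.
    return ($Json -replace '(\\*)"', '$1$1\"')
}

# Constructed sample values, same payload shape as Start-EC2Session in the
# script posted earlier in this thread.
$payload = [ordered]@{
    streamUrl  = 'wss://example.invalid/stream'
    tokenValue = 'CONSTRUCTED-TOKEN'
    sessionId  = 'constructed-session-id'
} | ConvertTo-Json -Compress

$nativeArg = ConvertTo-NativeJsonArgument -Json $payload

# Offline round-trip check (no external program is called). The sample has no
# backslashes, so undoing the escaping is a single replace.
$restored = $nativeArg -replace '\\"', '"'
$parsed = $restored | ConvertFrom-Json
if ($parsed.sessionId -ne 'constructed-session-id') {
    throw 'payload did not survive escaping'
}

# In the script, the call would then become:
#   & $AWSSSMCLI (ConvertTo-NativeJsonArgument -Json $jsonPayload) $AWSRegion "StartSession"
```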

@georgerouse

georgerouse commented Mar 18, 2025

@nathanlisabio Thanks for the info, I managed to track it down and change the file locally and also have it working!
I had to edit the contents of .vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.50.0\dist\src\extensionNode.js to replace three occurrences of powershell.exe with pwsh

@justinmk3
Contributor

We're certainly open to changing

const result = await new ChildProcess('powershell.exe', ['-Command', script], options).run({
if that's the code you are referring to. Or could update that function to try both powershell.exe and pwsh, and use the first one that succeeds.

@georgerouse

@justinmk3 If this change can be added that would be great!

@nathanlisabio

nathanlisabio commented Apr 1, 2025

We're certainly open to changing

aws-toolkit-vscode/packages/core/src/shared/extensions/ssh.ts

Line 72 in 1d79df7
const result = await new ChildProcess('powershell.exe', ['-Command', script], options).run({
if that's the code you are referring to. Or could update that function to try both powershell.exe and pwsh, and use the first one that succeeds.

@justinmk3
I double checked this file, the use of powershell.exe here is restricted to internal processes (the ssh-agent), so it actually doesn't matter whether it's the windows powershell or pwsh core. Only the portions that were directly related to ssm seemed to benefit from using pwsh core.

@nathanlisabio

updates on not being able to work with amazon-linux here: #6802 (comment)
