
AWS - SSM workflow

In restricted environments, direct access to AWS services or private VPC endpoints is often not possible. For example, developers need access to private services, such as a private EKS endpoint, but are not allowed to connect to them directly.

The standard workaround is to route traffic through an EC2 instance that acts as a proxy. AWS Systems Manager (SSM) Session Manager supports port forwarding, which makes this possible without requiring SSH keys or VPNs.

However, managing these SSM sessions manually is cumbersome:

  • CI jobs must open/close sessions on their own.
  • Port conflicts can occur if multiple tunnels are opened.
  • Cleanup on job termination is unreliable without automation.

It would be great if the aws-auth-provider managed this. We could create an endpoint that creates the SSM session and returns the URL.