> ## Documentation Index
> Fetch the complete documentation index at: https://hoopdev-fix-add-missing-mechanic-for-session-download-button.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# AWS SSM

> AWS SSM script permits managing EC2 instances using AWS SSM via Hoop

export const ConnectionTemplate = ({config}) => {
  const defaultConfig = {
    name: "Connection",
    description: "Connection description",
    features: {
      tlsTerminationProxy: {
        native: false,
        oneOff: false
      },
      audit: {
        native: false,
        oneOff: false
      },
      dataMaskingGoogleDLP: {
        native: false,
        oneOff: false
      },
      dataMaskingMSPresidio: {
        native: false,
        oneOff: false
      },
      guardrails: {
        native: false,
        oneOff: false
      },
      credentialsOffload: {
        native: false,
        oneOff: false
      },
      interactiveAccess: {
        native: false,
        oneOff: false
      }
    }
  };
  const finalConfig = Object.assign({}, defaultConfig, config);
  const renderIcon = enabled => {
    return enabled ? <Icon icon="check" /> : <Icon icon="xmark" />;
  };
  return <div>
      <h2>Before you start</h2>
      <p>To get the most out of this guide, you will need to:</p>
      <ul>
        <li>Either <a href="https://use.hoop.dev">create an account in our managed instance</a> or <a href="/getting-started/installation/overview">deploy your own hoop.dev instance</a></li>
        <li>You must be your account administrator to perform the following commands</li>
      </ul>

      {finalConfig.requirements && <>
          <h2>Requirements</h2>
          <p>{finalConfig.requirements.description}</p>
          {finalConfig.requirements.items && <ul>
            {finalConfig.requirements.items.map(item => <li>{item}</li>)}
          </ul>}
        </>}

      <h2>Features</h2>
      <p>The table below outlines the features available for this type of connection.</p>
      
      <ul>
        <li><strong>Native</strong> - Indicates the connectivity happens through the Hoop command line  (<code>hoop connect &lt;connection-name&gt;</code>) or acessing the protocol port directly on the gateway.</li>
        <li><strong>One Off</strong> - This term refers to accessing the resource from Hoop Web Console.</li>
      </ul>

      <table>
        <thead>
          <tr>
            <th>Feature</th>
            <th>Native</th>
            <th>One Off</th>
            <th>Description</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td>TLS Termination Proxy</td>
            <td>{renderIcon(finalConfig.features?.tlsTerminationProxy?.native)}</td>
            <td>{renderIcon(finalConfig.features?.tlsTerminationProxy?.oneOff)}</td>
            <td>The local proxy terminates the connection with TLS, enabling the connection with the remote server to be TLS encrypted.</td>
          </tr>
          <tr>
            <td>Audit</td>
            <td>{renderIcon(finalConfig.features?.audit?.native)}</td>
            <td>{renderIcon(finalConfig.features?.audit?.oneOff)}</td>
            <td>The gateway stores and audits the queries being issued by the client.</td>
          </tr>
          <tr>
            <td>Data Masking (Google DLP)</td>
            <td>{renderIcon(finalConfig.features?.dataMaskingGoogleDLP?.native)}</td>
            <td>{renderIcon(finalConfig.features?.dataMaskingGoogleDLP?.oneOff)}</td>
            <td>A policy can be enabled to mask sensitive fields dynamically when performing queries in the database.</td>
          </tr>
          <tr>
            <td>Data Masking (MS Presidio)</td>
            <td>{renderIcon(finalConfig.features?.dataMaskingMSPresidio?.native)}</td>
            <td>{renderIcon(finalConfig.features?.dataMaskingMSPresidio?.oneOff)}</td>
            <td>A policy can be enabled to mask sensitive fields dynamically when performing queries in the database.</td>
          </tr>
          <tr>
            <td>Guardrails</td>
            <td>{renderIcon(finalConfig.features?.guardrails?.native)}</td>
            <td>{renderIcon(finalConfig.features?.guardrails?.oneOff)}</td>
            <td>An intelligent layer of protection with smart access controls and monitoring mechanisms.</td>
          </tr>
          <tr>
            <td>Credentials Offload</td>
            <td>{renderIcon(finalConfig.features?.credentialsOffload?.native)}</td>
            <td>{renderIcon(finalConfig.features?.credentialsOffload?.oneOff)}</td>
            <td>The user authenticates via SSO instead of using database credentials.</td>
          </tr>
          <tr>
            <td>Interactive Access</td>
            <td>{renderIcon(finalConfig.features?.interactiveAccess?.native)}</td>
            <td>{renderIcon(finalConfig.features?.interactiveAccess?.oneOff)}</td>
            <td>Interactive access is available when using an IDE or connecting via a terminal to perform analysis exploration.</td>
          </tr>
        </tbody>
      </table>

      {finalConfig.resourceConfiguration?.credentials && <>
      <h2>Configuration</h2>
      <table>
        <thead>
          <tr>
            <th>Name</th>
            <th>Type</th>
            <th>Required</th>
            <th>Description</th>
          </tr>
        </thead>
        <tbody>
          {Object.entries(finalConfig.resourceConfiguration.credentials).map(([key, credential]) => {
    if (typeof credential === 'string' || credential.hidden) return null;
    return <tr key={key}>
                <td>{credential.name}</td>
                <td>{credential.type}</td>
                <td>{credential.required ? 'yes' : 'no'}</td>
                <td>
                  {credential.description?.split(/(\[[^\]]+\]\([^)]+\))/).map((part, index) => {
      const linkMatch = part.match(/\[([^\]]+)\]\(([^)]+)\)/);
      if (linkMatch) {
        return <a key={index} href={linkMatch[2]} target="_blank" rel="noopener noreferrer">{linkMatch[1]}</a>;
      }
      return part;
    })}
                </td>
              </tr>;
  }).filter(Boolean)}
        </tbody>
      </table>
      </>}
    </div>;
};

<ConnectionTemplate
  config={{
"id": "aws-ssm-script",
"name": "AWS SSM",
"description": "AWS SSM script permits managing EC2 instances using AWS SSM via Hoop",
"category": "cloud-services",
"icon-name": "aws",
"tags": [
"aws"
],
"overview": {
"description": "AWS SSM script permits executing ad-hoc commands or creating interactive sessions with any EC2 instance in your AWS account."
},
"setupGuide": {
"accessMethods": {
  "webapp": true,
  "cli": true,
  "runbooks": true
}
},
"resourceConfiguration": {
"credentials": [
  {
    "type": "env-var",
    "required": false,
    "name": "AWS_ACCESS_KEY_ID",
    "description": "The AWS access key id value",
    "placeholder": "AKIAIOSFODNN7EXAMPLE"
  },
  {
    "type": "env-var",
    "required": false,
    "name": "AWS_SECRET_ACCESS_KEY",
    "description": "The AWS secret access key value"
  },
  {
    "type": "env-var",
    "required": false,
    "name": "AWS_REGION",
    "description": "The AWS region to issue commands",
    "placeholder": "us-east-1"
  },
  {
    "type": "env-var",
    "required": false,
    "name": "PIPE_EXEC",
    "description": "The runtime command to be executed when running ad-hoc commands via Web Console. It defaults to /bin/bash",
    "placeholder": "/bin/bash"
  },
  {
    "type": "env-var",
    "required": false,
    "name": "INSTANCE_ID",
    "description": "The EC2 instance id to use when starting an interactive shell session. Add this value if you want to prevent users from specifying which instance to connect to.",
    "placeholder": "i-0d1a333276d48ec0d"
  }
],
"type": "custom",
"subtype": "aws-ssm",
"command": [
  "aws-ssm.sh"
]
},
"features": {
"tlsTerminationProxy": {
  "native": true,
  "oneOff": true
},
"audit": {
  "native": true,
  "oneOff": true
},
"dataMaskingGoogleDLP": {
  "native": true,
  "oneOff": true
},
"dataMaskingMSPresidio": {
  "native": true,
  "oneOff": true
},
"guardrails": {
  "native": false,
  "oneOff": true
},
"credentialsOffload": {
  "native": true,
  "oneOff": true
},
"interactiveAccess": {
  "native": true,
  "oneOff": true
}
},
"documentationConfig": {
"path": "quickstart/cloud-services/aws/aws-ssm"
}
}}
/>

### Credentials Setup

This connection can use AWS credentials which could be loaded
from EC2 instance roles or environment variables provided directly in the connection.

Make sure to add the following IAM permissions to the user or role that will be used
to connect to EC2 instances via SSM:

* ssm:StartSession \* ssm:SendCommand \* ssm:ListCommandInvocations \* ssm:GetCommandInvocation \* ssm:DescribeSessions \* ssm:TerminateSession

### Command Line Usage Examples

* **Start interactive session with a specific instance:**

```bash theme={null}
  hoop connect aws-ssm -e INSTANCE_ID=i-0d1a333276d48ec0d
```

<Tip>
  If you don't want users to specify the instance id when starting an interactive session,
  you can set the \`INSTANCE\_ID\` environment variable in the connection credentials.
</Tip>

* **Execute ad-hoc commands on a specific instance:**

If `PIPE_EXEC` is set to `/bin/bash` (default), you can run:

```bash theme={null}
  hoop exec aws-ssm <<EOF
  # instance-id=i-0d1a333276d48ec0d
  ls -l
  EOF
```

If `PIPE_EXEC` is set to `python`, you can run:

```bash theme={null}
  hoop exec aws-ssm <<EOF
  # instance-id=i-0d1a333276d48ec0d
  import os
  print('Hello From Python!')
  EOF
```
