Skip to main content

Terminal access to EKS managed nodes


AWS System Session Manager is used to configure and manage a terminal access to EKS worker nodes.

All EKS clusters are created with needed permissions for AWS System Session Manager to start sessions to the worker nodes.

On the AWS Console, Services -> AWS System Manager -> Quick Setup for Host Management is configured to detect the live EKS cluster worker nodes(default & monitoring) by tag Cluster with value live.


  • AWS Console access
  • Session Manager plugin (if using AWS Cli). To install Session Manager plugin on macOS,

    brew install --cask session-manager-plugin

Steps to get terminal access via Console

  • Get the Instance Name of the node you want to login using kubectl

    kubectl get nodes
  • Login to AWS Console, Services -> EC2 and search by giving the Instance Name

  • Select the instance and then click Connect

  • Select the Connection method -> Session Manager

Steps to get terminal access via AWS cli

  • Get the Instance ID of the node you want to login using kubectl

    # To get the list of nodes and their names
    kubectl get nodes
    # To get the node ID of the node for given node name
    kubectl describe node <node name you want to shell into> | grep 'ProviderID' | awk -F '/' '{print $NF}'`
  • Start the session with cli command

    aws ssm start-session --target <Instance ID>

Access via SSH /SCP

It can be more convenient to access the nodes using the standard ssh client, esp when copying files.

To set up, add the following in ~/.ssh/config:

Host i-*
  User ssm-user
  ProxyCommand bash -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

Connect and append your ~/.ssh/ key to the /home/ssm-user/.ssh/authorized_keys file on the node.

Now you can ssh i-0abcdef or scp 1-0abcdef:file

This page was last reviewed on 16 January 2024. It needs to be reviewed again on 16 July 2024 by the page owner #cloud-platform .
This page was set to be reviewed before 16 July 2024 by the page owner #cloud-platform. This might mean the content is out of date.