Console access with SSH / SSM

RunsOn provides SSM access to the runners, as well as optional SSH access. This means you can easily troubleshoot any issue with one of your GitHub Action workflows by directly accessing the runner’s instance.

SSM access availability

The SSM agent is always enabled on official images. You can connect using the AWS console, the AWS CLI, or the RunsOn CLI.

You must ensure that your AWS profile has the necessary permissions to access the SSM service.

Connecting using the AWS CLI

# AWS CLI
aws ssm start-session --target <RUNNER_INSTANCE_ID>

Connecting using the RunsOn CLI

# RunsOn CLI
roc connect <JOB_URL>

SSH access availability

By default, SSH access is enabled for runners, to allow easy troubleshoot should the need arises. You can disable it globally in the CloudFormation stack configuration, or per job in the job labels.

job: Test
  runs-on: runs-on=${{ github.run_id }}/runner=2cpu-linux-x64/ssh=false

SSH access instructions will be displayed into your workflow logs, under the “Set up job” section:

Restricting SSH access to a specific network

By default SSH access will be available from anywhere (0.0.0.0/0).
SSH access can be filtered to a specific network CIDR range, e.g. your company VPN.
You can also disable SSH access globally in the CloudFormation stack configuration.

Allowed SSH users

By default, the first 10 collaborators on the repository with push permission will have their public SSH keys (as declared in their GitHub settings) added to the runner.

For repositories with a higher number of collaborators, or to avoid having too many SSH keys populated on the runner, you might want to specify the list of admins yourself, in the RunsOn configuration file of the repository.

This configuration settings takes a list of GitHub usernames, whose SSH public keys will be added to the runner.

admins:
  - crohr
  - other-github-user