Invoke StartTerminalSession to create a session based on the Session Manager feature. You can establish a WebSocket session with an ECS instance by specifying its instance ID. Use the WebSocketUrl returned by the API to remotely connect to the ECS instance.
Operation description
API Guide
When you customize a remote connection client through code, you can invoke this API to obtain the WebSocketUrl for remotely connecting to an ECS instance. Note the following when invoking this API:
The specified ECS instance must be in the running state.
- The specified ECS instance must have the Cloud Assistant Agent installed. You can invoke DescribeCloudAssistantStatus to check whether the Cloud Assistant Agent is installed on the ECS instance and to query its version number.
If the Cloud Assistant Agent is not installed on your ECS instance, invoke InstallCloudAssistant to install it.
- The Cloud Assistant Agent version must be higher than the following versions to support the Session Manager feature. To upgrade the Cloud Assistant Agent version, see Upgrade or disable automatic upgrade of Cloud Assistant Agent.
Linux operating system: 2.2.3.256
Windows operating system: 2.1.3.256
After successful invocation of this API, the WebSocketUrl remains valid for 10 minutes.
If no data transmission occurs within 3 minutes after the session is established, Cloud Assistant shuts down the connection.
Within the same Region, the number of created and active sessions cannot exceed 1,000. The number of sessions in Connection Status per ECS instance cannot exceed 20. The bandwidth limit for a single session is 200 kb/s.
The port forwarding feature currently supports TCP port forwarding only and does not support UDP.
To permanently close a session and invalidate the WebSocketUrl, invoke the EndTerminalSession API.
Try it now
Test
RAM authorization
|
Action |
Access level |
Resource type |
Condition key |
Dependent action |
|
ecs:StartTerminalSession |
update |
*Instance
|
None | None |
Request parameters
|
Parameter |
Type |
Required |
Description |
Example |
| RegionId |
string |
Yes |
The region ID. You can call the DescribeRegions operation to query the most recent region list. |
cn-hangzhou |
| RegionId |
string |
Yes |
The region ID. You can call the DescribeRegions operation to query the most recent region list. |
cn-hangzhou |
| InstanceId |
array |
Yes |
The instance IDs. |
|
|
string |
No |
The ID of instance N. You can specify up to 10 instance IDs in a single request. Valid values of N: 1 to 10. |
i-bp1eifrtpxa9tb**** |
|
| PortNumber |
integer |
No |
The port number of the ECS instance. The port is used to forward data. After this parameter is configured, Cloud Assistant Agent forwards data to the specified port. For example, you can set this parameter to 22 for data forwarding over SSH. This parameter is empty by default, which indicates that no port is configured to forward data. |
22 |
| CommandLine |
string |
No |
The command to run after the session is initiated. The command length cannot exceed 512 characters. Note
If you specify the |
ssh root@192.168.0.246 |
| TargetServer |
string |
No |
The IP address of the instance. You can use the IP address to access the destination service in a virtual private cloud (VPC). Note
If this parameter is not empty, |
192.168.0.246 |
| Username |
string |
No |
The username used for connection establishment. |
testUser |
| ConnectionType |
string |
No |
The network type of the WebSocket URL required to connect to the instance. Valid values:
|
Intranet |
| PasswordName |
string |
No |
The password name of the user when using Session Manager on a Windows instance. The length cannot exceed 255 characters. |
axtSecretPassword |
| ClientToken |
string |
No |
Ensures the idempotence of the request. Generate a unique parameter value from your client to guarantee uniqueness across different requests. ClientToken supports only ASCII characters and must not exceed 64 characters. For more information, see How to ensure idempotence. |
123e4567-e89b-12d3-a456-426655440000 |
| EncryptionOptions |
object |
No |
Session encryption configuration items. |
|
| Enabled |
boolean |
No |
Enable end-to-end encryption for the session connection. |
true |
| KMSKeyId |
string |
No |
KMS key ID.
|
xxx |
| Mode |
string |
No |
Encryption mode. Valid values:
Notes:
|
Auto |
Response elements
|
Element |
Type |
Description |
Example |
|
object |
|||
| RequestId |
string |
The request ID. |
EB5173B0-8E80-564E-AAD1-3135412***** |
| SessionId |
string |
The session ID. |
s-hz023od0x9**** |
| SecurityToken |
string |
The security token included in the WebSocket request header. The system uses this token to authenticate the request. |
d86c2df2-d19c-4bd8-b817-a19ef123**** |
| WebSocketUrl |
string |
The URL of the WebSocket session that is used to connect to the instance. The URL includes the session ID ( |
wss://cn-hangzhou.axt.aliyuncs.com/session?sessionId=s-hz023od0x9****&token=d86c2df2-d19c-4bd8-b817-a19ef123**** |
Examples
Success response
JSON format
{
"RequestId": "EB5173B0-8E80-564E-AAD1-3135412*****",
"SessionId": "s-hz023od0x9****",
"SecurityToken": "d86c2df2-d19c-4bd8-b817-a19ef123****",
"WebSocketUrl": "wss://cn-hangzhou.axt.aliyuncs.com/session?sessionId=s-hz023od0x9****&token=d86c2df2-d19c-4bd8-b817-a19ef123****"
}
Error codes
|
HTTP status code |
Error code |
Error message |
Description |
|---|---|---|---|
| 400 | RegionId.ApiNotSupported | The api is not supported in this region. | The API operation cannot be called in the specified region. Check whether the specified RegionId parameter is valid. |
| 400 | PortNumber.Invalid | The port number is invalid. | |
| 400 | InvalidParameter.ConnectionType | The specified parameter ConnectionType is not valid. | The specified parameter ConnectionType is illegal. |
| 400 | InvalidClientToken.Malformed | The specified parameter clientToken is not valid. | |
| 500 | InternalError.Dispatch | An error occurred when you dispatched the request. | An error occurred while the request is being sent. Try again later. |
| 403 | InstanceIds.ExceedLimit | The number of instance IDs exceeds the upper limit. | The number of specified instance IDs exceeds the upper limit. |
| 403 | SessionCount.ExceedLimit | The number of sessions exceeds the upper limit. | The number of sessions in the connected state exceeds the upper limit. |
| 403 | Operation.Forbidden | The operation is not permitted. | The operation is not supported. |
| 403 | PortForwarding.NotSupported | Port forwarding is not supported currently. | Port forwarding is not supported. |
| 403 | UserBehavior.SessionManagerDisabled | The api is disabled by user behavior. | |
| 403 | InvalidCommandLine.Conflict | The parameter PortNumber or TargetServer cannot be specified with parameter CommandLine. | |
| 403 | InvalidTargetServer.MissingPortNumber | The parameter PortNumber must be specified with parameter TargetServer. | |
| 403 | InvalidCommandLine.LengthLimitExceeded | The length of the parameter CommandLine exceeded the limit of 512 characters. | |
| 403 | InvalidInstanceIds.CountLimitExceeded | The count of Instances exceeded the maximum limit of 1 when TargetServer or CommandLine parameter was specified. | |
| 403 | Username.ExceedLimit | The length of the username exceeds the upper limit. | The length of the username exceeds the upper limit. |
| 403 | InvalidOperation.SecurityGroupRuleDenied | The operation is not allowed by the security group inbound rules of the specified instance. | |
| 403 | InvalidTargetServer.LengthLimitExceeded | The length of the parameter TargetServer exceeded the limit of 128 characters. | |
| 403 | InvalidOperation.ConnectionTypeUnsupported | The operation is not supported for the parameter ConnectionType. | |
| 403 | InvalidPasswordName.LengthLimitExceeded | The length of the parameter PasswordName exceeds the limit of 255 characters. | |
| 403 | InvalidEncryptionOptionsMode.EncryptionDisabled | EncryptionOptions.Mode cannot be specified when encryption is disabled. | The parameter EncryptionOptions.Mode cannot be specified when session encryption is not on. |
| 403 | InvalidParameter.EncryptionOptionsKMSKeyId | The specified parameter EncryptionOptions.KMSKeyId is not valid. | The specified parameter EncryptionOptions.KMSKeyId is illegal. |
| 403 | InvalidParameter.EncryptionOptionsMode | The specified parameter EncryptionOptions.Mode is not valid. | The specified parameter EncryptionOptions.Mode is illegal. |
| 403 | MissingParameter.EncryptionOptionsKMSKeyId | The input parameter EncryptionOptions.KMSKeyId that is mandatory for processing this request is not supplied. | Parameter EncryptionOptions.KMSKeyId cannot be empty. |
| 403 | UnsupportedAgentVersion.Encryption | The cloud assistant agent version on instance %s do not support encryption. | |
| 403 | InvalidEncryptionOptions.Conflict | The parameter PortNumber or TargetServer cannot be specified with parameter EncryptionOptions. | When session encryption is enabled, the parameter PortNumber or TargetServer cannot be specified. |
| 403 | IdempotentParameterMismatch | The specified parameter has changed while using an already used clientToken. | |
| 403 | IdempotentProcessing | The previous idempotent request(s) is still processing. | A previous idempotent request is being processed. Try again later. |
| 404 | InvalidRegionId.NotFound | The RegionId provided does not exist in our records. | Region information error |
| 404 | InvalidInstance.NotFound | The specified instances not found. | The specified instance ID does not exist. |
See Error Codes for a complete list.
Release notes
See Release Notes for a complete list.