There are some cases when SSH-ing into an AWS Cortex instance may be necessary.
This can be done via the AWS web UI or via the terminal. The first 5 steps are identical for both approaches.
From the AWS EC2 dashboard, locate the instance you would like to connect to (it will start with something like
cortex-ng-cortex-worker). Then in the "Security groups" section in the "Description", locate the group that is named something like
eksctl-cortex-cluster-ClusterSharedNodeSecurityGroup-*** and click on it.
On the Security Groups page, locate the same security group again and click on its ID.
Click "Edit inbound rules".
Click "Add rule".
Select "SSH" for "Type" and "Anywhere" for "Source", and click "Save rules" (if you would like to have narrower access, this Stack Overflow answer describes how).
Back on the AWS EC2 dashboard, select the worker instance again and click "Connect".
Select "EC2 Instance Connect (browser-based SSH connection)" and click "Connect".
You should be SSH'd in!
Note: some browsers may not be compatible with the AWS EC2 Instance Connect window and may throw a timeout. It is therefore recommended to switch to Google Chrome if it doesn't work.
Take note of the "Instance ID", "Availability Zone", and "Public DNS (IPv4)" for your worker instance.
Generate a new RSA key pair. OpenSSH and SSH2 are supported with 2048 and 4096 bit lengths.
ssh-keygen -t rsa -f my_rsa_key
Provide the public key to the worker instance with
aws ec2-instance-connect send-ssh-public-key command. The key is removed from the instance metadata within a 60 second timeframe. The public key can be reused any number of times.
aws ec2-instance-connect send-ssh-public-key \--instance-id <Instance ID> \--availability-zone <Availability Zone> \--instance-os-user root \--ssh-public-key file://my_rsa_key.pub && \ssh -i my_rsa_key <Public DNS (IPv4)>