aws ssm start-session returns url and token to open WebSocket Connection. https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_StartSession.html#API_StartSession_ResponseSyntax
Tried a client to open WebSocket connection: https://hashrocket.com/blog/posts/development-of-a-simple-command-line-websocket-client
But I am getting following error when trying to send input like {"type": "echo", "payload": "whoami"}
websocket: close 1003 (unsupported data): Channel : request to open data channel does not contain token.
I tried setting headers with multiple options like
headers := make(http.Header)
headers.Add("Authorization", "Bearer " + token)
headers.Add("token_type", "bearer")
headers.Add("access_token", token)
headers.Add("token", token)
headers.Add("Authentication", token)
// "github.com/gorilla/websocket"
ws, _, err := websocket.DefaultDialer.Dial(url, headers)
Most of the code is same as in 2nd link mentioned above except trying for wss (not ws).
I guess I am missing something in header. Any idea? Thx
Expected Behavior: Should be able to send requests (like above) and get responses successfully.
From the godoc for DialContext, which I realize you are just using dial, but it applies. Emphasis mine
https://godoc.org/github.com/gorilla/websocket#Dialer.DialContext
If the WebSocket handshake fails, ErrBadHandshake is returned along with a non-nil *http.Response so that callers can handle redirects, authentication, etcetera. The response body may not contain the entire response and does not need to be closed by the application.
Please try not discarding the response so you can inspect it to determine how to fix the problem.
As a general rule, if something isn't working out, and you are ignoring some return value, check and see what you are ignoring and you'll often find the solution.
Let me know if this helps or not and I can update/delete the answer.
You can use the Default Dialer with the ssm.StartSessionOutout.StreamUrl, without any auth headers:
conn, _, err := websocket.DefaultDialer.Dial(*ssmStartSessionOutput.StreamUrl,
nil)
if err != nil {
log.Fatal(err)
}
defer conn.Close()
Then, send the ssm.StartSessionOutput token over the websocket connection. This will get you past the error in question:
v := struct {
TokenValue string `json:"TokenValue"`
}{
TokenValue: ssmStartSessionOutput.TokenValue,
}
err := conn.WriteJSON(v)
if err != nil {
return err
}
But, SSM StartSession's websocket implementation is virtually undocumented and rife with mysterious responses. I've had better luck starting the session-manager-plugin as a subprocess, passing the JSON-ified ssm.StartSessionOutput:
v := struct {
SessionID string `json:"SessionId"`
StreamURL string `json:"StreamUrl"`
TokenValue string `json:"TokenValue"`
}{
SessionID: ssmSessionOutput.SessionId,
StreamURL: ssmSessionOutput.StreamUrl,
TokenValue: ssmSessionOutput.TokenValue,
}
j, err := json.Marshal(v)
if err != nil {
return nil, err
}
cmd := exec.Command("session-manager-plugin", string(j), region, "StartSession")
cmd.Stdout = os.Stdout
cmd.Stdin = os.Stdin
cmd.Stderr = os.Stderr
err = cmd.Run()