Instance Connect lets you SSH into an Excloud VM without ever distributing a persistent public key to the instance. Every session pushes a fresh one-time key (typically valid for ~60 seconds), which is consumed by the next SSH handshake. The concept is the same as AWS EC2 Instance Connect; the implementation is Excloud’s own.

The benefits:

  • Keyless access — nothing to rotate, nothing to revoke off-host.
  • Audited — every connect call goes through IAM (compute:instance:connect) and is logged with the requesting identity.
  • Short blast radius — even if a session key is captured in transit, it’s already useless by the time anyone notices.

Quick connect

If you have the exc CLI installed and are authenticated:

exc compute connect --vm_id 42 --user ubuntu

That single command:

  1. Asks the compute API for a short-lived key pair scoped to VM 42 and the ubuntu user.
  2. Pushes the public half to the VM.
  3. Opens an interactive SSH session using the private half.
  4. Discards the keys when the session ends.

For one-off commands instead of an interactive shell:

exc compute exec --vm-id 42 --command 'systemctl status nginx'

To transfer files:

exc compute scp --vm-id 42 --src ./deploy.tar.gz --dst /tmp/deploy.tar.gz

For the other direction (remote → local), add --download:

exc compute scp --vm-id 42 --download --src /var/log/syslog --dst ./syslog

To open a serial console (useful when SSH is broken):

exc compute console --vm_id 42

Required permissions

The caller needs compute:instance:connect on the target VM. The default Admin policy grants this. For a least-privileged operator role:

{
  "Version": "2024-03-05",
  "Statements": [
    { "Effect": "Allow", "Action": "compute:instance:connect", "Resource": "exc:compute:instance/42" }
  ]
}

Replace 42 with the instance ID, or use exc:compute:instance/* for any VM in the org. See the Policies guide.
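
A review check for policies in the format above, flagging compute:instance:connect grants that reach further than the VMs an operator role is meant to cover. This is an added example, not part of Excloud's tooling or documentation. It assumes that `*` in Action is matched as a glob and that Action and Resource may be either a string or a list; the two policies are constructed samples.

```python
import json
from fnmatch import fnmatchcase

CONNECT = "compute:instance:connect"

def _as_list(value):
    # Assumption: a field may hold one string or a list of strings.
    return value if isinstance(value, list) else [value]

def connect_grants(policy):
    """Return the Resource patterns of every Allow statement covering CONNECT."""
    grants = []
    for stmt in policy.get("Statements", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        # Assumption: '*' in an Action is a glob, as it is in Resource.
        if any(fnmatchcase(CONNECT, a) for a in actions):
            grants.extend(_as_list(stmt.get("Resource", [])))
    return grants

def audit(policy, allowed_vm_ids):
    """Return findings: connect grants that reach beyond allowed_vm_ids."""
    findings = []
    for res in connect_grants(policy):
        if any(ch in res for ch in "*?["):
            findings.append(f"wildcard resource: {res}")
            continue
        prefix, _, vm_id = res.rpartition("/")
        if prefix != "exc:compute:instance" or vm_id not in allowed_vm_ids:
            findings.append(f"unexpected resource: {res}")
    return findings

# Constructed sample policies in the format shown above.
SCOPED = json.loads('''{"Version": "2024-03-05", "Statements": [
  {"Effect": "Allow", "Action": "compute:instance:connect",
   "Resource": "exc:compute:instance/42"}]}''')
BROAD = json.loads('''{"Version": "2024-03-05", "Statements": [
  {"Effect": "Allow", "Action": "compute:*",
   "Resource": "exc:compute:instance/*"}]}''')

if __name__ == "__main__":
    for name, pol in (("scoped", SCOPED), ("broad", BROAD)):
        print(name, audit(pol, {"42"}) or "ok")
```

An empty result means every connect grant in the policy names a single VM from the allowed set.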

Older VMs

Pre-June-2025 instances

VMs created after June 2025 ship with Instance Connect support built into the image. Older VMs need the exc-instance-connect agent installed once before they can accept short-lived keys.

On Debian/Ubuntu:

# 1. Trust the Excloud package repository
curl -fsSL https://repo.excloud.in/RepoKey.gpg \
  | sudo gpg --dearmor -o /usr/share/keyrings/excloud-apt.gpg

# 2. Add the repo
echo "deb [signed-by=/usr/share/keyrings/excloud-apt.gpg] \
  https://repo.excloud.in stable main" \
  | sudo tee /etc/apt/sources.list.d/excloud.list

# 3. Install
sudo apt update
sudo apt install exc-instance-connect

Once installed, the agent runs on demand — no daemon to keep alive.

How it works under the hood

  1. exc compute connect calls POST /compute/instance/connect, passing the VM ID and the desired Linux user.
  2. The compute API generates an ephemeral SSH key pair, pushes the public half to the VM through Excloud’s internal control channel, and returns the private half to the CLI.
  3. The CLI uses the private key to open a normal SSH session. The public key expires server-side after a short window, so even a leaked private key has a brief useful life.
  4. There is also a WebSocket variant at GET /compute/instance/connect/ws/:id used by the browser console.

You can perform step 1 yourself from any HTTP client — see the Compute Swagger UI — and then use the returned key with ssh -i directly. That’s how exc compute connect works internally.