
Access your EC2 instance or ECS container seamlessly, eliminating the necessity for opening inbound ports, maintaining bastion hosts, or managing SSH keys.

MIT License


gotoaws is an interactive CLI tool that you can use to connect to your AWS resources (EC2, ECS container) using the AWS Systems Manager Session Manager. It provides secure and auditable resource management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.


  • session-manager-plugin must be installed on your client
  • SSM Agent version 2.3.672.0 or later must be installed on the instances you want to connect to through sessions
  • An instance profile with proper IAM permissions (e.g AmazonSSMManagedInstanceCore)
  • A connection to the AWS System Manager Servive via NAT or better via VPC Endpoint to further reduce the attack surface
  • Prerequisites for using ECS Exec


You can install the pre-compiled binary in several different ways

homebrew tap:

brew tap hupe1980/gotoaws
brew install gotoaws


sudo snap install --classic gotoaws


scoop bucket add gotoaws
scoop install gotoaws


Download the .deb, .rpm or .apk from the releases page and install them with the appropriate tools.


Download the pre-compiled binaries from the releases page and copy to the desired location.

How to use

  gotoaws [command]

Available Commands:
  completion  Prints shell autocompletion scripts for gotoaws
  config      Manage your local gotoaws CLI config file
  ec2         Connect to ec2
  ecs         Connect to ecs
  eks         Connect to eks
  help        Help about any command

      --config string      config file (default "$HOME/.config/configstore/gotoaws.json")
  -h, --help               help for gotoaws
      --profile string     AWS profile
      --region string      AWS region
      --silent             run gotoaws without printing logs
      --timeout duration   timeout for network requests (default 15s)
  -v, --version            version for gotoaws

Use "gotoaws [command] --help" for more information about a command.


You can connect to your instances by name, ID, DNS, IP or select an instance from a list.

  gotoaws ec2 [command]

Available Commands:
  fwd         Port forwarding
  run         Run commands
  scp         SCP over Session Manager
  session     Start a session
  ssh         SSH over Session Manager

  -h, --help   help for ec2

Global Flags:
      --config string      config file (default "$HOME/.config/configstore/gotoaws.json")
      --profile string     AWS profile
      --region string      AWS region
      --silent             run gotoaws without printing logs
      --timeout duration   timeout for network requests (default 15s)

Use "gotoaws ec2 [command] --help" for more information about a command.

Start a session

  gotoaws ec2 session [flags]

gotoaws ec2 session -t myserver

  -h, --help            help for session
  -t, --target string   name|ID|IP|DNS of the instance

Port forwarding

  gotoaws ec2 fwd [flags]

gotoaws fwd run -t myserver -l 8080 -r 8080
gotoaws fwd run -t myserver -l 5432 -r 5432 -H

  -h, --help            help for fwd
  -H, --host string     remote host to forward to
  -l, --local string    local port to use (required)
  -r, --remote string   remote port to forward to (required)
  -t, --target string   name|ID|IP|DNS of the instance

Run commands

  gotoaws ec2 run [flags] -- COMMAND [args...]

gotoaws ec2 run -- date
gotoaws ec2 run -t myserver -- date

  -h, --help            help for run
  -t, --target string   name|ID|IP|DNS of the instance

SSH over Session Manager

  gotoaws ec2 ssh [command] [flags]

gotoaws ssh -t myserver -i key.pem

  -h, --help              help for ssh
  -i, --identity string   file from which the identity (private key) for public key authentication is read (required)
  -L, --lforward string   local port forwarding
  -p, --port string       SSH port to us (default "22")
  -t, --target string     name|ID|IP|DNS of the instance
  -l, --user string       SSH user to us (default "ec2-user")

SCP over Session Manager

  gotoaws ec2 scp [source(s)] [target] [flags]

gotoaws ec2 scp file.txt /opt/ -t myserver -i key.pem

  -h, --help              help for scp
  -i, --identity string   file from which the identity (private key) for public key authentication is read (required)
  -p, --port string       SSH port to us (default "22")
  -R, --recv              receive files from target
  -t, --target string     name|ID|IP|DNS of the instance
  -l, --user string       SCP user to us (default "ec2-user")

You can directly interact with containers without needing to first interact with the host container operating system, open inbound ports, or manage SSH keys.

  gotoaws ecs [command]

Available Commands:
  exec        Execute a command in a container

  -h, --help   help for ecs

Use "gotoaws ecs [command] --help" for more information about a command.

Execute a command in a container

  gotoaws ecs exec [flags] -- COMMAND [args...]

gotoaws ecs exec --cluster demo-cluster

      --cluster string     arn or name of the cluster (default "default")
      --container string   name of the container. A container name only needs to be specified for tasks containing multiple containers
  -h, --help               help for exec
      --task string        arn or id of the task

  gotoaws eks [command]

Available Commands:
  exec              Execute a command in a container
  fwd               Port forwarding
  get-token         Get a token for authentication with an Amazon EKS cluster
  logs              Print the logs for a container in a pod
  update-kubeconfig Configures kubectl so that you can connect to an Amazon EKS cluster

  -h, --help   help for eks

Use "gotoaws eks [command] --help" for more information about a command.

Execute a command in a container

  gotoaws eks exec [flags] -- COMMAND [args...]

gotoaws eks exec --cluster gotoaws --role cluster-admin
gotoaws eks exec --cluster gotoaws --role cluster-admin -- /bin/sh
gotoaws eks exec --cluster gotoaws --role cluster-admin -- cat /etc/passwd
gotoaws eks exec --cluster gotoaws --role cluster-admin --namespace default --pod nginx -- date

      --cluster string     arn or name of the cluster
  -c, --container string   name of the container
  -h, --help               help for exec
  -n, --namespace string   namespace of the pod (default "all namespaces"
  -p, --pod string         name of the pod
      --role string        arn or name of the role

Port forwarding

  gotoaws eks fwd [flags]

gotoaws eks fwd --cluster gotoaws --role cluster-admin --pod nginx
gotoaws eks fwd --cluster gotoaws --role cluster-admin --pod nginx --local 8000 --remote 80

      --cluster string     arn or name of the cluster
  -h, --help               help for fwd
  -l, --local int32        the local port
  -n, --namespace string   namespace of the pod (default "all namespaces"
  -p, --pod string         name of the pod
  -r, --remote int32       the container port
      --role string        arn or name of the role

Get a token for authentication with an Amazon EKS cluster

  gotoaws eks get-token [flags]

      --cluster string   arn or name of the cluster
  -h, --help             help for get-token
      --role string      arn or name of the role
      --token-only       Return only the token for use with Bearer token based tools

Print the logs for a container in a pod

  gotoaws eks logs [flags]

gotoaws eks logs --cluster gotoaws --role cluster-admin --pod nginx
gotoaws eks logs --cluster gotoaws --role cluster-admin --pod nginx --container nginx

      --cluster string     arn or name of the cluster
  -c, --container string   name of the container
  -h, --help               help for logs
  -n, --namespace string   namespace of the pod (default for finder "all namespaces"
  -p, --pod string         name of the pod
      --role string        arn or name of the role

Configures kubectl so that you can connect to an Amazon EKS cluster

  gotoaws eks update-kubeconfig [flags]

      --alias string     alias for the cluster context name (default "arn of the cluster"
      --cluster string   arn or name of the cluster
  -h, --help             help for update-kubeconfig
      --role string      arn or name of the role

Manage your local gotoaws CLI config file

  gotoaws config [command]

Available Commands:
  get         Print a config value
  set         Create a new config value
  unset       Remove a config value

  -h, --help   help for config

Use "gotoaws config [command] --help" for more information about a command.

Supported KEY values:

Key Description
profile AWS profile
region AWS region
timeout timeout for network requests
silent run gotoaws without printing logs
