AWS

Important

The following instructions use the AWS CLI as a convenience; you can also use the AWS Web Console to obtain the required information.

The next step in the AutoScale Configuration is the VM Provider Details page.

  1. Select AWS from the Provider Drop Down.

  2. Provide a name for your configuration.

  3. Enter the AWS Access Key ID and the AWS Secret Access Key. Follow this guide to create an AWS IAM user and credentials.

  4. Enter the AWS Region. For a list of available regions, run the following AWS CLI command and use the value of the RegionName field.

    aws account list-regions
    
  5. Enter the EC2 AMI Id. You can find the latest AMI ID for an image by going to the AWS Web Console and creating a new EC2 Instance. After you select an image, the AMI ID will be shown in the web console. There is no need to actually create the EC2 instance. Alternatively, you can use the AWS CLI. The following example lists AMIs filtered by name and sorted by creation date, so the latest version is at the bottom of the list.

    aws ec2 describe-images --filter "Name=name,Values=Windows_Server-2022-English-Full-Base*" --query "sort_by(Images, &CreationDate)" | jq -r '.[] | [.Name, .ImageId] | @tsv'
    Windows_Server-2022-English-Full-Base-2023.01.11        ami-085d15593174f2582
    Windows_Server-2022-English-Full-Base-2023.01.19        ami-03cf1a25c0360a382
    Windows_Server-2022-English-Full-Base-2023.02.15        ami-0c2b0d3fb02824d92
    Windows_Server-2022-English-Full-Base-2023.03.15        ami-0e38fa17744b2f6a5
    Windows_Server-2022-English-Full-Base-2023.04.12        ami-0bde1eb2c18cb2abe
    

    Example: ami-085d15593174f2582

  6. Enter the desired EC2 Instance Type. Check the AWS Instance Types page for a full list, and use the Instance Size referenced in AWS’s documentation. Not all instance types are available in all regions. A Windows server will likely require a non-bursting instance type with at least 4GB of RAM; see the minimum system requirements for the version of Windows you are using.

    Example: c5.xlarge

  7. Enter the maximum number of instances. Kasm will not provision more VMs once this maximum number is reached.

    Example: 5

  8. Enter a list of EC2 Security Group IDs in JSON format. The security groups listed will be applied to the VM. From the AWS Web Console, you can navigate to EC2->Security Groups and use the Security group ID column from the table. The following AWS CLI command can be used to display a list of security groups.

    aws ec2 describe-security-groups --query "SecurityGroups[*].[GroupName,GroupId,Description]" --output text
    

    Example: [ "sg-fdfd9a504533e9df9" ]

  9. Enter the target EC2 Subnet ID. From the AWS Web Console, you can navigate to VPC->Subnets and use the Subnet ID column’s value for the target subnet. The following AWS CLI command can be used to display a list of subnets.

    aws ec2 describe-subnets --query "Subnets[*].[SubnetId,VpcId,CidrBlock,AvailabilityZone]" --output text
    

    Example: subnet-24582b68

  10. Enter an EBS Volume Size in Gigabytes. It must be the same size or larger than the source AMI.

    Example: 128

  11. Enter an EBS Volume Type. The following values are supported.

  • gp2 (recommended)

  • st1

  • standard

    Example: gp2

  12. Enter an EC2 IAM role to be applied to your VM. Enter a space to bypass this requirement. An IAM Role allows the EC2 instance to access AWS resources. This example uses an IAM role to allow the EC2 instance to send logs to CloudWatch.

    Example: MyCustomRoleName

  13. Enter any additional EC2 Custom Tags to add to the instance.

    Example: { "department": "engineering" }

  14. Enter an EC2 Startup Script. For Windows, it is a PowerShell script that is wrapped in XML. The following example is maintained in this open-source project.

    This example creates a local user account with the Connection Username and Connection Password specified on the previous page. This is only relevant if you are using static credentials and will not work with Active Directory integration.

    <powershell>
    
    $pass = ConvertTo-SecureString -String "{connection_password}" -AsPlainText -Force
    
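    $user = New-LocalUser -Name "{connection_username}" -Description 'Programmatically generated Kasm user account' -Password $pass -PasswordNeverExpires -AccountNeverExpires
    
    # Add-LocalGroupMember writes nothing to the pipeline, so it cannot be chained; add the user to each group separately
    Add-LocalGroupMember -Group "Administrators" -Member $user
    Add-LocalGroupMember -Group "Remote Desktop Users" -Member $user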
    
    Start-Service -Name "Audiosrv"
    </powershell>
    

    This example installs the Kasm Desktop Service and registers it with the deployment. With this service installed, Kasm can manage local Windows user accounts automatically.

    <powershell>
    New-EventLog -LogName Application -Source kasm_startup_script
    Write-EventLog -LogName "Application" -Source "kasm_startup_script" -EventID 1000 -EntryType Information -Message "Downloading Windows Service"
    
    # Download and install the Kasm Service
    Invoke-Webrequest -URI https://kasm-static-content.s3.amazonaws.com/kasm_windows_service_installer_x86_64_1.1.2b3f26b.exe -OutFile C:\Users\Public\Downloads\kasm_service_installer.exe
    
    Write-EventLog -LogName "Application" -Source "kasm_startup_script" -EventID 1000 -EntryType Information -Message "Installing Windows Service"
    C:\Users\Public\Downloads\kasm_service_installer.exe /S
    
    for ($i = 1; $i -le 20; $i++) {{
        Start-Sleep -s 3
        $service = Get-Service -Name W32Time -ErrorAction SilentlyContinue
    
        if ($service.Length -gt 0 -And (Test-Path -Path "C:\Users\Public\Downloads\kasm_service_installer.exe" -PathType Leaf)) {{
            # Register the Kasm Service with the deployment
            Write-EventLog -LogName "Application" -Source "kasm_startup_script" -EventID 1000 -EntryType Information -Message "Registering the Desktop Service with the Kasm deployment at {upstream_auth_address}"
    
            net stop kasm
            cd "C:\Program Files\Kasm"
            .\agent.exe --register-host {upstream_auth_address} --register-port 443 --server-id  {server_id} --register-token {registration_token}
        
            if ($?) {{
                net start kasm
                Start-Service -Name "Audiosrv"
                Write-EventLog -LogName "Application" -Source "kasm_startup_script" -EventID 1000 -EntryType Information -Message "Successfully installed and registered agent"
                Exit 0
            }} else {{
                Write-EventLog -LogName "Application" -Source "kasm_startup_script" -EventID 1000 -EntryType Error -Message "Registration of Agent failed: Check log output of kasm_service in EventViewer"
                
                Exit 1
            }}
        }} else {{
            Write-EventLog -LogName "Application" -Source "kasm_startup_script" -EventID 1000 -EntryType Information -Message "Service not found, trying again..."
        }}
    }}
    
    Write-EventLog -LogName "Application" -Source "kasm_startup_script" -EventID 1000 -EntryType Error -Message "Timed out waiting for Kasm Desktop Service to be registered."
    Exit 1
    </powershell>
    
  15. The Retrieve Windows VM Password from AWS option allows Kasm to retrieve the random password generated by AWS for the administrator account. If this checkbox is checked and the Connection Password field on the previous page is left empty, Kasm will use the SSH key (covered next) to retrieve and decrypt the password. The password will then be used by users connecting to the server. You do not need to check this box if using the example script in step 14 or if you are using SSO with Active Directory integration.

  16. Click the Upload New Key Pair button, paste in an RSA PEM formatted private SSH Key and optionally provide a passphrase for the key.

  17. Click Finish.

It can take a minute or two for the first server to show up in the Servers list for the Pool and a few minutes for the server to become accessible. You can see all servers by going to Compute->Servers in the Kasm Admin Dashboard. You can see only the Servers in the Pool you created for AWS by going to Compute->Pools and selecting Edit on the desired Pool.

Next, create a Workspace to allow access to the Servers in this Pool.
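The second startup script above downloads the Kasm Desktop Service installer and runs it without verifying it. The following is an added example, not code from the original page or the Kasm project, that checks the download against a pinned SHA-256 hash and its Authenticode signature before running it. The <EXPECTED_SHA256> value is a placeholder to be filled from a trusted source, Write-StartupLog and Test-Installer are hypothetical helper names, and it is an assumption that the installer is Authenticode-signed (drop that check if it is not).

```powershell
# Added example, not part of the Kasm project. Single braces are used here; the page's
# startup script doubles literal braces ({{ }}), so do the same if this is pasted there.
$ErrorActionPreference = 'Stop'
$Source    = 'kasm_startup_script'   # event source used by the page's script
$Url       = 'https://kasm-static-content.s3.amazonaws.com/kasm_windows_service_installer_x86_64_1.1.2b3f26b.exe'
$Installer = 'C:\Users\Public\Downloads\kasm_service_installer.exe'
$ExpectedSha256 = '<EXPECTED_SHA256>'   # placeholder: pin the hash of the reviewed installer

function Write-StartupLog {
    param([string]$Message, [string]$EntryType = 'Information')
    Write-EventLog -LogName Application -Source $Source -EventID 1000 -EntryType $EntryType -Message $Message
}

function Test-Installer {
    param([string]$Path, [string]$Sha256)
    # 1. Content check: the file must match the pinned hash (-ne is case-insensitive)
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $Sha256) {
        Write-StartupLog "Installer hash mismatch: got $actual" 'Error'
        return $false
    }
    # 2. Publisher check (assumes the installer is Authenticode-signed)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-StartupLog "Installer signature status: $($sig.Status)" 'Error'
        return $false
    }
    Write-StartupLog "Installer verified, signer: $($sig.SignerCertificate.Subject)"
    return $true
}

if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}
Invoke-WebRequest -Uri $Url -OutFile $Installer -UseBasicParsing

if (-not (Test-Installer -Path $Installer -Sha256 $ExpectedSha256)) {
    # Never execute an unverified binary; remove it and fail the startup script
    Remove-Item -Path $Installer -Force
    Exit 1
}
& $Installer /S
```

A hash mismatch or invalid signature is written to the Application event log under the same source as the page's script, so a failed verification can be alerted on alongside the existing registration errors.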

AWS IAM User

Kasm uses programmatic access keys to manage resources. These programmatic access keys are associated with an IAM user. Follow this process to create a user with minimal permissions and no access to the AWS Web Console.

  1. Create an AWS IAM User for Kasm.

    • In the AWS Web Console, navigate to IAM->Users.

    • Click Add User.

    • Provide a User name. Example: kasm-auto-scaling

    • On the permissions options page, click Attach Policies Directly.

    • Search for AmazonEC2FullAccess, check the box next to it and click Next.

    • On the final page, click Create User.

  2. Create AWS Access Keys for the Kasm User in AWS.

    • In the AWS Web Console, navigate to IAM->Users.

    • Find the user created in step 3 and click the username to edit.

    • Click the Security Credentials Tab.

    • Scroll down to Access Keys and click Create Access Keys.

    • On the next screen, select Third Party Service.

    • Check the box indicating you understand the recommendation and click Next.

    • Optionally add tags on the next step and then click Create access key.

    • On the final screen you will be shown the Access Key and Secret access key. This will be the only opportunity you will have to get the secret access key. Save both of them in a secure place.