# EC2 Cloud Connector

<figure><img src="https://3357255970-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fb7weUpu7VBcMnESSH8vG%2Fuploads%2FCEMfhZlTpq56ZOIHBfOw%2FKCM-AWSEC2.jpg?alt=media&#x26;token=e9ee2d80-a0cc-4470-8383-802271f29ad7" alt=""><figcaption></figcaption></figure>

## About

You can store SSH Keys and Windows passwords in your Keeper vault for connecting to EC2 instances alongside the KCM Cloud Connector.

See the [AWS EC2 Discovery documentation](/en/keeper-connection-manager/vault-integration/ec2-cloud-connector.md) for more details on connecting KCM with AWS EC2 instances.

## Setup

### Enable

The feature must first be enabled using either the Docker environment variable or the `guacamole.properties` file.

#### Docker Environment Variable

For the Auto Docker Install and Docker Compose Install methods, in the `keeper/guacamole-db-mysql` image, a new environment variable must be defined:

`AWS_DISCOVERY_KSM_CONFIG`

This must contain a Keeper Secrets Manager configuration. It can be the same config used with the `KSM_CONFIG` variable.

For example:

```yaml
    guacamole:
        image: keeper/guacamole:2
        restart: unless-stopped
        ......
        environment:
            ......
            AWS_DISCOVERY_KSM_CONFIG: "eyJob3N0bmFtZSI6ICJrZWVwZX.....=="
```
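As an added example (not part of the original page and not KCM's own code), the following Python snippet checks a value before it is written into `AWS_DISCOVERY_KSM_CONFIG`: it must be base64 that decodes to a JSON object. The page's own example only shows that the decoded JSON starts with a `hostname` key; the `clientId` key, the required-key list and the sample values are assumptions.

```python
import base64
import binascii
import json

# Constructed sample: a KSM configuration is base64-encoded JSON. Which keys
# it must contain is an assumption (the page's example only shows that it
# starts with a "hostname" key); the values here are placeholders.
SAMPLE_VALUE = base64.b64encode(json.dumps(
    {"hostname": "keepersecurity.com", "clientId": "<placeholder-client-id>"}
).encode()).decode()
# Constructed negative case: valid base64 and JSON, but no hostname.
MISSING_HOSTNAME_VALUE = base64.b64encode(b'{"clientId": "<placeholder>"}').decode()

REQUIRED_KEYS = ("hostname", "clientId")  # assumed minimum, see above


def validate_ksm_config(value: str) -> dict:
    """Decode a value intended for AWS_DISCOVERY_KSM_CONFIG and check its shape.

    Raises ValueError with a specific message so a bad value fails when the
    compose file is generated rather than showing up later as EC2 records
    that are silently never discovered.
    """
    # Values pasted from a file may carry line wraps; strict base64 decoding
    # below rejects them, so drop all whitespace first.
    compact = "".join(value.split())
    if not compact:
        raise ValueError("AWS_DISCOVERY_KSM_CONFIG is empty")
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"value is not valid base64: {exc}") from exc
    try:
        config = json.loads(raw)
    except (json.JSONDecodeError, UnicodeDecodeError) as exc:
        raise ValueError(f"decoded value is not JSON: {exc}") from exc
    if not isinstance(config, dict):
        raise ValueError("decoded JSON is not an object")
    missing = [k for k in REQUIRED_KEYS if not config.get(k)]
    if missing:
        raise ValueError("config is missing: " + ", ".join(missing))
    return config


def is_valid_ksm_config(value: str) -> bool:
    """Boolean wrapper for use in deployment scripts or tests."""
    try:
        validate_ksm_config(value)
        return True
    except ValueError:
        return False


def compose_environment_line(value: str) -> str:
    """Render the compose `environment:` entry after validating the value."""
    compact = "".join(value.split())
    validate_ksm_config(compact)
    return f'AWS_DISCOVERY_KSM_CONFIG: "{compact}"'


if __name__ == "__main__":
    print(compose_environment_line(SAMPLE_VALUE))
    for bad in ("", "not-base64!!", MISSING_HOSTNAME_VALUE):
        try:
            validate_ksm_config(bad)
        except ValueError as exc:
            print(f"rejected {bad[:20]!r}: {exc}")
```

Run it as a pre-flight step wherever the compose file is templated; a rejected value names the reason (empty, not base64, not JSON, missing key) instead of leaving you to diagnose why no EC2 credentials are ever picked up.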

For the Advanced Linux Install method, add the following property to the `guacamole.properties` file.

<table><thead><tr><th width="269.3333333333333">Property Name</th><th>Default Value</th><th>Description</th></tr></thead><tbody><tr><td><code>aws-discovery-ksm-config</code></td><td>false</td><td>Enable the use of Cloud Connect credentials from KSM connected vaults</td></tr></tbody></table>

#### Remove volume mount for PEM key files

If you are using Keeper to store the PEM key files, you can remove the volume mount in the Docker Compose file that references the location `/var/lib/guac_keys/` as this will not be used.

### Configure a Record for use with Cloud Connect

The EC2 cloud connector recognizes Keeper records with specific fields automatically.

To create a record for use with the EC2 Cloud Connector, you can either create a record that contains a pem file attachment holding your key, or a record that contains the key as text.

### PEM File Record

Create a new record which will contain the pem file. The File Attachment record type is a good match, but any type other than General will work.

The record can have any title. In this example we're using "AWS key: my-machine".

<figure><img src="https://3357255970-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fb7weUpu7VBcMnESSH8vG%2Fuploads%2FN50OmXOsnTUHFud8yvQR%2Fimage.png?alt=media&#x26;token=aad2beba-71ab-4224-92c4-073fd9a7c08b" alt=""><figcaption><p>Create a new record to attach your pem file to</p></figcaption></figure>

With the record created, attach the pem file.

<figure><img src="https://3357255970-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fb7weUpu7VBcMnESSH8vG%2Fuploads%2FltSBtMIzqWNy6e2Q7781%2Fimage.png?alt=media&#x26;token=991fec1f-3705-4941-a38e-e4b9c8ab8c3a" alt=""><figcaption><p>Attach your pem file to the new record</p></figcaption></figure>

{% hint style="info" %}
Optionally, if you include a Hostname/IP and Port field in your record, KCM will automatically associate the pem file with EC2 connections having a matching Hostname/IP.
{% endhint %}

Lastly, ensure that the new record is in a shared folder that is accessible to KCM via the Secrets Manager vault connection.

<figure><img src="https://3357255970-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fb7weUpu7VBcMnESSH8vG%2Fuploads%2F5cb6vD6IEixcgFnbFP9L%2Fimage.png?alt=media&#x26;token=42e42c48-e364-4136-a42c-a1c907fee3d4" alt=""><figcaption><p>Move the new record to a shared folder attached to Secrets Manager</p></figcaption></figure>

### Private Key Record

Create a new record which will contain your machine's private key. The record is required to have a "private key" field. The SSH standard record type can be used for this.

The record can have any title.

<figure><img src="https://3357255970-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fb7weUpu7VBcMnESSH8vG%2Fuploads%2FhMIYfDgvG5k3rCcnnCxL%2Fimage.png?alt=media&#x26;token=3f8e1cb2-bea5-46c8-862b-3190f7e5bf26" alt=""><figcaption><p>Create a new record with a private key field (standard SSH type works)</p></figcaption></figure>

The new record will need a custom text field named "Instance ID". Add a "Text" type custom field from the Custom Field menu, click "Edit Label" and enter "Instance ID".

{% hint style="info" %}
The Instance ID field can also be titled anything which begins with "AWS" or "EC2".
{% endhint %}

<figure><img src="https://3357255970-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fb7weUpu7VBcMnESSH8vG%2Fuploads%2F9qHQBnsk78fgqHbNqKyM%2Fimage.png?alt=media&#x26;token=3ed65ed0-f85c-4364-a87f-b855855ee011" alt=""><figcaption><p>Add a custom text field labeled "Instance ID"</p></figcaption></figure>

With the record ready, enter your machine's private key into the Private Key field, and your AWS instance ID in the new custom field.

Lastly, make sure that the record is in a shared folder that is accessible to KCM via Secrets Manager integration.

<figure><img src="https://3357255970-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fb7weUpu7VBcMnESSH8vG%2Fuploads%2FDd1qDwNALb3nDauPJ694%2Fimage.png?alt=media&#x26;token=b9677e2b-d3ec-4c14-b27b-23c0853d11c2" alt=""><figcaption><p>Fill in the record details and place the record in a Secrets Manager accessible shared folder</p></figcaption></figure>

{% hint style="info" %}
Optionally, if you include a Hostname and Port field in your record, KCM will automatically associate the private key with EC2 connections with a matching IP address.
{% endhint %}

{% hint style="success" %}
The record is now complete, and will be picked up automatically by KCM if the feature is enabled.
{% endhint %}
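The recognition rules described in the two record sections above (a non-General record with a `.pem` attachment, or a record with a private key plus a custom text field labelled "Instance ID" or beginning with "AWS"/"EC2", with an optional Hostname/IP used for association) can be checked before records are shared with KCM. The following Python model is an added example and not KCM's own matching code: the record dictionaries and the EC2 inventory are constructed, the keys `attachments`, `private_key`, `custom` and `host` are a simplified stand-in for Keeper's record schema, case-insensitive label matching is an assumption, and because the page does not say how a PEM record without a Hostname/IP is associated, the model requires the host for that kind.

```python
from typing import Optional

# Constructed records in a simplified shape (assumption: not Keeper's real
# record schema). "custom" entries are custom text fields; "host" stands in
# for the record's Hostname/IP field.
RECORDS = [
    {"type": "file", "title": "AWS key: my-machine",
     "attachments": ["my-machine.pem"], "host": "203.0.113.10", "port": "22"},
    {"type": "sshKeys", "title": "web-01 key",
     "private_key": "-----BEGIN PLACEHOLDER KEY-----",   # constructed, not a real key
     "custom": [{"label": "EC2 instance", "value": "i-0123456789abcdef0"}]},
    {"type": "login", "title": "key without an ID",
     "private_key": "-----BEGIN PLACEHOLDER KEY-----",
     "custom": [{"label": "Region", "value": "us-east-1"}]},
    {"type": "general", "title": "general record", "attachments": ["other.pem"]},
]

# Constructed EC2 inventory (TEST-NET addresses, placeholder instance IDs).
INSTANCES = [
    {"instance_id": "i-0123456789abcdef0", "address": "203.0.113.20"},
    {"instance_id": "i-0fedcba9876543210", "address": "203.0.113.10"},
    {"instance_id": "i-00000000000000000", "address": "203.0.113.30"},
]


def instance_id_label_ok(label: str) -> bool:
    """Page rule: the custom field is labelled "Instance ID" or begins with
    "AWS" or "EC2". Case-insensitive comparison is an assumption."""
    norm = label.strip().lower()
    return norm == "instance id" or norm.startswith(("aws", "ec2"))


def instance_id_of(record: dict) -> Optional[str]:
    """Value of the first custom field that qualifies as the Instance ID field."""
    for f in record.get("custom", []):
        if instance_id_label_ok(f.get("label", "")) and f.get("value"):
            return f["value"].strip()
    return None


def classify_record(record: dict) -> tuple[Optional[str], str]:
    """Return (kind, reason). kind is "pem_file", "private_key" or None."""
    if record.get("type", "").lower() == "general":
        return None, "General record type is not recognised"
    pems = [n for n in record.get("attachments", []) if n.lower().endswith(".pem")]
    if pems:
        return "pem_file", f"PEM attachment {pems[0]}"
    if not record.get("private_key"):
        return None, "no PEM attachment and no private key field"
    if instance_id_of(record) is None:
        return None, "private key record lacks an Instance ID (or AWS*/EC2*) custom field"
    return "private_key", f"private key for {instance_id_of(record)}"


def record_matches(record: dict, instance: dict) -> bool:
    """Association rules: a Hostname/IP on the record is compared with the
    instance address for either kind; otherwise a private key record is
    tied to the instance by its ID."""
    kind, _ = classify_record(record)
    if kind is None:
        return False
    host = record.get("host")
    if host and host == instance["address"]:
        return True
    return kind == "private_key" and instance_id_of(record) == instance["instance_id"]


def credentials_for(records: list, instances: list) -> dict[str, Optional[str]]:
    """Map each instance ID to the title of the first usable record, or None."""
    result = {}
    for inst in instances:
        result[inst["instance_id"]] = next(
            (r["title"] for r in records if record_matches(r, inst)), None)
    return result


if __name__ == "__main__":
    for r in RECORDS:
        kind, why = classify_record(r)
        print(f'{r["title"]!r}: {kind or "ignored"} ({why})')
    for inst_id, title in credentials_for(RECORDS, INSTANCES).items():
        print(f"{inst_id} -> {title or 'no credential record found'}")
```

The third record is the common mistake the page warns about: a private key with a custom field whose label neither reads "Instance ID" nor starts with "AWS"/"EC2", so the connector has nothing to tie it to. The fourth shows that a General record is ignored even with a `.pem` attachment. Sharing the folder with the Secrets Manager application is a separate requirement that cannot be checked from the record contents alone.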
