cloudx-proxy 0.3.2__tar.gz → 0.3.4__tar.gz

{cloudx_proxy-0.3.2 → cloudx_proxy-0.3.4}/CHANGELOG.md

@@ -1,3 +1,7 @@
+## [0.3.4](https://github.com/easytocloud/cloudX-proxy/compare/v0.3.3...v0.3.4) (2025-02-09)
+
+## [0.3.3](https://github.com/easytocloud/cloudX-proxy/compare/v0.3.2...v0.3.3) (2025-02-09)
+
 ## [0.3.2](https://github.com/easytocloud/cloudX-proxy/compare/v0.3.1...v0.3.2) (2025-02-09)
 
 ## [0.3.1](https://github.com/easytocloud/cloudX-proxy/compare/v0.3.0...v0.3.1) (2025-02-09)

{cloudx_proxy-0.3.2 → cloudx_proxy-0.3.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: cloudx-proxy
-Version: 0.3.2
+Version: 0.3.4
 Summary: SSH proxy command to connect VSCode with Cloud9/CloudX instance using AWS Systems Manager
 Author-email: easytocloud <info@easytocloud.com>
 License: MIT License
@@ -63,37 +63,45 @@ cloudX-proxy enables seamless SSH connections from VSCode to EC2 instances using
 
 ## Prerequisites
 
-1. **AWS CLI v2** - [Installation Guide](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
-2. **AWS Session Manager Plugin** - [Installation Guide](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html)
-3. **OpenSSH Client**
+1. **AWS CLI v2** - Used to configure AWS profiles and credentials
+   - [Installation Guide](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
+   - Required for `aws configure` during setup
+   - Handles AWS credentials and region configuration
+
+2. **AWS Session Manager Plugin** - Enables secure tunneling through AWS Systems Manager
+   - [Installation Guide](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html)
+   - Provides the secure connection channel
+   - No need for public IP addresses or direct SSH access
+
+3. **OpenSSH Client** - Handles SSH key management and connections
    - Windows: [Microsoft's OpenSSH Installation Guide](https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui)
    - macOS/Linux: Usually pre-installed
-4. **uv** - Python package installer and resolver
+   - Manages SSH keys and configurations
+   - Provides the SSH client for VSCode Remote
+
+4. **uv** - Modern Python package installer and virtual environment manager
    ```bash
    pip install uv
    ```
-5. **VSCode with Remote SSH Extension** installed
-
-## AWS Credentials Setup
+   The `uvx` command from uv automatically:
+   - Creates an isolated virtual environment for each package
+   - Downloads and installs the package and its dependencies
+   - Runs the package without explicit environment activation
+   
+   This means you can run cloudX-proxy directly with `uvx cloudx-proxy` without manually managing virtual environments or dependencies.
 
-The proxy expects to find AWS credentials in a profile named 'vscode' by default. These credentials should be the Access Key and Secret Key that were created by deploying the cloudX-user stack in your AWS account. The cloudX-user stack creates an IAM user with the minimal permissions required for:
-- Starting/stopping EC2 instances
-- Establishing SSM sessions
-- Pushing SSH keys via EC2 Instance Connect
+5. **VSCode with Remote SSH Extension** - Your development environment
+   - Provides the integrated development environment
+   - Uses the SSH configuration to connect to instances
+   - Handles file synchronization and terminal sessions
 
-Once the SSH session is established, the user has to further configure the instance using `generate-sso-config` tool. This is a one-time setup unless the user's access to AWS accounts changes, in which case the user should re-run the `generate-sso-config` tool.
+## Installation
 
-It is recommended to use  --generate-directories and --use-ou-structure to create working directories for each account the user has access to.
-
-Everytime the user connects to the instance, `ssostart` will authenticate the user with AWS SSO and generate temporary credentials. 
-
-This ensures you have the appropriate AWS access both for connecting to the instance and for working within it.
-
-The proxy also supports easytocloud's AWS profile organizer. If you use multiple AWS environments, you can store your AWS configuration and credentials in `~/.aws/aws-envs/<environment>` directories and use the `--aws-env` option to specify which environment to use.
+The cloudX-proxy package is available on PyPI and can run using uvx without explicit installation.
 
 ## Setup
 
-cloudX-proxy now includes a setup command that automates the entire configuration process:
+cloudX-proxy includes a setup command that automates the entire configuration process:
 
 ```bash
 # Basic setup with defaults (vscode profile and key)
@@ -109,7 +117,7 @@ uvx cloudx-proxy setup --aws-env prod
 The setup command will:
 
 1. Configure AWS Profile:
-   - Creates/validates AWS profile with cloudX-{env}-{user} format
+   - Creates/validates AWS profile for IAM user in cloudX-{env}-{user} format
    - Supports AWS environment directories via --aws-env
    - Uses aws configure for credential input
 
@@ -130,25 +138,56 @@ The setup command will:
    - Offers to wait for setup completion
    - Monitors setup progress
 
-### Example SSH Configuration
+### SSH Configuration
 
-The setup command generates a configuration structure like this:
+The setup command configures SSH to use cloudX-proxy as a ProxyCommand, enabling seamless connections through AWS Systems Manager. For example, running:
+
+```bash
+uvx cloudx-proxy setup --profile myprofile --ssh-key mykey
+```
+
+Will create a configuration like this:
 
 ```
 # Base environment config (created once per environment)
-Host cloudx-{env}-*
+Host cloudx-dev-*
     User ec2-user
-    IdentityAgent ~/.1password/agent.sock  # If using 1Password
-    IdentityFile ~/.ssh/vscode/key.pub    # .pub for 1Password, no .pub otherwise
-    IdentitiesOnly yes                    # If using 1Password
-    ProxyCommand uvx cloudx-proxy connect %h %p --profile profile --aws-env env
-
-# Host entries (added for each instance)
-Host cloudx-{env}-hostname
-    HostName i-1234567890
+    IdentityFile ~/.ssh/vscode/mykey
+    ProxyCommand uvx cloudx-proxy connect %h %p --profile myprofile --ssh-key mykey
+
+# Host entry (added for specific instance)
+Host cloudx-dev-myserver
+    HostName i-0123456789abcdef0
+```
+
+Allowing the user to:
+
+```bash
+ssh cloudx-dev-myserver
+scp cloudx-dev-myserver:/path/to/file /local/path/to/file
 ```
+without the need to provide any further credentials.
+
+In these examples, ssh will use cloudx-proxy to connect to AWS with the `myprofile` credentials, allowing it to check the instance state and start the instance if it's stopped. Next cloudx-proxy will use `myprofile` to push the public part of the key `mykey` to the instance using SSM. Finally a tunnel is created between the local machine and the instance, using the SSM plugin, allowing SSH to connect to the instance using the private part of the `mykey` key. 
+
+VSCode will be able to connect to the instance using the same SSH configuration.
 
-When adding new instances to an existing environment, the setup command will only add the specific host entry, preserving the existing environment configuration.
+### SSH Configuration Details
+The setup command creates:
+
+1. A base configuration for each environment (cloudx-{env}-*) with:
+   - User and key settings
+   - 1Password integration if selected
+   - ProxyCommand with appropriate parameters
+
+2. Individual host entries for each instance:
+   - Uses consistent naming (cloudx-{env}-hostname)
+   - Maps to instance IDs automatically
+   - Inherits environment-level settings
+
+When adding new instances to an existing environment, you can choose to:
+- Override the environment configuration with new settings
+- Add instance-specific settings while preserving the environment config
 
 ### VSCode Configuration
 
@@ -160,7 +199,7 @@ When adding new instances to an existing environment, the setup command will onl
        "remote.SSH.connectTimeout": 90
    }
    ```
-
+This extra long timeout is necessary to account for the time it takes to start the instance and establish the connection.
 ## Usage
 
 ### Command Line Options
@@ -228,27 +267,28 @@ Note: The connect command is typically used through the SSH ProxyCommand configu
 5. VSCode will handle the rest, using cloudX-proxy to establish the connection
 
 ## AWS Permissions
+### IAM User Permissions
 
-The AWS user/role needs these permissions:
-
-```json
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:StartInstances",
-                "ec2:DescribeInstances",
-                "ssm:StartSession",
-                "ssm:DescribeInstanceInformation",
-                "ec2-instance-connect:SendSSHPublicKey"
-            ],
-            "Resource": "*"
-        }
-    ]
-}
-```
+The AWS IAM user has to be member of the AWS IAM Group that is created as part of the cloudX environment.
+The group uses ABAC (Attribute Based Access Control) to allow access to the instances based on the tags.
+The ABAC tag defaults to `cloudxuser` and should have the value of the username of the user that owns the instance.
+
+Example:
+- AWS IAM User `cloudx-dev-user1` is connecting to an instance with the tag `cloudxuser=cloudx-dev-user1`
+
+Note: This user should be created using the cloudX-user product from Service Catalog in the AWS Console. This assures proper permissions and naming conventions. The user in the example is member of the `dev` group, part as part of the `cloudx-dev` environment.
+
+The EC2 instance should have the tag `cloudxuser` with the value of the username of the user that is connecting to the instance. This is automatically set when the instance is created using the cloudX-instance product from Service Catalog in the AWS Console.
+
+### EC2 Instance Permissions
+
+The EC2 instance has a profile/role that provides enough permissions to allow the AWS SSM agent to connect to the instance, as well as
+- CodeArtifact read only access, to use as a source for pip
+- CodeCommit read only access, to pull code from the repository for installation
+- Organizations read only access, to create aws sso configuration
+- EC2 basic access, to allow the instance to introspect for tags and other metadata
+
+These permissions are required to bootstrap the instance, so that after creation the instance can perform software installation and configuration without a user being present.
 
 ## Troubleshooting
 

{cloudx_proxy-0.3.2 → cloudx_proxy-0.3.4}/README.md

@@ -13,37 +13,45 @@ cloudX-proxy enables seamless SSH connections from VSCode to EC2 instances using
 
 ## Prerequisites
 
-1. **AWS CLI v2** - [Installation Guide](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
-2. **AWS Session Manager Plugin** - [Installation Guide](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html)
-3. **OpenSSH Client**
+1. **AWS CLI v2** - Used to configure AWS profiles and credentials
+   - [Installation Guide](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
+   - Required for `aws configure` during setup
+   - Handles AWS credentials and region configuration
+
+2. **AWS Session Manager Plugin** - Enables secure tunneling through AWS Systems Manager
+   - [Installation Guide](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html)
+   - Provides the secure connection channel
+   - No need for public IP addresses or direct SSH access
+
+3. **OpenSSH Client** - Handles SSH key management and connections
    - Windows: [Microsoft's OpenSSH Installation Guide](https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui)
    - macOS/Linux: Usually pre-installed
-4. **uv** - Python package installer and resolver
+   - Manages SSH keys and configurations
+   - Provides the SSH client for VSCode Remote
+
+4. **uv** - Modern Python package installer and virtual environment manager
    ```bash
    pip install uv
    ```
-5. **VSCode with Remote SSH Extension** installed
-
-## AWS Credentials Setup
+   The `uvx` command from uv automatically:
+   - Creates an isolated virtual environment for each package
+   - Downloads and installs the package and its dependencies
+   - Runs the package without explicit environment activation
+   
+   This means you can run cloudX-proxy directly with `uvx cloudx-proxy` without manually managing virtual environments or dependencies.
 
-The proxy expects to find AWS credentials in a profile named 'vscode' by default. These credentials should be the Access Key and Secret Key that were created by deploying the cloudX-user stack in your AWS account. The cloudX-user stack creates an IAM user with the minimal permissions required for:
-- Starting/stopping EC2 instances
-- Establishing SSM sessions
-- Pushing SSH keys via EC2 Instance Connect
+5. **VSCode with Remote SSH Extension** - Your development environment
+   - Provides the integrated development environment
+   - Uses the SSH configuration to connect to instances
+   - Handles file synchronization and terminal sessions
 
-Once the SSH session is established, the user has to further configure the instance using `generate-sso-config` tool. This is a one-time setup unless the user's access to AWS accounts changes, in which case the user should re-run the `generate-sso-config` tool.
+## Installation
 
-It is recommended to use  --generate-directories and --use-ou-structure to create working directories for each account the user has access to.
-
-Everytime the user connects to the instance, `ssostart` will authenticate the user with AWS SSO and generate temporary credentials. 
-
-This ensures you have the appropriate AWS access both for connecting to the instance and for working within it.
-
-The proxy also supports easytocloud's AWS profile organizer. If you use multiple AWS environments, you can store your AWS configuration and credentials in `~/.aws/aws-envs/<environment>` directories and use the `--aws-env` option to specify which environment to use.
+The cloudX-proxy package is available on PyPI and can run using uvx without explicit installation.
 
 ## Setup
 
-cloudX-proxy now includes a setup command that automates the entire configuration process:
+cloudX-proxy includes a setup command that automates the entire configuration process:
 
 ```bash
 # Basic setup with defaults (vscode profile and key)
@@ -59,7 +67,7 @@ uvx cloudx-proxy setup --aws-env prod
 The setup command will:
 
 1. Configure AWS Profile:
-   - Creates/validates AWS profile with cloudX-{env}-{user} format
+   - Creates/validates AWS profile for IAM user in cloudX-{env}-{user} format
    - Supports AWS environment directories via --aws-env
    - Uses aws configure for credential input
 
@@ -80,25 +88,56 @@ The setup command will:
    - Offers to wait for setup completion
    - Monitors setup progress
 
-### Example SSH Configuration
+### SSH Configuration
 
-The setup command generates a configuration structure like this:
+The setup command configures SSH to use cloudX-proxy as a ProxyCommand, enabling seamless connections through AWS Systems Manager. For example, running:
+
+```bash
+uvx cloudx-proxy setup --profile myprofile --ssh-key mykey
+```
+
+Will create a configuration like this:
 
 ```
 # Base environment config (created once per environment)
-Host cloudx-{env}-*
+Host cloudx-dev-*
     User ec2-user
-    IdentityAgent ~/.1password/agent.sock  # If using 1Password
-    IdentityFile ~/.ssh/vscode/key.pub    # .pub for 1Password, no .pub otherwise
-    IdentitiesOnly yes                    # If using 1Password
-    ProxyCommand uvx cloudx-proxy connect %h %p --profile profile --aws-env env
-
-# Host entries (added for each instance)
-Host cloudx-{env}-hostname
-    HostName i-1234567890
+    IdentityFile ~/.ssh/vscode/mykey
+    ProxyCommand uvx cloudx-proxy connect %h %p --profile myprofile --ssh-key mykey
+
+# Host entry (added for specific instance)
+Host cloudx-dev-myserver
+    HostName i-0123456789abcdef0
+```
+
+Allowing the user to:
+
+```bash
+ssh cloudx-dev-myserver
+scp cloudx-dev-myserver:/path/to/file /local/path/to/file
 ```
+without the need to provide any further credentials.
+
+In these examples, ssh will use cloudx-proxy to connect to AWS with the `myprofile` credentials, allowing it to check the instance state and start the instance if it's stopped. Next cloudx-proxy will use `myprofile` to push the public part of the key `mykey` to the instance using SSM. Finally a tunnel is created between the local machine and the instance, using the SSM plugin, allowing SSH to connect to the instance using the private part of the `mykey` key. 
+
+VSCode will be able to connect to the instance using the same SSH configuration.
 
-When adding new instances to an existing environment, the setup command will only add the specific host entry, preserving the existing environment configuration.
+### SSH Configuration Details
+The setup command creates:
+
+1. A base configuration for each environment (cloudx-{env}-*) with:
+   - User and key settings
+   - 1Password integration if selected
+   - ProxyCommand with appropriate parameters
+
+2. Individual host entries for each instance:
+   - Uses consistent naming (cloudx-{env}-hostname)
+   - Maps to instance IDs automatically
+   - Inherits environment-level settings
+
+When adding new instances to an existing environment, you can choose to:
+- Override the environment configuration with new settings
+- Add instance-specific settings while preserving the environment config
 
 ### VSCode Configuration
 
@@ -110,7 +149,7 @@ When adding new instances to an existing environment, the setup command will onl
        "remote.SSH.connectTimeout": 90
    }
    ```
-
+This extra long timeout is necessary to account for the time it takes to start the instance and establish the connection.
 ## Usage
 
 ### Command Line Options
@@ -178,27 +217,28 @@ Note: The connect command is typically used through the SSH ProxyCommand configu
 5. VSCode will handle the rest, using cloudX-proxy to establish the connection
 
 ## AWS Permissions
+### IAM User Permissions
 
-The AWS user/role needs these permissions:
-
-```json
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:StartInstances",
-                "ec2:DescribeInstances",
-                "ssm:StartSession",
-                "ssm:DescribeInstanceInformation",
-                "ec2-instance-connect:SendSSHPublicKey"
-            ],
-            "Resource": "*"
-        }
-    ]
-}
-```
+The AWS IAM user has to be member of the AWS IAM Group that is created as part of the cloudX environment.
+The group uses ABAC (Attribute Based Access Control) to allow access to the instances based on the tags.
+The ABAC tag defaults to `cloudxuser` and should have the value of the username of the user that owns the instance.
+
+Example:
+- AWS IAM User `cloudx-dev-user1` is connecting to an instance with the tag `cloudxuser=cloudx-dev-user1`
+
+Note: This user should be created using the cloudX-user product from Service Catalog in the AWS Console. This assures proper permissions and naming conventions. The user in the example is member of the `dev` group, part as part of the `cloudx-dev` environment.
+
+The EC2 instance should have the tag `cloudxuser` with the value of the username of the user that is connecting to the instance. This is automatically set when the instance is created using the cloudX-instance product from Service Catalog in the AWS Console.
+
+### EC2 Instance Permissions
+
+The EC2 instance has a profile/role that provides enough permissions to allow the AWS SSM agent to connect to the instance, as well as
+- CodeArtifact read only access, to use as a source for pip
+- CodeCommit read only access, to pull code from the repository for installation
+- Organizations read only access, to create aws sso configuration
+- EC2 basic access, to allow the instance to introspect for tags and other metadata
+
+These permissions are required to bootstrap the instance, so that after creation the instance can perform software installation and configuration without a user being present.
 
 ## Troubleshooting
 

{cloudx_proxy-0.3.2 → cloudx_proxy-0.3.4}/cloudx_proxy/_version.py

@@ -12,5 +12,5 @@ __version__: str
 __version_tuple__: VERSION_TUPLE
 version_tuple: VERSION_TUPLE
 
-__version__ = version = '0.3.2'
-__version_tuple__ = version_tuple = (0, 3, 2)
+__version__ = version = '0.3.4'
+__version_tuple__ = version_tuple = (0, 3, 4)

{cloudx_proxy-0.3.2 → cloudx_proxy-0.3.4}/cloudx_proxy.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: cloudx-proxy
-Version: 0.3.2
+Version: 0.3.4
 Summary: SSH proxy command to connect VSCode with Cloud9/CloudX instance using AWS Systems Manager
 Author-email: easytocloud <info@easytocloud.com>
 License: MIT License
@@ -63,37 +63,45 @@ cloudX-proxy enables seamless SSH connections from VSCode to EC2 instances using
 
 ## Prerequisites
 
-1. **AWS CLI v2** - [Installation Guide](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
-2. **AWS Session Manager Plugin** - [Installation Guide](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html)
-3. **OpenSSH Client**
+1. **AWS CLI v2** - Used to configure AWS profiles and credentials
+   - [Installation Guide](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
+   - Required for `aws configure` during setup
+   - Handles AWS credentials and region configuration
+
+2. **AWS Session Manager Plugin** - Enables secure tunneling through AWS Systems Manager
+   - [Installation Guide](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html)
+   - Provides the secure connection channel
+   - No need for public IP addresses or direct SSH access
+
+3. **OpenSSH Client** - Handles SSH key management and connections
    - Windows: [Microsoft's OpenSSH Installation Guide](https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui)
    - macOS/Linux: Usually pre-installed
-4. **uv** - Python package installer and resolver
+   - Manages SSH keys and configurations
+   - Provides the SSH client for VSCode Remote
+
+4. **uv** - Modern Python package installer and virtual environment manager
    ```bash
    pip install uv
    ```
-5. **VSCode with Remote SSH Extension** installed
-
-## AWS Credentials Setup
+   The `uvx` command from uv automatically:
+   - Creates an isolated virtual environment for each package
+   - Downloads and installs the package and its dependencies
+   - Runs the package without explicit environment activation
+   
+   This means you can run cloudX-proxy directly with `uvx cloudx-proxy` without manually managing virtual environments or dependencies.
 
-The proxy expects to find AWS credentials in a profile named 'vscode' by default. These credentials should be the Access Key and Secret Key that were created by deploying the cloudX-user stack in your AWS account. The cloudX-user stack creates an IAM user with the minimal permissions required for:
-- Starting/stopping EC2 instances
-- Establishing SSM sessions
-- Pushing SSH keys via EC2 Instance Connect
+5. **VSCode with Remote SSH Extension** - Your development environment
+   - Provides the integrated development environment
+   - Uses the SSH configuration to connect to instances
+   - Handles file synchronization and terminal sessions
 
-Once the SSH session is established, the user has to further configure the instance using `generate-sso-config` tool. This is a one-time setup unless the user's access to AWS accounts changes, in which case the user should re-run the `generate-sso-config` tool.
+## Installation
 
-It is recommended to use  --generate-directories and --use-ou-structure to create working directories for each account the user has access to.
-
-Everytime the user connects to the instance, `ssostart` will authenticate the user with AWS SSO and generate temporary credentials. 
-
-This ensures you have the appropriate AWS access both for connecting to the instance and for working within it.
-
-The proxy also supports easytocloud's AWS profile organizer. If you use multiple AWS environments, you can store your AWS configuration and credentials in `~/.aws/aws-envs/<environment>` directories and use the `--aws-env` option to specify which environment to use.
+The cloudX-proxy package is available on PyPI and can run using uvx without explicit installation.
 
 ## Setup
 
-cloudX-proxy now includes a setup command that automates the entire configuration process:
+cloudX-proxy includes a setup command that automates the entire configuration process:
 
 ```bash
 # Basic setup with defaults (vscode profile and key)
@@ -109,7 +117,7 @@ uvx cloudx-proxy setup --aws-env prod
 The setup command will:
 
 1. Configure AWS Profile:
-   - Creates/validates AWS profile with cloudX-{env}-{user} format
+   - Creates/validates AWS profile for IAM user in cloudX-{env}-{user} format
    - Supports AWS environment directories via --aws-env
    - Uses aws configure for credential input
 
@@ -130,25 +138,56 @@ The setup command will:
    - Offers to wait for setup completion
    - Monitors setup progress
 
-### Example SSH Configuration
+### SSH Configuration
 
-The setup command generates a configuration structure like this:
+The setup command configures SSH to use cloudX-proxy as a ProxyCommand, enabling seamless connections through AWS Systems Manager. For example, running:
+
+```bash
+uvx cloudx-proxy setup --profile myprofile --ssh-key mykey
+```
+
+Will create a configuration like this:
 
 ```
 # Base environment config (created once per environment)
-Host cloudx-{env}-*
+Host cloudx-dev-*
     User ec2-user
-    IdentityAgent ~/.1password/agent.sock  # If using 1Password
-    IdentityFile ~/.ssh/vscode/key.pub    # .pub for 1Password, no .pub otherwise
-    IdentitiesOnly yes                    # If using 1Password
-    ProxyCommand uvx cloudx-proxy connect %h %p --profile profile --aws-env env
-
-# Host entries (added for each instance)
-Host cloudx-{env}-hostname
-    HostName i-1234567890
+    IdentityFile ~/.ssh/vscode/mykey
+    ProxyCommand uvx cloudx-proxy connect %h %p --profile myprofile --ssh-key mykey
+
+# Host entry (added for specific instance)
+Host cloudx-dev-myserver
+    HostName i-0123456789abcdef0
+```
+
+Allowing the user to:
+
+```bash
+ssh cloudx-dev-myserver
+scp cloudx-dev-myserver:/path/to/file /local/path/to/file
 ```
+without the need to provide any further credentials.
+
+In these examples, ssh will use cloudx-proxy to connect to AWS with the `myprofile` credentials, allowing it to check the instance state and start the instance if it's stopped. Next cloudx-proxy will use `myprofile` to push the public part of the key `mykey` to the instance using SSM. Finally a tunnel is created between the local machine and the instance, using the SSM plugin, allowing SSH to connect to the instance using the private part of the `mykey` key. 
+
+VSCode will be able to connect to the instance using the same SSH configuration.
 
-When adding new instances to an existing environment, the setup command will only add the specific host entry, preserving the existing environment configuration.
+### SSH Configuration Details
+The setup command creates:
+
+1. A base configuration for each environment (cloudx-{env}-*) with:
+   - User and key settings
+   - 1Password integration if selected
+   - ProxyCommand with appropriate parameters
+
+2. Individual host entries for each instance:
+   - Uses consistent naming (cloudx-{env}-hostname)
+   - Maps to instance IDs automatically
+   - Inherits environment-level settings
+
+When adding new instances to an existing environment, you can choose to:
+- Override the environment configuration with new settings
+- Add instance-specific settings while preserving the environment config
 
 ### VSCode Configuration
 
@@ -160,7 +199,7 @@ When adding new instances to an existing environment, the setup command will onl
        "remote.SSH.connectTimeout": 90
    }
    ```
-
+This extra long timeout is necessary to account for the time it takes to start the instance and establish the connection.
 ## Usage
 
 ### Command Line Options
@@ -228,27 +267,28 @@ Note: The connect command is typically used through the SSH ProxyCommand configu
 5. VSCode will handle the rest, using cloudX-proxy to establish the connection
 
 ## AWS Permissions
+### IAM User Permissions
 
-The AWS user/role needs these permissions:
-
-```json
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:StartInstances",
-                "ec2:DescribeInstances",
-                "ssm:StartSession",
-                "ssm:DescribeInstanceInformation",
-                "ec2-instance-connect:SendSSHPublicKey"
-            ],
-            "Resource": "*"
-        }
-    ]
-}
-```
+The AWS IAM user has to be member of the AWS IAM Group that is created as part of the cloudX environment.
+The group uses ABAC (Attribute Based Access Control) to allow access to the instances based on the tags.
+The ABAC tag defaults to `cloudxuser` and should have the value of the username of the user that owns the instance.
+
+Example:
+- AWS IAM User `cloudx-dev-user1` is connecting to an instance with the tag `cloudxuser=cloudx-dev-user1`
+
+Note: This user should be created using the cloudX-user product from Service Catalog in the AWS Console. This assures proper permissions and naming conventions. The user in the example is member of the `dev` group, part as part of the `cloudx-dev` environment.
+
+The EC2 instance should have the tag `cloudxuser` with the value of the username of the user that is connecting to the instance. This is automatically set when the instance is created using the cloudX-instance product from Service Catalog in the AWS Console.
+
+### EC2 Instance Permissions
+
+The EC2 instance has a profile/role that provides enough permissions to allow the AWS SSM agent to connect to the instance, as well as
+- CodeArtifact read only access, to use as a source for pip
+- CodeCommit read only access, to pull code from the repository for installation
+- Organizations read only access, to create aws sso configuration
+- EC2 basic access, to allow the instance to introspect for tags and other metadata
+
+These permissions are required to bootstrap the instance, so that after creation the instance can perform software installation and configuration without a user being present.
 
 ## Troubleshooting