
start a session as ssm-user with runAs option #394

Open: wants to merge 1 commit into base: mainline

Conversation

@gurpalw gurpalw commented Jul 15, 2021

Issue #217, if available:
#217

Description of changes:
If RunAs is enabled, and the RunAs user is set to ssm-user, the session will fail to start.

This change fixes that by allowing the user/role creating the SSM session to use ssm-user, and creating the account for them in the same way as when RunAs is not enabled.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@gurpalw gurpalw changed the title Fixes issue #217 Create the user ssm-user if RunAs is enabled and if the user wants to use ssm-user Jul 15, 2021
@gurpalw gurpalw changed the title Create the user ssm-user if RunAs is enabled and if the user wants to use ssm-user start a session as ssm-user with runAS option Jul 15, 2021
@gurpalw gurpalw changed the title start a session as ssm-user with runAS option start a session as ssm-user with runAs option Jul 15, 2021
@laurentlgm

RunAs default behavior is confusing and poorly documented. If you use different roles tagged with different users for the same instances (pretty normal scenario) then one of these roles cannot be tagged with "ssm-user" until you access the instance with an existing user and create the ssm-user. If you remove the RunAs config from the SSM setup then your tagged users cannot get in... and if you do that after launching the instance then you're out of luck.
e.g. I'm creating AL2/Ubuntu instances and roles via CDK and although my sudo-capable users can access the instances using ec2-user/ubuntu default users after creation, my roles with ssm-user in RunAs cannot access the instance until I either manually create ssm-user or, as I've been doing, create ssm-user via user_data script.

@carterwilliamson

Can this move forward? This behavior is universally described by users as bad. Having this would unblock a much needed ability to protect access to machines as @laurentlgm described.

If you look at the GitHub issues related to this topic, AWS seems to be going through and just closing them, which is odd considering this is a clear use case that should be supported.
