How can Hybrid SSM Activation be used to provide IAM credentials to all users

0

I am using a Hybrid SSM Activation https://docs.aws.amazon.com/systems-manager/latest/userguide/activations.html to manage a physical device.

I would like to allow this device to use some AWS services, but that requires deploying long lived credentials to the device.

SSM Agent is deploying AWS credentials (and rotating them) to /root/.aws/credentials, and these credentials are for the instance role that I assigned to the SSM Agent when deploying it. I would like to make these credentials available to the non-root user without having to prefix all aws-cli commands with sudo, so that I can assign additional permissions (like s3:Get) to the instance role and allow the user account to assume these credentials:

pi@pi-001:~$ aws sts get-caller-identity
Unable to locate credentials. You can configure credentials by running "aws configure".
pi@pi-001:~$ sudo aws sts get-caller-identity
{
    "UserId": "[censored]:mi-[censored]",
    "Account": "[censored]",
    "Arn": "arn:aws:sts::[censored]:assumed-role/DevelopmentSSMHybridPolicy/mi-[censored]"
}
pi@pi-001:~$ sudo ls /root/.aws
credentials

Is there a supported method to allow the non-root account of an SSM managed Hybrid Instance to assume the instance credentials? Failing that, are there any other methods to accomplish this?

1 answer
1

Hello.

How about setting AWS credentials for each Linux user?
Since the AWS credentials set for the root user are for using SSM, I think it is generally better not to share them between Linux users.
Therefore, I think it is a good idea to create the minimum required IAM policy and IAM user for the Linux users and configure the AWS credentials for them.
Also, if you need temporary AWS credentials, you may want to set up IAM Identity Center and use temporary credentials instead of using an IAM user.
https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html

Expert
answered 3 months ago
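The answer above recommends giving the Linux user its own least-privilege credentials rather than opening up the root-owned file that SSM Agent rotates. The following is an added example, not code from the original question, the answer, or AWS: it builds a read-only S3 policy document scoped to one bucket prefix, writes a per-user profile into that user's own ~/.aws/credentials with mode 0600, and includes a check that flags the anti-pattern of a credentials file readable by other local users (which is what sharing /root/.aws/credentials with the pi user would require). The bucket name, the prefix, the profile name "pi-device" and the placeholder key values are assumptions made up for illustration.

```python
"""Added example (not from the original post or from AWS): least-privilege
per-user AWS credentials for a Linux user on an SSM hybrid-activated host,
instead of sharing the root-owned credentials that SSM Agent manages.

Assumptions (not from the page): the bucket, prefix, profile name and the
placeholder key values below are invented for illustration.
"""
import configparser
import os
import stat
import tempfile


def s3_read_only_policy(bucket: str, prefix: str = "") -> dict:
    """Return an IAM policy document that allows GetObject under
    s3://bucket/prefix and ListBucket restricted to that prefix, nothing else."""
    key_prefix = prefix.rstrip("/") + "/" if prefix else ""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "GetObjectsUnderPrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{key_prefix}*"],
            },
            {
                "Sid": "ListOnlyThatPrefix",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [f"{key_prefix}*"]}},
            },
        ],
    }


def write_credentials_profile(path: str, profile: str,
                              access_key_id: str, secret_access_key: str) -> str:
    """Write (or replace) one [profile] section in an AWS shared credentials
    file, creating the file with mode 0600 so other local users cannot read it.
    The ~/.aws directory is created 0700 if it does not exist."""
    cfg = configparser.ConfigParser()
    cfg.read(path)  # returns [] silently if the file does not exist yet
    cfg[profile] = {
        "aws_access_key_id": access_key_id,
        "aws_secret_access_key": secret_access_key,
    }
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # also tighten a pre-existing file with a looser mode
    return path


def credentials_exposed_to_others(path: str) -> bool:
    """True if the credentials file is readable by group or others. That is the
    state you would have to put /root/.aws/credentials into to let a non-root
    user consume the SSM role's credentials, and it is the thing to avoid."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def demo() -> dict:
    """Run the whole flow in a throwaway directory and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".aws", "credentials")
        # Placeholder values, constructed for the example; not real keys.
        write_credentials_profile(path, "pi-device", "AKIAEXAMPLEKEY0000", "examplesecret")
        os.chmod(path, 0o644)  # simulate a file left world-readable
        exposed_before = credentials_exposed_to_others(path)
        write_credentials_profile(path, "pi-device", "AKIAEXAMPLEKEY0000", "examplesecret")
        exposed_after = credentials_exposed_to_others(path)
        cfg = configparser.ConfigParser()
        cfg.read(path)
        return {
            "exposed_before": exposed_before,
            "exposed_after": exposed_after,
            "profiles": cfg.sections(),
            "mode": oct(stat.S_IMODE(os.stat(path).st_mode)),
        }


if __name__ == "__main__":
    import json
    print(json.dumps(s3_read_only_policy("device-firmware", "pi-001"), indent=2))
    print(demo())
```

Attach the generated policy to the IAM user (or, per the answer, to an IAM Identity Center permission set) created for the pi account, run the profile writer as that user so the file lands in its own home directory, and then `aws sts get-caller-identity --profile pi-device` succeeds without sudo while /root/.aws/credentials stays root-only.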
