1 answer
If I understand your question correctly, you need some local users on your EC2 instance and you need some solution so that, e.g., IAM users or federated users can access the instance with their own local user.
Here is the documentation on how to enable this with Linux instances: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-preferences-run-as.html
There is also a blog post which describes a solution to provide access for AD users: https://aws.amazon.com/blogs/mt/configuring-aws-systems-manager-session-manager-support-federated-users-using-session-tags/
Answered 1 year ago
Thank you for sharing the details. But I am trying to:
First of all, ec2-user is not used at all by SSM. By default it has its own user, i.e. ssm-user. The blog describes the following solution:
1. Corporate user browses to the ADFS portal sign-in page and provides Active Directory authentication credentials.
2. The IdP authenticates the user and returns a SAML assertion that includes the PrincipalTag:SSMSessionRunAs=username.
3. Client posts the assertion to the AWS SAML endpoint.
4. The endpoint validates the assertion with an AWS STS endpoint and requests temporary security credentials on behalf of the user.
5. Temporary credentials are returned using AWS STS AssumeRoleWithSAML. The session will be tagged with PrincipalTag:SSMSessionRunAs.
6. The endpoint sends the sign-in URL back to the client as a redirect.
7. The client browser is redirected to the AWS Management Console.
8. The client accesses the AWS Systems Manager console and starts the Session Manager session for a Linux instance.
9. Session Manager starts the session using the user name specified for the SSMSessionRunAs tag for the federated session.
10. Session starts in the given AD user context and a browser-based shell opens in a new tab.
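As an added configuration example (not from the answer, the asker, the linked blog or AWS's own documentation): a trust policy for the SAML role in the flow above, constructed here, which lets the IdP federate via sts:AssumeRoleWithSAML and pass only the SSMSessionRunAs session tag that Session Manager reads to pick the local user, and rejects a tag value of root; the account ID and provider name are placeholders. Run-as support must separately be turned on in the SSM-SessionManagerRunShell session preferences (runAsEnabled), which the linked Systems Manager page covers.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSamlFederation",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:saml-provider/PLACEHOLDER-ADFS"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    },
    {
      "Sid": "AllowOnlyTheRunAsSessionTag",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:saml-provider/PLACEHOLDER-ADFS"
      },
      "Action": "sts:TagSession",
      "Condition": {
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["SSMSessionRunAs"]
        },
        "StringLike": {
          "aws:RequestTag/SSMSessionRunAs": "*"
        },
        "StringNotEquals": {
          "aws:RequestTag/SSMSessionRunAs": "root"
        }
      }
    }
  ]
}
```

The local user named in the tag still has to exist on the instance, otherwise the session does not start.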