how can I changed to ec2-user automatically when I access aws linux ec2 via Session Manager

Question

Hello All,

I have a solution to allow customers to access ec2 linux instance via Session manager, but after login, the user is ssm-user,  Is there any way to changed to ec2-user automatically. That means customers do not need to change to ec2-user manaually?

Thanks,
Mingtong

Accepted Answer

Hello,

When you run `aws ssm start-session` without specifying a document name, SSM will use a default document called `SSM-SessionManagerRunShell`that is owned by you.

If you check the session document schema in AWS doc [Session document schema](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-schema.html) You will see two properties that can help you change the user you connect as : `runAsEnabled` and `runAsDefaultUser`.

If you go back to the definition of the default session document `SSM-SessionManagerRunShell` you will see that it is defined as follows:

```
{
  "schemaVersion": "1.0",
  "description": "Document to hold regional settings for Session Manager",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "",
    "s3KeyPrefix": "",
    "s3EncryptionEnabled": true,
    "cloudWatchLogGroupName": "",
    "cloudWatchEncryptionEnabled": true,
    "idleSessionTimeout": "20",
    "maxSessionDuration": "",
    "cloudWatchStreamingEnabled": true,
    "kmsKeyId": "",
    "runAsEnabled": false,
    "runAsDefaultUser": "",
    "shellProfile": {
      "windows": "",
      "linux": ""
    }
  }
}
```

What you can do to connect as a different user is to use one of the following:

* **Create a new document to connect with:**

Create a new document called for example `SSM-SessionManagerRunShellAsEc2User` and in its definition you set `runAsEnabled` to `true` and you put the user name in the field `runAsDefaultUser`

```
{
  "schemaVersion": "1.0",
  "description": "Document to hold regional settings for Session Manager",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "",
    "s3KeyPrefix": "",
    "s3EncryptionEnabled": true,
    "cloudWatchLogGroupName": "",
    "cloudWatchEncryptionEnabled": true,
    "cloudWatchStreamingEnabled": true,
    "idleSessionTimeout": "20",
    "maxSessionDuration": "",
    "kmsKeyId": "",
    "runAsEnabled": true,
    "runAsDefaultUser": "ec2-user",
    "shellProfile": {
      "windows": "",
      "linux": ""
    }
  }
}
```
then you can connect to your instance using this document  `SSM-SessionManagerRunShellAsEc2User` instead of the default one  `SSM-SessionManagerRunShell` by specifying the document name in the command:

```
aws ssm start-session --document-name SSM-SessionManagerRunShellAsEc2USer --target INSTANCE_ID 
```

However you need to make sure that the user exists in the target.

*  **Change the run as user in Session Manager preferences**

In the Session Manager preferences you can override the default user like showed in the image bellow:

![Enter image description here](https://repost.aws/media/postImages/original/IMiNFJH3jRQGyaU_MSjTjqwA)

*  **Use Session Manager preferences and SSMSessionRunAs tag**

You can also use  "Enable Run As support for Linux instances." in  session manager preferences and use the tag `SSMSessionRunAs` to specify the user in IAM for users and roles as described here [Turn on run as support for Linux and macOS managed nodes](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-preferences-run-as.html)

References

https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-schema.html

https://docs.aws.amazon.com/systems-manager/latest/userguide/session-preferences-run-as.html

https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-sessiondocumentaccesscheck.html

how can I changed to ec2-user automatically when I access aws linux ec2 via Session Manager

関連するコンテンツ