Hello,
When you run aws ssm start-session without specifying a document name, SSM will use a default document called SSM-SessionManagerRunShell that is owned by you.
If you check the session document schema in the AWS doc Session document schema, you will see two properties that can help you change the user you connect as: runAsEnabled and runAsDefaultUser.
If you go back to the definition of the default session document SSM-SessionManagerRunShell, you will see that it is defined as follows:
```json
{
  "schemaVersion": "1.0",
  "description": "Document to hold regional settings for Session Manager",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "",
    "s3KeyPrefix": "",
    "s3EncryptionEnabled": true,
    "cloudWatchLogGroupName": "",
    "cloudWatchEncryptionEnabled": true,
    "idleSessionTimeout": "20",
    "maxSessionDuration": "",
    "cloudWatchStreamingEnabled": true,
    "kmsKeyId": "",
    "runAsEnabled": false,
    "runAsDefaultUser": "",
    "shellProfile": {
      "windows": "",
      "linux": ""
    }
  }
}
```
What you can do to connect as a different user is to use one of the following:
- Create a new document to connect with:
Create a new document called, for example, SSM-SessionManagerRunShellAsEc2User, and in its definition set runAsEnabled to true and put the user name in the field runAsDefaultUser:
```json
{
  "schemaVersion": "1.0",
  "description": "Document to hold regional settings for Session Manager",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "",
    "s3KeyPrefix": "",
    "s3EncryptionEnabled": true,
    "cloudWatchLogGroupName": "",
    "cloudWatchEncryptionEnabled": true,
    "cloudWatchStreamingEnabled": true,
    "idleSessionTimeout": "20",
    "maxSessionDuration": "",
    "kmsKeyId": "",
    "runAsEnabled": true,
    "runAsDefaultUser": "ec2-user",
    "shellProfile": {
      "windows": "",
      "linux": ""
    }
  }
}
```
Then you can connect to your instance using this document, SSM-SessionManagerRunShellAsEc2User, instead of the default one, SSM-SessionManagerRunShell, by specifying the document name in the command:
```shell
aws ssm start-session --document-name SSM-SessionManagerRunShellAsEc2User --target INSTANCE_ID
```
However, you need to make sure that the user exists in the target.
- Change the run-as user in Session Manager preferences
In the Session Manager preferences you can override the default user as shown in the image below:
- Use Session Manager preferences and the SSMSessionRunAs tag
You can also enable "Enable Run As support for Linux instances." in Session Manager preferences and use the tag SSMSessionRunAs to specify the user in IAM for users and roles, as described here: Turn on run as support for Linux and macOS managed nodes
References
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-schema.html
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-preferences-run-as.html
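The first option above (deriving a run-as document from the default one) as an added example, not code from the answer or from AWS: it copies the default document, sets runAsEnabled and runAsDefaultUser, flags the settings a reviewer would reject before publishing, and emits the two aws CLI calls. The checks in check_session_document and the root warning are this example's own assumptions; the document content is a constructed copy of what the answer lists.

```python
"""Derive and sanity-check a Session Manager document that sets a run-as user."""
import copy

# Constructed copy of the default regional document's inputs, as the answer lists them.
DEFAULT_SESSION_DOC = {
    "schemaVersion": "1.0",
    "description": "Document to hold regional settings for Session Manager",
    "sessionType": "Standard_Stream",
    "inputs": {
        "s3BucketName": "", "s3KeyPrefix": "", "s3EncryptionEnabled": True,
        "cloudWatchLogGroupName": "", "cloudWatchEncryptionEnabled": True,
        "idleSessionTimeout": "20", "maxSessionDuration": "",
        "cloudWatchStreamingEnabled": True, "kmsKeyId": "",
        "runAsEnabled": False, "runAsDefaultUser": "",
        "shellProfile": {"windows": "", "linux": ""},
    },
}

def make_run_as_document(user: str, base: dict = DEFAULT_SESSION_DOC) -> dict:
    """Return a copy of `base` whose sessions run as `user` instead of ssm-user."""
    if not user or any(c.isspace() for c in user):
        raise ValueError("runAsDefaultUser must be one non-empty OS user name")
    doc = copy.deepcopy(base)  # never mutate the shared default
    doc["inputs"]["runAsEnabled"] = True
    doc["inputs"]["runAsDefaultUser"] = user
    return doc

def check_session_document(doc: dict) -> list:
    """Problems to fix before publishing; whether the user exists on the target
    (the answer's caveat) cannot be checked offline and is not covered here."""
    problems = []
    inputs = doc.get("inputs", {})
    if doc.get("sessionType") != "Standard_Stream":
        problems.append("sessionType must be Standard_Stream for a shell session")
    if inputs.get("runAsEnabled") is True and not inputs.get("runAsDefaultUser"):
        problems.append("runAsEnabled is true but runAsDefaultUser is empty")
    if inputs.get("runAsDefaultUser") == "root":
        problems.append("runAsDefaultUser is root; prefer a least-privilege account")
    for key in ("s3EncryptionEnabled", "cloudWatchEncryptionEnabled"):
        if inputs.get(key) is not True:
            problems.append(f"{key} is not true; keep encryption on for session logs")
    return problems

def cli_commands(name: str, content_path: str, instance_id: str) -> list:
    """The aws CLI calls to publish the document and then open a session with it."""
    return [
        f"aws ssm create-document --name {name} --document-type Session "
        f"--document-format JSON --content file://{content_path}",
        f"aws ssm start-session --document-name {name} --target {instance_id}",
    ]
```

Write the dict from make_run_as_document to a JSON file (json.dump) and pass that path to cli_commands; the start-session call only succeeds once the user named in runAsDefaultUser exists on the instance.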