How can we run Signed Powershell SSM Documents when ExecutionPolicy is set to AllSigned

0

Hi

I'm currently experiencing a bit of a road block with using SSM Documents using PowerShell.

  • We define the policy through a GPO on the user/computer level.
  • We have a CA which we use for code signing; we sign our PowerShell scripts before they are allowed to run.
  • The publisher code signing cert has been trusted.

When I've tried to create a PowerShell document using AWS SSM Document Manager, I have included the signature block in JSON, which will end up as a file in `C:\ProgramData\Amazon\SSM\InstanceData\i-xyzxyzxyzxyz\document\orchestration\{run-command-id}\StepName_script.ps1`

I then get a message that the Run Command has failed with the message:

```
_script.ps1 is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies
```

I've manually confirmed this file is identical to the script I initially wrote (before it became JSON and then a PS1 script), and I have diffed the two files. Diff claims the files are identical (!), but I still can't run it without getting that message.

I've also tried running from an S3 bucket, but a _script file is still generated, which in that case would not be signed.

It seems the only way I'm able to run signed PowerShell scripts at the moment is by running them on the system in a remote desktop session and using a locally saved version.

Has anyone ever tried to accomplish this? Any success? I can't run any existing AWS Documents without signing them either.

asked 2 years ago · 760 views
1 Answer
0
Accepted answer

Found a solution (well, the CIO did, good on him). The diff tools I was using sucked.

We tried WinMerge and made a JSON file from scratch, but instead of using

```json
[ " write-host STUFF", " write-host "MORESTUFF", " ### SIGNATURE BLOCK STUFF ### ", "" ]
```

I used `\r\n` for CRLFs and `\"` in place of `"`:

```json
"runCommand": [
          "",
          "Write-Host Test\r\nWrite-Host Line2\r\nWrite-Host Line3\r\n",
          "\r\n# SIG # Begin signature block\r\n# ABCDEFGHJIKLMNOPQRSTUVWXYZ\r\n# etc etc"
]
```

Don't forget to place your certificate in TrustedPublishers as well, otherwise you'll get an error like:

```
AuthorizationManager check failed.
  • CategoryInfo : SecurityError: (:) [], ParentContainsErrorRecordException
  • FullyQualifiedErrorId : UnauthorizedAccess
failed to run commands: exit status 1
```
answered 2 years ago
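The point behind the accepted answer is that the bytes Authenticode hashed must survive the trip through JSON: the original per-line list silently dropped the CRLFs and quotes the signature covers. The following Python is an added example (not code from the post or from AWS) that keeps the signed script as one JSON-escaped `runCommand` entry, checks the round trip is byte-identical, and shows why the naive per-line split fails; the script text and signature lines are constructed placeholders, and it assumes the agent writes the entries back out joined by newlines.

```python
import json

# Constructed sample of a signed script; the signature lines are placeholders,
# not a real Authenticode block. Note the CRLF line endings and the embedded quotes.
SIGNED_PS1 = (
    "Write-Host Test\r\n"
    "Write-Host \"Line2\"\r\n"
    "\r\n"
    "# SIG # Begin signature block\r\n"
    "# MIIFPLACEHOLDERSIGNATUREDATA\r\n"
    "# SIG # End signature block\r\n"
)


def build_ssm_document(script_text: str, step_name: str = "RunSignedScript") -> str:
    """Wrap a signed PowerShell script in an SSM Command document (schema 2.2).

    The whole script goes into a single runCommand element, so json.dumps
    escapes CRLF as \\r\\n and quotes as \\" and nothing the signature
    covers is altered on the way to StepName_script.ps1.
    """
    doc = {
        "schemaVersion": "2.2",
        "description": "Run a code-signed PowerShell script under AllSigned",
        "mainSteps": [
            {
                "action": "aws:runPowerShellScript",
                "name": step_name,
                "inputs": {"runCommand": [script_text]},
            }
        ],
    }
    return json.dumps(doc, indent=2)


def extract_script(document_json: str) -> str:
    """Recover the script text the agent would write from the document JSON."""
    doc = json.loads(document_json)
    return "".join(doc["mainSteps"][0]["inputs"]["runCommand"])


def round_trips(script_text: str) -> bool:
    """True when the signed bytes come back unchanged from the JSON document."""
    return extract_script(build_ssm_document(script_text)) == script_text


def naive_split_loses_crlf(script_text: str) -> bool:
    """Emulates the first attempt: one entry per line, CRLFs stripped, rejoined
    with LF (assumed agent behaviour). Any difference breaks the signature hash."""
    rejoined = "\n".join(script_text.split("\r\n"))
    return rejoined != script_text
```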
