By using AWS re:Post, you agree to the Terms of Use
AWS re:Postre:Post
/AWS SSO on Amazon Linux/

AWS SSO on Amazon Linux

0

Hi,

We are planning to use AWS SSO as main method to access EC2 instances with the use of the SSO attribute: SSMSessionRunAs = ${path:userName} and the AWS SSO username identical to the username in /etc/passwd on the Amazon Linux instance. I've read documentation about AWS SSO but don't see anything about this use case. We confirm that it works but also, is this supported?

Thanks in advance,

  • Joe
Topics
Security Identity & ComplianceComputeManagement & Governance
Tags
AWS Identity and Access ManagementHigh Performance ComputeAWS Directory ServiceAWS Command Line InterfaceAWS Account Management
JoeSomontan
asked 3 months ago43 views
1 Answers
0

Hi Joe,

I have done some research into this and did come across the following blog post1 which goes through the steps to set this up. The steps may be slightly different depending on Identity Provider you are using with AWS SSO(When testing this I was using the Default SSO Directory, the blog post shows the same set up with OKTA as an Identity Provider).

The one thing I would like to point out is the solution in the blog does not add the users to the /etc/passwd file, it instead creates a user on the instance with the same username as that attribute you have mapped to SSMSessionRunAs in AWS SSO. When the user logs into the instance via instance connect, they will log in as the user that you created on the ec2 instance.

I did manage to get this working in my test environment so if you have any questions please feel free to let me know.

[1] Configure AWS SSO ABAC for EC2 instances and Systems Manager Session Manager - https://aws.amazon.com/blogs/security/configure-aws-sso-abac-for-ec2-instances-and-systems-manager-session-manager/

SUPPORT ENGINEER
Michael_H
answered 3 months ago
  • JoeSomontan 3 months ago

    Cool! Thanks Michael! We do have that working in our environment as well. So to confirm, this is ok to do right? i.e. AWS supports this kind of configuration. The use of mapping users on an EC2 instance using local files(not an external directory) with AWS SSO.

  • Michael_H SUPPORT ENGINEER3 months ago

    That is correct, this is supported and will work as long as the SAML Attribute for SSMSessionRunAs matches the username of the user you created on the Linux Instance.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant questions