Hi Joe,
I have done some research into this and did come across the following blog post[1] which goes through the steps to set this up. The steps may be slightly different depending on Identity Provider you are using with AWS SSO(When testing this I was using the Default SSO Directory, the blog post shows the same set up with OKTA as an Identity Provider).
The one thing I would like to point out is the solution in the blog does not add the users to the /etc/passwd file, it instead creates a user on the instance with the same username as that attribute you have mapped to SSMSessionRunAs in AWS SSO. When the user logs into the instance via instance connect, they will log in as the user that you created on the ec2 instance.
I did manage to get this working in my test environment so if you have any questions please feel free to let me know.
[1] Configure AWS SSO ABAC for EC2 instances and Systems Manager Session Manager - https://aws.amazon.com/blogs/security/configure-aws-sso-abac-for-ec2-instances-and-systems-manager-session-manager/
Relevant questions
AWS SSO Access for Linux?
asked 8 months agoUsing Terraform with AWS SSO accounts
asked 2 months agoboto3 "logging" into the AWS SSO
Accepted Answerasked 8 months agoAWS SSO IDp For OpenSearch
asked 2 months agoAWS SSO EC2 RDP
asked 5 months agoAWS SSO ForbiddenException
asked 5 months agoAWS SSO on Amazon Linux
asked 8 months agoAWS SSO - what OU/account to use?
asked 5 months agosend AWS SSO username as a attribute in SAML assertion
asked 2 years agoAWS SSO with Amazon Managed Grafana not working (redirection to NULL)
asked 9 months ago
Cool! Thanks Michael! We do have that working in our environment as well. So to confirm, this is ok to do right? i.e. AWS supports this kind of configuration. The use of mapping users on an EC2 instance using local files(not an external directory) with AWS SSO.
That is correct, this is supported and will work as long as the SAML Attribute for SSMSessionRunAs matches the username of the user you created on the Linux Instance.