AWS SSO on Amazon Linux
Hi,
We are planning to use AWS SSO as the main method to access EC2 instances, using the SSO attribute SSMSessionRunAs = ${path:userName} and an AWS SSO username identical to the username in /etc/passwd on the Amazon Linux instance. I've read the AWS SSO documentation but don't see anything about this use case. We have confirmed that it works, but is it also supported?
Thanks in advance,
- Joe
Hi Joe,
I have done some research into this and came across the following blog post [1], which goes through the steps to set this up. The steps may differ slightly depending on the identity provider you are using with AWS SSO (when testing this I was using the default SSO directory; the blog post shows the same setup with Okta as the identity provider).
The one thing I would like to point out is that the solution in the blog does not add the users to the /etc/passwd file; it instead creates a user on the instance with the same username as the attribute you have mapped to SSMSessionRunAs in AWS SSO. When the user logs into the instance via instance connect, they will log in as the user that you created on the EC2 instance.
I did manage to get this working in my test environment, so if you have any questions please feel free to let me know.
[1] Configure AWS SSO ABAC for EC2 instances and Systems Manager Session Manager - https://aws.amazon.com/blogs/security/configure-aws-sso-abac-for-ec2-instances-and-systems-manager-session-manager/
That is correct: this is supported and will work as long as the SAML attribute for SSMSessionRunAs matches the username of the user you created on the Linux instance.
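As an added example (not code from the original thread or from the linked AWS blog post), the check a practitioner would want before relying on SSMSessionRunAs = ${path:userName}: confirm on the instance that each SSO username that will be passed through is a valid Linux username and has a usable local account. The script assumes that a Session Manager session whose run-as user is missing on the instance fails to start, and that an account with a nologin/false shell is likewise unusable for an interactive session. The sample /etc/passwd content, the usernames (joe, alice, Joe.Smith, svc-backup) and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread or the AWS blog post.
# Verifies that SSO usernames mapped to SSMSessionRunAs have matching,
# interactive local accounts on the instance.

# sample_passwd: constructed /etc/passwd content for offline testing (not real data)
sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
ec2-user:x:1000:1000:EC2 Default User:/home/ec2-user:/bin/bash
joe:x:1001:1001:Joe (AWS SSO):/home/joe:/bin/bash
svc-backup:x:1002:1002:backup service:/var/lib/backup:/sbin/nologin
EOF
}

# valid_runas_name NAME: 0 if NAME is a portable Linux username
# (lowercase letter or underscore first, then [a-z0-9_-], at most 32 chars).
# An SSO username such as "Joe.Smith" would fail here even if SSO passes it through.
valid_runas_name() {
  printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# runas_shell NAME FILE: prints the login shell of NAME from passwd file FILE
# (prints nothing when the account does not exist)
runas_shell() {
  awk -F: -v u="$1" '$1 == u { print $7; exit }' "$2"
}

# check_runas_user NAME [FILE]: 0 ok, 1 invalid name, 2 no account, 3 non-interactive shell
check_runas_user() {
  name=$1
  passwd=${2:-/etc/passwd}
  valid_runas_name "$name" || return 1
  shell=$(runas_shell "$name" "$passwd")
  [ -n "$shell" ] || return 2
  case "$shell" in
    */nologin|*/false) return 3 ;;
  esac
  return 0
}

# create_runas_user NAME: provisioning step, run as root on the instance.
# Creates the account the SSO user will land in if it does not already exist.
create_runas_user() {
  valid_runas_name "$1" || return 1
  id "$1" >/dev/null 2>&1 || useradd -m -s /bin/bash "$1"
}

# audit_runas_users FILE NAME...: report each name; return value is the number of failures
audit_runas_users() {
  passwd=$1
  shift
  failures=0
  for n in "$@"; do
    rc=0
    check_runas_user "$n" "$passwd" || rc=$?
    case $rc in
      0) echo "OK       $n" ;;
      1) echo "BADNAME  $n (SSO username is not a valid Linux username)" ;;
      2) echo "MISSING  $n (create the account or the session will not start)" ;;
      3) echo "NOSHELL  $n (run-as user needs an interactive shell)" ;;
    esac
    [ "$rc" -eq 0 ] || failures=$((failures + 1))
  done
  return $failures
}

# Demo against the constructed passwd file: sh runas-check.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  sample_passwd > "$tmp"
  audit_runas_users "$tmp" joe ec2-user Joe.Smith alice svc-backup
  rm -f "$tmp"
fi
```

On a real instance, call check_runas_user with only the username so it reads /etc/passwd, and run audit_runas_users with the list of SSO usernames you expect to be passed through; any BADNAME result means the SSO username itself has to change (or a different attribute has to be mapped), since the instance-side account cannot carry that name.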
Cool! Thanks Michael! We do have that working in our environment as well. So to confirm, this is OK to do, right? i.e. AWS supports this kind of configuration: mapping users on an EC2 instance using local files (not an external directory) with AWS SSO.