Was trying to start a session[terminal] via ssm on an instance in another account. using command "aws ssm start-session --target i-yyyaf4692d801d1xx --region ap-south-1" but it was failing with response as Target is not connected. - we get this response when the instance is usually not found in the inventory of Systems Manager. which i can't add, as the instance is in another account Also - my user has appropriate permissions have verified it through IAM Simulator - it seems instance IDs are unique and associated to one account only. - the instance is accessible by local users in that account. END Goal: I wish to use users created in Account A to be able to start sessions on instances on Account B. both part of same organization.

cross account ssm start session

Was trying to start a session[terminal] via ssm on an instance in another account. using command "aws ssm start-session --target i-yyyaf4692d801d1xx --region ap-south-1" but it was failing with response as Target is not connected.

we get this response when the instance is usually not found in the inventory of Systems Manager. which i can't add, as the instance is in another account

Also

my user has appropriate permissions have verified it through IAM Simulator
it seems instance IDs are unique and associated to one account only.
the instance is accessible by local users in that account.

END Goal: I wish to use users created in Account A to be able to start sessions on instances on Account B. both part of same organization.

Topics

Management & Governance Security, Identity, & Compliance

Tags

AWS Systems Manager AWS IAM Identity Center AWS Account Management

Language

English

Surya Adapa

asked a year ago1174 views

2 Answers

Newest
Most votes
Most comments

Session Manager does not support cross-account access. You're correct that instances are associated with just one account (generally for EC2 instances the account they're running in). You will need to assume a Role in account B (for example, from your user/role in account A) before starting the session.

EXPERT

James_S

answered a year ago

Surya Adapa
a year ago
Thanks James. This addresses my concern.

However, is there any other way how we can define the Assume Role option. As far as i know, through CLI we need to fetch the sts credentials to temporarily assume the new role.

if we can make it seamless by just defining the same in say Account B's role's trusted identity section or something. I mean just wanted to know if there is some way where the user trying to establish the session just needs to mention the instance ID and they are done
James_S EXPERT
a year ago
There's a feature in AWS CLI (which also works for the SDKs) where you can specify in a profile that it should be automatically assumed from another profile. For example, you could create an "account-b" profile, which will automatically use "account-a" to assume it. Then you can just specify --profile account-b for your command. The configuration option is source_profile; see the docs here for more: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
James_S EXPERT
a year ago
Adding (having re-read your comment) that beyond the role assumption part, you would need some logic to find the right account for an instance ID, which could be possible with something like AWS Config Aggregator as you could query it (including via the CLI) for the account ID for a given instance, and then have a script select the correct profile based on that. Docs for Config Aggregator are here: https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html

The best way is using profiles on your CLI credentials file. Use --profile in aws command.

pinguinouy

answered a year ago

Relevant content

AWS CLI - SSM Start Session - Execute Commands on EC2 instance after starting Session Manager using PowerShell Script
Kamal
asked 2 months ago
Amazon SSM agent service not starting
auxjimk
asked 7 years ago
SSM Agent Won't Start
BanksAT
asked 3 years ago
Configure AWS Cross-account using SSM Command
Sam
asked a year ago
How do I use SSM Agent logs to troubleshoot issues with SSM Agent in my managed instance?
AWS OFFICIALUpdated a year ago
How do I install AWS Systems Manager Agent (SSM Agent) on an Amazon EC2 Windows instance at launch?
AWS OFFICIALUpdated a year ago
How do I install SSM Agent on an Amazon EC2 Linux instance at launch?
AWS OFFICIALUpdated a year ago
Why can't I start SSM Agent on my Amazon EC2 Windows instance?
AWS OFFICIALUpdated 6 months ago
A step-by-step guide to cross-account and cross-region events with EventBridge
EXPERT
Antonio_Lagrotteria
published a year ago
Access a private Amazon Redshift from a local machine via a private EC2 instance
EXPERT
Ziad
published 6 months ago