I have seen aws start-session (which is what scp is using under the hood) throw an AccessDeniedException with the reason "no identity-based policy allows the ssm:TerminateSession action" when the Session Manager Plugin has not been installed in the AWS CLI. I'm not sure that's your problem because you said the other user can already log in with SSM, but I thought this might help others searching for this error message.
Here's how to install it: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html
Edit: Noted that this probably doesn't solve the OP's problem.
Hi jonzen@,
With SSO, the credentials are federated as introduced here https://aws.amazon.com/identity/federation/. {aws:username} method does not work for federated identities; instead, {aws:userid} should be used. Please see the details here, under Example 3: https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-examples.html
Please let your customer try again after updating the policies.
Cheers,
Yuting
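The following is an added illustration, not part of the answer above and not AWS code: a simplified Python model of policy-variable resolution showing why a statement scoped with `${aws:username}` never matches a federated (SSO) caller, while a tag condition on `${aws:userid}` does. The account ID, principal IDs, session IDs and session tag values are constructed, and the two statement shapes are assumed to follow the linked Session Manager examples.

```python
import re
from fnmatch import fnmatchcase

VAR = re.compile(r"\$\{([^}]+)\}")

def resolve(template, ctx):
    """Expand ${key} policy variables; None if a key is absent from the request context."""
    if any(k not in ctx for k in VAR.findall(template)):
        return None
    return VAR.sub(lambda m: ctx[m.group(1)], template)

def matches(template, value, ctx):
    """True if the resolved template (with * wildcards) matches value."""
    pattern = resolve(template, ctx)
    return pattern is not None and fnmatchcase(value, pattern)

def allows_terminate(stmt, ctx, session):
    """Simplified model: does this Allow statement cover ssm:TerminateSession on session?"""
    if not matches(stmt["Resource"], session["arn"], ctx):
        return False
    for key, templates in stmt.get("Condition", {}).get("StringLike", {}).items():
        tag = key.split("ssm:resourceTag/", 1)[1]
        if not any(matches(t, session["tags"].get(tag, ""), ctx) for t in templates):
            return False
    return True

# Statement shapes (assumed to mirror the linked documentation examples).
BY_USERNAME = {"Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"}
BY_USERID = {"Resource": "*", "Condition": {"StringLike": {
    "ssm:resourceTag/aws:ssmmessages:session-id": ["${aws:userid}"]}}}

# Constructed request contexts: aws:username exists only for IAM users.
IAM_USER = {"aws:username": "jane", "aws:userid": "AIDAEXAMPLEUSERID"}
SSO_USER = {"aws:userid": "AROAEXAMPLEROLEID:jane@example.com"}

# Constructed sessions; the tag value format (role-id:session-name) is an assumption.
BASE = "arn:aws:ssm:us-east-1:111122223333:session/"
IAM_SESSION = {"arn": BASE + "jane-0123456789abcdef0", "tags": {}}
SSO_SESSION = {"arn": BASE + "jane@example.com-0fedcba9876543210",
               "tags": {"aws:ssmmessages:session-id": "AROAEXAMPLEROLEID:jane@example.com"}}
OTHER_SESSION = {"arn": BASE + "bob@example.com-0aaaabbbbccccdddd0",
                 "tags": {"aws:ssmmessages:session-id": "AROAEXAMPLEROLEID:bob@example.com"}}

if __name__ == "__main__":
    print("IAM user, username policy:", allows_terminate(BY_USERNAME, IAM_USER, IAM_SESSION))
    print("SSO user, username policy:", allows_terminate(BY_USERNAME, SSO_USER, SSO_SESSION))
    print("SSO user, userid policy:  ", allows_terminate(BY_USERID, SSO_USER, SSO_SESSION))
    print("SSO user, other's session:", allows_terminate(BY_USERID, SSO_USER, OTHER_SESSION))
```

In this model the userid-scoped statement still refuses a session tagged with a different principal, so the restriction to "sessions I started" is preserved for federated users.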
For me, it wasn't a security issue. I didn't have the session-manager plugin yet. Once I followed the steps outlined here, the authentication error went away. Leaving the IAM policy with {aws:username} worked for me.
Dude, after two days of struggle you saved my day. Like, I have not found such information on the whole internet. I gave access to all users to all roles :D Once installed, works like a charm. THANK YOU!
btw I had a problem accessing gamelift fleet