Error User cannot Terminate their own SSM Session when trying to use SCP.


We use AWS SSO to provide permissions for Session Manager access to systems. When trying to use Session Manager in conjunction with SCP, one of our users gets the following error:

$ scp -r -i ~/.ssh/example-key-singapore system1/ legerity@i-06a0c25qb665a08eb.ap-southeast-1:

An error occurred (AccessDeniedException) when calling the TerminateSession operation: User: arn:aws:sts::001292317441:assumed-role/AWSReservedSSO_Example_739d002d2774bna6/ is not authorized to perform: ssm:TerminateSession on resource: arn:aws:ssm:ap-southeast-1:001292317441:session/ because no identity-based policy allows the ssm:TerminateSession action
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
lost connection

The session that it says can't be terminated is actually one that is already terminated so I can't figure out how it is erroring or why. I cannot replicate this error when giving myself the same permissions. This same user can access the same system via SSM (SSH equivalent) fine. The permissions assigned to this user are:
"Effect": "Allow",
"Action": [
"Resource": [
"Effect": "Allow",
"Action": [
"Resource": [

This same command using the same permissions works fine for me. The command should work according to the config in .ssh, which is:
host i-*.* mi-*.*
    # %h is "<instance-id>.<region>.<profile>"; all three fields, including --profile, must be inside the bash -c string
    ProxyCommand bash -c "aws ssm start-session --target $(echo %h|cut -d'.' -f1) --region $(echo %h|/usr/bin/cut -d'.' -f2) --document-name AWS-StartSSHSession --parameters 'portNumber=%p' --profile $(echo %h|cut -d '.' -f3)"

Does anyone have any idea what might be happening?

Edited by: jonzen on Oct 29, 2021 3:38 AM

asked a year ago, 2257 views
3 Answers

I have seen aws start-session (which is what scp is using under the hood) throw an AccessDeniedException with the reason "no identity-based policy allows the ssm:TerminateSession action" when the Session Manager Plugin has not been installed in the AWS CLI. I'm not sure that's your problem because you said the other user can already login with SSM, but I thought this might help others searching for this error message.

Here's how to install it:

Edit: Noted that this probably doesn't solve the OP's problem.

answered a year ago

Hi jonzen,

With SSO, the credentials are federated, as introduced here. The {aws:username} method does not work for federated identities; instead, {aws:userid} should be used. Please see the details here, under Example 3:

Please let your customer try again after updating the policies.


answered a year ago
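To show why a Session Manager policy written with ${aws:username} grants nothing to an SSO (assumed-role) principal while ${aws:userid} does, here is a small added example; it is not the original poster's policy and not AWS code. It substitutes IAM policy variables from a constructed request context and matches the result against a session ARN the way IAM resolves a Resource element: a variable with no value in the request context makes the element unmatched, so the Allow statement never applies. The request contexts, account ID, role ID and session name are constructed for the example; the assumption that a session ARN begins with the principal's aws:username (IAM user) or aws:userid (federated principal) is marked in the code and should be checked against real session IDs in your account with aws ssm describe-sessions --state History.

```python
import re

# Constructed request contexts (not from the original post). An IAM user carries
# aws:username; a principal that assumed a role through AWS SSO does not, and its
# aws:userid has the form "<role unique id>:<role session name>".
IAM_USER_CTX = {"aws:username": "jonzen", "aws:userid": "AIDAEXAMPLEUSERID"}
SSO_ROLE_CTX = {"aws:userid": "AROAEXAMPLEROLEID:jonzen@example.com"}

POLICY_VAR = re.compile(r"\$\{([A-Za-z0-9:_-]+)\}")


def resolve_variables(pattern, ctx):
    """Substitute ${aws:...} policy variables from the request context.
    Returns None when a variable has no value in the context: IAM then treats
    the element containing it as unmatched, so the statement grants nothing."""
    missing = [m.group(1) for m in POLICY_VAR.finditer(pattern) if m.group(1) not in ctx]
    if missing:
        return None
    return POLICY_VAR.sub(lambda m: ctx[m.group(1)], pattern)


def arn_matches(pattern, value):
    """IAM-style wildcard match: * is any run of characters, ? a single character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def evaluate(statements, action, resource, ctx):
    """Minimal identity-policy evaluation: an explicit Deny wins, otherwise
    the request is allowed only if some Allow statement matches."""
    allowed = False
    for st in statements:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(arn_matches(a, action) for a in actions):
            continue
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for pat in resources:
            concrete = resolve_variables(pat, ctx)
            if concrete is None or not arn_matches(concrete, resource):
                continue
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def terminate_policy(variable):
    """The quickstart-style statement, parameterised on the policy variable used."""
    return [{
        "Effect": "Allow",
        "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
        "Resource": ["arn:aws:ssm:*:*:session/${" + variable + "}-*"],
    }]


def session_arn(ctx):
    """Constructed session ARN. ASSUMPTION: the session name starts with the
    principal's aws:username (IAM user) or aws:userid (federated principal);
    verify against `aws ssm describe-sessions --state History` in your account."""
    owner = ctx.get("aws:username", ctx["aws:userid"])
    return "arn:aws:ssm:ap-southeast-1:111122223333:session/" + owner + "-0a1b2c3d4e5f6a7b8"


def can_terminate(variable, ctx):
    """True if the policy built on `variable` lets this principal end its own session."""
    return evaluate(terminate_policy(variable), "ssm:TerminateSession", session_arn(ctx), ctx)


if __name__ == "__main__":
    for var in ("aws:username", "aws:userid"):
        for name, ctx in (("IAM user", IAM_USER_CTX), ("SSO role", SSO_ROLE_CTX)):
            print(f"{var:13} {name:9} -> {'ALLOW' if can_terminate(var, ctx) else 'DENY'}")
```

The SSO principal is denied under the ${aws:username} policy not because the ARN differs but because the variable is absent from its request context, which is exactly the "no identity-based policy allows" wording in the error above; with ${aws:userid} the Resource resolves and the Allow applies.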

For me, it wasn't a security issue. I didn't have the session-manager plugin yet. Once I followed the steps outlined here, the authentication error went away. Leaving the IAM policy with {aws:username} worked for me.

answered 7 months ago
