AWS SSM Hybrid Activation for Windows instances in Azure

0

Hi,

I have enabled AWS SSM hybrid activation for my Azure Windows instances.

The hybrid activation has an IAM role attached with some permissions like S3, etc.

The registration is successful and the Azure instance is also reflected in AWS SSM Fleet Manager.

But from the Windows instances, if I try to do

aws s3 ls

it gives

aws sts get-caller-identity
aws : At line:1 char:1
+ aws sts get-caller-identity
    + CategoryInfo : NotSpecified: (:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
<botocore.awsrequest.AWSRequest object at 0x0000020382F109D0>

But the Azure Linux instances are able to use the temporary creds generated by the IAM role attached to the hybrid activation. Any idea what I might be missing?

asked 7 months ago, 382 views
2 Answers
0

Which user do you use in the Windows instance? If you completed your activation process with Administrator (e.g., PowerShell in elevated mode), then the credential for the IAM role should only be available for the Administrator.

HS
answered 7 months ago
EXPERT
reviewed 7 months ago
  • I did the activation using the administrator mode, but even then, if I try

    aws s3 ls

    from PowerShell in administrator mode, it gives

    <botocore.awsrequest.AWSRequest object at 0x000001CD8BAF8AD0>

  • The aws s3 ls command without a --profile option will use the default profile by default. Can you check the credential and config files (e.g., C:\Users\Administrator\.aws\credentials, C:\Users\Administrator\.aws\config) and see which profile was installed by your activation script? If the profile was not default, you should use the command with the --profile option instead (e.g., aws s3 ls --profile profile_name).

0

Got it working. For some strange reason the .aws folder gets created in

C:\Windows\System32\config\systemprofile\.aws\credentials

so I have to pass

$env:AWS_SHARED_CREDENTIALS_FILE = "C:\Windows\System32\config\systemprofile\.aws\credentials"

then run

aws s3 ls --profile default --region <AWS_REGION>

answered 7 months ago
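
The location reported in the answer above is the profile directory of the SYSTEM account, which is the account the SSM Agent service runs as on Windows, so the AWS CLI started by an interactive user looks in a different home directory. As an added example (not code from the thread; the function name Get-AwsProfileMap is hypothetical, and a 64-bit elevated PowerShell session is assumed), this lists which profiles each candidate credentials file defines without printing any key material, then points only the current session at the file that has them:

```powershell
# Added example. Paths are the ones named in the thread; nothing here is AWS-provided code.
# Assumes 64-bit elevated PowerShell: a 32-bit process has System32 redirected to SysWOW64,
# and the systemprofile directory is not readable by standard users.
function Get-AwsProfileMap {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            [pscustomobject]@{ File = $p; Exists = $false; Profiles = @() }
            continue
        }
        # Read only the section headers such as [default]; never echo the keys themselves.
        $names = Select-String -LiteralPath $p -Pattern '^\s*\[(.+?)\]\s*$' |
            ForEach-Object { $_.Matches[0].Groups[1].Value }
        [pscustomobject]@{ File = $p; Exists = $true; Profiles = @($names) }
    }
}

$candidates = @(
    (Join-Path $env:USERPROFILE '.aws\credentials'),              # where the CLI looks by default
    'C:\Windows\System32\config\systemprofile\.aws\credentials'  # where the thread found it
)

$map = @(Get-AwsProfileMap -Path $candidates)
$map | Format-Table File, Exists, @{ n = 'Profiles'; e = { $_.Profiles -join ', ' } } -AutoSize

# Use the first file that actually defines a profile.
$use = $map | Where-Object { $_.Exists -and $_.Profiles.Count -gt 0 } | Select-Object -First 1
if (-not $use) {
    Write-Warning 'No shared credentials file with a profile was found in the checked paths.'
    return
}

# Session-scoped only: the variable disappears when this PowerShell window closes.
$env:AWS_SHARED_CREDENTIALS_FILE = $use.File
$profileName = if ($use.Profiles -contains 'default') { 'default' } else { $use.Profiles[0] }

# 'aws configure list' shows the credential source with the key masked, which confirms
# the CLI now resolves the profile from the shared credentials file.
aws configure list --profile $profileName
```

Setting the variable per session, rather than copying the file into a user profile, keeps the role's temporary credentials in the single location the agent rotates them in.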
