How can we run signed PowerShell SSM Documents when ExecutionPolicy is set to AllSigned

Hi

I'm currently experiencing a bit of a roadblock using SSM Documents with PowerShell.

  • We define the policy through a GPO at the user/computer level.
  • We have a CA which we use for code signing; we sign our PowerShell scripts before they are allowed to run.
  • The publisher code signing cert has been trusted.

When I've tried to create a PowerShell document using AWS SSM Document Manager, I have included the signature block in the JSON, which ends up as a file in C:\ProgramData\Amazon\SSM\InstanceData\i-xyzxyzxyzxyz\document\orchestration{run-command-id}\StepName_script.ps1

I then get a message that the Run Command has failed with the message "_script.ps1 is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies".

I've manually confirmed this file is identical to the script I initially wrote (before it became JSON and then a PS1 script), and I have diffed the two files. Diff claims the files are identical (!), but I still can't run it without getting that message.

I've also tried running from an S3 bucket, but a _script file is still generated, which in that case would not be signed.

It seems the only way I'm able to run signed PowerShell scripts at the moment is by running them on the system in a Remote Desktop session, using a locally saved version.

Has anyone ever tried to accomplish this? Any success? I can't run any existing AWS documents without signing them either.

1 Answer
Accepted Answer

Found a solution (well, the CIO did, good on him). The diff tools I was using sucked.

We tried WinMerge and made a JSON file from scratch, but instead of using

```json
[ "write-host STUFF", "write-host MORESTUFF", "### SIGNATURE BLOCK STUFF ###", "" ]
```

I used \r\n for the CRLFs instead of separate "" array elements:

```json
"runCommand": [
    "",
    "Write-Host Test\r\nWrite-Host Line2\r\nWrite-Host Line3\r\n",
    "\r\n# SIG # Begin signature block\r\n# ABCDEFGHJIKLMNOPQRSTUVWXYZ\r\n# etc etc"
]
```

Don't forget to place your certificate in TrustedPublishers as well, otherwise you'll get an AuthorizationManager check failed error:

```
AuthorizationManager check failed.
    + CategoryInfo          : SecurityError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnauthorizedAccess
failed to run commands: exit status 1
```
answered 2 years ago
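The accepted answer's fix, packaging the whole signed script as a single runCommand string so the CRLFs survive as \r\n, can be automated and checked before the document is ever pushed to SSM. The following PowerShell script is an added example and not code from the original question or answer. It assumes placeholder paths (C:\Scripts\signed.ps1, C:\Scripts\signed-document.json), a schemaVersion 2.2 Command document with a single aws:runPowerShellScript step, a script that was signed with Set-AuthenticodeSignature and saved with CRLF line endings, and that SSM writes the runCommand content to the _script.ps1 file verbatim. It also checks the answer's second point, that the signer must be in the TrustedPublisher store on the target host.

```powershell
# Added example; not code from the original question or answer.
# Packages an Authenticode-signed .ps1 into an SSM Command document as ONE
# runCommand string (so the CRLFs survive JSON encoding, as the accepted answer
# describes), then round-trips the script out of the JSON and re-verifies it.
# Assumptions: paths are placeholders; the script was signed with
# Set-AuthenticodeSignature and saved with CRLF line endings; SSM writes the
# runCommand content to _script.ps1 verbatim.
param(
    [string]$SignedScript = 'C:\Scripts\signed.ps1',
    [string]$OutDocument  = 'C:\Scripts\signed-document.json'
)

# 1. The file must verify where it was signed, or nothing downstream can.
$sig = Get-AuthenticodeSignature -FilePath $SignedScript
if ($sig.Status -ne 'Valid') {
    throw "Refusing to package ${SignedScript}: signature status is $($sig.Status)"
}

# 2. AllSigned also requires the signer to be in TrustedPublisher on the target.
#    Checking the local machine store here mirrors the answer's second point.
$thumb   = $sig.SignerCertificate.Thumbprint
$trusted = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $thumb }
if (-not $trusted) {
    Write-Warning "Signer $thumb is not in Cert:\LocalMachine\TrustedPublisher; expect 'AuthorizationManager check failed' on hosts like this one."
}

# 3. Read the script as ONE string. Without -Raw, Get-Content splits on line
#    endings and the exact CRLF sequences that were hashed are lost, which is
#    the failure the question describes (a diff that ignores line endings
#    will still report the files as identical).
$body = Get-Content -LiteralPath $SignedScript -Raw

# 4. Build the document. ConvertTo-Json escapes CR/LF as \r\n inside the
#    string, which is the hand-written form in the accepted answer.
$doc = [ordered]@{
    schemaVersion = '2.2'
    description   = 'Run an Authenticode-signed PowerShell script under AllSigned'
    mainSteps     = @(
        [ordered]@{
            action = 'aws:runPowerShellScript'
            name   = 'runSignedScript'
            inputs = [ordered]@{ runCommand = @($body) }
        }
    )
}
$json = $doc | ConvertTo-Json -Depth 10
# UTF-8 without BOM so the JSON can be fed straight to aws ssm create-document.
[System.IO.File]::WriteAllText($OutDocument, $json, (New-Object System.Text.UTF8Encoding($false)))

# 5. Round trip: pull the script back out of the JSON, write it to disk the way
#    SSM would, and verify it again. If this is Valid, the bytes survived the
#    JSON hop intact and the agent-generated _script.ps1 should verify too.
$step   = (Get-Content -LiteralPath $OutDocument -Raw | ConvertFrom-Json).mainSteps[0]
$script = [string]($step.inputs.runCommand | Select-Object -First 1)
$tmp    = Join-Path $env:TEMP 'roundtrip_script.ps1'
[System.IO.File]::WriteAllText($tmp, $script, [System.Text.Encoding]::UTF8)

$check = Get-AuthenticodeSignature -FilePath $tmp
"Original: {0}  Round-trip: {1}" -f $sig.Status, $check.Status
if ($check.Status -ne 'Valid') {
    throw "Signature broke in transit: $($check.Status). Check for CRLF -> LF conversion or a dropped trailing newline."
}
```

Run it on the host that did the signing; the round-trip status tells you whether the JSON packaging is the problem before you spend a Run Command invocation finding out. If the round trip is Valid but the instance still reports "not digitally signed", compare the agent-written _script.ps1 with a byte-level diff (for example, `fc /b` or `Format-Hex`) rather than a text diff, since a text diff that normalizes line endings is exactly what hid the problem in the question.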
