How can I change to ec2-user automatically when I access an AWS Linux EC2 instance via Session Manager?

Hello All,

I have a solution that allows customers to access an EC2 Linux instance via Session Manager, but after login the user is ssm-user. Is there any way to change to ec2-user automatically, so that customers do not need to change to ec2-user manually?

Thanks, Mingtong

AWS
asked 2 years ago, 5062 views

1 Answer

Accepted Answer

Hello,

When you run aws ssm start-session without specifying a document name, SSM will use a default document called SSM-SessionManagerRunShell that is owned by you.

If you check the session document schema in the AWS doc Session document schema, you will see two properties that can help you change the user you connect as: runAsEnabled and runAsDefaultUser.

If you go back to the definition of the default session document SSM-SessionManagerRunShell you will see that it is defined as follows:

{
  "schemaVersion": "1.0",
  "description": "Document to hold regional settings for Session Manager",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "",
    "s3KeyPrefix": "",
    "s3EncryptionEnabled": true,
    "cloudWatchLogGroupName": "",
    "cloudWatchEncryptionEnabled": true,
    "idleSessionTimeout": "20",
    "maxSessionDuration": "",
    "cloudWatchStreamingEnabled": true,
    "kmsKeyId": "",
    "runAsEnabled": false,
    "runAsDefaultUser": "",
    "shellProfile": {
      "windows": "",
      "linux": ""
    }
  }
}

What you can do to connect as a different user is to use one of the following:

  • Create a new document to connect with:

Create a new document called, for example, SSM-SessionManagerRunShellAsEc2User, and in its definition set runAsEnabled to true and put the user name in the field runAsDefaultUser:

{
  "schemaVersion": "1.0",
  "description": "Document to hold regional settings for Session Manager",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "",
    "s3KeyPrefix": "",
    "s3EncryptionEnabled": true,
    "cloudWatchLogGroupName": "",
    "cloudWatchEncryptionEnabled": true,
    "cloudWatchStreamingEnabled": true,
    "idleSessionTimeout": "20",
    "maxSessionDuration": "",
    "kmsKeyId": "",
    "runAsEnabled": true,
    "runAsDefaultUser": "ec2-user",
    "shellProfile": {
      "windows": "",
      "linux": ""
    }
  }
}

Then you can connect to your instance using this document SSM-SessionManagerRunShellAsEc2User instead of the default one SSM-SessionManagerRunShell by specifying the document name in the command:

aws ssm start-session --document-name SSM-SessionManagerRunShellAsEc2User --target INSTANCE_ID

However, you need to make sure that the user exists on the target.

  • Change the run as user in Session Manager preferences

In the Session Manager preferences you can override the default user, as shown in the image below:

[Image: Session Manager preferences, run-as user override]

  • Use Session Manager preferences and SSMSessionRunAs tag

You can also turn on "Enable Run As support for Linux instances." in Session Manager preferences and use the tag SSMSessionRunAs on IAM users and roles to specify the user, as described here: Turn on run as support for Linux and macOS managed nodes

References

https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-schema.html

https://docs.aws.amazon.com/systems-manager/latest/userguide/session-preferences-run-as.html

https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-sessiondocumentaccesscheck.html

AWS
answered 2 years ago

Reviewed by kentrad (AWS EXPERT) 2 years ago
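As an added example (not from the answer above and not AWS code), a small Python script that derives the run-as session document from the default one shown in the answer, works out which OS user a session would start as, and preflights the caveat that the run-as user must exist on the target. The tag-over-default precedence in effective_user is an assumption taken from the AWS run-as documentation, and SAMPLE_PASSWD is a constructed /etc/passwd excerpt.

```python
import json

# Default SSM-SessionManagerRunShell document, trimmed to the fields this
# example touches (constructed subset of the answer's JSON, not fetched from AWS).
DEFAULT_DOC = {
    "schemaVersion": "1.0",
    "sessionType": "Standard_Stream",
    "inputs": {"idleSessionTimeout": "20", "runAsEnabled": False,
               "runAsDefaultUser": "", "shellProfile": {"windows": "", "linux": ""}},
}

def run_as_document(base, user):
    """Copy of `base` with run-as turned on for `user` (content for aws ssm create-document)."""
    doc = json.loads(json.dumps(base))  # deep copy, base left untouched
    doc["inputs"]["runAsEnabled"] = True
    doc["inputs"]["runAsDefaultUser"] = user
    return doc

def effective_user(doc, run_as_tag=None):
    """OS user the session starts as. Assumption (AWS run-as docs): with run-as
    enabled, an SSMSessionRunAs tag on the IAM principal wins over
    runAsDefaultUser; with run-as disabled the session is always ssm-user."""
    inputs = doc["inputs"]
    if not inputs.get("runAsEnabled"):
        return "ssm-user"
    return run_as_tag or inputs.get("runAsDefaultUser") or None

def preflight(doc, passwd_text, run_as_tag=None):
    """List problems that would stop a run-as session: no user configured, or
    a user missing from the target (passwd_text = the target's /etc/passwd)."""
    user = effective_user(doc, run_as_tag)
    if user is None:
        return ["runAsEnabled is true but no run-as user is configured"]
    local_users = {line.split(":", 1)[0] for line in passwd_text.splitlines()
                   if line and not line.startswith("#")}
    if user not in local_users:
        return [f"run-as user {user!r} does not exist on the target"]
    return []

# Constructed /etc/passwd excerpt of an Amazon Linux target.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "ssm-user:x:1001:1001::/home/ssm-user:/bin/bash\n"
                 "ec2-user:x:1000:1000::/home/ec2-user:/bin/bash\n")

if __name__ == "__main__":
    doc = run_as_document(DEFAULT_DOC, "ec2-user")
    print(json.dumps(doc, indent=2))      # paste into --content for create-document
    print(preflight(doc, SAMPLE_PASSWD))  # []
```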
