Error User cannot Terminate their own SSM Session when trying to use SCP.

0

We use AWS SSO to provide permissions for Session Manager access to systems. When trying to use Session Manager in conjunction with SCP, one of our users is getting the following error:

$ scp -r -i ~/.ssh/example-key-singapore system1/startsystem.sh legerity@i-06a0c25qb665a08eb.ap-southeast-1:

An error occurred (AccessDeniedException) when calling the TerminateSession operation: User: arn:aws:sts::001292317441:assumed-role/AWSReservedSSO_Example_739d002d2774bna6/john.doe@companyname.com is not authorized to perform: ssm:TerminateSession on resource: arn:aws:ssm:ap-southeast-1:001292317441:session/john.doe@companyname.com-08fce585f53bab614 because no identity-based policy allows the ssm:TerminateSession action
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
lost connection

The session that it says can't be terminated is actually one that is already terminated so I can't figure out how it is erroring or why. I cannot replicate this error when giving myself the same permissions. This same user can access the same system via SSM (SSH equivalent) fine. The permissions assigned to this user are:
{
    "Effect": "Allow",
    "Action": [
        "ssm:StartSession"
    ],
    "Resource": [
        "arn:aws:ec2:*:001292317441:instance/*",
        "arn:aws:ec2:*:053586226857:instance/*",
        "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
    ]
},
{
    "Effect": "Allow",
    "Action": [
        "ssm:TerminateSession",
        "ssm:ResumeSession"
    ],
    "Resource": [
        "arn:aws:ssm:*:*:session/${aws:username}-*"
    ]
}

This same command using the same permissions works fine for me. The command should work according to the config in .ssh, which is:
# %h is <instance-id>.<region>.<profile>; --profile must sit inside the quoted command so that aws, not bash, receives it
host i-* mi-*
    ProxyCommand bash -c "aws ssm start-session --target $(echo %h|cut -d'.' -f1) --region $(echo %h|/usr/bin/cut -d'.' -f2) --document-name AWS-StartSSHSession --parameters 'portNumber=%p' --profile $(echo %h|cut -d '.' -f3)"

Does anyone have any idea what might be happening?

Edited by: jonzen on Oct 29, 2021 3:38 AM

Edited by: jonzen on Oct 29, 2021 3:39 AM

jonzen
Asked 2 years ago, 5981 views
3 answers
1

I have seen aws start-session (which is what scp is using under the hood) throw an AccessDeniedException with the reason "no identity-based policy allows the ssm:TerminateSession action" when the Session Manager Plugin has not been installed in the AWS CLI. I'm not sure that's your problem because you said the other user can already login with SSM, but I thought this might help others searching for this error message.

Here's how to install it: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html

Edit: Noted that this probably doesn't solve the OP's problem.

Answered 2 years ago
  • Dude, after two days of struggle you saved my day. Like, I have not found such information on the whole internet. I gave access to all users to all roles :D Once installed, works like a charm. THANK YOU!

    btw I had a problem accessing gamelift fleet

0

Hi jonzen@,

With SSO, the credentials are federated as introduced here https://aws.amazon.com/identity/federation/. The {aws:username} method does not work for federated identities; instead, {aws:userid} should be used. Please see the details here, under Example 3: https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-examples.html

Please let your customer try again after updating the policies.

Cheers,
Yuting

AWS
Answered 2 years ago
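A small policy check, added here as an example and not code from the question, the answer above or AWS: it walks an IAM policy document, flags any Resource ARN that depends on ${aws:username} (which is not populated for federated SSO principals, so the session ARN never matches and TerminateSession is denied), and produces a copy rewritten to ${aws:userid} as the answer recommends. The sample policy is the question's fragment reconstructed and wrapped in a full policy document.

```python
import copy
import json
import re

# Constructed sample: the question's policy statements wrapped in a policy document.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ssm:StartSession"],
            "Resource": [
                "arn:aws:ec2:*:001292317441:instance/*",
                "arn:aws:ssm:*:*:document/AWS-StartSSHSession",
            ],
        },
        {
            "Effect": "Allow",
            "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
            "Resource": ["arn:aws:ssm:*:*:session/${aws:username}-*"],
        },
    ],
}

USERNAME_VAR = re.compile(r"\$\{aws:username\}")


def _resources(stmt):
    """Resource may be a single string or a list; always return a list."""
    res = stmt.get("Resource", [])
    return [res] if isinstance(res, str) else list(res)


def find_username_refs(policy):
    """Return (statement_index, resource) pairs whose Resource uses ${aws:username}.
    For an assumed role / SSO principal that variable is unset, so the ARN pattern
    matches nothing and the statement grants nothing."""
    return [(i, r) for i, s in enumerate(policy.get("Statement", []))
            for r in _resources(s) if USERNAME_VAR.search(r)]


def rewrite_for_federated(policy):
    """Return a deep copy with ${aws:username} replaced by ${aws:userid}."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed.get("Statement", []):
        stmt["Resource"] = [USERNAME_VAR.sub("${aws:userid}", r) for r in _resources(stmt)]
    return fixed


if __name__ == "__main__":
    for i, r in find_username_refs(SAMPLE_POLICY):
        print(f"Statement {i}: {r} relies on ${{aws:username}}; federated callers are denied")
    print(json.dumps(rewrite_for_federated(SAMPLE_POLICY), indent=2))
```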
0

For me, it wasn't a security issue. I didn't have the session-manager plugin yet. Once I followed the steps outlined here, the authentication error went away. Leaving the IAM policy with {aws:username} worked for me.

Answered 2 years ago
