aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

SSM Agent for hybrid Windows credential file restricted to local admins and SYSTEM user #490

Closed ezwillaws closed 1 year ago

ezwillaws commented 1 year ago

Using the temporary credentials of the SSM agent are an accepted use case - https://aws.amazon.com/premiumsupport/knowledge-center/cloudwatch-on-premises-temp-credentials/

However, in Windows, the credential file written by the SSM agent service, which is stored at C:\Windows\System32\config\systemprofile\.aws\credentials, is consistently created with read permissions only for the SYSTEM account and members of the local administrators group. There appears to be no way, with a default installation, for a service not run as SYSTEM to inherit these credentials. The permissions on the credentials file can be changed, but if the file is ever recreated, it does not respect (modified) inheritance permissions and is recreated with the default restricted permissions. This means that the only way to reliably consume the SSM credentials is with a service run as SYSTEM (or local admin).

This appears to be an oversight in how the credentials file is written. I can't determine any way around it. Is this behavior intended (and if so, why)?

sluggard76 commented 1 year ago

@ezwillaws This is by design. On the 3.2 agent, SSM agent will write the credentials it receives in the credential file with only Administrator permission. If you have a use case to use this particular credential for a non-Administrator user, you will need to provide credentials in another way or allow the non-Administrator user to access the file (if you prefer).
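The following PowerShell audit check is an added illustration of the behaviour discussed in this thread, not code from the amazon-ssm-agent project: it reads the ACL on the credentials file and reports whether any principal other than SYSTEM and the local Administrators group has been granted access. The file path comes from the issue; the exact principal names (NT AUTHORITY\SYSTEM, BUILTIN\Administrators) are an assumption about how the agent's default ACL appears on an English-locale system.

```powershell
# Audit the SSM Agent credentials file ACL on a hybrid Windows node.
# Added illustration; the expected principals are an assumption based on
# the issue text (SYSTEM and local Administrators only).
$credFile = 'C:\Windows\System32\config\systemprofile\.aws\credentials'

if (-not (Test-Path -LiteralPath $credFile)) {
    Write-Warning "Credentials file not found: $credFile (agent may not have registered yet)"
    return
}

$acl = Get-Acl -LiteralPath $credFile
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Any Allow ACE for a principal outside the expected set is drift from the
# agent's default (for example a service account added by hand, which the
# issue notes is lost when the agent recreates the file).
$unexpected = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($allowed -notcontains $_.IdentityReference.Value)
}

"Owner: $($acl.Owner)"
"Inheritance disabled: $($acl.AreAccessRulesProtected)"
$acl.Access | ForEach-Object {
    '{0,-35} {1,-6} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
}

if ($unexpected) {
    Write-Warning 'Credentials file is accessible to principals beyond SYSTEM/Administrators:'
    $unexpected | ForEach-Object { Write-Warning "  $($_.IdentityReference) : $($_.FileSystemRights)" }
} else {
    'OK: only SYSTEM and local Administrators have access, matching the agent default.'
}
```

Running this after a credential rotation shows whether a manually widened ACL survived or was reset to the default, which is the recreation behaviour the issue describes.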