aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

SSM Agent could use STS VPC Endpoint - Feature request #500

Closed rmsilva1973 closed 1 year ago

rmsilva1973 commented 1 year ago

For on-premises installations, the agent is able to use VPC Endpoints for SSM, MDS, MSGS, KMS and S3, but it requires a proxy only to be able to connect to the STS service. This way, corporate clients with a Direct Connect (or VPN) connection to AWS still have to go through their own outbound internet connection (and proxy).

The agent could be extended to support a VPC Endpoint for STS in the amazon-ssm-agent.json configuration file. Going through the code I could find that common/identity/credentialproviders/onpremprovider/role_provider.go is responsible for generating the credentials. However, I couldn't figure out how it connects to the STS service to generate new credentials.

vkacharaya commented 1 year ago

Hi @rmsilva1973, thanks for reaching out. SSM Agent does not call STS directly. Could you please elaborate more on your request?

rmsilva1973 commented 1 year ago

Hi @vkacharaya, thanks a lot for coming back on this. The diagnostic command (ssm-cli get-diagnostics) checks "AWS Credentials", and if I don't enable the proxy it fails with "STS call timed out". I assumed it somehow was trying to reach the STS endpoint.

I have a VPC Endpoint for STS on my AWS account. AWS support instructed me to add this line to /etc/hosts so I could use our direct connect connection and avoid going through our corporate proxy:

10.XXX.YYY.ZZZ sts.sa-east-1.amazonaws.com

where 10.XXX.YYY.ZZZ is the IP address for the STS VPC Endpoint. After doing that, the AWS Credentials test succeeds.
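
The /etc/hosts pinning described above is easy to get wrong by hand (duplicate lines, a stale IP left in place, or a public STS address pasted in by mistake, which defeats the point and silently breaks when AWS rotates public IPs). The script below is an added example, not code from the amazon-ssm-agent project or from anyone in this thread. It assumes a hypothetical helper named `ensure_hosts_entry` that writes the `IP hostname` line idempotently, a `resolve_from_hosts` lookup that reads the same file back, and an `is_private_ipv4` guard that refuses anything outside RFC 1918 space, since an interface VPC endpoint reached over Direct Connect or VPN always has a private address. The file path is a parameter so it can be tried on a scratch file before touching the real /etc/hosts.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not part of amazon-ssm-agent):
# pin a regional STS hostname to the private IP of an STS interface VPC
# endpoint in an /etc/hosts-style file, so a hybrid-activated agent on
# premises reaches STS over Direct Connect/VPN instead of a corporate proxy.

# is_private_ipv4 IP -> 0 if IP is in 10/8, 172.16/12 or 192.168/16.
# Interface VPC endpoints only ever get private addresses, so anything
# else is almost certainly a public STS IP that must not be pinned.
is_private_ipv4() {
    case $1 in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# ensure_hosts_entry FILE IP HOSTNAME
# Removes any existing non-comment line that maps HOSTNAME, then appends
# "IP HOSTNAME". Running it twice leaves exactly one line for HOSTNAME.
ensure_hosts_entry() {
    file=$1; ip=$2; host=$3
    if ! is_private_ipv4 "$ip"; then
        printf 'refusing to pin %s to non-private address %s\n' "$host" "$ip" >&2
        return 1
    fi
    tmp=$(mktemp)
    # Keep comments untouched; drop data lines where any name field is HOSTNAME.
    awk -v h="$host" '
        /^[[:space:]]*#/ { print; next }
        { keep = 1; for (i = 2; i <= NF; i++) if ($i == h) keep = 0; if (keep) print }
    ' "$file" > "$tmp"
    printf '%s %s\n' "$ip" "$host" >> "$tmp"
    # Overwrite in place (not mv) so the original file's inode, owner and
    # mode survive; that matters for /etc/hosts.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# resolve_from_hosts FILE HOSTNAME
# Prints the first IP mapped to HOSTNAME in FILE; returns 1 if absent.
resolve_from_hosts() {
    awk -v h="$2" '
        !/^[[:space:]]*#/ {
            for (i = 2; i <= NF; i++) if ($i == h) { print $1; found = 1; exit }
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# Typical use on a real host (run as root), then re-check credentials:
#   ensure_hosts_entry /etc/hosts 10.XXX.YYY.ZZZ sts.sa-east-1.amazonaws.com
#   ssm-cli get-diagnostics
```

Pinning a name in /etc/hosts is a per-host workaround; the equivalent that scales across an on-premises fleet is to have the corporate DNS conditionally forward the regional `sts.<region>.amazonaws.com` name to a Route 53 Resolver inbound endpoint in the VPC, so every host resolves the endpoint's private address without local edits.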

sluggard76 commented 1 year ago

We have created a feature request. Please note that we have a backlog of feature requests. We'll prioritize and work on those requests as they come in.