aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0
1.05k stars 323 forks

Misleading Error Message in case Session Manager Plugin is not installed. #514

Closed OK-Cactus closed 1 year ago

OK-Cactus commented 1 year ago

The Permission Set editage-developer-prod-access already has appropriate permissions for ssm:TerminateSession and other SSM actions necessary for starting an SSM session, but we still get an error message like the one below:

An error occurred (AccessDeniedException) when calling the TerminateSession operation: User: arn:aws:sts::738893429783:assumed-role/AWSReservedSSO_editage-developer-prod-access_0199cd46a537ce07/user is not authorized to perform: ssm:TerminateSession on resource: arn:aws:ssm:ap-southeast-1:738893429783:session/user-037a2e2586edc1ad4 because no identity-based policy allows the ssm:TerminateSession action

After debugging a bit more, it seems that the SSM plugin is not installed, and after installation the aws ssm start-session command works as expected.

Hence, please look into correcting the above error message.

yuting-fan commented 1 year ago

Hi @OK-Cactus ,

If the SSM plugin is not installed, there will not be an attempt to call either StartSession or TerminateSession. This error indicates there must be an attempt to call the TerminateSession API, which may or may not be from the user who attempts to start a session. In order to troubleshoot, I'd suggest you go to the CloudTrail console, check the TerminateSession event around that time, and see which identity called TerminateSession.

Hope this helps.

Regards, Yuting
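The CloudTrail check suggested in the reply above can also be run offline against exported CloudTrail log files. The following is an added example, not part of the original thread or the project's code; the sample records, account ID, role names and the `sessionId` request-parameter key are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

def _rec(time, name, arn, error=None):
    # Helper that builds one constructed CloudTrail-style record (hypothetical values).
    rec = {"eventTime": time, "eventSource": "ssm.amazonaws.com", "eventName": name,
           "userIdentity": {"type": "AssumedRole", "arn": arn},
           "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.x",
           "requestParameters": {"sessionId": "dev-user-0example"}}
    if error:
        rec["errorCode"] = error
    return rec

ROLE = "arn:aws:sts::111122223333:assumed-role/"  # constructed placeholder account
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2023-06-01T10:03:00Z", "StartSession", ROLE + "DevAccess/dev-user"),
    _rec("2023-06-01T10:04:00Z", "TerminateSession", ROLE + "DevAccess/dev-user", "AccessDenied"),
    _rec("2023-06-01T10:06:00Z", "TerminateSession", ROLE + "OpsAdmin/ops-user"),
    _rec("2023-06-01T12:00:00Z", "TerminateSession", ROLE + "OpsAdmin/ops-user"),
]})

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def terminate_session_callers(log_text, around, window_minutes=15):
    """Return TerminateSession calls within +/- window_minutes of `around`, oldest first."""
    centre, window = _parse(around), timedelta(minutes=window_minutes)
    hits = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "ssm.amazonaws.com":
            continue
        if rec.get("eventName") != "TerminateSession":
            continue
        if abs(_parse(rec["eventTime"]) - centre) > window:
            continue
        ident = rec.get("userIdentity") or {}
        hits.append({
            "time": rec["eventTime"],
            "caller": ident.get("arn") or ident.get("principalId", "unknown"),
            "session": (rec.get("requestParameters") or {}).get("sessionId"),
            "error": rec.get("errorCode"),  # None means the call was allowed
            "source_ip": rec.get("sourceIPAddress"),
            "user_agent": rec.get("userAgent"),
        })
    return sorted(hits, key=lambda h: h["time"])

if __name__ == "__main__":
    for h in terminate_session_callers(SAMPLE_LOG, "2023-06-01T10:05:00Z"):
        print(h["time"], h["caller"], h["error"] or "OK", h["user_agent"])
```

Comparing the `caller` and `user_agent` of the denied event with the identity that ran `aws ssm start-session` shows whether the failing TerminateSession call came from the same principal or from a different one.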