aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

ssm-user not created on Debian Bullseye #518

Closed dariosusman closed 1 year ago

dariosusman commented 1 year ago

After installing from https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb for the first time, the daemon starts as root, but no ssm-user is created. Therefore an SSM session (aws ssm start-session) cannot be established.

amazon-ssm-agent 3.2.582.0-1

# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye

2023-04-13 13:43:23 ERROR [execute @ shell.go.266] [ssm-session-worker] [dsusman-02d5c05a016ff8d9a] [DataBackend] [pluginName=Standard_Stream] Unable to start command: failed to start pty since RunAs user ssm-user does not exist

dariosusman commented 1 year ago

Furthermore, it doesn't add the sudoers.d/ssm-agent-users file, either.

I've also confirmed that earlier versions taken from eu-west-1 do not do either of these, either. However, version 3.1.338.0-1 appears to have worked.

yuting-fan commented 1 year ago

Hi @dariosusman,

When you do not have RunAs functionality enabled, and you start a session on an instance for the first time, the SSM Agent will create ssm-user, which is a sudo user, on your behalf. If you have RunAs functionality enabled, SSM Agent will run the session process using that user directly, instead of creating that user for you.

The error you are seeing, "RunAs user ssm-user does not exist", indicates you've enabled RunAs functionality to run sessions as ssm-user from the first time an instance is launched. If you disable RunAs from your session preferences, and start a session, this user will be created for you.

However, I'd need to call out that you do not need to configure the RunAs user as ssm-user. By default, all sessions are started with ssm-user. The use case of RunAs functionality is if you would like to start a session with another OS user of your own.

Hope this helps.

Regards, Yuting
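
The behaviour described in the reply above, written as a pre-flight check; this is an added example, not code from the thread or from the amazon-ssm-agent project. It assumes the session preferences are the JSON content of the SSM-SessionManagerRunShell document with `inputs.runAsEnabled` and `inputs.runAsDefaultUser` fields (names not shown on this page), and the sample preferences and passwd text are constructed.

```python
import json

# Constructed sample: Session Manager preferences with RunAs pointed at ssm-user.
# Field names follow the SSM-SessionManagerRunShell document (assumed, not on the page).
SAMPLE_PREFS = json.dumps({
    "schemaVersion": "1.0",
    "sessionType": "Standard_Stream",
    "inputs": {"runAsEnabled": True, "runAsDefaultUser": "ssm-user"},
})

# Constructed sample: /etc/passwd on a host where no session has ever created ssm-user.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "admin:x:1000:1000:Debian:/home/admin:/bin/bash\n"
)


def local_users(passwd_text):
    """Return the set of account names found in passwd-format text."""
    names = set()
    for line in passwd_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.split(":", 1)[0])
    return names


def diagnose(prefs_json, passwd_text):
    """Return (status, detail) for how a session would pick its OS user."""
    inputs = json.loads(prefs_json).get("inputs") or {}
    enabled = inputs.get("runAsEnabled")
    # Tolerate the flag being stored as a string as well as a JSON boolean.
    run_as = enabled is True or str(enabled).lower() == "true"
    user = (inputs.get("runAsDefaultUser") or "").strip()
    if not run_as:
        return ("default", "RunAs off: agent creates ssm-user on first session")
    if not user:
        return ("runas-unset", "RunAs on, but the preferences name no default user")
    if user in local_users(passwd_text):
        return ("runas-ok", f"RunAs on: session runs as existing user {user}")
    # The case in this issue: the agent will not create the RunAs user itself.
    return ("runas-missing-user", f"RunAs user {user} does not exist; create it or disable RunAs")


if __name__ == "__main__":
    print(diagnose(SAMPLE_PREFS, SAMPLE_PASSWD))
```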