aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

Allow AWS Key/Secret Instead of Instance Profile #91

Closed ssigwart closed 5 years ago

ssigwart commented 6 years ago

When using instance profiles, any Linux user will be able to assume the role and hence will have all the same permissions as are needed for SSM as defined in the AmazonEC2RoleforSSM policy. Can an option be added to use an IAM user with a key/secret instead of the instance profile?

ssigwart commented 6 years ago

I tried copying amazon-ssm-agent.json.template to /etc/amazon/ssm/amazon-ssm-agent.json and changing https://github.com/aws/amazon-ssm-agent/blob/092e94e519563ef03fe41cdf32f612520e9002ca/amazon-ssm-agent.json.template#L3-L4 to this:

"Path" : "/root/.aws/credentials",
"Name" : "default",

That allowed getAppConfigPath to find the IAM user credentials in /root/.aws/credentials. https://github.com/aws/amazon-ssm-agent/blob/092e94e519563ef03fe41cdf32f612520e9002ca/agent/appconfig/appconfig.go#L90

However, MessagingDeliveryService API calls fail. /var/log/amazon/ssm/amazon-ssm-agent.log and /var/log/amazon/ssm/errors.log show this:

2018-03-10 03:48:44 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-XXXXXXXXXXXXXXXX] [MessagingDeliveryService] error when calling AWS APIs. error details - GetMessages Error: AuthorizationFailureException:
    status code: 400, request id: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

thedevopsmachine commented 6 years ago

That's an SDK error for the GetMessages operation, which isn't listed in the "Actions" list. Try adding "ssm:GetMessages" in an inline or managed policy and attaching it to the user.

If it doesn't work, I would try to assign the user a ssm:* policy and restart the agent noting the exact time of startup. If it works, then you can export your CloudTrail logs and look for all activity from that user, and compare it to the permissions it has in its assigned policies.

ssigwart commented 6 years ago

I tried adding ssm:GetMessages, but IAM says it's invalid. So I tried ssm:*, but that failed as well with the same AuthorizationFailureException.

lorengordon commented 6 years ago

I believe it is actually ec2messages:GetMessages.

https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up.html#systems-manager-setting-up-messageAPIs
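Putting thedevopsmachine's suggestion (compare the user's CloudTrail activity with its attached policies) together with lorengordon's point that the action lives in the ec2messages namespace, here is an added Python example that is not part of this issue or the agent's code. The CloudTrail records, the user name and the inline policy are constructed assumptions; the check ignores Deny statements, conditions and resources.

```python
import fnmatch

# Constructed CloudTrail sample (not real log data): what an agent run with an
# IAM user's access key would leave behind after a restart.
SAMPLE_TRAIL = [
    {"eventSource": "ec2messages.amazonaws.com", "eventName": "GetMessages",
     "userIdentity": {"type": "IAMUser", "userName": "ssm-agent-user"},
     "errorCode": "AuthorizationFailureException"},
    {"eventSource": "ssm.amazonaws.com", "eventName": "UpdateInstanceInformation",
     "userIdentity": {"type": "IAMUser", "userName": "ssm-agent-user"}},
    {"eventSource": "ec2messages.amazonaws.com", "eventName": "AcknowledgeMessage",
     "userIdentity": {"type": "IAMUser", "userName": "ssm-agent-user"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "userName": "someone-else"}},
]

# Constructed inline policy mirroring the thread: ssm:* is allowed, but nothing
# in the ec2messages namespace, so GetMessages is still denied.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ssm:*"], "Resource": "*"}],
}


def trail_actions(records, user_name):
    """Map each record made by user_name to the IAM action it exercised.
    eventSource 'ec2messages.amazonaws.com' + eventName 'GetMessages' becomes
    'ec2messages:GetMessages', the name IAM validates (ssm:GetMessages does not exist)."""
    actions = set()
    for rec in records:
        ident = rec.get("userIdentity", {})
        if ident.get("type") != "IAMUser" or ident.get("userName") != user_name:
            continue
        service = rec["eventSource"].split(".")[0]
        actions.add(f"{service}:{rec['eventName']}")
    return actions


def policy_allows(policy, action):
    """True if any Allow statement's Action pattern matches; IAM action names are
    case-insensitive and use '*' and '?' wildcards, which fnmatch also understands."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt.get("Action", [])
        patterns = [patterns] if isinstance(patterns, str) else patterns
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return True
    return False


def missing_actions(records, policy, user_name):
    """Actions the agent's user actually called that the policy does not grant:
    the least-privilege gap to close (or the unexpected calls to investigate)."""
    return sorted(a for a in trail_actions(records, user_name)
                  if not policy_allows(policy, a))
```

On the sample, `missing_actions` reports the two ec2messages calls, which is exactly why the ssm:* experiment in this thread still fails with AuthorizationFailureException.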

ssigwart commented 6 years ago

That's what I thought too. I've had ec2messages:GetMessages allowed for all my tests, but it doesn't work.

hiimtu commented 5 years ago

Hi @ssigwart or anyone else that has come across this problem.

Super late reply, but this issue has recently come to our attention. After investigating, we have determined that we do not support any other type of credentials besides IAM role for EC2 credentials for security reasons.

Closing issue.