Closed ssigwart closed 5 years ago
I tried copying amazon-ssm-agent.json.template to /etc/amazon/ssm/amazon-ssm-agent.json and changing https://github.com/aws/amazon-ssm-agent/blob/092e94e519563ef03fe41cdf32f612520e9002ca/amazon-ssm-agent.json.template#L3-L4 to this:
"Path" : "/root/.aws/credentials",
"Name" : "default",
That allowed getAppConfigPath to find the IAM user credentials in /root/.aws/credentials.
https://github.com/aws/amazon-ssm-agent/blob/092e94e519563ef03fe41cdf32f612520e9002ca/agent/appconfig/appconfig.go#L90
However, MessagingDeliveryService API calls fail. /var/log/amazon/ssm/amazon-ssm-agent.log and /var/log/amazon/ssm/errors.log show this:
2018-03-10 03:48:44 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-XXXXXXXXXXXXXXXX] [MessagingDeliveryService] error when calling AWS APIs. error details - GetMessages Error: AuthorizationFailureException:
status code: 400, request id: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
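To triage entries like the two log lines quoted above, the following added example (not code from this issue or from the amazon-ssm-agent project) parses the agent log format shown here and tallies which API operation, called by which agent component, is failing with AuthorizationFailureException. The sample log text is constructed for the example and modelled on the quoted entry; the instance id and request ids in it are placeholders, and the exact layout of lines other than the quoted one is an assumption.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample modelled on the entry quoted in the issue.
# Instance and request ids are placeholders, not real values.
SAMPLE_LOG = """\
2018-03-10 03:48:44 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-XXXXXXXXXXXXXXXX] [MessagingDeliveryService] error when calling AWS APIs. error details - GetMessages Error: AuthorizationFailureException:
    status code: 400, request id: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
2018-03-10 03:48:45 INFO [HealthCheck] HealthCheck reporting agent health (constructed filler line).
2018-03-10 03:48:50 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-XXXXXXXXXXXXXXXX] [MessagingDeliveryService] error when calling AWS APIs. error details - GetMessages Error: AuthorizationFailureException:
    status code: 400, request id: YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY
"""


class AwsApiError(NamedTuple):
    timestamp: str
    component: str      # last bracketed tag, e.g. MessagingDeliveryService
    operation: str      # SDK operation name, e.g. GetMessages
    error_code: str     # AWS error code, e.g. AuthorizationFailureException
    status_code: Optional[int]
    request_id: Optional[str]


# First line of an entry: timestamp, ERROR, one or more "[tag] " groups,
# then "error details - <Operation> Error: <ErrorCode>:"
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ERROR "
    r"(?P<tags>(?:\[[^\]]*\] )+)"
    r"error when calling AWS APIs\. error details - "
    r"(?P<op>\w+) Error: (?P<code>\w+):"
)
# Continuation line the SDK appends with the HTTP status and request id.
DETAIL_RE = re.compile(r"status code: (?P<status>\d+), request id: (?P<rid>\S+)")
TAG_RE = re.compile(r"\[([^\]]*)\]")


def parse_aws_errors(text: str) -> list[AwsApiError]:
    """Extract every 'error when calling AWS APIs' entry from agent log text."""
    errors: list[AwsApiError] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = ENTRY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        tags = TAG_RE.findall(m.group("tags"))
        component = tags[-1] if tags else ""
        status = rid = None
        # The status/request-id detail, when present, is on the next line.
        if i + 1 < len(lines):
            d = DETAIL_RE.search(lines[i + 1])
            if d:
                status = int(d.group("status"))
                rid = d.group("rid")
                i += 1
        errors.append(AwsApiError(m.group("ts"), component, m.group("op"),
                                  m.group("code"), status, rid))
        i += 1
    return errors


def failing_operations(errors: list[AwsApiError]) -> dict[str, int]:
    """Count AuthorizationFailureException entries per component/operation.

    The keys tell an operator which API call to check the principal's
    IAM policy against before touching anything else.
    """
    return dict(Counter(
        f"{e.component}/{e.operation}"
        for e in errors
        if e.error_code == "AuthorizationFailureException"
    ))


if __name__ == "__main__":
    for key, n in failing_operations(parse_aws_errors(SAMPLE_LOG)).items():
        print(f"{key}: {n} authorization failure(s)")
```

Run it against the real file by replacing SAMPLE_LOG with the contents of /var/log/amazon/ssm/errors.log; the per-operation counts separate a single misconfigured action from an agent that cannot call anything at all.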
That's an SDK error for the GetMessages operation, which isn't listed in the "Actions" list. Try adding "ssm:GetMessages" in an inline or managed policy and attaching it to the user.
If it doesn't work, I would try to assign the user a ssm:* policy and restart the agent noting the exact time of startup. If it works, then you can export your CloudTrail logs and look for all activity from that user, and compare it to the permissions it has in its assigned policies.
I tried adding ssm:GetMessages, but IAM says it's invalid. So I tried ssm:*, but that failed as well with the same AuthorizationFailureException.
I believe it is actually ec2messages:GetMessages.
That's what I thought too, but I've had ec2messages:GetMessages allowed for all my tests and it still doesn't work.
Hi @ssigwart or anyone else that has come across this problem.
Super late reply, but this issue has recently come to our attention. After investigating, we have determined that we do not support any other type of credentials besides IAM role for EC2 credentials, for security reasons.
Closing issue.
When using instance profiles, any Linux user will be able to assume the role and hence will have all the same permissions as are needed for SSM as defined in the AmazonEC2RoleforSSM policy. Can an option be added to use an IAM user with a key/secret instead of the instance profile?