awslabs / aws-lambda-powershell-runtime

This new PowerShell custom runtime for AWS Lambda makes it even easier to run Lambda functions written in PowerShell to process events.
Apache License 2.0

[Question] Do you have an example for PowerShell remoting through lambda function? #3

Closed liacha1986 closed 1 year ago

liacha1986 commented 1 year ago

I have followed all the MS guides on setting up PowerShell remoting on the server and can confirm from my test environment that I am able to SSH into my test box. I added the public key to my lambda function and referenced it with the command below:

$session = New-PSSession -HostName "mydc01.xyz.com" -UserName "Administrator" -KeyFilePath "$env:LAMBDA_TASK_ROOT/examplemodule/id_ed25519.pub"

I just get a generic message saying that "An error has occurred which PowerShell cannot handle. A remote session might have ended".

The use case here is, I am trying to run some Get/Set-ADUser commands on my test domain users from the lambda function (to reset AD passwords). Did a bunch of research and it seems PowerShell Core doesn't have native support for the ActiveDirectory modules, so I was trying to start a session and use the Invoke-Command cmdlet to run the command(s) I wanted.

avanvucht commented 1 year ago

Hey, you will have to make sure that your Lambda function has permission to access this. If you're using AWS SAM, your Parameters block would have something like:

  DCSecurityGroupIds:
    Type: CommaDelimitedList
    Description: Comma-delimited security group IDs to allow LDAP communication with domain controller and HTTP/HTTPS communication with the Exchange Server
    Default: sg-6db2****

  DCSubnetIds:
    Type: CommaDelimitedList
    Description: Comma-delimited subnet IDs of the domain controller
    Default: subnet-0ab83************,subnet-0931************

And you'd refer to these parameters in your AWS::Serverless::Function block, in a VpcConfig:

      VpcConfig:
        SecurityGroupIds: !Ref DCSecurityGroupIds
        SubnetIds: !Ref DCSubnetIds

I suggest getting this working first from PowerShell on a machine on the same network as the Domain Controllers. The Cloud9 IDE, for instance, is a simple way to test PowerShell lambda functions:

sam build --parallel && sam local invoke "AccessProvisionerFunction" --event samples/dev/event-provision-access.json

Just make sure your Cloud9 IDE can talk with your Domain Controller by being on the same VPC subnets and security groups.

austoonz commented 1 year ago

Given this runtime runs in Linux (custom runtime running on Amazon Linux 2), the New-PSSession cmdlet would use ssh under the covers, and ssh does not exist in the custom runtime environment.

So I agree with @avanvucht that you'd likely need to execute the Lambda Function from within the same VPC as your target system; you'd also need to include a Lambda layer or similar that includes the ssh binary (and anything else required to make ssh work).

liacha1986 commented 1 year ago

Thanks guys. I'm pretty new to this so any specific resources you can share will be appreciated. I'll try to google my way through and report back with any problems.

julianwood commented 1 year ago

If you're asking about the ssh component, try packaging the ssh binary with your function code, ensure it's executable and reference it in /var/task; that may be the simplest way to get started.
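
Pulling the three replies above together (the function must sit in the DC's VPC, the runtime ships no ssh, and the binary can be packaged under /var/task), here is an added PowerShell example, not code from the runtime project or from anyone in this thread, that checks those prerequisites before calling New-PSSession so a failure is reported specifically instead of as the generic "remote session might have ended" message. The host and user names are the ones from the question; the key path, the /var/task/bin and /opt/bin lookup locations and the Get-ADUser call are assumptions.

```powershell
# Added example: prerequisite checks for an SSH-transport PSSession from a Lambda function.
function Assert-SshPrerequisites {
    param([Parameter(Mandatory)] [string] $KeyPath)
    # The custom runtime image has no ssh; New-PSSession -HostName shells out to whatever
    # 'ssh' resolves to, so look in the function package (/var/task/bin) and a layer (/opt/bin).
    $taskRoot = if ($env:LAMBDA_TASK_ROOT) { $env:LAMBDA_TASK_ROOT } else { '/var/task' }
    $candidates = @("$taskRoot/bin", '/opt/bin')              # assumed packaging locations
    $env:PATH = ($candidates + $env:PATH) -join ':'
    $ssh = Get-Command ssh -CommandType Application -ErrorAction SilentlyContinue
    if (-not $ssh) {
        throw "ssh binary not found in $($candidates -join ', ') or PATH; package it with the function or a layer."
    }
    if (-not (Test-Path -LiteralPath $KeyPath)) { throw "Key file '$KeyPath' does not exist." }
    # -KeyFilePath must point at the PRIVATE key (id_ed25519), not the .pub half.
    if ((Get-Content -LiteralPath $KeyPath -TotalCount 1) -notmatch '^-----BEGIN') {
        throw "'$KeyPath' does not look like a private key; -KeyFilePath expects the private key."
    }
    & chmod 600 $KeyPath                                      # OpenSSH rejects group/world-readable keys
    return $ssh.Source
}

function Invoke-OnDomainController {
    param(
        [string] $HostName = 'mydc01.xyz.com',                # host from the question
        [string] $UserName = 'Administrator',                 # user from the question
        [string] $PackagedKey = "$env:LAMBDA_TASK_ROOT/examplemodule/id_ed25519",  # assumed private-key path
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock
    )
    # /var/task is read-only, so copy the key to /tmp where it can be given 0600 permissions.
    $keyPath = Join-Path '/tmp' (Split-Path -Leaf $PackagedKey)
    Copy-Item -LiteralPath $PackagedKey -Destination $keyPath -Force
    $sshPath = Assert-SshPrerequisites -KeyPath $keyPath
    Write-Host "Using ssh at $sshPath"

    $session = $null
    try {
        # -HostName (not -ComputerName) selects the SSH transport. The DC must be reachable from the
        # subnets in the function's VpcConfig and allow inbound TCP/22 from its security group.
        $session = New-PSSession -HostName $HostName -UserName $UserName -KeyFilePath $keyPath -ErrorAction Stop
        return Invoke-Command -Session $session -ScriptBlock $ScriptBlock -ErrorAction Stop
    }
    finally {
        if ($session) { Remove-PSSession $session }
        Remove-Item -LiteralPath $keyPath -Force -ErrorAction SilentlyContinue   # do not leave the key in /tmp
    }
}

# The ActiveDirectory module runs on the DC inside the session, not in the Lambda function itself.
# Invoke-OnDomainController -ScriptBlock { Get-ADUser -Identity 'jdoe' -Properties PasswordLastSet }
```

The function's execution role and the VpcConfig from the earlier reply are still required; this code only makes the local side of the failure visible.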

briantist commented 4 months ago

https://github.com/awslabs/aws-lambda-powershell-runtime/issues/22#issuecomment-1967776323

briantist commented 4 months ago