common-fate / granted

The easiest way to access your cloud.
https://granted.dev
MIT License

Update documentation - Granted does not work with Session Manager Plugin out of the box #613

Open alexjeen opened 4 months ago

alexjeen commented 4 months ago

Hi,

Granted does not seem to work with the Session Manager plugin out of the box (if you just use assume), i.e.:

alex@Alexs-MacBook-Pro _test % aws ecs execute-command --cluster elastic-sandbox-cluster \
    --task aa9054ed4f7e4d1583a0cacb9401492f \
    --container mongo \
    --interactive \
    --command "/bin/sh"

The Session Manager plugin was installed successfully. Use the AWS CLI to start a session.

Starting session with SessionId: ecs-execute-command-0e5f2cabad4982989

SessionId: ecs-execute-command-0e5f2cabad4982989 : 
----------ERROR-------
Encountered error while initiating handshake. KMSEncryption failed on client with status 2 error: Failed to process action KMSEncryption: Error calling KMS GenerateDataKey API: refresh cached SSO token failed, unable to refresh SSO token, InvalidGrantException: 

This is expected behaviour as described in this ticket: https://github.com/common-fate/granted/issues/155. However, you might think it is a KMS issue from the weird error that the Systems Manager plugin gives.

Maybe it's worthwhile to update the documentation to say that these are the steps to take if you want to use the Session Manager plugin:

alex@Alexs-MacBook-Pro _test % assume elasticscale-sandbox --export
[✔] [elasticscale-sandbox](eu-west-1) session credentials will expire in 1 hour
[!] No credential suffix found. This can cause issues with using exported credentials if conflicting profiles exist. Run `granted settings export-suffix set` to set one.
[✔] Exported credentials to ~/.aws/credentials file as elasticscale-sandbox successfully
alex@Alexs-MacBook-Pro _test % session-manager-plugin --version    
1.2.536.0
alex@Alexs-MacBook-Pro _test % aws ecs execute-command --cluster elastic-sandbox-cluster \
    --task aa9054ed4f7e4d1583a0cacb9401492f \
    --container mongo \
    --interactive \
    --command "/bin/sh"

The Session Manager plugin was installed successfully. Use the AWS CLI to start a session.

Starting session with SessionId: ecs-execute-command-03436819b38f252d1
This session is encrypted using AWS KMS.
# whoami
root

If an update is not going to happen, maybe just close this ticket so other people can find it when Googling the problem.

Granted is great btw!
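
The misleading error reported above can be triaged mechanically. The following is an added example, not code from the issue author, Granted or AWS: it checks for the SSO token failure that the plugin wraps inside a KMSEncryption message, then looks for an exported profile in the shared credentials file. The function names are hypothetical, and it assumes the standard credentials file layout with `aws_access_key_id` and `aws_secret_access_key` keys.

```shell
#!/usr/bin/env bash
# Added example: triage helper, not part of Granted, the AWS CLI or the plugin.

# Error text copied from the failing session in the issue.
SAMPLE_ERROR='Encountered error while initiating handshake. KMSEncryption failed on client with status 2 error: Failed to process action KMSEncryption: Error calling KMS GenerateDataKey API: refresh cached SSO token failed, unable to refresh SSO token, InvalidGrantException:'

# Classify plugin error text. The SSO check comes first because the SSO
# failure is wrapped inside a KMSEncryption message.
classify_ssm_error() {
  case "$1" in
    *"refresh cached SSO token failed"*) echo "sso-token" ;;
    *"KMSEncryption failed"*)            echo "kms" ;;
    *)                                   echo "unknown" ;;
  esac
}

# Succeeds if section [PROFILE] of credentials file FILE holds a static key pair.
profile_has_static_creds() {  # usage: profile_has_static_creds FILE PROFILE
  [ -r "$1" ] || return 1
  awk -v want="[$2]" '
    /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, ""); in_sec = ($0 == want); next }
    in_sec && /^[ \t]*aws_access_key_id[ \t]*=/     { id = 1 }
    in_sec && /^[ \t]*aws_secret_access_key[ \t]*=/ { secret = 1 }
    END { exit !(id && secret) }
  ' "$1"
}

# Turn an error plus the local credentials state into a next step.
advise() {  # usage: advise ERROR_TEXT CREDS_FILE PROFILE
  case "$(classify_ssm_error "$1")" in
    sso-token)
      if profile_has_static_creds "$2" "$3"; then
        echo "credentials for $3 are exported; check they have not expired"
      else
        echo "run: assume $3 --export"
      fi ;;
    kms) echo "no SSO error in the message; check KMS key access" ;;
    *)   echo "unrecognised error" ;;
  esac
}

# Demo against the local credentials file, using the profile name from the issue.
advise "$SAMPLE_ERROR" "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}" "elasticscale-sandbox"
```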