I am using a Hybrid SSM Activation (https://docs.aws.amazon.com/systems-manager/latest/userguide/activations.html) to manage a physical device.
I would like to allow this device to use some AWS services, but that requires deploying long-lived credentials to the device.
SSM Agent is deploying AWS credentials (and rotating them) to /root/.aws/credentials, and these credentials are for the instance role that I assigned to the SSM Agent when deploying it.
I would like to make these credentials available to the non-root user without having to prefix all aws-cli commands with sudo, so that I can assign additional permissions (like s3:Get) to the instance role and allow the user account to assume these credentials.

    pi@pi-001:~$ aws sts get-caller-identity
    Unable to locate credentials. You can configure credentials by running "aws configure".
    pi@pi-001:~$ sudo aws sts get-caller-identity
    {
        "UserId": "[censored]:mi-[censored]",
        "Account": "[censored]",
        "Arn": "arn:aws:sts::[censored]:assumed-role/DevelopmentSSMHybridPolicy/mi-[censored]"
    }
    pi@pi-001:~$ sudo ls /root/.aws
    credentials

Is there a supported method to allow the non-root account of an SSM managed Hybrid Instance to assume the instance credentials?
Failing that, are there any other methods to accomplish this?