FleetManager SSO login unavailable


We are trying to utilize the FleetManager SSO functionality to enable SSM to be used as a proxy for a bastion host. The ideal flow would be dev port-forwards with SSM to RDP into the bastion host. I would like the bastion host to utilize IAM Identity Center for authentication. This flow works, but only within the same region as IAM Identity Center was created in. Are there any known workarounds to enable FleetManager to work across regions? I could not find where in the documentation it says that this cannot work, and Amazon Q says that it should as well.

Article for reference: https://aws.amazon.com/blogs/security/how-to-enable-secure-seamless-single-sign-on-to-amazon-ec2-windows-instances-with-aws-sso/

1 answer

Accepted answer

FleetManager SSO doesn't play nice across regions for bastion access.

Here's the deal:

  1. It's region-locked, meaning IAM Identity Center and your bastion host gotta be neighbors.
  2. Docs don't say it explicitly, but clues are everywhere.

Workarounds:

  1. Move the bastion host and IAM Identity Center together.
  2. Try another SSO solution like AWS SSO that can cross regions.
  3. Build your own authentication system with AWS services, but be prepared for some coding.
Expert
Answered 5 months ago
