AWS SSO on Amazon Linux

0

Hi,

We are planning to use AWS SSO as the main method to access EC2 instances, using the SSO attribute SSMSessionRunAs = ${path:userName} with the AWS SSO username identical to the username in /etc/passwd on the Amazon Linux instance. I've read the documentation about AWS SSO but don't see anything about this use case. We have confirmed that it works, but is this supported?

Thanks in advance,

  • Joe
1 answer
1

Hi Joe,

I have done some research into this and did come across the following blog post [1], which goes through the steps to set this up. The steps may be slightly different depending on the Identity Provider you are using with AWS SSO (when testing this I was using the default SSO directory; the blog post shows the same setup with Okta as the Identity Provider).

The one thing I would like to point out is that the solution in the blog does not add the users to the /etc/passwd file; it instead creates a user on the instance with the same username as the attribute you have mapped to SSMSessionRunAs in AWS SSO. When the user logs into the instance via Instance Connect, they will log in as the user that you created on the EC2 instance.

I did manage to get this working in my test environment, so if you have any questions please feel free to let me know.


[1] Configure AWS SSO ABAC for EC2 instances and Systems Manager Session Manager - https://aws.amazon.com/blogs/security/configure-aws-sso-abac-for-ec2-instances-and-systems-manager-session-manager/

AWS Support Engineer
answered 2 years ago
  • Cool! Thanks Michael! We do have that working in our environment as well. So to confirm, this is OK to do, right? i.e. AWS supports this kind of configuration: mapping users on an EC2 instance using local files (not an external directory) with AWS SSO.

  • That is correct, this is supported and will work as long as the SAML attribute for SSMSessionRunAs matches the username of the user you created on the Linux instance.
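The requirement stated in the answer above, that the value AWS SSO passes in SSMSessionRunAs must match a local account on the instance exactly, is easy to check before rolling this out. The script below is an added example written for this thread; it is not code from the blog post or from AWS. It assumes you maintain a plain text list of the SSO usernames you expect to connect (one per line, here a constructed sample) and compares each one against the instance's passwd file, field by field, so that a near miss such as "jo" versus "joe" is reported as missing rather than silently accepted.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that every AWS SSO username
# mapped to SSMSessionRunAs has an exactly matching local account on an Amazon Linux host.

# passwd_has_user USERNAME [PASSWD_FILE]
# Exit 0 if USERNAME is the first field of some line in PASSWD_FILE (default /etc/passwd).
# Session Manager's RunAs needs an exact, case-sensitive match, so we compare the whole field
# instead of grepping a substring.
passwd_has_user() {
    user=$1
    file=${2:-/etc/passwd}
    awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$file"
}

# check_sso_users SSO_LIST_FILE [PASSWD_FILE]
# Prints one line per SSO username, "ok" or "MISSING", and returns the number of missing
# accounts (0 means every SSO user can be mapped to a local account).
check_sso_users() {
    list=$1
    file=${2:-/etc/passwd}
    missing=0
    while IFS= read -r u; do
        [ -z "$u" ] && continue
        if passwd_has_user "$u" "$file"; then
            printf 'ok      %s\n' "$u"
        else
            printf 'MISSING %s\n' "$u"
            missing=$((missing + 1))
        fi
    done < "$list"
    return "$missing"
}

# Constructed sample data so the example runs offline without touching the real /etc/passwd.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
SAMPLE_SSO_LIST="$SAMPLE_DIR/sso-users.txt"
printf 'root:x:0:0:root:/root:/bin/bash\njoe:x:1001:1001:Joe:/home/joe:/bin/bash\n' > "$SAMPLE_PASSWD"
printf 'joe\nalice\n' > "$SAMPLE_SSO_LIST"

# On a real instance you would call: check_sso_users /path/to/sso-users.txt
# and, for each MISSING user, create the account as root, e.g.: useradd -m "$u"
check_sso_users "$SAMPLE_SSO_LIST" "$SAMPLE_PASSWD" || echo "missing local accounts: $?"
```

With the constructed data, "joe" is reported as ok and "alice" as MISSING, and the function returns 1 so the script can be wired into a provisioning check that fails when an SSO user has no local account yet.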
