Peter_G's answer is how most customers solve this and is likely the best practice in this situation. I wanted to address your question about what user the SSM Run Command executes as. On a Windows instance it runs as SYSTEM. You can verify this yourself by supplying the AWS-RunPowerShellScript document the command WhoAmI. The local account ssm-user is only used when you connect to the instance using SSM Session Manager. If the instance where the Run Command is being executed is domain joined, then it will have a computer object in Active Directory. Any permissions you grant that computer object will be available to the local SYSTEM account, meaning that if you grant the computer object permission to create user objects then you could successfully execute dsadd user without having to grab alternate credentials from Secrets Manager.
It definitely is possible, but you will have to supply credentials for a user authorised for that activity within your domain. I suggest adding these credentials to AWS Secrets Manager (username and password as key-value pairs), modifying your instance(s) IAM profile to allow GetSecretValue on that secret, and then within your PowerShell script retrieving the secret and constructing a System.Management.Automation.PSCredential object.
Something like this:
# Fetch the JSON secret ({"username": "...", "password": "..."}) and parse it
$secret = (Get-SECSecretValue -SecretId "<SecretArn>").SecretString | ConvertFrom-Json
$username = $secret.username
# PSCredential needs a SecureString, so convert the plaintext password
$password = ConvertTo-SecureString $secret.password -AsPlainText -Force
$domainCredential = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $password)
You'll probably need to use a native PowerShell cmdlet (as I don't believe dsadd will support it) like New-ADUser, then supply the credential object you created for the -Credential argument.
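A worked version of the approach above, as an added example that is not part of either answer: a script body for the AWS-RunPowerShellScript document that reads the domain user's credentials from Secrets Manager, builds the PSCredential, and creates the account with New-ADUser -Credential while the command itself still runs as SYSTEM. It assumes the AWS.Tools.SecretsManager and ActiveDirectory modules are installed on the instance, the instance profile allows secretsmanager:GetSecretValue on the secret, and the secret's JSON has "username" and "password" keys; the ARN, OU, UPN and account values are placeholders.

```powershell
# Added example (not from the original answers). Assumptions: AWS.Tools.SecretsManager
# and the ActiveDirectory RSAT module are installed; the instance profile allows
# secretsmanager:GetSecretValue on the secret; secret JSON is
# {"username":"CORP\\svc-useradmin","password":"..."}. Placeholder values are marked.

$ErrorActionPreference = 'Stop'
Import-Module AWS.Tools.SecretsManager
Import-Module ActiveDirectory

# Run Command executes as NT AUTHORITY\SYSTEM. Record that in the command output so it
# is clear which identity called Secrets Manager and which identity did the AD write.
Write-Output "Running as: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

$secretArn = 'arn:aws:secretsmanager:REGION:ACCOUNT:secret:PLACEHOLDER'   # placeholder ARN
$secret = (Get-SECSecretValue -SecretId $secretArn).SecretString | ConvertFrom-Json
if (-not $secret.username -or -not $secret.password) {
    throw "Secret $secretArn does not contain 'username' and 'password' keys"
}

# PSCredential requires a SecureString for the password
$password = ConvertTo-SecureString $secret.password -AsPlainText -Force
$domainCredential = New-Object System.Management.Automation.PSCredential ($secret.username, $password)

# Parameters for the new account; example values, replace with real ones.
$newUser = @{
    Name                  = 'jdoe'
    SamAccountName        = 'jdoe'
    UserPrincipalName     = 'jdoe@corp.example'           # placeholder UPN suffix
    Path                  = 'OU=Users,DC=corp,DC=example'  # placeholder OU
    AccountPassword       = (ConvertTo-SecureString 'PLACEHOLDER-InitialPass!' -AsPlainText -Force)
    Enabled               = $true
    ChangePasswordAtLogon = $true
    Credential            = $domainCredential   # the AD write runs as the domain user, not SYSTEM
}

# Idempotent: skip creation if the account already exists (lookup also uses the domain credential)
if (Get-ADUser -Filter "SamAccountName -eq '$($newUser.SamAccountName)'" -Credential $domainCredential) {
    Write-Output "User $($newUser.SamAccountName) already exists; nothing to do"
} else {
    New-ADUser @newUser
    Write-Output "Created $($newUser.SamAccountName)"
}

# Don't leave the plaintext secret in the session once it has been used.
Remove-Variable secret, password -ErrorAction SilentlyContinue
```

Because the credential is passed to the cmdlet rather than used to spawn a second process, no interactive logon is needed under SYSTEM, and the plaintext password is never echoed into the Run Command output.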
I need to run a PowerShell command to create an MFA user on a Windows EC2 (ADFS) server. I tried using the solution provided above to supply the credential, but I keep getting the error "Start-Process : This command cannot be run due to the error: Access is denied." Any suggestions on how to get this working? Essentially I need to run PowerShell on an SSM managed node (AD box) with a particular domain user credential. This user has administrative privileges on the AD box.
What I tried:
$secret = (Get-SECSecretValue -SecretId "<secret ARN>").SecretString | ConvertFrom-Json
$username = $secret.username
$password = ConvertTo-SecureString $secret.password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $password)
$commands = 'whoami; Add-MFAUsers -Identity <email> -Email <email> -Method Code -EmailForNewKey'
Start-Process -FilePath PowerShell -NoNewWindow -Credential $credential -ArgumentList $commands
Error:
Start-Process : This command cannot be run due to the error: Access is denied.