By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

About the user who executes SSM

1

I would like to run powershell commands on a specified EC2 instance using AWS-RunPowerShellScript in Systems Manager's Run Command. In doing so, I would like to use the dsadd-user command to add a user in the Active directory. However, when I actually execute this, I get an "Access is denied" error because I don't have access rights. My thinking is that this is because when I run this command with ssm it is running as a local user named ssm-user.

I would like to run the command as a user belonging to the active directory. Is that possible? Thank you very much.

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
AWS Directory ServiceAWS Systems Manager
Language
English
AWS-User-0207697
asked 2 years ago3331 views
2 Answers
4

Peter_G's answer is how most customer's solve this and is likely the best practice in this situation. I wanted to address your question about what user the SSM Run Command executes as. On a Windows instance it runs as SYSTEM. You can verify this yourself by supplying the AWS-RunPowerShellScript document the command WhoAmI. The local account ssm-user is only used when you connect to the instance using SSM Session Manager. If the instance where the Run Command is being executed is domain joined, then it will have a computer object in Active Directory. Any permissions you grant that computer object will be available to the local SYSTEM account. Meaning that if you grant the computer object permission to create user objects then you could successfully execute dsadd user without having to grab alternate credentials from Secrets Manager.

profile pictureAWS
JoeD_AWS
answered 2 years ago
2
Accepted Answer

it definitely is possible but you will have to supply credentials for a user authorised for that activity within your domain. I suggest adding these credentials to AWS Secrets Manager (username and password as key value pairs), modify your instance(s) iam profile to allow GetSecretValue to that secret and then within your powershell script retrieve the secret and construct a System.Management.Automation.PSCredential object.

Something like this

$secret = (Get-SECSecretValue -SecretId “<SecretArn>”).SecretString | ConvertFrom-Json
$username = $secret.username
$password = ConvertTo-SecureString $secret.password -AsPlainText -Force
$domainCredential = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $password)

You'll probably need to use a native powershell cmdlet (as I don't believe dsadd will support) like new-aduser then supply the credential object you created for the -credential arguement

AWS
EXPERT
Peter_G
answered 2 years ago
  • mj123
    8 months ago

    I need to run a Powershell command to create a MFA user on an Windows EC2 (adfs) server. I tried using the solution provided above to supply credential but I keep getting the error "Start-Process : This command cannot be run due to the error: Access is denied." Any suggestions on how to get this working? Essentially I need to run Powershell on a SSM managed node (AD box) with a particular domain user credential. This user has administrative privileges on the AD box

    What I tried - $secret = (Get-SECSecretValue -SecretId “<secret ARN”).SecretString | ConvertFrom-Json $username = $secret.username $password = ConvertTo-SecureString $secret.password -AsPlainText -Force $credential = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $password) $commands = 'whoami; Add-MFAUsers -Identity <email> -Email <email> -Method Code -EmailForNewKey' Start-Process -FilePath PowerShell -NoNewWindow -Credential $credential -ArgumentList $commands

    Error - Start-Process : This command cannot be run due to the error: Access is denied.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content