
How can Hybrid SSM Activation be used to provide IAM credentials to all users?

0

I am using a Hybrid SSM Activation (https://docs.aws.amazon.com/systems-manager/latest/userguide/activations.html) to manage a physical device.

I would like to allow this device to use some AWS services, but that requires deploying long-lived credentials to the device.

SSM Agent is deploying AWS credentials (and rotating them) to /root/.aws/credentials, and these credentials are for the instance role that I assigned to the SSM Agent when deploying it. I would like to make these credentials available to the non-root user without having to prefix all aws-cli commands with sudo, so that I can assign additional permissions (like s3:Get) to the instance role and allow the user account to assume these credentials.

pi@pi-001:~$ aws sts get-caller-identity
Unable to locate credentials. You can configure credentials by running "aws configure".
pi@pi-001:~$ sudo aws sts get-caller-identity
{
    "UserId": "[censored]:mi-[censored]",
    "Account": "[censored]",
    "Arn": "arn:aws:sts::[censored]:assumed-role/DevelopmentSSMHybridPolicy/mi-[censored]"
}
pi@pi-001:~$ sudo ls /root/.aws
credentials

Is there a supported method to allow the non-root account of an SSM managed Hybrid Instance to assume the instance credentials? Failing that, are there any other methods to accomplish this?

1 Answer
1

Hello.

How about setting AWS credentials for each Linux user?
Since the AWS credentials set for the root user are for using SSM, I think it is generally better not to share them between Linux users.
Therefore, I think it is a good idea to create the minimum required IAM policy and IAM user for Linux users and set AWS authentication information.
Also, if you need temporary AWS credentials, you may want to set up IAM Identity Center and use temporary credentials instead of using an IAM user.
https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html

EXPERT
answered 10 months ago
