By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

FleetManager SSO login unavailable

0

We are trying to utilize the FleetManager SSO functionality to enable SSM to be used as a proxy for a bastion host. The ideal flow would be dev port-forwards with SSM to RDP into the bastion host. I would like the bastion host to utilize IAM Identity Center for authentication. This flow works but only within the same region as IAM Identity center was created. Is there any known work arounds to enable FleetManager to work across regions? I could not find where in the documentation it says that this cannot work and Amazon Q says that it should as well.

Article for reference: https://aws.amazon.com/blogs/security/how-to-enable-secure-seamless-single-sign-on-to-amazon-ec2-windows-instances-with-aws-sso/

Topics
Security, Identity, & ComplianceCompute
Tags
AWS IAM Identity CenterEC2 FleetSession Management
Language
English
TMorse
asked 4 months ago139 views
1 Answer
1
Accepted Answer

FleetManager SSO doesn't play nice across regions for bastion access.

Here's the deal:

  1. It's region-locked, meaning IAM Identity Center and your bastion host gotta be neighbors.
  2. Docs don't say it explicitly, but clues are everywhere.

Workarounds:

  1. Move the bastion host and IAM Identity Center together.
  2. Try another SSO solution like AWS SSO that can cross regions.
  3. Build your own authentication system with AWS services, but be prepared for some coding.
profile picture
EXPERT
Sedat Salman
answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content