I was trying to start a session (terminal) via SSM on an instance in another account, using the command
aws ssm start-session --target i-yyyaf4692d801d1xx --region ap-south-1
but it was failing with the response "Target is not connected".
- We usually get this response when the instance is not found in the Systems Manager inventory, which I can't add it to, as the instance is in another account.
End goal: I wish to use users created in Account A to be able to start sessions on instances in Account B; both are part of the same organisation.
Also,
- My user has the appropriate permissions; I have verified this through the IAM Policy Simulator.
- It seems instance IDs are unique and associated with one account only.
- The instance is accessible by local users in that account.
[Update 9th Jan 2023]
Thanks for the responses; it's clear that an IAM role (with STS AssumeRole) satisfies the requirements.
But I was looking for a seamless method, where we don't need to generate temporary credentials and use them for access each time.
Maybe a script to do this task, or something similar, would do. As an IAM principal, users need to generate temp creds manually, which is not the case with IAM roles.
You need to delegate access between the accounts. You can do this by creating a role in the target account which is allowed to be assumed by users in the other account.
Set up the access:
- Create an IAM role with necessary IAM permissions to access the instances in the target account (account B)
- Create a trust relationship on the role in the target account to trust the appropriate principals (users or roles) in the source account (account A).
- Grant the appropriate principals (users or roles) in the source account (account A) permission to call the sts assume-role API for the role in the target account (account B)
Use the access:
- From your user profile or role in account A, call the sts assume-role API to obtain credentials for the role you created in account B.
- Use the credentials returned by the sts assume-role call in order to call the API using the identity assumed in account B to access the resources.
See: cross-account IAM access for more details.
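The steps in the answer above, carried through as an added example with the AWS CLI; this is not code from the original question or answer. The account IDs 111111111111 (account A) and 222222222222 (account B), the role name SsmSessionFromAccountA, the user alice and the instance ID are placeholders, and ap-south-1 is the region from the question. Besides the trust policy, the scoped session policy and the sts:AssumeRole grant, the last function writes a named CLI profile with role_arn and source_profile, which makes the CLI perform the AssumeRole call and credential refresh itself, so no temporary credentials are handled by hand, the point raised in the update.

```bash
#!/usr/bin/env bash
# Cross-account Session Manager access via role delegation (added example, not
# from the original post). Account IDs, names and the instance ID are placeholders.
set -eu

ACCOUNT_A=111111111111                 # source account: where the IAM users live
ACCOUNT_B=222222222222                 # target account: where the instance lives
ROLE_NAME=SsmSessionFromAccountA
REGION=ap-south-1
INSTANCE_ID=i-0123456789abcdef0        # placeholder, not the ID from the question
ROLE_ARN="arn:aws:iam::${ACCOUNT_B}:role/${ROLE_NAME}"

# Step 1/2 (account B): trust policy naming who may assume the role. Trusting a
# specific user or role in A is tighter than trusting arn:aws:iam::A:root, which
# admits every principal in A that holds sts:AssumeRole permission.
trust_policy() {
  local principal_arn="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "${principal_arn}" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Step 1 (account B): permissions the role carries, scoped to one instance and
# the default shell document instead of ssm:* on "*". TerminateSession is kept
# on session/* because the aws:username policy variable used by the AWS
# quickstart policy is not populated for role sessions.
session_policy() {
  local instance_id="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ec2:${REGION}:${ACCOUNT_B}:instance/${instance_id}",
        "arn:aws:ssm:${REGION}:${ACCOUNT_B}:document/SSM-SessionManagerRunShell"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/*"
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:DescribeSessions", "ssm:GetConnectionStatus",
                 "ssm:DescribeInstanceInformation", "ec2:DescribeInstances"],
      "Resource": "*"
    }
  ]
}
EOF
}

# Step 3 (account A): the only permission the user (or group) in A needs.
assume_role_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "${ROLE_ARN}"
  }]
}
EOF
}

# "Use the access" without handling temporary credentials by hand: a profile
# with role_arn + source_profile makes the CLI call sts:AssumeRole itself and
# cache/refresh the credentials for every command run with --profile.
cli_profile() {
  cat <<EOF
[profile accountb-ssm]
role_arn = ${ROLE_ARN}
source_profile = default
region = ${REGION}
EOF
}

apply_account_b() {   # run with admin credentials for account B
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy "$1")"
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name SsmStartSession \
    --policy-document "$(session_policy "$INSTANCE_ID")"
}

apply_account_a() {   # run with admin credentials for account A; $1 = user ARN
  aws iam put-user-policy --user-name "${1##*/}" \
    --policy-name AssumeSsmRoleInAccountB --policy-document "$(assume_role_policy)"
  cli_profile >> ~/.aws/config
}

case "${1:-}" in
  b) apply_account_b "$2" ;;   # ./script.sh b arn:aws:iam::111111111111:user/alice
  a) apply_account_a "$2" ;;   # ./script.sh a arn:aws:iam::111111111111:user/alice
  *) trust_policy "arn:aws:iam::${ACCOUNT_A}:user/alice"; session_policy "$INSTANCE_ID"
     assume_role_policy; cli_profile ;;   # no argument: just print the documents
esac
```

After both halves are applied, `aws ssm start-session --target i-... --profile accountb-ssm` from account A's credentials works without an explicit `aws sts assume-role`. The client still needs the Session Manager plugin installed, and the instance in account B must already be registered with Systems Manager in that account; the role only changes who may call StartSession, not whether the target is connected.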