Thank you so much for your hard work. I made a mistake while setting up limited access for my server via SSH manager and accidentally locked myself out, as I didn't realize my user was not on the access list. I had to use another route to edit the file, and your video was incredibly helpful for a quick fix.
In one of your previous videos, you set up three endpoints: ssm, ssmmessages, and ec2messages. However, you didn't created the ec2messages endpoint here. Any particular reason for that?
Hi, good to hear back from you. When a session is started for the first time SSM agent creates a local user account ssm-user and adds it to the Administrators group (Windows). You can change the permissions of ssm-user but cannot use another user with Session Manager. I will aim to target this in my next video.
@@unmaskITnow thanks for the reply, i am trying to setup access to my vendors (read only) and my engineers to access fleet manager or session manager to access my infra, your video happen to be at the right time :), is there a way to integrate AD for user authentication for session manager or fleet manager?
Yes, you can grant access to Session Manager through SAML federation for AD users through an identity provider. aws.amazon.com/blogs/mt/configure-session-manager-access-for-federated-users-using-saml-session-tags/ This link above uses Okta as an identity provider but any SAML based provider should work. Note that, the federated user has the permissions to start a session but user for powershell session is still ssm-user
Thank you so much for your hard work. I made a mistake while setting up limited access for my server via SSH manager and accidentally locked myself out, as I didn't realize my user was not on the access list. I had to use another route to edit the file, and your video was incredibly helpful for a quick fix.
Thank you, you are the only one out there who mentioned the creation of endpoints and basically solved my issue
Excellent.. explained neatly.. thanks.
Very well explained! Thanks
This was really helpfull, thank you!
In one of your previous videos, you set up three endpoints: ssm, ssmmessages, and ec2messages. However, you didn't created the ec2messages endpoint here. Any particular reason for that?
I presume the default user is admin while logging in via session manager, can i user another user with a read only privilege?
Hi, good to hear back from you. When a session is started for the first time SSM agent creates a local user account ssm-user and adds it to the Administrators group (Windows). You can change the permissions of ssm-user but cannot use another user with Session Manager.
I will aim to target this in my next video.
@@unmaskITnow thanks for the reply, i am trying to setup access to my vendors (read only) and my engineers to access fleet manager or session manager to access my infra, your video happen to be at the right time :), is there a way to integrate AD for user authentication for session manager or fleet manager?
Yes, you can grant access to Session Manager through SAML federation for AD users through an identity provider.
aws.amazon.com/blogs/mt/configure-session-manager-access-for-federated-users-using-saml-session-tags/
This link above uses Okta as an identity provider but any SAML based provider should work. Note that, the federated user has the permissions to start a session but user for powershell session is still ssm-user