'community.aws.aws_ssm' connection will not change/become user

Hi,

Despite efforts, I cannot get the ‘community.aws.aws_ssm’ connection to ‘become’ any other user when connecting to an EC2 via SSM.

I can connect to the host fine, but any attempt to become root fails. Example tests:

- name: Run 'whoami' command
  become: true
  vars:
    - ansible_aws_ssm_access_key_id: "{{ ansible_access_key }}"
    - ansible_aws_ssm_secret_access_key: "{{ ansible_secret_key }}"
    - ansible_aws_ssm_session_token: "{{ ansible_session_token }}"
  ansible.builtin.command: whoami
  register: whoami_output


- name: Run 'whoami' command again
  become: true
  become_user: root
  vars:
    - ansible_aws_ssm_access_key_id: "{{ ansible_access_key }}"
    - ansible_aws_ssm_secret_access_key: "{{ ansible_secret_key }}"
    - ansible_aws_ssm_session_token: "{{ ansible_session_token }}"
  ansible.builtin.command: whoami
  register: whoami_output

The results of these and other tests all come back the same: user being ‘ssm_user’. The ‘ssm_user’ definitely does have the permission to elevate to root and can do so manually on the instance fine.

Is anyone else experiencing the same?

Hi
Did you try to add become_method: su or sudo in your task to check if the results are the same or different?

I assume when you switch from ssm_user to root manually you run something like su or su - right?

Thanks for the response.

I have tried ‘become_method’ of ‘sudo’ and ‘su’, both have no impact.

I have also tried using ‘shell’ instead of ‘command’ as well as other tasks, again the user remains as ‘ssm-user’.

Weird… I assume your root account is configured with a password too?

Are you able to test it by providing the root password into ansible_become_password in your vars?

Then try again with your current tasks, then with become_method and see if the results are the same for those scenarios.

Root account isn't configured with a password in my case. Connecting via SSM as ssm-user then elevating has always been the way.

This seems to be an issue with the plugin itself, as when I just use the ‘shell’ module and run the same commands with sudo in front it works fine. But any use of ‘become’ after connecting via the SSM plugin does not work at all.

Sorry, does anyone have any answer on this at all?