Problem

I'm executing commands on a CentOS 7 EC2 instance via SSM in a Lambda (Python 3.6). Unfortunately, SSM is executing the commands as the root user. I need the commands to be executed with the default centos user. Is there any way to change the user used by SSM.send_command so I don't have to do this:

/sbin/runuser -l centos -c <my_command>

My workaround

I don't like this, but it works. It also screws up permissions on directories and files created, which forces me to modify them as well. (Ignore the 777 permission change, as I was just testing to be sure it worked.)

...
/sbin/runuser -l centos -c 'sudo mkdir /home/centos/mydir'
/sbin/runuser -l centos -c 'sudo chmod 777 -R /home/centos/mydir'
/sbin/runuser -l centos -c 'aws s3 cp s3://<my_s3_file_to_transfer> /home/centos/mydir'
...
  • why can't you just su? – Jun 01 '18 at 18:02
  • That required a password entry. I'm not really trying to clean up this code as it's currently working. I suppose I'm curious as to whether or not the user can be defined in SSM so I don't have to do any of this. – AnxGotta Jun 01 '18 at 19:08
  • Check this: Restrict Access to Root-Level Commands Through SSM Agent https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-restrict-root-level-commands.html – Ketanbhut May 30 '19 at 20:55
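
Added example, not part of the original question or its comments: one way to generate the runuser-wrapped commands from the Lambda with shell quoting, so each command stays a single argument to -c and the directory is created by centos itself (no sudo, so nothing ends up owned by root). The helper names, the instance ID passed to send(), and the S3 URI are assumptions; the target directory is assumed to be under the centos home directory.

```python
import shlex

RUN_AS_USER = "centos"  # the user named in the question


def as_user(command, user=RUN_AS_USER):
    """Wrap one shell command so root (the SSM agent) runs it as `user`.

    shlex.quote keeps the whole command a single argument to -c, so quotes
    or shell metacharacters inside it cannot break out of the wrapper.
    """
    return "/sbin/runuser -l {} -c {}".format(
        shlex.quote(user), shlex.quote(command)
    )


def build_commands(s3_uri, target_dir, user=RUN_AS_USER):
    """Command list for AWS-RunShellScript: mkdir and copy, both as `user`.

    No sudo inside the wrapper: the directory is assumed to live under the
    user's home, so it is created with that user's ownership.
    """
    d = shlex.quote(target_dir)
    return [
        as_user("mkdir -p {}".format(d), user),
        as_user("aws s3 cp {} {}".format(shlex.quote(s3_uri), d), user),
    ]


def send(instance_id, commands):
    """Submit the commands via SSM Run Command (needs boto3 and credentials)."""
    import boto3  # imported here so the builders above run offline

    ssm = boto3.client("ssm")
    resp = ssm.send_command(
        InstanceIds=[instance_id],
        DocumentName="AWS-RunShellScript",
        Parameters={"commands": commands},
    )
    return resp["Command"]["CommandId"]


if __name__ == "__main__":
    # Constructed sample values; prints the commands without calling AWS.
    for line in build_commands("s3://example-bucket/file.txt",
                               "/home/centos/mydir"):
        print(line)
```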
