ssm-agent: fix bad user declaration #99520

endgame · 2020-10-04T00:31:07Z

Make ssm-agent service evaluate properly, and make Session Manager actually useful.

Built and run on an EC2 nixos image, and connected to the system through AWS Systems Manager > Session Manager.

endgame · 2020-10-04T00:31:40Z

infinisil · 2020-10-07T00:50:03Z

nixos/modules/services/misc/ssm-agent.nix

+    users.groups.ssm-user = {};
+    users.users.ssm-user = {
+      isNormalUser = true;
+      group = "ssm-user";


Is there a point to using a separate user if that user has the same privileges as root? Why not just run as root directly?

Good question. The user is not used to run the service, it's used when you use Session Manager to connect directly to a running instance.

(This does not appear to be a configurable thing, and is how it happens on standard AWS images too.)

endgame · 2020-10-08T00:13:11Z

@infinisil Thanks for your comments. Anything else you need from me to keep this moving?

endgame requested a review from manveru October 4, 2020 00:33

ofborg bot added 6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 0 labels Oct 4, 2020

endgame force-pushed the ssm-agent-user-fix branch from 4d499e5 to 4fa4118 Compare October 6, 2020 23:20

ssm-agent: fix bad user declaration

0d41792

endgame force-pushed the ssm-agent-user-fix branch from 4fa4118 to 0d41792 Compare October 6, 2020 23:36

infinisil reviewed Oct 7, 2020

View reviewed changes

infinisil merged commit 6ee8491 into NixOS:master Oct 8, 2020

endgame deleted the ssm-agent-user-fix branch October 9, 2020 00:35

mkurkov mentioned this pull request Jul 20, 2021

nixos/ssm-agent: fix service configuration #99404

Closed

9 tasks

Provide feedback