AWS SSM connection user is always root

[andyshinn]

Summary

When using the aws_ssm connection plugin the user always seems to be root. When running commands that create files (such as community.general.bundler) they become owned as root. The executed commands appear to be run using sudo as opposed to a regular connection.

Issue Type

Bug Report

Component Name

aws_ssm

Ansible Version

$ ansible --version
ansible [core 2.11.7] 
  config file = /Users/ashinn/Documents/GitHub/myapp/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.9.9 (main, Dec 21 2021, 10:03:34) [GCC 10.2.1 20210110]
  jinja version = 3.0.3
  libyaml = True

Collection Versions

$ ansible-galaxy collection list
# /root/.ansible/collections/ansible_collections
Collection    Version
------------- -------
amazon.aws    3.0.0  
community.aws 2.1.0  

# /usr/local/lib/python3.9/site-packages/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    1.5.1  
ansible.netcommon             2.4.0  
ansible.posix                 1.3.0  
ansible.utils                 2.4.2  
ansible.windows               1.8.0  
arista.eos                    2.2.0  
awx.awx                       19.4.0 
azure.azcollection            1.10.0 
check_point.mgmt              2.1.1  
chocolatey.chocolatey         1.1.0  
cisco.aci                     2.1.0  
cisco.asa                     2.1.0  
cisco.intersight              1.0.17 
cisco.ios                     2.5.0  
cisco.iosxr                   2.5.0  
cisco.meraki                  2.5.0  
cisco.mso                     1.2.0  
cisco.nso                     1.0.3  
cisco.nxos                    2.7.1  
cisco.ucs                     1.6.0  
cloudscale_ch.cloud           2.2.0  
community.aws                 1.5.0  
community.azure               1.1.0  
community.crypto              1.9.7  
community.digitalocean        1.12.0 
community.docker              1.10.1 
community.fortios             1.0.0  
community.general             3.8.2  
community.google              1.0.0  
community.grafana             1.2.3  
community.hashi_vault         1.5.0  
community.hrobot              1.2.1  
community.kubernetes          1.2.1  
community.kubevirt            1.0.0  
community.libvirt             1.0.2  
community.mongodb             1.3.2  
community.mysql               2.3.1  
community.network             3.0.0  
community.okd                 1.1.2  
community.postgresql          1.6.0  
community.proxysql            1.3.0  
community.rabbitmq            1.1.0  
community.routeros            1.2.0  
community.skydive             1.0.0  
community.sops                1.2.0  
community.vmware              1.16.0 
community.windows             1.8.0  
community.zabbix              1.5.0  
containers.podman             1.8.2  
cyberark.conjur               1.1.0  
cyberark.pas                  1.0.13 
dellemc.enterprise_sonic      1.1.0  
dellemc.openmanage            3.6.0  
dellemc.os10                  1.1.1  
dellemc.os6                   1.0.7  
dellemc.os9                   1.0.4  
f5networks.f5_modules         1.12.0 
fortinet.fortimanager         2.1.4  
fortinet.fortios              2.1.3  
frr.frr                       1.0.3  
gluster.gluster               1.0.2  
google.cloud                  1.0.2  
hetzner.hcloud                1.6.0  
hpe.nimble                    1.1.3  
ibm.qradar                    1.0.3  
infinidat.infinibox           1.3.0  
inspur.sm                     1.3.0  
junipernetworks.junos         2.6.0  
kubernetes.core               1.2.1  
mellanox.onyx                 1.0.0  
netapp.aws                    21.7.0 
netapp.azure                  21.10.0
netapp.cloudmanager           21.12.1
netapp.elementsw              21.7.0 
netapp.ontap                  21.13.1
netapp.um_info                21.8.0 
netapp_eseries.santricity     1.2.13 
netbox.netbox                 3.3.0  
ngine_io.cloudstack           2.2.2  
ngine_io.exoscale             1.0.0  
ngine_io.vultr                1.1.0  
openstack.cloud               1.5.3  
openvswitch.openvswitch       2.0.2  
ovirt.ovirt                   1.6.5  
purestorage.flasharray        1.11.0 
purestorage.flashblade        1.8.1  
sensu.sensu_go                1.12.0 
servicenow.servicenow         1.0.6  
splunk.es                     1.0.2  
t_systems_mms.icinga_director 1.25.0 
theforeman.foreman            2.2.0  
vyos.vyos                     2.6.0  
wti.remote                    1.0.3  

AWS SDK versions

$ pip show boto boto3 botocore
Name: boto
Version: 2.49.0
Summary: Amazon Web Services Library
Home-page: https://github.com/boto/boto/
Author: Mitch Garnaat
Author-email: [email protected]
License: MIT
Location: /usr/local/lib/python3.9/site-packages
Requires: 
Required-by: 
---
Name: boto3
Version: 1.20.26
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /usr/local/lib/python3.9/site-packages
Requires: s3transfer, botocore, jmespath
Required-by: 
---
Name: botocore
Version: 1.23.26
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /usr/local/lib/python3.9/site-packages
Requires: urllib3, jmespath, python-dateutil
Required-by: s3transfer, boto3, awscli

Configuration

$ ansible-config dump --only-changed
ANSIBLE_PIPELINING(/Users/ashinn/Documents/GitHub/myapp/ansible/ansible.cfg) = True
CACHE_PLUGIN(/Users/ashinn/Documents/GitHub/myapp/ansible/ansible.cfg) = jsonfile
CACHE_PLUGIN_CONNECTION(/Users/ashinn/Documents/GitHub/myapp/ansible/ansible.cfg) = ./ansible_fact_cache
CACHE_PLUGIN_TIMEOUT(/Users/ashinn/Documents/GitHub/myapp/ansible/ansible.cfg) = 300
CALLBACKS_ENABLED(/Users/ashinn/Documents/GitHub/myapp/ansible/ansible.cfg) = ['profile_roles']
DEFAULT_FILTER_PLUGIN_PATH(/Users/ashinn/Documents/GitHub/myapp/ansible/ansible.cfg) = ['/Users/ashinn/Documents/GitHub/myapp/ansible/plugins/filter_plugins']
DEFAULT_FORKS(/Users/ashinn/Documents/GitHub/myapp/ansible/ansible.cfg) = 10
DEFAULT_GATHERING(/Users/ashinn/Documents/GitHub/myapp/ansible/ansible.cfg) = smart
DEFAULT_HOST_LIST(/Users/ashinn/Documents/GitHub/myapp/ansible/ansible.cfg) = ['/Users/ashinn/Documents/GitHub/myapp/ansible/inventory/localhost.yml']
DEFAULT_ROLES_PATH(/Users/ashinn/Documents/GitHub/myapp/ansible/ansible.cfg) = ['/Users/ashinn/Documents/GitHub/myapp/ansible/roles_external', '/Users/ashinn/Documents/GitHub/myapp/ansible/roles']
HOST_KEY_CHECKING(/Users/ashinn/Documents/GitHub/myapp/ansible/ansible.cfg) = False
INTERPRETER_PYTHON(/Users/ashinn/Documents/GitHub/myapp/ansible/ansible.cfg) = auto_silent
INVENTORY_ENABLED(/Users/ashinn/Documents/GitHub/myapp/ansible/ansible.cfg) = ['yaml', 'aws_ec2']
INVENTORY_UNPARSED_IS_FAILED(/Users/ashinn/Documents/GitHub/myapp/ansible/ansible.cfg) = True
RETRY_FILES_ENABLED(/Users/ashinn/Documents/GitHub/myapp/ansible/ansible.cfg) = False
TRANSFORM_INVALID_GROUP_CHARS(/Users/ashinn/Documents/GitHub/myapp/ansible/ansible.cfg) = ignore

OS / Environment

Controller: Ubuntu 20.04
Host: Ubuntu 20.04

Steps to Reproduce

ansible -i inventory/inventory_public_aws_ec2.yml -u myuser -m shell -a "env" -vvv i-050cea982611bb1e3

Expected Results

Environment should have the user I connect with as USER:

MAIL=/var/mail/myuser
USER=myuser
SSH_CLIENT=8.2.187.68 54273 22
SHLVL=1
HOME=/home/myuser
LOGNAME=myuser
_=/bin/sh
XDG_SESSION_ID=369
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
XDG_RUNTIME_DIR=/run/user/1001
LANG=C.UTF-8
SSH_AUTH_SOCK=/tmp/ssh-01of20VQ7J/agent.27308
SHELL=/bin/bash
PWD=/home/myuser
SSH_CONNECTION=8.2.187.68 54273 10.76.2.231 22

Actual Results

User is root with sudo to myuser.

SUDO_GID=1002
MAIL=/var/mail/root
USER=root
HOME=/home/myuser
SUDO_UID=1001
LOGNAME=root
TERM=xterm-256color
USERNAME=root
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
LANG=C.UTF-8
SUDO_COMMAND=/usr/bin/python /home/myuser/.ansible/tmp/ansible-tmp-1641589796.0479577-9-238618888204116/AnsiballZ_command.py
SHELL=/bin/bash
SUDO_USER=myuser
PWD=/home/myuser

Code of Conduct

• I agree to follow the Ansible Code of Conduct

[phene]

I've run into this as well -- it appears that ssm is invoking python with sudo every single time, which is not ideal. I've tried:

become: false

and

become: true
become_user: someone_else

and they appear to have no affect. Of course if I remove ssm-user's ability to sudo, the command fails (and waits forever for output that never arrives).

[mtraynham]

(edit) By default, the user always does seem to be root, regardless of ansible_user. I discovered the below works given a caveat.

become: true
become_user: someone_else

If ansible_user is set, the Become plugin will not work if ansible_user == become_user, https://github.com/ansible/ansible/blob/v2.13.2/lib/ansible/plugins/action/__init__.py#L1287.

buser != ruser

For ansible-core < 2.13, ansible_user was being inferred and interpreted as the locally running user, e.g. mtraynham, which works for me, because mtraynham != ubuntu. For ansible-core >= 2.13, this was fixed and started accepting the defined inventory ansible_user, which I had previously set ansible_user = 'ubuntu' and therefore, ansible_user == become_user and it was ignoring the become.

Thus, with AWS SSM, avoid using ansible_user because it's ignored and always uses root. become_user works with the sudo become plugin.

Documentation below is my prior findings.

---

However, using community.aws==4.0.0, the following works with ansible-core==2.12.7, but not with ansible-core>=2.13.0.

become: true
become_user: someone_else

I'm not sure where the change is in the upstream ansible project, but I suspect it must have to do with either the sudo Become plugin or the ConnectionBase plugin. It seems as if the sudo become plugin is entirely disabled or just not annotating the request.

Using the following:

ansible amd64 --become --become-user=ubuntu -a "whoami" -vvvvv

On 2.12.7, I see:

<amd64> EXEC stdout line: yGRnJaHsrnCiXmXASnyqakmwVH
<amd64> EXEC stdout line:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
<amd64> EXEC stdout line:                                  Dload  Upload   Total   Spent    Left  Speed
100  128k  100  128k    0     0  1397k      0 --:--:-- --:--:-- --:--:-- 1397k
<amd64> EXEC stdout line:
<amd64> EXEC stdout line: 0
<amd64> EXEC stdout line: qrzrHWzbluDBJfSlfWNkFbjpbN
<amd64> POST_PROCESS:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  128k  100  128k    0     0  1397k      0 --:--:-- --:--:-- --:--:-- 1397k

0
<amd64> (0, '  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\r\r\n                                 Dload  Upload   Total   Spent    Left  Speed\r\r\n\r  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0\r100  128k  100  128k    0     0  1397k      0 --:--:-- --:--:-- --:--:-- 1397k\r\r', '')
<amd64> (0, '  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\r\r\n                                 Dload  Upload   Total   Spent    Left  Speed\r\r\n\r  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0\r100  128k  100  128k    0     0  1397k      0 --:--:-- --:--:-- --:--:-- 1397k\r\r', '')
<amd64> EXEC setfacl -m u:ubuntu:r-x /tmp/ansible-tmp-1659627381.462407-31860-131736441176707/ /tmp/ansible-tmp-1659627381.462407-31860-131736441176707/AnsiballZ_command.py
<amd64> _wrap_command: 'echo lrVPiGTEJVHVyHQnqssjWExZWB
setfacl -m u:ubuntu:r-x /tmp/ansible-tmp-1659627381.462407-31860-131736441176707/ /tmp/ansible-tmp-1659627381.462407-31860-131736441176707/AnsiballZ_command.py
echo $'\n'$?
echo KeQxBOMAEzlwIoBrTBPsuwhaiQ
'
<amd64> EXEC stdout line: lrVPiGTEJVHVyHQnqssjWExZWB
<amd64> EXEC stdout line:
<amd64> EXEC stdout line: 0
<amd64> EXEC stdout line: KeQxBOMAEzlwIoBrTBPsuwhaiQ
<amd64> POST_PROCESS:
0
<amd64> (0, '\r', '')
<amd64> EXEC sudo -H -S -n  -u ubuntu /bin/sh -c 'echo BECOME-SUCCESS-filhtipqgimnwqijkutggcaqsbkedsje ; /usr/bin/python3 /tmp/ansible-tmp-1659627381.462407-31860-131736441176707/AnsiballZ_command.py'
<amd64> _wrap_command: 'echo RTuXRTjmLqlSOcYlinIPXltvzK
sudo sudo -H -S -n  -u ubuntu /bin/sh -c 'echo BECOME-SUCCESS-filhtipqgimnwqijkutggcaqsbkedsje ; /usr/bin/python3 /tmp/ansible-tmp-1659627381.462407-31860-131736441176707/AnsiballZ_command.py'
echo $'\n'$?
echo cgxtpYBvgeezTlZKIwIbzIZotk
'
<amd64> EXEC stdout line: RTuXRTjmLqlSOcYlinIPXltvzK
<amd64> EXEC stdout line: BECOME-SUCCESS-filhtipqgimnwqijkutggcaqsbkedsje
<amd64> EXEC stdout line:
<amd64> EXEC stdout line: {"changed": true, "stdout": "ubuntu", "stderr": "", "rc": 0, "cmd": ["whoami"], "start": "2022-08-04 15:36:24.039039", "end": "2022-08-04 15:36:24.042784", "delta": "0:00:00.003745", "msg": "", "invocation": {"module_args": {"_raw_params": "whoami", "_uses_shell": false, "warn": false, "stdin_add_newline": true, "strip_empty_ends": true, "argv": null, "chdir": null, "executable": null, "creates": null, "removes": null, "stdin": null}}}
<amd64> EXEC stdout line:
<amd64> EXEC stdout line: 0
<amd64> EXEC stdout line: cgxtpYBvgeezTlZKIwIbzIZotk
<amd64> POST_PROCESS: BECOME-SUCCESS-filhtipqgimnwqijkutggcaqsbkedsje

{"changed": true, "stdout": "ubuntu", "stderr": "", "rc": 0, "cmd": ["whoami"], "start": "2022-08-04 15:36:24.039039", "end": "2022-08-04 15:36:24.042784", "delta": "0:00:00.003745", "msg": "", "invocation": {"module_args": {"_raw_params": "whoami", "_uses_shell": false, "warn": false, "stdin_add_newline": true, "strip_empty_ends": true, "argv": null, "chdir": null, "executable": null, "creates": null, "removes": null, "stdin": null}}}

0
<amd64> (0, 'BECOME-SUCCESS-filhtipqgimnwqijkutggcaqsbkedsje\r\r\n\r\r\n{"changed": true, "stdout": "ubuntu", "stderr": "", "rc": 0, "cmd": ["whoami"], "start": "2022-08-04 15:36:24.039039", "end": "2022-08-04 15:36:24.042784", "delta": "0:00:00.003745", "msg": "", "invocation": {"module_args": {"_raw_params": "whoami", "_uses_shell": false, "warn": false, "stdin_add_newline": true, "strip_empty_ends": true, "argv": null, "chdir": null, "executable": null, "creates": null, "removes": null, "stdin": null}}}\r\r', '')
<amd64> EXEC rm -f -r /tmp/ansible-tmp-1659627381.462407-31860-131736441176707/ > /dev/null 2>&1
<amd64> _wrap_command: 'echo tlJKzYxkcNbutfjSmaztdWxQOn
rm -f -r /tmp/ansible-tmp-1659627381.462407-31860-131736441176707/ > /dev/null 2>&1
echo $'\n'$?
echo QBdNfHbHZvFADEaQDwEyUKEHRe
'
<amd64> EXEC stdout line: tlJKzYxkcNbutfjSmaztdWxQOn
<amd64> EXEC stdout line:
<amd64> EXEC stdout line: 0
<amd64> EXEC stdout line: QBdNfHbHZvFADEaQDwEyUKEHRe
<amd64> POST_PROCESS:
0
<amd64> (0, '\r', '')
<amd64> CLOSING SSM CONNECTION TO: i-foooobarrrrrrr
<amd64> TERMINATE SSM SESSION: 1659627378415358908-0be982b51e3d599b3
amd64 | CHANGED | rc=0 >>
ubuntu

But with 2.13.0, I see:

<amd64> EXEC stdout line: xzMuUzMNqHwHpSbJfaBWyxHlXk
<amd64> EXEC stdout line:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
<amd64> EXEC stdout line:                                  Dload  Upload   Total   Spent    Left  Speed
100  129k  100  129k    0     0  1820k      0 --:--:-- --:--:-- --:--:-- 1846k
<amd64> EXEC stdout line:
<amd64> EXEC stdout line: 0
<amd64> EXEC stdout line: fRriafsHDbKxlsNXflrsRfNkFp
<amd64> POST_PROCESS:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  129k  100  129k    0     0  1820k      0 --:--:-- --:--:-- --:--:-- 1846k

0
<amd64> (0, '  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\r\r\n                                 Dload  Upload   Total   Spent    Left  Speed\r\r\n\r  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0\r100  129k  100  129k    0     0  1820k      0 --:--:-- --:--:-- --:--:-- 1846k\r\r', '')
<amd64> (0, '  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\r\r\n                                 Dload  Upload   Total   Spent    Left  Speed\r\r\n\r  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0\r100  129k  100  129k    0     0  1820k      0 --:--:-- --:--:-- --:--:-- 1846k\r\r', '')
<amd64> EXEC chmod u+x /tmp/ansible-tmp-1659627561.073012-1119-109925057725645/ /tmp/ansible-tmp-1659627561.073012-1119-109925057725645/AnsiballZ_command.py
<amd64> _wrap_command: 'echo NLOFBJSpPZrOmppYMYMEjZeEAi
chmod u+x /tmp/ansible-tmp-1659627561.073012-1119-109925057725645/ /tmp/ansible-tmp-1659627561.073012-1119-109925057725645/AnsiballZ_command.py
echo $'\n'$?
echo YtkFHtXrXFvLomjOuiLlKeYBfi
'
<amd64> EXEC stdout line: NLOFBJSpPZrOmppYMYMEjZeEAi
<amd64> EXEC stdout line:
<amd64> EXEC stdout line: 0
<amd64> EXEC stdout line: YtkFHtXrXFvLomjOuiLlKeYBfi
<amd64> POST_PROCESS:
0
<amd64> (0, '\r', '')
<amd64> EXEC /usr/bin/python3 /tmp/ansible-tmp-1659627561.073012-1119-109925057725645/AnsiballZ_command.py
<amd64> _wrap_command: 'echo HyqCfmJjriNxjfNbLldzMTjrLi
sudo /usr/bin/python3 /tmp/ansible-tmp-1659627561.073012-1119-109925057725645/AnsiballZ_command.py
echo $'\n'$?
echo ERFJmIxGphNBUQcMVFdKOIerLX
'
<amd64> EXEC stdout line: HyqCfmJjriNxjfNbLldzMTjrLi
<amd64> EXEC stdout line:
<amd64> EXEC stdout line: {"changed": true, "stdout": "root", "stderr": "", "rc": 0, "cmd": ["whoami"], "start": "2022-08-04 15:39:23.566282", "end": "2022-08-04 15:39:23.570094", "delta": "0:00:00.003812", "msg": "", "invocation": {"module_args": {"_raw_params": "whoami", "_uses_shell": false, "warn": false, "stdin_add_newline": true, "strip_empty_ends": true, "argv": null, "chdir": null, "executable": null, "creates": null, "removes": null, "stdin": null}}}
<amd64> EXEC stdout line:
<amd64> EXEC stdout line: 0
<amd64> EXEC stdout line: ERFJmIxGphNBUQcMVFdKOIerLX
<amd64> POST_PROCESS:
{"changed": true, "stdout": "root", "stderr": "", "rc": 0, "cmd": ["whoami"], "start": "2022-08-04 15:39:23.566282", "end": "2022-08-04 15:39:23.570094", "delta": "0:00:00.003812", "msg": "", "invocation": {"module_args": {"_raw_params": "whoami", "_uses_shell": false, "warn": false, "stdin_add_newline": true, "strip_empty_ends": true, "argv": null, "chdir": null, "executable": null, "creates": null, "removes": null, "stdin": null}}}

0
<amd64> (0, '\r\r\n{"changed": true, "stdout": "root", "stderr": "", "rc": 0, "cmd": ["whoami"], "start": "2022-08-04 15:39:23.566282", "end": "2022-08-04 15:39:23.570094", "delta": "0:00:00.003812", "msg": "", "invocation": {"module_args": {"_raw_params": "whoami", "_uses_shell": false, "warn": false, "stdin_add_newline": true, "strip_empty_ends": true, "argv": null, "chdir": null, "executable": null, "creates": null, "removes": null, "stdin": null}}}\r\r', '')
<amd64> EXEC rm -f -r /tmp/ansible-tmp-1659627561.073012-1119-109925057725645/ > /dev/null 2>&1
<amd64> _wrap_command: 'echo QhiCwGzddFOrmxNtUXzsEFkFat
rm -f -r /tmp/ansible-tmp-1659627561.073012-1119-109925057725645/ > /dev/null 2>&1
echo $'\n'$?
echo scPRPnJYpRRVhMaDEKUeubXVaz
'
<amd64> EXEC stdout line: QhiCwGzddFOrmxNtUXzsEFkFat
<amd64> EXEC stdout line:
<amd64> EXEC stdout line: 0
<amd64> EXEC stdout line: scPRPnJYpRRVhMaDEKUeubXVaz
<amd64> POST_PROCESS:
0
<amd64> (0, '\r', '')
<amd64> CLOSING SSM CONNECTION TO: i-foooobarrrrrrr
<amd64> TERMINATE SSM SESSION: 1659627557575920425-091a376c8a7e21c36
amd64 | CHANGED | rc=0 >>
root

[adsanz-atalanta]

I came across this issue today as well. I'm pretty sure is the same case since I'm running ansible as "runner" user and the target host I'm trying to access also has a become_user statement as the "runner" user. Running latest ansible core and latest community.aws

[tremble]

https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-technical-details.html

With SSM the user you connect as is controlled by the SSM agent as installed on the target host. This is simply how the SSM agent works. By default this initial user will be the ssm-agent user. Since it's controlled by the target host side the plugin currently ignores the ansible_user.

Once connected, Ansible defaults to running sudo to become the root user. If you want to run commands as another user become_user would be correct way to select the user. While we could mangle things and also use sudo to switch from the SSM user to ansible_user this would be somewhat misleading as folks might think that they're connecting in directly as ansible_user rather than becoming that user.

I'm going to keep this issue open as a documentation bug. However, I don't think it's correct to change the behaviour from today's behaviour.

[andyshinn]

With SSM the user you connect as is controlled by the SSM agent as installed on the target host. This is simply how the SSM agent works. By default this initial user will be the ssm-agent user. Since it's controlled by the target host side the plugin currently ignores the ansible_user.

I use SSM on the command line daily and it uses the user I specify on command line. As previously mentioned it looks like this was also working as desired in a previous version. That doesn't sound like a documentation bug to me. But if that is the decision going forwards then I will work around it.

[tremble]

If you've got it working then feel free to supply example commands. I'll concede that the AWS documentation isn't the greatest and it's possible I've overlooked something.

The only documentation I can find that refers to managing which user you connect as talks about needing to apply the "SSMSessionRunAs" tag to IAM Users/Roles and doesn't talk about selecting the user on the fly.

Please note: that the plugin is using SSM sessions, not SSM commands.

[mlehner]

I ran across this problem when experimenting with the aws_ssm connection plugin. I am running ansible v2.9.25 and noticed that many of my playbooks that run fine over SSH were failing with errors when run with aws_ssm.

I dug into the source of aws_ssm and to me it seems aws_ssm is incorrectly prepending sudo when sudoable=True is being passed.

From my testing, sudoable=True is sent even when become is not being used. For example the facts modules will send sudoable=True even though become is not used. This causes facts to come back for "root" instead of the login user.

Removing the if statement in _wrap_command that prepends sudo has fixed the issue for me completely. My tasks that run with become still run sudo appropriately, and all my others do not.

While reading over the docs in ansible 2.9.25 for ConnectionBase it mentions that sudoable is a flag to tell the connection plugin that become is being used. I interpret that to mean become is being handled elsewhere, and should not be done in the connection plugin.

https://github.com/ansible/ansible/blob/6d9e2bc5e90a4db81f879f5e79b5470ea676f587/lib/ansible/plugins/connection/__init__.py#L133

All of that said I am running aws_ssm (5.2.0) on an old version of ansible (2.9.25) so this fix may not be appropriate for general use.