Getting an AccessDeniedException error on both an IAM user assuming a role and an AWS SSO federated identity assuming a role (permission set) when using `aws-gate session`, but no errors are reported when using the AWS CLI.

Here's the inline policy for the role that the IAM user assumes:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": [
        "arn:aws:ec2:region:987654321098:instance/*"
      ],
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/Finance": [
            "WebServers"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/aws:ssmmessages:session-id": [
            "${aws:userid}"
          ]
        }
      }
    }
  ]
}
```
Here's the error when terminating a session after `aws-gate session`:

```
$ aws-gate session instance123
Starting session with SessionId: botocore-session-1582948225-8d8e183834f2b
$ exit
Exiting session with sessionId: botocore-session-1582948225-8d8e183834f2b.
An error occurred (AccessDeniedException) when calling the TerminateSession operation: User: arn:aws:sts::987654321098:assumed-role/custom-ssm-role/botocore-session-1582948225 is not authorized to perform: ssm:TerminateSession on resource: arn:aws:ssm:us-east-1:987654321098:session/botocore-session-1582948225-8d8e183834f2b
```
Using the AWS CLI there are no errors, and I am able to terminate the session fine with an active session running in another terminal:

```
$ aws ssm describe-sessions --state Active
{
    "Sessions": [
        {
            "SessionId": "botocore-session-1582948225-7b2f818282e4e",
            "Target": "i-1234567890abcdef0",
            "Status": "Connected",
            "StartDate": 1550676938.352,
            "Owner": "arn:aws:sts::987654321098:assumed-role/custom-ssm-role/botocore-session-1582948225",
            "OutputUrl": {}
        }
    ]
}
$ aws ssm terminate-session --session-id botocore-session-1582948225-7b2f818282e4e
{
    "SessionId": "botocore-session-1582948225-7b2f818282e4e"
}
```
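To reason about what the `ssm:TerminateSession` statement above will match, here is an added example (not code from aws-gate or the issue author) that implements IAM's `StringLike` glob matching with `${...}` policy-variable substitution and evaluates the statement against a constructed request context. It checks only actions and conditions, not `Resource` ARNs; the `aws:userid` and tag values are placeholders, not real identifiers.

```python
import re

# The TerminateSession statement from the issue's inline policy.
TERMINATE_STATEMENT = {
    "Effect": "Allow",
    "Action": ["ssm:TerminateSession"],
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "ssm:resourceTag/aws:ssmmessages:session-id": ["${aws:userid}"]
        }
    },
}

_VAR = re.compile(r"\$\{([^}]+)\}")


def substitute_variables(pattern, context):
    """Expand ${key} policy variables from the request context.
    Returns None if any referenced key is absent, which can never match."""
    missing = [k for k in _VAR.findall(pattern) if k not in context]
    if missing:
        return None
    return _VAR.sub(lambda m: context[m.group(1)], pattern)


def string_like(pattern, value):
    """IAM StringLike: case-sensitive, '*' matches any run, '?' one char."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def condition_matches(condition, context):
    """All condition keys must match; a key's patterns are OR-ed (StringLike only)."""
    for operator, keys in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, patterns in keys.items():
            value = context.get(key)
            expanded = [substitute_variables(p, context) for p in patterns]
            if value is None or not any(
                e is not None and string_like(e, value) for e in expanded
            ):
                return False
    return True


def evaluate(statement, action, context):
    """Return the statement's Effect if action and condition match, else 'NoMatch'."""
    if action not in statement["Action"]:
        return "NoMatch"
    if not condition_matches(statement.get("Condition", {}), context):
        return "NoMatch"
    return statement["Effect"]
```

Plugging in the `aws:userid` of the calling principal and the `aws:ssmmessages:session-id` tag value of the session being terminated shows whether the condition can match for that principal type.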