I have two AWS accounts and one role in each account: Account-A has RoleA and Account-B has RoleB.
RoleA will assume RoleB to be able to connect to an EC2 instance in Account-B through ssm start-session.
Using RoleA, I'm able to assume RoleB and describe the instances in Account-B using the AWS CLI, but I can't start an SSM session due to the following error:
An error occurred (AccessDeniedException) when calling the TerminateSession operation: User: arn:aws:sts::222222222222:assumed-role/RoleB/RoleB-SSM-test is not authorized to perform: ssm:TerminateSession on resource: arn:aws:ssm:us-east-1:222222222222:assumed-role/RoleB/RoleB-SSM-test-000000000000 because no identity-based policy allows the ssm:TerminateSession action
RoleA policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::222222222222:role/RoleB"
            ]
        }
    ]
}
RoleB policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeSessions",
                "ssm:GetConnectionStatus",
                "ssm:DescribeInstanceProperties",
                "ec2:DescribeInstances",
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:222222222222:instance/i-123456abc789102de",
                "arn:aws:ssm:us-east-1:222222222222:document/SSM-SessionManagerRunShell",
                "arn:aws:ssm:us-east-1:222222222222:document/AWS-StartSSHSession"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "ssm:TerminateSession"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ssm:resourceTag/aws:ssmmessages:session-id": [
                        "AROAXXXXXXXXXXXXX"
                    ]
                }
            }
        }
    ]
}
Originally, the ssm:TerminateSession in RoleB's policy didn't have a condition and was alongside the other actions. I made this change to try to solve this error, but with no success: same error message.
What am I doing wrong?
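The post ends without an answer. As an added illustration, not the poster's code and not AWS's own policy engine, the Python below models how an IAM StringLike condition expands policy variables and compares the result against the session's tag, and runs the posted TerminateSession statement next to the variant AWS documents for this condition key. It assumes, following the Session Manager documentation, that Session Manager tags each session with aws:ssmmessages:session-id set to the aws:userid of the principal that started it, and that aws:userid for an assumed role has the form <role-id>:<role-session-name>. The role ID and role session name are constructed values.

```python
import re

# Constructed identifiers for the example; they are not taken from the post.
ROLE_ID = "AROAXXXXXXXXXXXXX"      # the unique ID of RoleB (an AROA... value)
SESSION_NAME = "RoleB-SSM-test"    # the RoleSessionName passed to sts:AssumeRole


def assumed_role_userid(role_id: str, session_name: str) -> str:
    """aws:userid for an assumed-role principal is '<role-id>:<role-session-name>'."""
    return f"{role_id}:{session_name}"


def substitute_policy_variables(pattern: str, request_context: dict) -> str:
    """Expand ${key} policy variables (e.g. ${aws:userid}) from the request context.
    A variable missing from the context is left as-is, so it cannot match a real tag."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: request_context.get(m.group(1), m.group(0)),
                  pattern)


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive, '*' matches any run of chars, '?' matches one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def statement_allows(statement: dict, action: str, request_context: dict,
                     resource_tags: dict) -> bool:
    """Evaluate one Allow statement whose Condition consists of StringLike tests
    on ssm:resourceTag/<tag> keys (the only condition shape modelled here)."""
    if statement.get("Effect") != "Allow" or action not in statement.get("Action", []):
        return False
    string_like = statement.get("Condition", {}).get("StringLike", {})
    for key, patterns in string_like.items():
        if not key.startswith("ssm:resourceTag/"):
            raise ValueError(f"condition key not modelled here: {key}")
        tag_value = resource_tags.get(key[len("ssm:resourceTag/"):])
        if tag_value is None:
            return False  # a condition on a tag the resource lacks does not match
        if isinstance(patterns, str):
            patterns = [patterns]
        expanded = [substitute_policy_variables(p, request_context) for p in patterns]
        if not any(iam_string_like(p, tag_value) for p in expanded):
            return False
    return True


# The TerminateSession statement as posted: a bare role ID as the only pattern.
POSTED_STATEMENT = {
    "Effect": "Allow",
    "Action": ["ssm:TerminateSession"],
    "Resource": "*",
    "Condition": {"StringLike": {
        "ssm:resourceTag/aws:ssmmessages:session-id": [ROLE_ID]}},
}

# The same statement with the pattern AWS documents for this condition key:
# the caller's own aws:userid, so a principal can only end sessions it started.
FIXED_STATEMENT = {
    "Effect": "Allow",
    "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
    "Resource": "*",
    "Condition": {"StringLike": {
        "ssm:resourceTag/aws:ssmmessages:session-id": ["${aws:userid}"]}},
}


def terminate_allowed(statement: dict) -> bool:
    """Simulate RoleB, assumed with SESSION_NAME, calling ssm:TerminateSession
    on a session it started itself."""
    userid = assumed_role_userid(ROLE_ID, SESSION_NAME)
    request_context = {"aws:userid": userid}
    # Assumption taken from the AWS docs: Session Manager tags each session with
    # aws:ssmmessages:session-id set to the aws:userid of the principal that started it.
    session_tags = {"aws:ssmmessages:session-id": userid}
    return statement_allows(statement, "ssm:TerminateSession", request_context, session_tags)


if __name__ == "__main__":
    print("posted statement allows TerminateSession:", terminate_allowed(POSTED_STATEMENT))  # False
    print("fixed statement allows TerminateSession: ", terminate_allowed(FIXED_STATEMENT))   # True
```

Running it shows why the literal role ID never matches: the tag carries the role ID followed by a colon and the role session name, and StringLike without a wildcard is an exact comparison. "${aws:userid}" matches, and so would the wildcard "AROAXXXXXXXXXXXXX:*" if any session of RoleB should be allowed to end any other RoleB session. The ARN form "arn:aws:ssm:*:*:session/${aws:username}-*" from the same AWS guide does not help in this case, because aws:username is not present in the request context when the principal is an assumed role.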