aws ssm start-session incorrectly returns permissions error when session-manager-plugin is not installed

[dkelley-asu]

Describe the bug

When attempting to use the aws ssm start-session command without having the session manager plugin is installed and without ssm:TerminateSession action permission, an AccessDeniedException is thrown. Only after the permission is granted is the correct exception is raised (notifying that the plugin needs to be installed).

This is a bug because aws ssm start-session command does not require this permission, and can be run without it.

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

When attempting to run aws ssm start-session without ssm:TerminateSession permissions and without the session manager plugin installed, the correct error should print to the console (i.e., "SessionManagerPlugin is not found.")

Current Behavior

When attempting tun run aws ssm start-session without ssm:TerminateSession permissions and without the session manager plugin installed, an AccessDeniedException is raised and printed to the console.

Reproduction Steps

Using aws-cli tool without plugin manager installed and without ssm:TerminateSession permissions for your current IAM user/role, attempt to use aws ssm start-session to start a session. More about using this command in the documentation.

Possible Solution

No response

Additional Information/Context

While it may seem obvious that any command prefixed with aws ssm would require the session manager plugin, it is far less obvious if this command is buried in a script or run using other tools. It falsely reports that permission scope needs to be expanded to perform an action when it does not. Many tools use ssm as a backend method and it may not be clearly obvious why these scripts or tools are failing.

CLI version used

aws-cli/2.31.31

Environment details (OS name and version, etc.)

macOS Sequoia 15.7.2

[adev-code]

Hello @dkelley-asu, I tried aws ssm start-session --target i-[ec2_instance)id] --debug without a SessionManagerPlugin and I got the following error: SessionManagerPlugin is not found. Please refer to SessionManager Documentation here: http://docs.aws.amazon.com/console/systems-manager/session-manager-plugin-not-found. That said, could you please provide full --debug logs and please redact any sensitive and security information.

[dkelley-asu]

This particular bug requires using a limited permission scope.

Reproduction Steps

Step 1: Create/Allow Instance accessible by SSM.

I created a new ec2 t4g.micro instance using default settings (Amazon Linux AMI -- though I am sure this should be able to be replicated on any ec2 instance; it doesn't actually matter). I also used Amazon's automatic tools to allow it to be connected with Session Manager.

Step 2: Create a User With Limited Access

Using this template, create a user with only this policy. I used the ARN of the ec2 instance I created in step 1.

{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "EnableSSMSession",
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:111122223333:instance/instance-id",
        "arn:aws:ssm:us-east-1:111122223333:document/SSM-SessionManagerRunShell"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssmmessages:OpenDataChannel"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

I also created an Access Key for use with the AWS CLI.

Step 3: Attempt to connect to Session Manager using the CLI

After configuring AWS CLI to use the limited scoped user's access credentials, use them to attempt to connect to the running ec2 instance from step 1 without having the session manager plugin installed. Observe the error that occurs.

aws ssm start-session --target i-02573cafcfEXAMPLE

Step 4: Repeat with the plugin installed

Install the Session Manager Plugin and retry step 3, observe that the connection to the ec2 instance is successful.

---

debug logs