Running a command as a specific user on an ec2 using ssm
Problem
Background
I want to automatically configure an EC2 via a build, using the aws cli and ssm.
The (manual) setup for the container looks something like this:
- Create an EC2
- Run a shell script as root
- Run a shell script as a specific user
Question
Is it possible to run a command on an ec2 utilising a tool such as `aws ssm send-command` specifying the linux user which will execute the command?
Assuming the command is a shell script, would specifying the user inside the script do the same job? e.g. using `sudo su my_user`
Solution
I didn't find anything in the AWS or boto3 docs that allows for that, but I was able to execute as a different user using the `runuser` command. In theory, you could do the same thing with a combination of sudo and su commands, but this one is much simpler.
For that, you can do as follows:
runuser -l userNameHere -c '/path/to/command arg1 arg2'
Since send-command executes as root, you don't have any issues.
Note: I thought that send-command uses in some way a session managed by the SSM Session Manager, but I was wrong. I spent a good amount of time configuring SSM Session Manager preferences and tagging IAM resources according to this doc and this one, but send-command always executes as root as far as I saw.
Sources:
- https://man7.org/linux/man-pages/man1/runuser.1.html
- https://www.cyberciti.biz/open-source/command-line-hacks/linux-run-command-as-different-user/
Code Snippets
runuser -l userNameHere -c '/path/to/command arg1 arg2'
Context
StackExchange DevOps Q#10402, answer score: 10
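The answer's `runuser` line wired into a complete `aws ssm send-command` call, as an added example that is not part of the original answer. The function names, the `deploy` user and the instance ID in the usage comment are assumptions; the user name is validated and every argument quoted because the resulting line is interpreted by a root shell on the instance.

```sh
#!/bin/sh
# Added example: run a script as a non-root user through SSM Run Command.
# Assumes arguments contain no control characters (newlines, tabs).

# Quote one word for sh: wrap in single quotes, escape embedded ones.
sq() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the line root executes on the instance:
#   runuser -l USER -c '<quoted script and args>'
build_runuser_cmd() (
  user=$1
  [ "$#" -ge 2 ] || { echo "usage: USER SCRIPT [ARGS...]" >&2; exit 1; }
  shift
  # Plain account names only: the name lands unquoted in a root shell,
  # and a leading '-' would be parsed by runuser as an option.
  case $user in
    ''|-*|*[!a-z0-9_-]*) echo "invalid user: $user" >&2; exit 1 ;;
  esac
  inner=
  for word in "$@"; do inner="$inner$(sq "$word") "; done
  printf 'runuser -l %s -c %s' "$user" "$(sq "${inner% }")"
)

# Wrap that line as the JSON value for --parameters of AWS-RunShellScript.
build_ssm_parameters() (
  cmd=$(build_runuser_cmd "$@") || exit 1
  esc=$(printf '%s' "$cmd" | sed 's/\\/\\\\/g; s/"/\\"/g')
  printf '{"commands":["%s"]}' "$esc"
)

# Send it. Needs AWS CLI credentials permitted to call ssm:SendCommand.
send_as_user() (
  instance=$1; shift
  params=$(build_ssm_parameters "$@") || exit 1
  aws ssm send-command \
    --instance-ids "$instance" \
    --document-name "AWS-RunShellScript" \
    --parameters "$params"
)

# Usage (instance ID is a placeholder):
#   send_as_user i-EXAMPLE deploy /opt/app/setup.sh --env prod
```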