Start a session with a document by specifying the session documents in IAM policies
If you use the start-session AWS CLI command with the default session document, you can omit the document name. The system automatically calls the SSM-SessionManagerRunShell session document.
In all other cases, you must specify a value for the document-name parameter. When a user specifies the name of a session document in a command, the system checks their IAM policy to verify they have permission to access the document. If they don't have permission, the connection request fails. The following example includes the document-name parameter with the AWS-StartPortForwardingSession session document.
    aws ssm start-session \
        --target i-02573cafcfEXAMPLE \
        --document-name AWS-StartPortForwardingSession \
        --parameters '{"portNumber":["80"], "localPortNumber":["56789"]}'
For an example of how to specify a Session Manager session document in an IAM policy, see Quickstart end user policies for Session Manager.
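Because the permission check is made against the document named in the request, it helps to know which session documents a policy actually grants. The following is an added example, not AWS code: a hypothetical helper, audit_session_documents, lists the documents an identity policy pins by exact name and the wildcard patterns that cover many documents. The sample policy is constructed (the Region and account ID are placeholders), and the helper assumes Allow statements that use only Action and Resource elements.

```python
import fnmatch
import json
import re

# Constructed sample policy; Region and account ID are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ssm:StartSession",
     "Resource": ["arn:aws:ec2:us-east-1:111122223333:instance/i-02573cafcfEXAMPLE",
                  "arn:aws:ssm:us-east-1::document/AWS-StartPortForwardingSession"]},
    {"Effect": "Allow", "Action": ["ssm:Start*"],
     "Resource": "arn:aws:ssm:us-east-1:111122223333:document/*"}
  ]
}
""")

def _listify(value):
    return value if isinstance(value, list) else [value]

def audit_session_documents(policy):
    """Return the exact session documents and the wildcard document patterns
    that Allow statements grant for ssm:StartSession (hypothetical helper)."""
    pinned, broad = set(), set()
    for stmt in _listify(policy.get("Statement", [])):
        actions = [a.lower() for a in _listify(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(
                fnmatch.fnmatchcase("ssm:startsession", a) for a in actions):
            continue
        for arn in _listify(stmt.get("Resource", [])):
            parts = arn.split(":", 5)
            if len(parts) < 6:                 # bare "*" or a non-ARN pattern
                broad.add(arn)
                continue
            service, resource = parts[2], parts[5]
            if not fnmatch.fnmatchcase("ssm", service):
                continue                       # e.g. the EC2 instance ARN
            prefix = re.split(r"[*?]", resource, maxsplit=1)[0]
            if prefix == resource:             # no wildcard in the resource part
                if resource.startswith("document/"):
                    pinned.add(resource[len("document/"):])
            elif "document/".startswith(prefix) or prefix.startswith("document/"):
                broad.add(arn)                 # pattern can match many documents
    return {"pinned": sorted(pinned), "broad": sorted(broad)}

if __name__ == "__main__":
    print(audit_session_documents(SAMPLE_POLICY))
```

An entry under "broad" means the named-document check passes for every session document the pattern matches, so review those entries first when the intent is to limit users to specific documents.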
Note
To start a session using SSH, you must complete configuration steps on the target managed node and the user's local machine. For information, see (Optional) Allow and control permissions for SSH connections through Session Manager.