[Question] Do you have an example for Powershell remoting through lambda function? #3

Closed
liacha1986 opened this issue Oct 5, 2022 · 6 comments · May be fixed by #32

Comments

@liacha1986

I have followed all the MS guides on setting up Powershell remoting on the server and can confirm from my test environment that I am able to SSH into my test box. I added the public key to my lambda function and referenced it with the command below:

# -KeyFilePath expects the private key; the .pub half belongs in the remote account's authorized_keys
$session = New-PSSession -HostName "mydc01.xyz.com" -UserName "Administrator" -KeyFilePath "$env:LAMBDA_TASK_ROOT/examplemodule/id_ed25519"

I just get a generic message saying that "An error has occurred which Powershell cannot handle. A remote session might have ended".

The use case here is, I am trying to run some Get/Set-ADUser commands on my test domain users from the lambda function (to reset AD passwords). Did a bunch of research and it seems powershell core doesn't have native support for the ActiveDirectory modules so I was trying to start a session and use the Invoke-Command cmdlet to run the command(s) I wanted.

@avanvucht

Hey, you will have to make sure that your Lambda function has permission to access this. If you're using AWS SAM, your Parameters block would have something like:

  DCSecurityGroupIds:
    Type: CommaDelimitedList
    Description: Comma-delimited security group IDs to allow LDAP communication with domain controller and HTTP/HTTPS communication with the Exchange Server
    Default: sg-6db2****
      
  DCSubnetIds:
    Type: CommaDelimitedList
    Description: Comma-delimited subnet IDs of the domain controller
    Default: subnet-0ab83************,subnet-0931************

And you'd refer to these parameters in your AWS::Serverless::Function block, in a VpcConfig:

      VpcConfig:
        SecurityGroupIds: !Ref DCSecurityGroupIds
        SubnetIds: !Ref DCSubnetIds

I suggest getting this working first from Powershell on a machine on the same network as the Domain Controllers. The Cloud9 IDE, for instance, is a simple way to test Powershell lambda functions:

sam build --parallel && sam local invoke "AccessProvisionerFunction" --event samples/dev/event-provision-access.json

Just make sure your Cloud9 IDE can talk with your Domain Controller by being on the same VPC subnets and security groups.

@austoonz
Contributor

Given this runtime runs in Linux (custom runtime running on Amazon Linux 2), the New-PSSession cmdlet would use ssh under the covers, and ssh does not exist in the custom runtime environment.

So I agree with @avanvucht that you'd likely need to execute the Lambda Function from within the same VPC as your target system; you'd also need to include a Lambda layer or similar that includes the ssh binary (and anything else required to make ssh work).

@liacha1986
Author

Thanks guys. I'm pretty new to this so any specific resources you can share will be appreciated. I'll try to google my way through and report back with any problems.

@julianwood
Contributor

If you're asking about the ssh component: try packaging the ssh binary with your function code, ensure it's executable and reference it in /var/task; that may be the simplest way to get started.
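The ssh-in-the-package approach from the last two replies, worked through as a PowerShell helper the function's handler can call. This is an added example, not code from the issue thread or from the runtime project. The package layout (bin/ssh, keys/id_ed25519, keys/known_hosts), the host mydc01.xyz.com, the Administrator account and the function names are assumptions for illustration; it also assumes PowerShell 7.1 or newer on the Lambda side for the -Options parameter of New-PSSession, and a VpcConfig like the one shown earlier in the thread so the function's ENI can reach TCP 22 on the domain controller.

```powershell
# Added example for this thread; not code from the issue or from the runtime project.
# Assumed layout of the deployment package (placeholders, not from the thread):
#   bin/ssh            OpenSSH client copied from an Amazon Linux 2 host, plus any shared
#                      libraries it needs that the runtime image lacks
#   keys/id_ed25519    private key whose public half is in the DC's authorized_keys
#   keys/known_hosts   the DC's SSH host key, captured once with ssh-keyscan
# Host and user names are placeholders. PowerShell 7.1+ is assumed for -Options.
$ErrorActionPreference = 'Stop'

$taskRoot = if ($env:LAMBDA_TASK_ROOT) { $env:LAMBDA_TASK_ROOT } else { '/var/task' }
$stage    = '/tmp/ssh-stage'   # /tmp is the only writable path in a Lambda sandbox

# 1. New-PSSession -HostName just execs whatever `ssh` is first on PATH, and the custom
#    runtime ships none. /var/task is read-only and the executable bit is often lost in
#    zip packaging, so stage a copy in /tmp and fix the mode there (once per warm sandbox).
if (-not (Test-Path $stage)) { New-Item -ItemType Directory -Path $stage | Out-Null }
$ssh = Join-Path $stage 'ssh'
if (-not (Test-Path $ssh)) {
    Copy-Item -Path (Join-Path $taskRoot 'bin/ssh') -Destination $ssh
    & chmod 0755 $ssh
}
$env:PATH = $stage + [IO.Path]::PathSeparator + $env:PATH

# 2. ssh rejects a private key that is group- or world-readable, which files unpacked
#    from the zip usually are, so the staged copy gets 0600. Shipping the key inside the
#    package at all is a lab shortcut; a production function should pull it from
#    Secrets Manager at invoke time and write it to /tmp the same way.
$key = Join-Path $stage 'id_ed25519'
if (-not (Test-Path $key)) {
    Copy-Item -Path (Join-Path $taskRoot 'keys/id_ed25519') -Destination $key
    & chmod 0600 $key
}

# 3. Pin the DC's host key rather than disabling the check, and fail fast instead of
#    hanging on a prompt nobody can answer. ssh also wants a writable HOME.
$env:HOME   = '/tmp'
$sshOptions = @{
    StrictHostKeyChecking = 'yes'
    UserKnownHostsFile    = (Join-Path $taskRoot 'keys/known_hosts')
    IdentitiesOnly        = 'yes'
    BatchMode             = 'yes'
}

# Opens one SSH-based session to the DC, runs the block there (the ActiveDirectory
# module exists only on the Windows side) and always tears the session down.
# Arguments go through -ArgumentList rather than $using:, so the block can be
# defined in a caller and still receive its parameters.
function Invoke-OnDomainController {
    param([Parameter(Mandatory)][scriptblock]$ScriptBlock,
          [object[]]$ArgumentList)
    $session = New-PSSession -HostName 'mydc01.xyz.com' -UserName 'Administrator' `
                             -KeyFilePath $key -Options $sshOptions
    try     { Invoke-Command -Session $session -ScriptBlock $ScriptBlock -ArgumentList $ArgumentList }
    finally { Remove-PSSession -Session $session }
}

function Get-DomainUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Invoke-OnDomainController -ArgumentList $SamAccountName -ScriptBlock {
        param($Sam)
        Import-Module ActiveDirectory
        Get-ADUser -Identity $Sam -Properties PasswordLastSet |
            Select-Object SamAccountName, Enabled, PasswordLastSet
    }
}

function Reset-DomainUserPassword {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$NewPassword)   # travels only inside the SSH channel
    Invoke-OnDomainController -ArgumentList $SamAccountName, $NewPassword -ScriptBlock {
        param($Sam, $Pw)
        Import-Module ActiveDirectory
        $secure = ConvertTo-SecureString -String $Pw -AsPlainText -Force
        Set-ADAccountPassword -Identity $Sam -Reset -NewPassword $secure
        Set-ADUser -Identity $Sam -ChangePasswordAtLogon $true   # force rotation at next logon
    }
}
```

From the handler this is just `Get-DomainUser -SamAccountName 'jdoe'` or `Reset-DomainUserPassword -SamAccountName 'jdoe' -NewPassword $generated`. Two points worth keeping in mind when adapting it: /var/task is mounted read-only, so any chmod has to happen at packaging time or on a copy in /tmp as above, and StrictHostKeyChecking should stay on with a pinned known_hosts, since turning it off makes the whole credential-reset path vulnerable to a spoofed domain controller.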

@briantist

#22 (comment)

@briantist