Description
Hi Team,
I found an issue when we try to check out code with an SSH key in GitHub Actions with an AWS Windows EC2 instance as the runner (the Actions agent is started from SSM).
The checkout process responded with:
```
C:\Windows\system32\icacls.exe C:\actions-runner\_work\_temp\bce01f23-14da-4a3f-bd52-5e95cc5f0517 /grant:r WORKGROUP\EC2AMAZ-XXXXX$:F
WORKGROUP\EC2AMAZ-XXXXX$: No mapping between account names and security IDs was done.
Successfully processed 0 files; Failed processing 1 files
Removing auth
Error: The process 'C:\Windows\system32\icacls.exe' failed with exit code 1332
```
It is very strange, because on Linux EC2 and on a normal Windows runner without SSM (normal Windows GUI user login) there are no such issues.
Checking the GitHub Actions process, I found that the Windows checkout has a special step to grant permission:
It uses "USERNAME" and "USERDOMAIN" to locate the current user and grant permission.
In a normal Windows login shell (from the GUI), the env list is:
USERDOMAIN EC2AMAZ-XXXXXX
USERNAME Administrator
They are correct.
But if you try to get the same list from an SSM shell, it would be:
USERDOMAIN WORKGROUP
USERNAME EC2AMAZ-XXXXXX$
So in SSM Session Manager mode, to make SSH key checkout work, we need to overwrite USERDOMAIN and USERNAME with the correct values via job -> env, and then the checkout process works.
Special tips when using SSM Run Command:
In SSM Run Command mode (we create the runner automatically by AWS SSM Run Command, in an ephemeral way), the USERNAME should be "system", but even if I overwrite the USERNAME with system, it still fails. It looks like system is a special username; it can only be worked around by overwriting USERDOMAIN to blank and overwriting the username to system.
I think it was caused by an AWS issue in the SSM agent, and I have filed a case with the AWS EC2 team.
But since AWS Windows EC2 is widely used and more and more users are building autoscaled runners in an automated way like SSM, I also suggest using a more stable way to obtain the current USERNAME instead of just the environment variable.
Thanks.
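As an added example (not the issue author's code and not actions/checkout's own implementation), the following PowerShell shows the more stable approach suggested above: it builds the same `USERDOMAIN\USERNAME` candidate the checkout step uses, checks whether that name maps to the SID of the process token, and otherwise falls back to the token's SID, which icacls accepts directly in `*S-1-...` form so no name-to-SID mapping is needed. The `Grant-RunnerTempAccess` function name and the directory path are hypothetical.

```powershell
# Added example: resolve the runner's own identity from the process token
# instead of trusting USERDOMAIN/USERNAME, which are wrong under SSM.

function Get-RunnerGrantee {
    # Candidate built the way the checkout step does it: USERDOMAIN\USERNAME
    $fromEnv = "$env:USERDOMAIN\$env:USERNAME"

    # Ground truth: the SID of the token this process is actually running under.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSid = $identity.User

    try {
        # This is the lookup that fails with "No mapping between account names
        # and security IDs" when the env-derived name does not exist.
        $envSid = ([System.Security.Principal.NTAccount]$fromEnv).Translate(
            [System.Security.Principal.SecurityIdentifier])
        if ($envSid -eq $tokenSid) {
            return $fromEnv   # env vars agree with the token: safe to use as-is
        }
        # The name resolves but to a different principal: granting it :F would
        # hand the checkout temp directory to someone else, so refuse it.
        Write-Warning "'$fromEnv' maps to $envSid, not the process SID $tokenSid."
    } catch [System.Security.Principal.IdentityNotMappedException] {
        Write-Warning "Cannot map '$fromEnv' to a SID; using the process token."
    }
    # icacls accepts a numeric SID when prefixed with '*', so no name lookup
    # is needed even for special accounts such as NT AUTHORITY\SYSTEM.
    return "*$($tokenSid.Value)"
}

function Grant-RunnerTempAccess {
    param([Parameter(Mandatory)][string]$Path)   # hypothetical helper
    $grantee = Get-RunnerGrantee
    # Same grant the checkout step issues, with a grantee known to resolve.
    & "$env:SystemRoot\System32\icacls.exe" $Path /grant:r "${grantee}:F"
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed with exit code $LASTEXITCODE for grantee $grantee"
    }
}

# Usage (placeholder path; replace with the job's real temp directory):
# Grant-RunnerTempAccess -Path 'C:\actions-runner\_work\_temp\<job-temp-dir>'
```

Running `Get-RunnerGrantee` in an SSM session should print the warning about the unmapped `WORKGROUP\EC2AMAZ-XXXXX$` name and return the token SID, while in a GUI login shell it returns `EC2AMAZ-XXXXXX\Administrator` unchanged.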