Phil

Reputation: 1927

How to run script on AWS Cloud Formation startup as a different user?

I am having a lot of trouble launching an AWS Ubuntu instance (from a Cloud Formation template) and successfully running a script on startup. This script does run, but I do not want it running as root. I want the script to either be invoked as a different user or when the script runs for the script to change user.

Since we are attempting to use Cloud Formation, I need to put the script or a reference to the script in my Template file. The relevant part of my template file is below. The script 'myScript.sh' does run, but always as root.

"MyImage" : {
        "Type" : "AWS::EC2::Instance",
        "Properties" : {
           "ImageId" : "xxxxxx",
           "KeyName" : "xxxxxx",
           "SecurityGroups" : [ "xxxxxx" ],
           "UserData" : {"Fn::Base64" : {"Fn::Join" : ["", [
            "#include\n",
            "https://s3-eu-west-1.amazonaws.com/aFolder/myScript.sh \n"
            ] ] } }
        }
      }
    },

The page at http://alestic.com/2009/06/ec2-user-data-scripts states that these scripts always run as root. So instead I decided to modify the script to change the user. Below is an example script that does not do what I want. I've commented it inline to explain what each stage does:

#!/bin/bash

whoami > /home/ubuntu/who1.txt    # Always returns 'root'
su ubuntu                         # Appears to have no effect. Ubuntu user does exist
whoami > /home/ubuntu/who2.txt    # Always returns 'root'

su ubuntu echo fish > /home/ubuntu/aFile.txt  # File is not created

sudo -u ubuntu bash               # Appears to have no effect
whoami > /home/ubuntu/who3.txt    # Always returns 'root'

I'm guessing that there's something fundamentally wrong with my script, but I just can't see it! Has anyone got any experience with AWS and Cloud Formation, and have you succeeded in running a script not as root? I really don't want the script running as root, since the activities that are going to be started should not be owned at the root level.

Thanks, Phil

Upvotes: 6

Views: 15514

Answers (2)

Nielson Fernandes

Reputation: 1

This is a good alternative.

#!/bin/bash
su ubuntu << 'EOF'
    whoami >> /home/ubuntu/user_data_output2
EOF
su user2 << 'EOF'
    whoami >> /home/user2/user_data_output2
EOF

Why? This keeps the working directory and environment variables between commands in each 'EOF' block.

eg:

#!/bin/bash
su ubuntu << 'EOF'
    cd /home/ubuntu/myfolder
    pwd # The result will be /home/ubuntu/myfolder #
EOF

Upvotes: 0

Ben Butler-Cole

Reputation: 2051

su doesn't change the user for the remainder of the script, it starts a new interactive shell for the user you specify. In a non-interactive context like your script here, that shell exits immediately because there is nothing for it to do.

See this question for some suggestions on how to change user for a series of commands. Alternatively for individual commands you can do sudo -u ubuntu [...].

Upvotes: 9
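The two approaches the answers describe, put together in one user-data style script as an added example (this is not code from either answer or from the question). It assumes the target account is called ubuntu and that sudo or su is available on the instance; when the account does not exist on the machine the script is run on, it falls back to the current user so the logic can still be exercised. run_as covers the "sudo -u ubuntu [...]" pattern for a single command; run_block_as feeds a whole block to one shell owned by that user, which is why cd and exported variables carry over between lines, exactly what a bare "su ubuntu" on its own line never does.

```shell
#!/bin/bash
# Added example: run parts of a root-owned user-data script as another user.
# TARGET_USER, the temp paths and file names are placeholders, not from the page.
set -eu

TARGET_USER="${TARGET_USER:-ubuntu}"
# Fall back to the current user when the placeholder account does not exist,
# so the script can be tried on a workstation without that account.
id "$TARGET_USER" >/dev/null 2>&1 || TARGET_USER="$(id -un)"

# Run ONE command string as the given user. Prefers sudo -u (as suggested in
# the accepted answer); falls back to su -c when sudo is not installed.
run_as() {
    user="$1"; shift
    if [ "$(id -un)" = "$user" ]; then
        bash -c "$*"
    elif command -v sudo >/dev/null 2>&1; then
        sudo -u "$user" -H bash -c "$*"
    else
        su "$user" -s /bin/bash -c "$*"
    fi
}

# Run a whole block of commands (read from stdin) as the given user in a single
# shell, so cd and exported variables persist across the lines of the block.
run_block_as() {
    user="$1"
    if [ "$(id -un)" = "$user" ]; then
        bash -s
    elif command -v sudo >/dev/null 2>&1; then
        sudo -u "$user" -H bash -s
    else
        su "$user" -s /bin/bash
    fi
}

# Owner of a file: the check that tells you work was NOT done as root.
owner_of() { stat -c %U "$1"; }

main() {
    workdir="$(mktemp -d)"
    chown "$TARGET_USER" "$workdir"

    # Single command as the target user.
    run_as "$TARGET_USER" "whoami > '$workdir/who.txt'"

    # A block as the target user; \$ defers expansion to the inner shell.
    run_block_as "$TARGET_USER" <<EOF
cd '$workdir'
export GREETING=fish
echo "\$GREETING \$(pwd)" > block.txt
EOF

    echo "who.txt contains $(cat "$workdir/who.txt"), owned by $(owner_of "$workdir/who.txt")"
    echo "block.txt contains: $(cat "$workdir/block.txt")"
}

main
```

On a real instance, run the script from user-data as root and inspect the two files: both should be owned by ubuntu, and block.txt shows that the cd and the exported variable were visible to the later lines of the same block.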
