
jitconfig USERNAME on Windows #4712

@sdarwin

Description

Hi,
While upgrading the Terraform code, I switched from enable_jit_config: false to enable_jit_config: true.

Ephemeral multi-runners on Windows.

The user before was runner_run_as: Administrator.

Testing with JIT, the whoami command shows "SYSTEM". The environment variable USERNAME is "EC2AMAZ-759AC2P$". Perhaps it's running as the user "SYSTEM". In any case, this is incorrect for our tests...

How can the runner user be set to "Administrator" with JIT config, similar to runner_run_as: Administrator?

Going back to enable_jit_config: false, it is still broken and uses "SYSTEM". Why? Notice in this file https://github.com/github-aws-runners/terraform-aws-github-runner/blob/main/modules/runners/templates/start-runner.ps1

        Write-Host "Starting without jit config"
        Invoke-Expression ".\run.cmd"

No user is specified in that invocation.

It runs as the Task Scheduler user which is "SYSTEM".

How did it work before? Answer: two years ago it would do this:

        Register-ScheduledTask -TaskName "runnertask" -Action $action -Trigger $trigger -User $username -Password $password -RunLevel Highest -Force

registering a task and then launching the task with a particular user, so you could control the user with the variable runner_run_as: Administrator.

What is the solution?

Possibly to move all ".\run.cmd" invocations back inside ScheduledTasks.

That used to work. And it allows control of the Username.

For the moment, our tests are broken, because they cannot run as the user "System", and runner_run_as: Administrator is ignored.

Edit:

The whole thing could be reverted to the previous version of start-runner.ps1 from years ago, the earlier strategy. Almost; at least, the same idea.

Except... you have added these new features:

  • Write-Host "Stopping CloudWatch Agent"

and

  • Write-Host "Terminating instance"

I don't know the details about those. Before, the instances would terminate eventually, and when they terminated the CloudWatch agent would stop. Does that mean those commands are "optional" rather than "required"? It would make it easier to revert the code. Let me know. Perhaps I could submit a PR.
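The scheduled-task approach described in the issue, written out as an added example; this is not the project's start-runner.ps1 and not code from the issue author. It assumes the runner is installed under C:\actions-runner, that the password for the run-as account is supplied through an environment variable, and that the task name is "runnertask" as in the old script. It also shows the two things a revert would have to get right: verifying that the registered task really runs under the requested account rather than falling back to SYSTEM, and waiting for run.cmd to exit so the newer "Stopping CloudWatch Agent" and "Terminating instance" steps can still run after it.

```powershell
# Added example, not the project's own start-runner.ps1.
# Launch run.cmd through a scheduled task so the runner runs as a chosen account
# instead of the Task Scheduler's own SYSTEM identity (the whoami / USERNAME
# symptom described in the issue). Paths and names below are assumptions.
param(
    [string]$RunnerDir = 'C:\actions-runner',      # assumed runner install path
    [string]$RunAsUser = 'Administrator',          # corresponds to runner_run_as
    [string]$Password  = $env:RUNNER_PASSWORD,      # assumed: provided via env var, never hard-coded
    [string]$TaskName  = 'runnertask'
)

$ErrorActionPreference = 'Stop'

# The action is run.cmd from the runner directory. The identity of the script
# registering the task does not matter: Task Scheduler starts the action under
# the task's principal, which is what -User/-Password set below.
$action  = New-ScheduledTaskAction -Execute 'cmd.exe' `
    -Argument "/c `"$RunnerDir\run.cmd`"" -WorkingDirectory $RunnerDir
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddSeconds(5)

# -RunLevel Highest asks for the elevated token when the account is an
# administrator; -Force overwrites a stale task left by a previous boot.
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -User $RunAsUser -Password $Password -RunLevel Highest -Force | Out-Null

# Check the principal before starting anything. If the task were registered
# without a user it would run as SYSTEM, which is exactly the failure mode here.
$principal = (Get-ScheduledTask -TaskName $TaskName).Principal
if ($principal.UserId -notlike "*$RunAsUser") {
    throw "Task '$TaskName' is registered for '$($principal.UserId)', expected '$RunAsUser'"
}

Write-Host "Starting runner task '$TaskName' as $($principal.UserId)"
Start-ScheduledTask -TaskName $TaskName

# Block until the runner process exits. Without this wait, a script that goes on
# to stop the CloudWatch agent and terminate the instance would do so while the
# runner is still working.
do {
    Start-Sleep -Seconds 10
} while ((Get-ScheduledTask -TaskName $TaskName).State -eq 'Running')

$info = Get-ScheduledTaskInfo -TaskName $TaskName
Write-Host "Runner task finished with result code $($info.LastTaskResult)"

# Remove the task so the password-bearing registration does not outlive the runner.
Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
```

To confirm the identity from inside a job, the runner's whoami output should now show the run-as account instead of SYSTEM, and $env:USERNAME should no longer be the machine account ending in "$".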
