Abstract: This disclosure describes techniques for defining a set of permissions, or privileges, for users who manage resources of a network-based service provisioned in a network-based service platform managed by a service provider. The techniques may include mapping cloud identities of the users to operating system (OS) user groups defined local to the resources that specify the set of permissions for user group members. Systems-manager agents that execute locally on the resources may determine to which OS user group the user belongs based on their cloud identity, and launch shells that are restricted by the set of permissions. Using these shells, a network-based service platform may allow users to remotely manage resources of the network-based service in various ways, such as through batch run commands and/or remote user sessions, while ensuring that the users are unable to execute commands on the resources that are outside the set of permissions.

Abstract: Techniques for operating a multi-homed computing instance process are described herein. First credentials associated with a first attribute of a first account may be obtained. A process executing on a computing instance may communicate with the first account over a first communication channel based at least in part on the first credentials. Instructions may be received for the process to communicate with both the first account and a second account. Second credentials associated with a second attribute of the second account may be obtained. The second credentials may be obtained based, at least in part, on the first attribute acquiring the second attribute. The process may communicate with the second account over a second communication channel based at least in part on the second credentials. Additionally, the process may communicate with multiple different representations of a particular account, such as different representations that are hosted in different respective regions.

Abstract: This disclosure describes techniques for defining a set of permissions, or privileges, for users who manage resources of a network-based service provisioned in a network-based service platform managed by a service provider. The techniques may include mapping cloud identities of the users to operating system (OS) user groups defined local to the resources that specify the set of permissions for user group members. Systems-manager agents that execute locally on the resources may determine to which OS user group the user belongs based on their cloud identity, and launch shells that are restricted by the set of permissions. Using these shells, a network-based service platform may allow users to remotely manage resources of the network-based service in various ways, such as through batch run commands and/or remote user sessions, while ensuring that the users are unable to execute commands on the resources that are outside the set of permissions.

Abstract: Software packages may be installed, uninstalled and/or updated across a group of computing instances by way of a single issuance of a user request. The request may include information such as a software package name, a software package version, an action (e.g., install or uninstall), and one or more operating constraints for the software package. For an installation request, an agent on a given computing instance may process the request by accessing a manifest that indicates various computing instance characteristics (e.g., operating system types, architecture types, etc.) and various respective available versions of the software package. The agent may then select, based on characteristics of the computing instance, a package type for the computing instance. An installation request may also allow operating constraints (e.g. regarding usage of processing, memory, I/O and other resources) to be set and enforced for the software package.

Abstract: Methods, systems, and computer-readable media for decentralized task execution that bypasses a task execution service are disclosed. A connection is established over one or more communication channels between a task execution interface and agent software of a compute instance. The agent software is executable to receive task execution documents from a task execution service and initiate local task execution based (at least in part) on the task execution documents. A task execution document is sent from the task execution interface to the agent software over the one or more channels. In sending the task execution document from the task execution interface to the compute instance, the task execution service is bypassed. Execution of one or more tasks is initiated on the compute instance by the agent software based (at least in part) on the task execution document.

Abstract: A processing device executes a first script, wherein the first script comprises one or more actions to be performed. The processing device determines that the first script comprises a reference to a second script stored in a remote data store. The processing device retrieves the second script over a network from the remote data store and executes the second script. The first script and the second script may be stand-alone scripts or scripts encapsulated within documents.

Abstract: Software packages may be installed, uninstalled and/or updated across a group of computing instances by way of a single issuance of a user request. The request may include information such as a software package name, a software package version, an action (e.g., install or uninstall), and one or more operating constraints for the software package. For an installation request, an agent on a given computing instance may process the request by accessing a manifest that indicates various computing instance characteristics (e.g., operating system types, architecture types, etc.) and various respective available versions of the software package. The agent may then select, based on characteristics of the computing instance, a package type for the computing instance. An installation request may also allow operating constraints (e.g. regarding usage of processing, memory, I/O and other resources) to be set and enforced for the software package.

Abstract: Technologies are described herein for generating uniformly random passwords by the use of regular expressions. One or more regular expressions are used to define a constraint on a string or password. The regular expressions are processed into one or more symbolic finite automata (SFA). The one or more SFAs are exposed to a combination of operations to produce a determinized, minimized SFA. Provided techniques generate probability data associated with individual state transitions of the SFA, and optionally, probability data is generated for one or more binary decision diagrams (BDD). Passwords or strings can be generated by traversing the SFA using the probability data. In some embodiments, the process for selecting characters at each state transition of the determinized, minimized SFA may utilize a binary decision diagram (BDD). Techniques disclosed herein also minimize SFAs by use of an over-approximation method.