Failed to start SSM Agent after changing the instance type of server

1

I have installed the SSM agent on a server and it was working fine, but after changing the instance type of the server the SSM agent couldn't start and gave the error below:

2022-12-23 04:19:59 ERROR Agent failed to assume any identity
2022-12-23 04:19:59 ERROR failed to find identity, retrying: failed to find agent identity
2022-12-23 04:20:00 ERROR Agent failed to assume any identity

On Google I found the solution to solve this problem by running these two commands:

  1. Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"
  2. Add-Routes

But I couldn't find what this command actually does, and it's my production server, so will this command affect my application running on it, and what changes will occur after running these commands?

Asked a year ago, 1258 views
2 Answers
0

Hello Sayali,

The first thing to check is the reachability of the EC2 metadata service. You can verify that by running the following command:

Invoke-RestMethod -uri http://169.254.169.254/latest/meta-data/

If it is unavailable and you are using a custom AMI, these links should help you get the metadata service working again:

https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2launch.html#ec2launch-config

https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/Creating_EBSbacked_WinAMI.html#update-metadata-KMS

Second guess, maybe there is a corrupt EC2Launch installation and missing routes for it to communicate with the AWS backbone (which brings us to the commands you suggested).

First you need to update EC2Launch:

# Working folder for the downloaded files
mkdir $env:USERPROFILE\Desktop\EC2Launch
# Download the latest EC2Launch package
$Url = "https://s3.amazonaws.com/ec2-downloads-windows/EC2Launch/latest/EC2-Windows-Launch.zip"
$DownloadZipFile = "$env:USERPROFILE\Desktop\EC2Launch\" + $(Split-Path -Path $Url -Leaf)
Invoke-WebRequest -Uri $Url -OutFile $DownloadZipFile
# Download the installer script into the same folder
$Url = "https://s3.amazonaws.com/ec2-downloads-windows/EC2Launch/latest/install.ps1"
$DownloadZipFile = "$env:USERPROFILE\Desktop\EC2Launch\" + $(Split-Path -Path $Url -Leaf)
Invoke-WebRequest -Uri $Url -OutFile $DownloadZipFile
# Run the installer
& $env:USERPROFILE\Desktop\EC2Launch\install.ps1

Then, once EC2Launch has been updated, you need to add the default routes required.

Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"
Add-Routes

Now go back to services.msc and perform a stop and start of the SSM Agent.

Hope it helps.

Answered a year ago
0

Hello,

Since this is a production server, I would advise just uninstalling the SSM agent and reinstalling it. (I advise you to store the CloudWatch config file in SSM Parameter Store as a central repository.)

If you don't want to do that, run 'route print' in CMD.exe and verify there are persistent routes for 169.254.169.254 (meta-data service) with a default gateway that matches the default gateway of your EC2 subnet, and it should match the Gateway column which is listed in the top table under Active Routes. If it's not there, you'll have to manually add it with cmd.exe route commands.

How old is the IAM Instance Profile that was created/attached to this EC2 instance? I ran into the same issue before, where in the old days you had to actually create an IAM instance profile instead of just creating the IAM role that is assumable by SSM. In other words, run the command below to verify that the IAM instance profile attached to the instance exists in the account:

AWS CLI: aws iam list-instance-profiles
AWS Tools for PowerShell: Get-IAMInstanceProfileList

If it's not listed, you need to recreate the IAM role and attach it to the instance.

Answered a year ago
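
The checks from both answers can be run read-only before anything is changed on a production server. The script below is an added example, not part of the original posts or of EC2Launch. It assumes the NetTCPIP cmdlets (`Get-NetRoute`), the IMDSv2 token endpoint, and the Windows service name `AmazonSSMAgent`; the function names are hypothetical.

```powershell
# Added example: read-only checks; no routes, services or settings are changed.
$Imds = '169.254.169.254'   # EC2 instance metadata address from the answers above

function Get-ImdsRouteStatus {
    # Next hop(s) of the default route, i.e. the subnet's default gateway.
    $gw = @(Get-NetRoute -DestinationPrefix '0.0.0.0/0' -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty NextHop -Unique)
    # Host routes to the metadata address that are in effect right now.
    # Whether they are persistent is still what 'route print' shows.
    $routes = @(Get-NetRoute -DestinationPrefix "$Imds/32" -PolicyStore ActiveStore -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        DefaultGateway = $gw -join ', '
        ImdsRouteFound = $routes.Count -gt 0
        ImdsNextHop    = ($routes.NextHop | Select-Object -Unique) -join ', '
        NextHopMatches = [bool]($routes | Where-Object { $gw -contains $_.NextHop })
    }
}

function Test-ImdsIdentity {
    $result = [ordered]@{ Reachable = $false; InstanceId = $null; InstanceRole = $null; Error = $null }
    try {
        # IMDSv2: request a short-lived session token, then query with it.
        $token = Invoke-RestMethod -Method Put -Uri "http://$Imds/latest/api/token" `
            -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' } -TimeoutSec 3
        $hdr = @{ 'X-aws-ec2-metadata-token' = $token }
        $result.InstanceId = Invoke-RestMethod -Uri "http://$Imds/latest/meta-data/instance-id" `
            -Headers $hdr -TimeoutSec 3
        $result.Reachable = $true
    } catch {
        $result.Error = $_.Exception.Message
        return [pscustomobject]$result
    }
    try {
        # Lists only the role name; the credentials themselves are never fetched.
        $result.InstanceRole = Invoke-RestMethod -TimeoutSec 3 -Headers $hdr `
            -Uri "http://$Imds/latest/meta-data/iam/security-credentials/"
    } catch {
        # A 404 here means no instance profile is visible to the instance.
        $result.Error = "No instance profile role returned: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

Get-ImdsRouteStatus | Format-List
Test-ImdsIdentity   | Format-List
Get-Service -Name 'AmazonSSMAgent' -ErrorAction SilentlyContinue | Select-Object Name, Status
```

If `Reachable` is false, the metadata and route steps from the first answer apply; if it is true but `InstanceRole` is empty, the instance profile check from the second answer is the next step.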
