1 Answer
0
When you launch the EC2 instance are you choosing to join the domain? If you are using the new EC2 launch wizard you will find this option at the bottom of the screen under "Advanced details" - you get to pick which domain it will join.
Opening security groups is not the right path to making this work. You MUST make sure that the EC2 has an IAM instance role that has at least the following permission:
arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess
For example here is an IAM instance role definition in CloudFormation that grants Domain join permission and also SSM managed instance permission:
```yaml
EC2SsmIamRole:
  Type: AWS::IAM::Role
  Properties:
    # Trust policy: only the EC2 service may assume this role
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service: [ec2.amazonaws.com]
          Action: ['sts:AssumeRole']
    Path: /
    # Managed instance (SSM agent) + directory service (domain join) permissions
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
      - arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess
```
answered 2 years ago