Error 403 when accessing EC2 instance via Session Manager after power outage

0

I encountered an issue when attempting to access my EC2 instance using Session Manager after a sudden power outage. Upon reconnecting, I received the following error message:

An error occurred (403) when calling the StartSession operation: Server authentication failed: <UnauthorizedRequest><message>Forbidden.</message></UnauthorizedRequest>

Could someone help me understand why this error occurred and how I can resolve it? Any insights or suggestions would be greatly appreciated. Thanks!

2 Answers
1

Hey,

Following up on the valuable suggestion shared previously regarding the 403 response, it's important to note that this error typically signifies that AWS is denying the request due to invalid IAM credentials (e.g., expired ones) or insufficient permissions. Ensuring that the IAM role or user employed to initiate the StartSession call possesses the necessary permissions, specifically the ssm:StartSession action, is crucial.

Building on this foundation, when dealing with the 403 Forbidden error encountered while trying to access EC2 instances via Session Manager, several additional common troubleshooting steps are recommended:

  1. Region Confirmation: Verify that you are connected to the correct AWS region where your EC2 instance is situated. A mismatch in regions can lead to access difficulties. (CLI)
  2. Service Limits Review: Consider whether you might be reaching AWS's limit for the number of concurrent Session Manager sessions, especially during times of high demand.
  3. Session Manager Configuration: Ensure that your EC2 instances are equipped with the latest SSM Agent and are correctly registered with AWS Systems Manager.

If the problem continues, reviewing the session logs in CloudWatch for the time frame of the error can be very helpful. These logs might provide deeper insight into the reasons behind the access difficulties.

Additionally, consider visiting this for more details on a similar 403 error:

EXPERT
answered 2 months ago
  • Hi,

    Thank you all for your assistance and suggestions! Just wanted to provide an update - the issue seems to have resolved itself after 3-4 days, exactly as I mentioned might happen. Interestingly, there were no configuration changes made by either myself or our AWS admin during this time. It appears to have been a transient issue. Thanks again for your help and insights!

0

Hello,

The 403 response typically means that AWS is denying the request due to invalid IAM credentials (expired) or a lack of permissions. I would suggest making sure that the IAM role or user used to make the StartSession call has the appropriate permissions. The "ssm:StartSession" action is required.

Thanks

answered 2 months ago
  • I verified that the IAM role or user utilized to initiate the StartSession request possesses the necessary permissions. However, an interesting aspect arises: the user gains access to the instance automatically after a period of 2-3 days. This situation has occurred with various users. The temporary solution entails waiting for 2-3 days and then attempting to reconnect.
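
Both answers above point at the `ssm:StartSession` permission, and the first adds a region check. As an added example (not part of the original thread and not AWS code), the sketch below evaluates constructed identity-based policy documents for that action against an instance ARN. The account ID, instance IDs and policy are made up, and `Condition`, `NotAction`, `NotResource`, permission boundaries and SCPs are not evaluated.

```python
import re

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def start_session_decision(policies, resource_arn, action="ssm:StartSession"):
    """Return (decision, unevaluated_sids) for identity-based policy documents.

    decision is 'explicit-deny', 'allow' or 'implicit-deny'. Statements using
    Condition, NotAction or NotResource are not evaluated; their Sids are
    returned so they can be reviewed by hand.
    """
    allowed, denied, unevaluated = False, False, []
    for doc in policies:
        for st in _as_list(doc.get("Statement", [])):
            if any(k in st for k in ("Condition", "NotAction", "NotResource")):
                unevaluated.append(st.get("Sid", "<no Sid>"))
                continue
            # Action names compare case-insensitively, resource ARNs do not.
            hit = (any(_glob(a, action, True) for a in _as_list(st["Action"]))
                   and any(_glob(r, resource_arn) for r in _as_list(st["Resource"])))
            if hit and st["Effect"] == "Deny":
                denied = True
            elif hit and st["Effect"] == "Allow":
                allowed = True
    # An explicit Deny always wins over any Allow.
    decision = "explicit-deny" if denied else "allow" if allowed else "implicit-deny"
    return decision, unevaluated

# Constructed sample: the Allow names the instance in us-east-1 only.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowSession", "Effect": "Allow", "Action": "ssm:StartSession",
         "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"},
        {"Sid": "DenyProd", "Effect": "Deny", "Action": "ssm:*",
         "Resource": "arn:aws:ec2:*:111122223333:instance/i-0fedcba9876543210"},
    ],
}

if __name__ == "__main__":
    for region in ("us-east-1", "eu-west-1"):
        arn = f"arn:aws:ec2:{region}:111122223333:instance/i-0123456789abcdef0"
        print(region, start_session_decision([SAMPLE_POLICY], arn))
```

An `implicit-deny` for the ARN in the second region shows how a policy scoped to one region's instance ARN fails the same request when the session is started against another region.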
