Session Manager to connect ec2 instance cannot be enabled
I met a weird problem, I use a same AMI to launch a ec2 linux instance.
If I launch the instance from aws console, and use the default vpc and subnet. this instance can be access through "Session Manager Connect". The Session Manager "Connect" button is enabled.
If I launch a instance through a cloudformation, and the instance is in a created vpc and subnet. This instance's role already have AmazonSSMManagedInstanceCore policy. But this instance cannot be accessed through "Session Manager Connect". The Session Manager "Connect" button is disabled.
The security group is as below:
I ssh to above two instances, check the ssm-agent status. Both instances ssm-agent status is Active: active (running) since xxxxxxxxxxxx
I don't know what's the reason? Could you help me? What should I check or configure?
I suspect that the new instance is being launched in a private subnet and therefore the SSM agent on the instance can not reach the SSM service endpoint. You can solve this by using a VPC Endpoint. See: Creating VPC endpoints for Systems Manager.
If the instance is being deployed into a public subnet (the route table attached to the subnet has a route to an internet gateway), check that the instance has a public IP address. Also, if you are using NACLs, make sure the inbound/outbound rules allow this traffic.
Got the reason, I set the PermissionsBoundary which did not contain ssmmessages and ec2messages permission. This make session manager not working.
Add following:
- Effect: Allow
Action:
- 'ssm:*'
Resource: '*'
- Effect: Allow
Action:
- 'ssmmessages:*'
Resource: '*'
- Effect: Allow
Action:
- 'ec2messages:*'
Resource: '*'
Relevant questions
Connect to Ec2 instance bastion via Session Manager
asked 8 months agohow can I changed to ec2-user automatically when I access aws linux ec2 via Session Manager
Accepted Answerasked 5 days agoUnable to use Session Manager on EC2 instances in a private subnet with SSM VPC endpoint
Accepted Answerasked 3 years agoError on Dashboard "An error occurred" and unable to create instance due to "Error loading AMI data".
asked 3 months agoFailing to launch test/cutover instance with public IP
asked 7 months agoUnable to connect to instance from a newly created ami: Failed to start Service for snap ap…amazon-ssm-agent.amazon-ssm-agent
asked 7 months agoWhat is the difference between EC2 Instance Connect and Session Manager SSH connections?
Accepted Answerasked 3 years agoSession Manager unable to connect to instance in public subnet
Accepted Answerasked a month agoEC2 reachability check failed (Linux) from launch instance from snapshot
asked 3 months agoSession Manager to connect ec2 instance cannot be enabled
asked a month ago