Session Manager to connect ec2 instance cannot be enabled
I met a weird problem, I use a same AMI to launch a ec2 linux instance.
If I launch the instance from aws console, and use the default vpc and subnet. this instance can be access through "Session Manager Connect". The Session Manager "Connect" button is enabled.
If I launch a instance through a cloudformation, and the instance is in a created vpc and subnet. This instance's role already have AmazonSSMManagedInstanceCore policy. But this instance cannot be accessed through "Session Manager Connect". The Session Manager "Connect" button is disabled.
The security group is as below:
I ssh to above two instances, check the ssm-agent status. Both instances ssm-agent status is Active: active (running) since xxxxxxxxxxxx
I don't know what's the reason? Could you help me? What should I check or configure?
- Newest
- Most votes
- Most comments
I suspect that the new instance is being launched in a private subnet and therefore the SSM agent on the instance can not reach the SSM service endpoint. You can solve this by using a VPC Endpoint. See: Creating VPC endpoints for Systems Manager.
If the instance is being deployed into a public subnet (the route table attached to the subnet has a route to an internet gateway), check that the instance has a public IP address. Also, if you are using NACLs, make sure the inbound/outbound rules allow this traffic.
Got the reason, I set the PermissionsBoundary which did not contain ssmmessages and ec2messages permission. This make session manager not working.
Add following:
- Effect: Allow
Action:
- 'ssm:*'
Resource: '*'
- Effect: Allow
Action:
- 'ssmmessages:*'
Resource: '*'
- Effect: Allow
Action:
- 'ec2messages:*'
Resource: '*'
Relevant content
- Accepted Answerasked 8 months ago
- Accepted Answerasked 5 years ago
AWS OFFICIALUpdated 10 months ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 6 months ago