Is Systems Manager Default Host Management Configuration (DHMC) compatible with Patch Policy Quick Setup? (Solved)


I have been testing Systems Manager patching of Linux servers for some days. In the beginning, I struggled with the role setup and with an autoscaling group using launch templates. Finally, I figured out the importance of the policies that cannot be added to roles in launch templates, and also of the tag on the roles. Now I have found a working configuration.

Afterwards, I noticed that AWS has just launched Default Host Management Configuration. It seems to remove the need to struggle with the IAM roles and policies. It becomes easy to use Systems Manager to connect to the instances using Session Manager. However, when I tried to work out how to use Patch Manager together with it, it seems that the role added by Quick Setup cannot enable the SSM Agent to download the baseline override. The EC2 instances did not have a role originally. The following was logged:

/usr/bin/python2.7
/usr/bin/python2
/usr/bin/python
/usr/bin/yum
Using Yum version: 3.4.3
Using python binary: 'python2.7'
Using Python Version: Python 2.7.18
03/21/2023 04:05:07 root [INFO]: Downloading payload from https://s3.dualstack.us-west-2.amazonaws.com/aws-ssm-us-west-2/patchbaselineoperations/linux/payloads/patch-baseline-operations-1.105.tar.gz
03/21/2023 04:05:07 root [INFO]: Attempting to import entrance file os_selector
03/21/2023 04:05:08 root [INFO]: Running with snapshot id =  and operation = Install
03/21/2023 04:05:08 root [INFO]: Downloading Baseline Override from s3://aws-quicksetup-patchpolicy-438724983186-snhqg/baseline_overrides.json
03/21/2023 04:05:08 botocore.credentials [INFO]: Found credentials in shared credentials file: /var/lib/amazon/ssm/credentials
03/21/2023 04:05:08 root [ERROR]: Unable to download file from S3: s3://aws-quicksetup-patchpolicy-xxxxxxxxxxx-snhqg/baseline_overrides.json.
03/21/2023 04:05:08 root [ERROR]: Error loading entrance module.
Traceback (most recent call last):
  File "common_startup_entrance.py", line 203, in execute
    exit(   entrance_module.execute(*argv))
  File "/var/log/amazon/ssm/patch-baseline-operations/os_selector.py", line 55, in execute
    snapshot_id, override_list=override_list, baseline_override=baseline_override)
  File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 279, in fetch_snapshot
    baseline_override_dict = load_baseline_override(instance_id, baseline_override, document_step, region)
  File "patch_common/baseline_override.py", line 29, in load_baseline_override
    baseline_overrides = _download_baseline_override_content(instance_id, baseline_override_path, region)
  File "patch_common/baseline_override.py", line 97, in _download_baseline_override_content
    if download_file(instance_id, baseline_override_path, file_name, region):
  File "patch_common/downloader.py", line 56, in download_file
    downloaded = download_from_s3(instance_id, remote_path, local_file_path, region)
  File "patch_common/downloader.py", line 35, in download_from_s3
    s3_client.download_file(result.group(1), result.group(2), file_path)
  File "/var/log/amazon/ssm/patch-baseline-operations/boto3/s3/inject.py", line 172, in download_file
    extra_args=ExtraArgs, callback=Callback)
  File "/var/log/amazon/ssm/patch-baseline-operations/boto3/s3/transfer.py", line 307, in download_file
    future.result()
  File "/var/log/amazon/ssm/patch-baseline-operations/s3transfer/futures.py", line 106, in result
    return self._coordinator.result()
  File "/var/log/amazon/ssm/patch-baseline-operations/s3transfer/futures.py", line 265, in result
    raise self._exception
ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden
03/21/2023 04:05:08 root [ERROR]: An error occurred (403) when calling the HeadObject operation: Forbidden
Traceback (most recent call last):
  File "common_startup_entrance.py", line 203, in execute
    exit(   entrance_module.execute(*argv))
  File "/var/log/amazon/ssm/patch-baseline-operations/os_selector.py", line 55, in execute
    snapshot_id, override_list=override_list, baseline_override=baseline_override)
  File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 279, in fetch_snapshot
    baseline_override_dict = load_baseline_override(instance_id, baseline_override, document_step, region)
  File "patch_common/baseline_override.py", line 29, in load_baseline_override
    baseline_overrides = _download_baseline_override_content(instance_id, baseline_override_path, region)
  File "patch_common/baseline_override.py", line 97, in _download_baseline_override_content
    if download_file(instance_id, baseline_override_path, file_name, region):
  File "patch_common/downloader.py", line 56, in download_file
    downloaded = download_from_s3(instance_id, remote_path, local_file_path, region)
  File "patch_common/downloader.py", line 35, in download_from_s3
    s3_client.download_file(result.group(1), result.group(2), file_path)
  File "/var/log/amazon/ssm/patch-baseline-operations/boto3/s3/inject.py", line 172, in download_file
    extra_args=ExtraArgs, callback=Callback)
  File "/var/log/amazon/ssm/patch-baseline-operations/boto3/s3/transfer.py", line 307, in download_file
    future.result()
  File "/var/log/amazon/ssm/patch-baseline-operations/s3transfer/futures.py", line 106, in result
    return self._coordinator.result()
  File "/var/log/amazon/ssm/patch-baseline-operations/s3transfer/futures.py", line 265, in result
    raise self._exception
ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden

I ran into similar issues before when I manually created a role for the EC2 instances without the appropriate tagging. It seems that the SSM Agent is using the role from DHMC (i.e. service-role/AWSSystemsManagerDefaultEC2InstanceManagementRole) instead of the role added by Quick Setup (AmazonSSMRoleForInstancesQuickSetup).

I guess that if I want to use both DHMC and Patch Policy Quick Setup, I need to make some changes to the role from DHMC. Does anyone have similar experience?

PS: It takes a bit of time for the EC2 instances to make use of the role newly attached by Quick Setup. After that, they can download the baseline override from S3 and complete the patching task.

Alan, asked a year ago
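The log above shows the agent authenticating with the credentials file written by DHMC and then getting a 403 on HeadObject for s3://aws-quicksetup-patchpolicy-.../baseline_overrides.json. As an added example (not from the question, and not AWS's own managed policy text), this is the least-privilege statement that would grant exactly that read, for attaching to the DHMC role if that is indeed the identity in use; the bucket-name prefix and object key are taken from the log, and scoping the resource to that single key (rather than the whole bucket) is my assumption about what is sufficient.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadQuickSetupPatchBaselineOverride",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::aws-quicksetup-patchpolicy-*/baseline_overrides.json"
    }
  ]
}
```

Before concluding the identity-side policy is the cause, confirm the object actually exists: S3 also answers HeadObject with 403 rather than 404 when the object is missing and the caller lacks s3:ListBucket on the bucket, and a bucket policy or SCP denying the DHMC role would produce the same 403.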
No Answers
