SSM Agent Won't Start

0

Hello, all! First post, but long time reader. We're trying to enable SSH tunneling using Session Manager. The bastion host is a STIGed Windows 2019 box. We're following these instructions: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html

When we try and start the SSM agent on the bastion host, we get the following error:

ERROR Agent failed to assume any identity
ERROR failed to find identity, retrying: failed to find agent identity
ERROR Failed to start agent. failed to get identity: failed to find agent identity

My assumption is that this is a role/policy issue. I've revisited the instructions (https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-instance-profile.html), recreated the role, and reattached the policy to the EC2 instance.

Am I misreading the error and this isn't role policy?
Is it a role/policy related to something other than the EC2?

Any suggestions gratefully accepted!

BanksAT
asked 3 years ago · 9970 views
7 Answers
2

Hi,

I have now had this resolved. My issue here was that the SSM agent needed to hit the magic IP address which allows metadata to be queried, as per one of the above responses the Invoke-RestMethod -uri http://169.254.169.254/latest/metadata is intended to test this. Another way to test this would be Test-NetConnection -ComputerName 169.254.169.254 -Port 80.

In my context, the AMI was not sysprepped and so the EC2 instance was trying to use the GW from the AMI's subnet in its route table. To fix this, the EC2 instance's route table needed to be fixed. The following two commands did the trick:

  1. Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"
  2. Add-Routes

The first command enables the second, and the second corrects the routing table.

Regards

Edited by: ntendo64 on Nov 24, 2021 8:30 AM

answered 2 years ago
0

Thanks for reaching out to us! We are looking into your request.

AWS
answered 3 years ago
0

Hi BanksAT, Could you verify that the EC2 metadata service is accessible inside the bastion host? You can verify that by running the following command:

Invoke-RestMethod -uri http://169.254.169.254/latest/meta-data/

If it is unavailable and you are using a custom AMI, these links should help you get the metadata service working again:

https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2launch.html#ec2launch-config
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/Creating_EBSbacked_WinAMI.html#update-metadata-KMS

AWS
answered 3 years ago
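The two checks suggested in this thread (thor-aws's Invoke-RestMethod call and ntendo64's Test-NetConnection / Add-Routes fix) fit together into one diagnostic script. The following is an added example, not code from the thread or from AWS; it assumes an elevated PowerShell session on a Windows EC2 instance built with EC2Launch v1 (the Ec2Launch.psd1 path is the one given in ntendo64's answer), and it uses the IMDSv2 token endpoint first because hardened images often require it.

```powershell
# Added diagnostic script (not from the original thread). Checks the three
# prerequisites behind "failed to find agent identity": a route to the
# metadata service, a reachable IMDS endpoint, and an attached instance
# profile. Assumes an elevated session on a Windows EC2 instance.

function Test-SsmIdentityPrereqs {
    $Imds = '169.254.169.254'

    # 1. TCP reachability, as suggested in the thread.
    $tcp = Test-NetConnection -ComputerName $Imds -Port 80 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning "No TCP path to ${Imds}:80 - inspecting the local route table."

        # A missing /32 route to IMDS is the symptom the accepted answer fixed
        # with Add-Routes (image not sysprepped, stale gateway from source subnet).
        $route = Get-NetRoute -DestinationPrefix "$Imds/32" -ErrorAction SilentlyContinue
        if (-not $route) {
            Write-Host "No route to $Imds - re-running EC2Launch route setup."
            # Module path taken from the accepted answer (EC2Launch v1 layout).
            Import-Module 'C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1'
            Add-Routes
            $tcp = Test-NetConnection -ComputerName $Imds -Port 80 -WarningAction SilentlyContinue
        } else {
            Write-Host "Route to $Imds exists via '$($route.InterfaceAlias)'; check host firewall / STIG rules."
        }
        if (-not $tcp.TcpTestSucceeded) { return $false }
    }

    # 2. Prefer IMDSv2 (session token); fall back to IMDSv1 if the token
    #    endpoint is not answering.
    $headers = @{}
    try {
        $token = Invoke-RestMethod -Method Put -Uri "http://$Imds/latest/api/token" `
            -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' } -TimeoutSec 3
        $headers = @{ 'X-aws-ec2-metadata-token' = $token }
    } catch {
        Write-Warning 'IMDSv2 token request failed; retrying with IMDSv1.'
    }

    # 3. /iam/info returns 404 when no instance profile is attached, which is
    #    the role/policy case the original poster suspected.
    try {
        $iam = Invoke-RestMethod -Uri "http://$Imds/latest/meta-data/iam/info" `
            -Headers $headers -TimeoutSec 3
        Write-Host "Instance profile attached: $($iam.InstanceProfileArn)"
    } catch {
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) {
            Write-Warning 'IMDS reachable but no instance profile is attached to this instance.'
            Write-Warning 'Attach a role that grants SSM permissions (for example the AWS managed policy AmazonSSMManagedInstanceCore).'
        } else {
            Write-Warning "IMDS query failed: $($_.Exception.Message)"
        }
        return $false
    }

    return $true
}

# Usage: run the checks, then restart the agent only if the prerequisites hold.
if (Test-SsmIdentityPrereqs) {
    Restart-Service AmazonSSMAgent
    Get-Service AmazonSSMAgent | Select-Object Name, Status
}
```

The script stops at the first failing layer so the output points at a single cause (routing, IMDS access, or missing instance profile) rather than the generic "failed to find agent identity" message. If the profile shows up but the agent still cannot register, the remaining suspects are the role's permissions and any proxy or egress restriction between the host and the SSM endpoints, which this script does not test.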
0

Thank you for the assistance, thor-aws! I will check on this and get back to you.

Regards

BanksAT
answered 3 years ago
0

Did you figure out the issue and fix it?
I am running into the same issue

Dn88
answered 3 years ago
0

Hi BanksAT. Just following up on this -- were you able to try the steps suggested by thor-aws?

Edited by: DanR@AWS on Aug 13, 2021 2:59 PM

answered 3 years ago
0

Hi,

I'm experiencing the exact same problem and wondered if this can be re-looked at. Let me know what information to provide.

Thanks in advance for the assistance.

answered 2 years ago
