EC2 Image Builder error: Error while calling ssm:SendCommand: InvalidInstanceId

This error occurs when EC2 Image Builder is unable to connect to the build instance using AWS Systems Manager (SSM). The "InvalidInstanceId" error specifically indicates that the Systems Manager Agent can't communicate with the SSM service.

There are several potential causes for this issue:

1. Missing IAM permissions: Your build instance may not have the required IAM permissions. Make sure the IAM role specified in your Image Builder infrastructure configuration includes the AmazonSSMManagedInstanceCore managed policy. Also, verify that the AWSServiceRoleForImageBuilder role has access to any AWS KMS keys specified in your image recipe.

2. Network connectivity issues: If your build instance is in a private subnet without internet access, the SSM Agent can't reach the required endpoints. You have several options to resolve this:

• Configure the subnet to automatically assign public IPv4 addresses
• Set up a NAT gateway in a public subnet
• Configure AWS PrivateLink endpoints for Systems Manager

3. SSM Agent status: The SSM Agent might not be running properly on the instance.

When Image Builder runs a workflow to build an image, it generates a workflow metadata resource that tracks runtime details. You can use the workflow execution ID from the error message to investigate further by calling the GetWorkflowExecution and ListWorkflowStepExecutions API actions to review runtime logs.
Sources
Troubleshoot build pipeline timeout errors in EC2 Image Builder | AWS re:Post
Troubleshoot Image Builder issues - EC2 Image Builder
Cant connect to private ec2 instance using ssm and bastion? | AWS re:Post