Failed to start SSM Agent after changing the instance type of server

1

I have installed the SSM agent on a server and it was working fine, but after changing the instance type of the server the SSM agent couldn't start and gave the below error:

2022-12-23 04:19:59 ERROR Agent failed to assume any identity
2022-12-23 04:19:59 ERROR failed to find identity, retrying: failed to find agent identity
2022-12-23 04:20:00 ERROR Agent failed to assume any identity

On Google I found the solution to solve this problem by running these two commands:

  1. Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"
  2. Add-Routes

But I couldn't find what these commands actually do, and it's my production server, so will these commands affect my application running on it, and what changes will occur after running them?

asked a year ago, 1219 views
2 Answers
0

Hello Sayali,

The first thing to check is the reachability of EC2 metadata. You can verify that by running the following command:

Invoke-RestMethod -uri http://169.254.169.254/latest/meta-data/

If it is unavailable and you are using a custom AMI, these links should help you get the metadata service working again:

https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2launch.html#ec2launch-config
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/Creating_EBSbacked_WinAMI.html#update-metadata-KMS

Second guess, maybe there is a corrupt EC2Launch installation and missing routes for it to communicate with the AWS backbone (which brings us to the commands you suggested).

First you need to update EC2Launch:

# Create a working folder for the download
mkdir $env:USERPROFILE\Desktop\EC2Launch
# Download the latest EC2Launch package
$Url = "https://s3.amazonaws.com/ec2-downloads-windows/EC2Launch/latest/EC2-Windows-Launch.zip"
$DownloadZipFile = "$env:USERPROFILE\Desktop\EC2Launch\" + $(Split-Path -Path $Url -Leaf)
Invoke-WebRequest -Uri $Url -OutFile $DownloadZipFile
# Download the installer script into the same folder
$Url = "https://s3.amazonaws.com/ec2-downloads-windows/EC2Launch/latest/install.ps1"
$DownloadZipFile = "$env:USERPROFILE\Desktop\EC2Launch\" + $(Split-Path -Path $Url -Leaf)
Invoke-WebRequest -Uri $Url -OutFile $DownloadZipFile
# Run the installer
& $env:USERPROFILE\Desktop\EC2Launch\install.ps1

Then, once EC2Launch has been updated, you need to add the default routes required.

Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"
Add-Routes

Now go back to services.msc and perform a stop and start of the SSM Agent.

Hope it helps.

answered a year ago
0

Hello,

Since this is a production server, I would advise just uninstalling the SSM agent and reinstalling it. (I advise you store the CloudWatch config file in SSM Parameter Store as a central repository.)

If you don't want to do that, run 'route print' in CMD.exe and verify there are persistent routes for 169.254.169.254 (meta-data service) with a default gateway that matches the default gateway of your EC2 subnet, and it should match the Gateway column which is listed in the top table under Active Routes. If it's not there, you'll have to manually add it with cmd.exe route commands.

How old is the IAM Instance Profile that was created/attached to this EC2 instance? I ran into the same issue before, where in the old days you had to actually create an IAM instance profile instead of just creating the IAM role that is assumable by SSM. In other words, run the below AWS CLI command to actually verify that the IAM instance profile attached to the instance exists in the account:

AWS CLI: aws iam list-instance-profiles
AWS Tools for PowerShell: Get-IAMInstanceProfileList

If it's not listed, you need to recreate the IAM role and attach it to the instance.

answered a year ago
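
A read-only way to run the checks from the two answers above before changing anything on a production server, as an added example that is not part of either answer: it lists the active and persistent routes to 169.254.169.254, compares their gateway with the default gateway, and tests whether the metadata service responds. The function names `Get-ImdsRouteStatus` and `Test-ImdsReachable` are hypothetical, and the reachability test assumes IMDSv2 token requests are allowed on the instance.

```powershell
# Added example: read-only diagnostics. Nothing here adds, removes or edits a route or service.
$ImdsAddress = '169.254.169.254'

function Get-ImdsRouteStatus {
    # Hypothetical helper: compares the metadata host route with the default gateway.
    param([string]$Address = $ImdsAddress)

    # Default gateway(s) taken from the active 0.0.0.0/0 routes.
    $defaultRoutes = @(Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)
    $gateways = @($defaultRoutes | Select-Object -ExpandProperty NextHop -Unique)

    # Host routes to the metadata address: in use now (active) and stored across reboots (persistent).
    $active = @(Get-NetRoute -DestinationPrefix "$Address/32" -PolicyStore ActiveStore -ErrorAction SilentlyContinue)
    $persistent = @(Get-NetRoute -DestinationPrefix "$Address/32" -PolicyStore PersistentStore -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        DefaultGateway    = $gateways -join ', '
        ActiveNextHop     = ($active.NextHop | Select-Object -Unique) -join ', '
        PersistentNextHop = ($persistent.NextHop | Select-Object -Unique) -join ', '
        PersistentExists  = $persistent.Count -gt 0
        GatewayMatches    = [bool]($persistent | Where-Object { $gateways -contains $_.NextHop })
    }
}

function Test-ImdsReachable {
    # Hypothetical helper: returns $true if the metadata service answers an IMDSv2 request.
    param([string]$Address = $ImdsAddress)
    try {
        # IMDSv2 needs a session token, requested with PUT and then sent as a header.
        $token = Invoke-RestMethod -Method Put -Uri "http://$Address/latest/api/token" `
            -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' } -TimeoutSec 3
        $null = Invoke-RestMethod -Uri "http://$Address/latest/meta-data/instance-id" `
            -Headers @{ 'X-aws-ec2-metadata-token' = $token } -TimeoutSec 3
        return $true
    } catch {
        return $false
    }
}

$status = Get-ImdsRouteStatus
$status | Format-List
"Metadata service reachable: $(Test-ImdsReachable)"

if (-not $status.PersistentExists) {
    Write-Warning "No persistent route to $ImdsAddress was found."
} elseif (-not $status.GatewayMatches) {
    Write-Warning "Persistent route to $ImdsAddress does not use the current default gateway."
}
```

Running it before and after `Add-Routes` shows exactly which route entries changed.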
