Questions tagged with AWS Systems Manager

SSM is working but after a few minute, SSM is not working. and When I stop and start the instance, SSM is working. but after a few minute, SSM is not working. SSM Log is as follows. mdsinteractor stopped temporarily due to internal failure. no EC2 instance role found. Instance Low Spec Problem(CPU Usage 60~70%, Disk is 20%)? or SSM Agent Problem?lg...

When I restart instance, SSM is connected. but after a few minute, SSM is connected.(Target Not Connected) How can I debug and solve this problem?lg...

I have a system running greengrass with various components installed - including SystemManager. The upgrade is upgrading a complete system image using A/B upgrade scheme - however we preserve the greengrass install location between upgrades - so this remains untouched and available after the OTA upgrade, although the complete Kernel and root filesystem have been upgraded. I have noticed that SystemsManager does not always start cleanly after the upgrade, although when removed from the unit deployment, and then re-added it starts successfully. Basically my question is * are there/can there be dependencies on greeengrass components on the base system image, for example, packagages which may be installed as part of a component deployment for example ? * After initially being installed - how would components handle some dependencies disapearing - would they automatically re-install/deploy ? * How would this scenario be handled in a GG environmnet - where the system can be upgraded/replaced whilst preserving the GG deployment state ?lg...

Hi. I am trying to add tags when an SSM Automation script creates an AMI of an EC2 instance. How am I supposed to use the TagSpecifications input?lg...

I want to start SSM Automation Document, This document copies s3 bucket objects to another s3 bucket but it takes 1 hour. After 15 minutes I received this message: "Step fails when it is Poll action status for completion. Script execution times out. Please refer to Automation Service Troubleshooting Guide for more diagnosis details.". I use "timeoutSeconds: 30000" but it doesn't help. Also I use "timeoutSeconds: 300000" with isCritical: false and maxAttempts: 3 etc. (with different parameters)lg...

Hello, i want to create a policy, which will give full permissions, to every resource except ssm, because for the ssm, i want to give a condition. I can think of 2 variants, of how to do it - 1) Create a policy which will look like ``` "iam:Add*", "iam:Create*", "iam:Deactivate*", "iam:Delete*", "iam:Detach*", "iam:Enable*", "iam:PassRole", "iam:Put*", "iam:Remove*", "iam:Resync*", "iam:Set*", "iam:Simulate*", "iam:Update*", "iam:Put*" ... ``` but for every resource there is. Then, i need help with finding all of those resource names. 2) while giving full permissions using ``` { "Statement": [ { "Action": "*", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" } ``` Deny access to the ssm, *ONLY* if the ssh document is not used, so i suppose it should look something like ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor1", "Effect": "Deny", "Action": "ssm:StartSession", "Resource": [ "arn:aws:ec2:*:*:instance/*" ], "Condition": { "BoolIfExists": { "arn:aws:ssm:*:*:document/AWS-StartSSHSession": "false" } } } ] } ``` But this dosnt seem to be working. Any help is appreciated.lg...

The state association will fail with this error: "The staging directory is not currently owned by the root account. Exiting." This is caused by the shell script not expecting a single space in between user and group. For example, Elastic Beanstalk runs as user webapp and group webapp. This causes entries created in /tmp to look like this in ls (notice the space between webapp and webapp: ``` drwxr-xr-x 2 webapp webapp 6 Sep 18 01:00 uploads ``` The script itself is looking for entries looking like: ``` drwx------ 2 root root 6 Sep 19 17:13 tmp.ZU79vTNUjs ``` Notice the multiple spaces between root and root. Not using /tmp from webapp is the only fix I have found so far. Having spent many hours on this, I hope this may help someone else.lg...

I have some EC2 linux instances with Amazon Linux 2 and SSM agent (ie amazon-ssm-agent-3.1.1575.0-1 ) running on them. I've modified the Roles for the instances and added the AmazonSSMManagedInstanceCore policy. In the past the inspector has worked in the past and I have some scan data, but now the instances are showing up as "Unmanaged EC2 instance". So per the suggestion I ran AWSSupport-TroubleshootManagedInstance, and everything passes with flying colors if I leave out the Role to assume. If I try to set the Role to be the same as the Role used by the instance then things fails. However, it's unclear what the Role should be as most of the permissions it's failing on seem to be the caller of SSM agent would need and not the agent itself. I'm stuck as to why this suddenly not working. So why's it not working? ssm logs: ``` 2022-09-11 03:23:14 ERROR [UpdateAssociationStatus @ service.go.367] [ssm-agent-worker] [MessageService] [Association] unable to update association status, RequestError: send request failed caused by: Post "https://ssm.us-east-1.amazonaws.com/": dial tcp 172.x.x.x:443: i/o timeout 2022-09-11 03:23:14 ERROR [HandleAwsError @ awserr.go.49] [ssm-agent-worker] [MessageService] [Association] error when calling AWS APIs. error details - RequestError: send request failed caused by: Post "https://ssm.us-east-1.amazonaws.com/": dial tcp 172.x.x.x:443: i/o timeout 2022-09-11 03:23:41 ERROR [HandleAwsError @ awserr.go.49] [ssm-agent-worker] [MessageService] [Association] error when calling AWS APIs. error details - RequestError: send request failed caused by: Post "https://ssm.us-east-1.amazonaws.com/": dial tcp 172.x.x.x:443: i/o timeout 2022-09-11 03:24:30 ERROR [replaceLogger @ ssmlog.go.153] New logger creation failed 2022-09-11 03:24:30 ERROR [replaceLogger @ ssmlog.go.154] xml has no content ```lg...

Error while installing AWS Agent on EC2- error is cannot execute binary filelg...

I am trying to create an SSM command document from the console and in the Parameter section, I am asking the user to pass "username" and "password". The parameter type is "String" but the requirement is that the "password" should not show the input given by the user. I have tried "NoEcho": "true" and "type": "SecureString", both are not accepted by the SSM. I have attached a sample JSON file with the  Enter image description here](/media/postImages/original/IM9AxqJsrMQY6XM4Bq2QHz0g) error.lg...

Hello friends. Please could anyone help? I'm trying to apply default ubuntu Patch baseline on my Ubuntu 20.04 instance using Systems Manager but I get the error: /var/log/amazon/ssm/patch-baseline-operations/jmespath/visitor.py:32: SyntaxWarning: "is" with a literal. Did you mean "=="? if x is 0 or x is 1: /var/log/amazon/ssm/patch-baseline-operations/jmespath/visitor.py:32: SyntaxWarning: "is" with a literal. Did you mean "=="? if x is 0 or x is 1: /var/log/amazon/ssm/patch-baseline-operations/jmespath/visitor.py:34: SyntaxWarning: "is" with a literal. Did you mean "=="? elif y is 0 or y is 1: /var/log/amazon/ssm/patch-baseline-operations/jmespath/visitor.py:34: SyntaxWarning: "is" with a literal. Did you mean "=="? elif y is 0 or y is 1: /var/log/amazon/ssm/patch-baseline-operations/jmespath/visitor.py:260: SyntaxWarning: "is" with a literal. Did you mean "=="? if original_result is 0: The SSM agent is ok: $ sudo snap services amazon-ssm-agent Service Startup Current Notes amazon-ssm-agent.amazon-ssm-agent enabled active - $ Tks, Yamazakilg...

Is it possible to use the System Manager Run command across Multi-Account/Multi-Region, or Is System Manager Automation is only way https://aws.amazon.com/blogs/mt/managing-aws-resources-across-multiple-accounts-and-regions-using-aws-systems-manager-automation/ at this moment?lg...