Questions tagged with AWS Systems Manager


Send-SSMCommand 'AWS-ConfigureAWSPackage' -parameters @HashTableOfPackageNameActionInstallType errors that document does not support parameters

I am attempting to use the AWS Tools for PowerShell (aws.tools) module version 4.1.42 and PowerShell Core 7.2.5 to send a Run Command to an EC2 instance to install the AmazonCloudWatchAgent. The error is 'Send-SSMCommand: document AWS-ConfigureAWSPackage does not support parameters'. It MUST support parameters, or else how would the document know what package name/action/installType to install? Does this cmdlet need to be updated? The document DOES accept parameters, because this works in the awscli via `aws ssm send-command --document-name 'AWS-ConfigureAWSPackage' --parameters '{action/packagename/installtype/etc}'`. So the document does accept parameters, or else the awscli and PowerShell Tools pass the -parameters flag differently to the AWS API. The actual code I am running is below (the parameter string is stolen directly from the SSM Run Command UI at the bottom of the Run Command page when you select your options so you can run it via the AWS CLI; I just stole the parameter argument):

```powershell
# Build the document parameters as a hashtable of string arrays
$params = '{"action":["uninstall"],"installationType":["Uninstall and reinstall"],"version":[""],"additionalArguments":[""],"name":["AmazonCloudWatchAgent"]}' | ConvertFrom-Json -AsHashtable
# Send the Run Command to the target instance
Send-SSMCommand -DocumentName 'AWS-ConfigureAWSPackage' -InstanceId $ID -Parameter $params -Region us-west-2
```

The error is not that the variable is improperly formed, rather that 'Send-SSMCommand: document AWS-ConfigureAWSPackage does not support parameters.' I think it is a bug with the cmdlet? Can you try running it? I am guessing that the cmdlet needs to be updated and is not passing the flags correctly to the AWS API for the document; the awscli must be correctly passing them.
2 answers · 0 votes · 128 views · asked 5 months ago

Session Manager unable to connect to instance in public subnet

I can't seem to get an instance in a public subnet to connect via Session Manager. The subnet that the instance ends up deploying to has `0.0.0.0/0` routed to an internet gateway. The security group has no inbound rules and an outbound rule of `Allow` `0.0.0.0/0`. The instance profile has the `AmazonSSMManagedInstanceCore` managed policy, the instance is on a public subnet with an internet gateway and a security group that allows all outbound requests, and it's running Amazon Linux 2, so the SSM agent should be installed. I even added a userData command to install the latest again, but that didn't change anything. From the console, I see the following error message:

> **We weren't able to connect to your instance. Common reasons for this include:**
> * SSM Agent isn't installed on the instance. You can install the agent on both [Windows instances](https://docs.aws.amazon.com/en_us/console/systems-manager/agent-windows) and [Linux instances](https://docs.aws.amazon.com/en_us/console/systems-manager/agent-linux).
> * The required [IAM instance profile](https://docs.aws.amazon.com/en_us/console/systems-manager/qs-instance-profile) isn't attached to the instance. You can attach a profile using [AWS Systems Manager Quick Setup](https://docs.aws.amazon.com/en_us/console/systems-manager/qs-quick-setup).
> * Session Manager setup is incomplete.
> For more information, see [Session Manager Prerequisites.](https://docs.aws.amazon.com/en_us/console/systems-manager/session-manager-prerequisites)

Here's a sample of CDK code that replicates the problem:

```typescript
// Imports added for completeness; they assume CDK v2 (aws-cdk-lib)
import { Role, ServicePrincipal, ManagedPolicy } from 'aws-cdk-lib/aws-iam'
import {
  Instance, InstanceType, InstanceClass, InstanceSize, MachineImage,
  AmazonLinuxGeneration, AmazonLinuxCpuType, Vpc, SubnetType,
  UserData, BlockDeviceVolume, EbsDeviceVolumeType,
} from 'aws-cdk-lib/aws-ec2'

const region = 'us-east-2'

// Instance role carrying the managed policy Systems Manager requires
const myInstanceRole = new Role(this, 'MyRole', {
  assumedBy: new ServicePrincipal('ec2.amazonaws.com'),
})
myInstanceRole.addManagedPolicy(
  ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore')
)

// Reinstall the latest SSM agent at boot and restart it
const myUserData = UserData.forLinux()
myUserData.addCommands(
  `sudo yum install -y https://s3.${region}.amazonaws.com/amazon-ssm-${region}/latest/linux_amd64/amazon-ssm-agent.rpm`,
  'sudo systemctl restart amazon-ssm-agent',
)

const myInstance = new Instance(this, 'MyInstance', {
  instanceType: InstanceType.of(InstanceClass.C6I, InstanceSize.LARGE),
  machineImage: MachineImage.latestAmazonLinux({
    generation: AmazonLinuxGeneration.AMAZON_LINUX_2,
    cpuType: AmazonLinuxCpuType.X86_64,
  }),
  vpc: Vpc.fromLookup(this, 'ControlTowerVPC', {
    vpcName: 'aws-controltower-VPC',
  }),
  vpcSubnets: {
    subnetType: SubnetType.PUBLIC,
  },
  blockDevices: [
    {
      deviceName: '/dev/xvda',
      volume: BlockDeviceVolume.ebs(30, {
        volumeType: EbsDeviceVolumeType.GP2,
        encrypted: true,
      }),
    },
  ],
  userData: myUserData,
  role: myInstanceRole,
  detailedMonitoring: true,
})
```
1 answer · 0 votes · 254 views · bilal · asked 5 months ago

How can we run signed PowerShell SSM Documents when ExecutionPolicy is set to AllSigned?

Hi, I'm currently experiencing a bit of a roadblock with using SSM Documents with PowerShell.

- We define the policy through a GPO at the user/computer level.
- We have a CA which we use for code signing; we sign our PowerShell scripts before they are allowed to run.
- The publisher code signing cert has been trusted.

When I've tried to create a PowerShell document using the AWS SSM Document Manager, I have included the signature block in the JSON, which will end up as a file in **C:\ProgramData\Amazon\SSM\InstanceData\i-xyzxyzxyzxyz\document\orchestration\{run-command-id}\StepName\_script.ps1**. I then get a message that the Run Command has failed with the message **_script.ps1 is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies**. I've manually confirmed this file is identical to the script I initially wrote (before it became JSON and then a PS1 script), and I have diffed the two files. **Diff claims the files are identical (!)** But I still can't run it without getting that message. I've also tried running from an S3 bucket, but a _script file is still generated, which in that case would not be signed. It seems the only way I'm able to run signed PowerShell scripts at the moment is by running them on the system in a remote desktop session and using a locally saved version. Has anyone ever tried to accomplish this? Any success? I can't run any existing AWS Documents without signing them either ~
1 answer · 0 votes · 63 views · asked 5 months ago