Questions tagged with AWS Systems Manager
While we patch the EC2 instances through Patch Manager, in the case of deployments managed by a pipeline on these instances, won't the Systems Manager workflow cause the version set to be out of sync (since it is also getting updates live from merges)?
How do we manage the update versions, since the instances are getting updates from 2 sources (Patch Manager as well as pipeline deployment)?
SSM Agent is not updated when running "AWS-UpdateSSMAgent". The execution error was showing as:
failed to download file reliably, https://s3.ca-central-1.amazonaws.com/amazon-ssm-ca-central-1/amazon-ssm-agent-updater/3.2.582.0/amazon-ssm-agent-updater-windows-amd64.zip, Get "https://s3.ca-central-1.amazonaws.com/amazon-ssm-ca-central-1/amazon-ssm-agent-updater/3.2.582.0/amazon-ssm-agent-updater-windows-amd64.zip": dial tcp 52.95.145.249:443: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
I see the blog posts about being able to patch across an AWS Organization; I'm just wondering if you need to do that from the Management account or whether you can do it from a different account. So far it seems like you need to do it from the Management account, and it looks like you need to enable a few other services (like Config), which I can do; but I already have a delegated account for Config, so I would need to move that back to the Management account if I have to patch from there.
Hi,
I'm trying to run this command in PowerShell on my Microsoft EC2 instance:
```
aws ssm put-parameter --name "WindowsAgentConfig" --type "String" --value file://C:\ProgramData\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent.json --overwrite --tier Intelligent-Tiering
```
However, I'm getting the following error:
```
An error occurred (AccessDeniedException) when calling the PutParameter operation: User: arn:aws:sts::480607316411:assumed-role/CloudWatchAgentAdminRole/i-071eb9d7a32d10801 is not authorized to perform: ssm:PutParameter on resource: arn:aws:ssm:us-east-1:480607316411:parameter/WindowsAgentConfig because no identity-based policy allows the ssm:PutParameter action
```
I checked my IAM role for permissions and I see this:

For that same role I also use the following policies:
- CloudWatchAgentServerPolicy
- AmazonSSMManagedInstanceCore
Is there something obvious I'm doing wrong here? Any help would be very much appreciated.
Adrian.
We are trying to deploy AWS Systems Manager Agent using Greengrass, which should then connect via a proxy.
The deployment works successfully, however, the logs show that the http_proxy / https_proxy environment variables are not being read from the Greengrass configuration. This is because the Systems Manager Agent gets installed via Snap then runs as a systemd service and therefore has no access to the Greengrass environment variables.
We can terminal in to the device and set the proxy up manually (using `systemctl edit snap.amazon-ssm-agent.amazon-ssm-agent`), but we do not want to have to do this manually for each device.
Is there any way to configure the proxy from Greengrass?
I have an SSM automation document which has 5 steps.
Right now it works perfectly. Once I run it, I can click on each executed step ID and check its output.
But I want to know: is there any way to accumulate the output of all 5 steps and send everything as an email once SSM has finished running?
or
Is there any way to collect the outputs from all 5 step IDs, put them in a 6th step and send them as an email as part of the SSM document itself?
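One way to do the "6th step" variant is an `aws:executeScript` step at the end of the document. The handler below is an added example written for this page, not code from the original post or from AWS. It assumes the step's `InputPayload` passes each earlier step's output under a key ending in `Output` (for instance `CreateTagsOutput: '{{ CreateTags.Output }}'`), the execution id as `ExecutionId: '{{ automation:EXECUTION_ID }}'`, and an optional `TopicArn` for an SNS topic that delivers the email. SSM invokes `script_handler(events, context)`, with `events` holding the `InputPayload` keys; the report is also returned so the document can declare it as a step output. The helper names and the key naming convention are this example's own.

```python
"""Aggregate SSM Automation step outputs into one report (added example).

Assumed wiring (not from the original post): a final aws:executeScript step
whose InputPayload carries '<StepName>Output' keys, an ExecutionId and an
optional TopicArn. Publishing only happens when TopicArn is present, so the
report builder itself runs offline.
"""
import json
from datetime import datetime, timezone


def build_report(step_outputs, execution_id="unknown"):
    """Render a plain-text report from {step_name: output} pairs.

    Outputs that are JSON strings are pretty-printed; anything else is
    included verbatim. Steps with no output are listed as such, so a missing
    result is visible in the email rather than silently dropped.
    """
    lines = [
        f"SSM Automation execution {execution_id}",
        f"generated {datetime.now(timezone.utc).isoformat()}",
        "",
    ]
    for name in sorted(step_outputs):
        raw = step_outputs[name]
        lines.append(f"=== {name} ===")
        if raw is None or raw == "":
            lines.append("(no output)")
        else:
            try:
                lines.append(json.dumps(json.loads(raw), indent=2))
            except (TypeError, ValueError):
                lines.append(str(raw).rstrip())
        lines.append("")
    return "\n".join(lines)


def script_handler(events, context):
    """Entry point for the aws:executeScript step (python3.8 runtime).

    Every InputPayload key ending in 'Output' is treated as a step result;
    TopicArn, if present, is the SNS topic the report is published to.
    """
    suffix = "Output"
    step_outputs = {
        key[: -len(suffix)]: value
        for key, value in events.items()
        if key.endswith(suffix)
    }
    execution_id = events.get("ExecutionId", "unknown")
    report = build_report(step_outputs, execution_id)

    topic_arn = events.get("TopicArn")
    if topic_arn:
        import boto3  # available inside the executeScript runtime

        boto3.client("sns").publish(
            TopicArn=topic_arn,
            Subject=f"SSM Automation {execution_id}"[:100],  # SNS caps Subject at 100 chars
            Message=report,
        )
    # Declared as the step's outputs, e.g. $.Report and $.StepCount
    return {"Report": report, "StepCount": len(step_outputs)}
```

Subscribe an email address to the SNS topic, and grant the automation's assume role `sns:Publish` on that topic only; the script runs with that role, not the caller's.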
Hello all,
I have a somewhat strange phenomenon with SSM Automation and Maintenance Windows.
The Automation document runs perfectly under SSM -> Automation -> Execute Automation
or directly from the document itself.
But if the document is scheduled in the SSM "Maintenance Windows" and the targets are defined,
for example, as a ResourceGroup, then the function aws:executeAwsApi CreateTags fails with the message:
**"Step fails when it is Execute/Cancelling action. An error occurred (InvalidParameterValue) when calling the CreateTags operation: Value ( null ) for parameter resourceId is invalid. Null/empty value for resourceId is invalid. "**
I am guessing that there is a bug in the SSM Maintenance Windows function, and the parameter passing or mapping for aws:executeAwsApi is working incorrectly.
So here is the code in YAML:
```
description: Start einer EC2 Instanz and set Tag.
schemaVersion: '0.3'
assumeRole: '{{ AutomationAssumeRole }}'
parameters:
  TagKey:
    type: String
    description: Set Tag Name
    default: SY-AutoPatch
  TagValue:
    type: String
    description: Value for the Tag
    default: '1'
  InstanceId:
    type: StringList
  AutomationAssumeRole:
    type: String
    description: 'Optional ARN Rolle '
    default: ""
mainSteps:
  - name: CreateTags
    action: 'aws:executeAwsApi'
    inputs:
      Service: EC2
      Api: CreateTags
      DryRun: false
      Resources:
        - '{{ InstanceId }}'
      Tags:
        - Key: '{{ TagKey }}'
          Value: '{{ TagValue }}'
  - name: startInstances
    action: 'aws:changeInstanceState'
    inputs:
      InstanceIds: '{{ InstanceId }}'
      DesiredState: running
```
I would like to create a CloudWatch alarm if an SSM Automation failed or executed successfully.
Has anyone gone through this?
We noticed that sometimes teams perform re-registrations when they have servers that are in connection lost state. This registers the server with a new instance ID again in the SSM console instead of using the previous registration. The previous instance ID will stay in the console in the connection lost state until it is manually cleaned up/deregistered.
When connectivity is restored, shouldn't the agent re-establish the link to the original registration? Is there a setting to enable this capability? This would help us reduce the time we spend on remediating connection-lost servers and duplicates as explained above.
I know App Runner can access Secrets Manager, as explained in this article -> https://aws.amazon.com/about-aws/whats-new/2023/01/aws-app-runner-secrets-configuration-aws-secrets-systems-manager/
I already implemented it, and it works only in the run phase. In the build phase, I cannot access Secrets Manager.
I'm using the App Runner configuration file (https://docs.aws.amazon.com/apprunner/latest/dg/config-file-examples.html).
Any insight related to this?
Thank you.
The SSM Automation triggered by the pipeline throws this error during the Step "VerifySSMAgentLinux" and Action "aws:runCommand":
```
Automation Step Execution fails when it is sending a command the target instance(s). Get Exception from SendCommand API of ssm Service. Exception Message from SendCommand API: [User: arn:aws:sts::xxxxxxxxx:assumed-role/AWSServiceRoleForImageBuilder/imagebuilderaed82722-3688-4722-b8ba-e4c6b293b94b is not authorized to perform: ssm:SendCommand on resource: arn:aws:ec2:eu-central-1:xxxxxxxxxxxx:instance/i-05f1445b9a1903058 because no identity-based policy allows the ssm:SendCommand action (Service: AWSSimpleSystemsManagement; Status Code: 400; Error Code: AccessDeniedException; Request ID: e40f5938-5387-4e0e-9e9b-7b7a3b346c61; Proxy: null)]. Please refer to Automation Service Troubleshooting Guide for more diagnosis details.
```
I looked into the service role mentioned in this error (AWSServiceRoleForImageBuilder). In this role I looked up the ssm:SendCommand part and found this:
```
{
  "Effect": "Allow",
  "Action": [
    "ssm:SendCommand"
  ],
  "Resource": [
    "arn:aws:ec2:*:*:instance/*"
  ],
  "Condition": {
    "StringEquals": {
      "ssm:resourceTag/CreatedBy": [
        "EC2 Image Builder"
      ]
    }
  }
}
```
As far as I understand it, this action is limited to instances that have the tag "CreatedBy: EC2 Image Builder".
So I looked up the instance created by the pipeline and found that the instances are tagged like this:
```
CreatedBy: imagebuilderaed82722-3688-4722-b8ba-e4c6b293b94b
```
So the instances that are created by this automation aren't tagged correctly. But since this is a service-managed role, I can't add any policies to that role, nor can I edit the existing policy.
Furthermore, I can't add the CreatedBy tag during the creation process since this tag name is blocked.
So overall this seems to be a problem with the IAM role that the service is using.
But at the same time I can't find anyone with the exact same problem as mine, which is unrealistic given that everybody using this service should be or is using this exact role.
Any help would be appreciated.
a.p.
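Both the PutParameter question above (the CloudWatchAgentAdminRole post) and this Image Builder post are the same class of failure: no identity-based Allow statement matches the action, the resource and the request context at the same time. The following is an added example written for this page, not code from either post or from AWS. It is a deliberately simplified policy evaluator that models Allow/Deny, `*`/`?` wildcards in Action and Resource, and only the `StringEquals` condition operator, so you can reason about the quoted statements offline; real IAM also applies SCPs, permission boundaries, resource policies, `NotAction`/`NotResource` and many more operators, so use the IAM policy simulator for authoritative answers. The Image Builder statement is copied from the post; the ARNs with account id `111122223333`, the instance id and the `PUT_PARAMETER_FIX` statement are constructed placeholders.

```python
"""Simplified IAM-style policy check for the two AccessDenied posts (added example).

Only Allow/Deny, '*'/'?' wildcards in Action/Resource and the StringEquals
operator are modelled; everything else raises so a gap is never silent.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM treats '*' as any run of characters (including ':' and '/') and '?' as one character
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """True when every StringEquals key in the condition is present in the
    request context with one of the expected values (a missing key fails)."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} is not modelled here")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches and no matching Deny statement exists."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny wins over any allow
        allowed = True
    return allowed


# Statement quoted from AWSServiceRoleForImageBuilder in the post above
IMAGE_BUILDER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:SendCommand"],
        "Resource": ["arn:aws:ec2:*:*:instance/*"],
        "Condition": {"StringEquals": {"ssm:resourceTag/CreatedBy": ["EC2 Image Builder"]}},
    }],
}

# Constructed ARNs with a placeholder account id
INSTANCE_ARN = "arn:aws:ec2:eu-central-1:111122223333:instance/i-0123456789abcdef0"
PARAMETER_ARN = "arn:aws:ssm:us-east-1:111122223333:parameter/WindowsAgentConfig"

# Constructed least-privilege statement for the PutParameter post: one action, one parameter ARN
PUT_PARAMETER_FIX = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ssm:PutParameter", "Resource": PARAMETER_ARN}],
}


def send_command_allowed(created_by_tag):
    """Does the Image Builder statement permit SendCommand to an instance whose
    CreatedBy tag carries this value? The tag value is the only thing that differs
    between the working and failing case."""
    ctx = {"ssm:resourceTag/CreatedBy": created_by_tag}
    return is_allowed(IMAGE_BUILDER_POLICY, "ssm:SendCommand", INSTANCE_ARN, ctx)


def put_parameter_allowed(policy):
    """Does the given identity policy permit PutParameter on WindowsAgentConfig?"""
    return is_allowed(policy, "ssm:PutParameter", PARAMETER_ARN)


if __name__ == "__main__":
    print(send_command_allowed("EC2 Image Builder"))  # True
    print(send_command_allowed("imagebuilderaed82722-3688-4722-b8ba-e4c6b293b94b"))  # False
    print(put_parameter_allowed({"Version": "2012-10-17", "Statement": []}))  # False
    print(put_parameter_allowed(PUT_PARAMETER_FIX))  # True
```

The two checks make the cause of each error concrete: for Image Builder, the condition key is satisfied only by the literal tag value `EC2 Image Builder`, so an instance tagged with a resource id fails the condition and the Allow never applies; for the CloudWatch agent role, neither managed policy listed in the post grants `ssm:PutParameter`, and the narrowest fix is a statement scoped to the single parameter ARN rather than `parameter/*`.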
Hi, my team is currently testing the Session Manager feature to adopt it in our environment and our clients' environments.
The basic Session Manager feature seems to be working very well; we don't have any trouble connecting to EC2 via Session Manager.
But after we enable the Session Manager logging feature in the AWS UI -> AWS Systems Manager -> Session Manager -> Preferences,
connecting to an EC2 instance via Session Manager takes almost 3 minutes (if we disable the logging feature, connecting to EC2 happens instantly), and logging seems not to be working on our specified target (currently we set the target to CloudWatch log groups).
Is there some further process we should do to make this work?
FYI, so far we have done:
- DNS features enabled on the VPC
- created 3 endpoints (ssm, ssmmessages and ec2messages) and set the security group to allow HTTPS
- used an Amazon-supplied basic AMI (Amazon Linux AMI)
- made a role with two policies attached and put it on the EC2 instances:
  1) AmazonSSMManagedInstanceCore
  2) a custom policy to work with CloudWatch with the following statements:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```