DEV Community

Understand Amazon SSM Agent In 2 Minutes

🚀 Vu Dao 🚀 on January 08, 2021

🚀 Install SSM Agent on Ubuntu Server instances To install SSM Agent on Ubuntu Server 20.10 STR & 20.04, 18.04, and 16.04 LTS 64-bit ...
Oleksiy Holubyev

Hmm, I have exactly this problem, but I don't understand where I should attach the instance profile. My EC2 instance already has AmazonSSMRoleForInstanceQuickSetup role attached, which has the AmazonSSMManagedInstanceCore policy, which should have all of the listed permissions. But I still get the error mentioned above.

🚀 Vu Dao 🚀

Attach an instance profile which provides ssm:* permission to the EC2 instance on which you got the ssm-agent error

Oleksiy Holubyev

I have that. But I still get the error.

🚀 Vu Dao 🚀

Can you show your policy and the log?

Oleksiy Holubyev

Sure. The role in the instance profile is AmazonSSMRoleForInstancesQuickSetup, the associated policy is arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeAssociation",
        "ssm:GetDeployablePatchSnapshotForInstance",
        "ssm:GetDocument",
        "ssm:DescribeDocument",
        "ssm:GetManifest",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:ListAssociations",
        "ssm:ListInstanceAssociations",
        "ssm:PutInventory",
        "ssm:PutComplianceItems",
        "ssm:PutConfigurePackageResult",
        "ssm:UpdateAssociationStatus",
        "ssm:UpdateInstanceAssociationStatus",
        "ssm:UpdateInstanceInformation"
      ],
      "Resource": ""
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource": ""
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2messages:AcknowledgeMessage",
        "ec2messages:DeleteMessage",
        "ec2messages:FailMessage",
        "ec2messages:GetEndpoint",
        "ec2messages:GetMessages",
        "ec2messages:SendReply"
      ],
      "Resource": "*"
    }
  ]
}

and the error is:

Entering SSM Agent hibernate - AccessDeniedException: User: arn:aws:sts::111111111111:assumed-role/AmazonSSMRoleForInstancesQuickSetup/i-instance-id
is not authorized to perform: ssm:UpdateInstanceInformation on resource: arn:aws:ec2:eu-central-1:111111111111:instance/i-instance-id
status code: 400, request id:

🚀 Vu Dao 🚀

Why is the resource "" for the ssm action?

Oleksiy Holubyev

It's just that the text box interpreted the asterisk as italic formatting. The asterisk is there in the policy itself.
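
Added example, not part of anyone's comment in this thread: a simplified check of whether a pasted identity policy's Allow statements cover the action and resource named in the agent's AccessDeniedException line. It matches only Action and Resource with wildcards and ignores Deny statements, conditions and every other policy type; the helper names and the one-statement policy excerpt are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the hibernate error quoted in the thread, joined onto one line.
LOG = ("Entering SSM Agent hibernate - AccessDeniedException: User: "
       "arn:aws:sts::111111111111:assumed-role/AmazonSSMRoleForInstancesQuickSetup/i-instance-id "
       "is not authorized to perform: ssm:UpdateInstanceInformation on resource: "
       "arn:aws:ec2:eu-central-1:111111111111:instance/i-instance-id")

DENIED = re.compile(r"User: (?P<principal>\S+)\s+is not authorized to perform: "
                    r"(?P<action>\S+) on resource: (?P<resource>\S+)")

def parse_denied(line):
    """Return principal, action and resource from an AccessDeniedException line, or None."""
    m = DENIED.search(line)
    return m.groupdict() if m else None

def as_list(value):
    """IAM allows a single string where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]

def allowing_statements(policy, action, resource):
    """Indexes of Allow statements whose Action and Resource both match the request.

    Simplified: ignores Deny, NotAction, NotResource and Condition.
    """
    hits = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are compared case-insensitively, resource ARNs as written.
        act_ok = any(fnmatchcase(action.lower(), a.lower()) for a in as_list(stmt.get("Action", [])))
        res_ok = any(fnmatchcase(resource, r) for r in as_list(stmt.get("Resource", [])))
        if act_ok and res_ok:
            hits.append(i)
    return hits

def policy_with_resource(res):
    """Hypothetical one-statement excerpt of the policy pasted in the thread."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ssm:UpdateInstanceInformation"], "Resource": res}]}

if __name__ == "__main__":
    req = parse_denied(LOG)
    for res in ("", "*"):
        hits = allowing_statements(policy_with_resource(res), req["action"], req["resource"])
        print(f'Resource "{res}" -> allowing statement indexes: {hits}')
```
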

Duy Nguy3n

It solved my problem with SSM agent :)

🚀 Vu Dao 🚀

Glad to hear that

Duy Nguy3n

Thanks for sharing