How To Add An EC2 Instance To AWS System Manager (SSM)
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we discussed how to install the AWS Systems Manager (SSM) Agent.
https://cloudaffaire.com/how-to-install-aws-system-manager-ssm-agent/
In this blog post, we will discuss how to add an AWS EC2 instance to AWS Systems Manager (SSM). To manage an EC2 instance with SSM, you first have to register it as a managed instance: install the SSM Agent on the instance and attach an instance profile whose IAM role carries the permissions SSM needs (the AWS managed policy AmazonSSMManagedInstanceCore provides the minimum permissions for the core functionality). The agent authenticates to the SSM service with the credentials of that role, so it also needs outbound HTTPS connectivity to the SSM endpoints, either via the internet or via VPC endpoints. Once the instance is registered, SSM capabilities such as Session Manager, Patch Manager and Run Command are available for it.
Note: You can also manage on-premises servers with an SSM hybrid activation; that requires additional steps that are not covered in this blog post.
How To Add An EC2 Instance To AWS System Manager (SSM):
Requirements:
- One IAM role and instance profile for Systems Manager.
- One EC2 instance with the SSM Agent installed and the SSM instance profile attached.
- An IAM service-linked role for SSM (optional; needed for additional features such as Inventory).
Step 1: Create An SSM Service-Linked Role.
```bash
######################################################
## How To Add An EC2 Instance To AWS System Manager ##
######################################################

## Create a service-linked role for SSM
## (fails with an InvalidInput error if the role already exists in this account, which is harmless)
aws iam create-service-linked-role \
  --aws-service-name ssm.amazonaws.com \
  --description "Provides access to AWS Resources managed or used by Amazon SSM"
```
Step 2: Create An Instance Profile For SSM.
```bash
## Create an instance profile for SSM
aws iam create-instance-profile \
  --instance-profile-name "AmazonSSMInstanceProfileForInstances"

## Create the trust policy file: only the EC2 service principal may assume this role
cat > trust_policy.json <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

## Create an IAM role for SSM with that trust policy
aws iam create-role \
  --role-name "AmazonSSMRoleForInstances" \
  --assume-role-policy-document file://trust_policy.json

## Attach the least-privilege managed policy required for SSM core functionality
aws iam attach-role-policy \
  --role-name "AmazonSSMRoleForInstances" \
  --policy-arn "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

## Add the role to the instance profile
aws iam add-role-to-instance-profile \
  --instance-profile-name "AmazonSSMInstanceProfileForInstances" \
  --role-name "AmazonSSMRoleForInstances"
```
Step 3: Create An AWS EC2 Instance.
You can follow the blog post below to create the EC2 instance.
https://cloudaffaire.com/how-to-create-an-aws-ec2-instance-using-aws-cli/
Step 4: Install SSM Agent On The EC2 Instance.
You can follow the blog post below to install the AWS SSM Agent.
https://cloudaffaire.com/how-to-install-aws-system-manager-ssm-agent/
Note: If you are using an AWS-provided standard AMI (for example Amazon Linux or Windows Server), the SSM Agent comes preinstalled.
Step 5: Attach The Instance Profile Created In Step 2 To The EC2 Instance Created In Step 3.
```bash
## Attach the instance profile to the EC2 instance
## (replace the placeholder with the id of the instance created in Step 3)
aws ec2 associate-iam-instance-profile \
  --instance-id "<instance_id>" \
  --iam-instance-profile "Name=AmazonSSMInstanceProfileForInstances"

## The SSM Agent obtains the role credentials from the instance metadata service
## and registers itself; it takes some time for the instance to appear in SSM
```
Step 6: Get SSM Managed Instance Details.
```bash
## Get the managed instance details; the instance should be listed with PingStatus "Online"
aws ssm describe-instance-information
```
Our EC2 instance has been successfully added to the SSM managed instance list. You can also confirm the same from the AWS SSM console.
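As an added example (not part of the original post), the script below automates the check in Step 6 and adds the one a security engineer wants after Step 5: it polls describe-instance-information until the agent reports PingStatus=Online, and it fails if the role from Step 2 carries any managed policy other than AmazonSSMManagedInstanceCore (for example AdministratorAccess, which every process on the instance could then obtain through the instance metadata service). It assumes the AWS CLI is configured with ssm:DescribeInstanceInformation and iam:ListAttachedRolePolicies permissions; the role name is the one created in Step 2 and the instance id is supplied by the caller.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: verify SSM registration and
# least-privilege role scoping after attaching the instance profile.
# Assumes a configured AWS CLI; the role name is the one created in Step 2.
set -eu

EXPECTED_POLICY_ARN="arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Poll describe-instance-information until the agent reports PingStatus=Online.
# Usage: wait_for_ssm_registration <instance-id> [attempts] [seconds-between-polls]
wait_for_ssm_registration() {
  instance_id="$1"; attempts="${2:-30}"; delay="${3:-10}"
  i=1
  while [ "$i" -le "$attempts" ]; do
    # The JMESPath query prints "None" while the instance is not in the inventory yet.
    status="$(aws ssm describe-instance-information \
      --filters "Key=InstanceIds,Values=${instance_id}" \
      --query 'InstanceInformationList[0].PingStatus' \
      --output text)"
    case "$status" in
      Online)
        echo "${instance_id}: registered with SSM (PingStatus=Online)"
        return 0 ;;
      ConnectionLost|Inactive)
        # Registered once, but the agent cannot reach the SSM endpoints now:
        # check outbound HTTPS / VPC endpoints and that the agent service runs.
        echo "${instance_id}: registered but PingStatus=${status}" >&2 ;;
      *)
        echo "${instance_id}: not registered yet (attempt ${i}/${attempts})" >&2 ;;
    esac
    i=$((i + 1))
    sleep "$delay"
  done
  echo "${instance_id}: gave up waiting for SSM registration" >&2
  return 1
}

# Fail if the SSM core policy is missing, or if any other managed policy is
# attached to the role. Inline policies are not covered here; list them with
# `aws iam list-role-policies --role-name <role-name>`.
# Usage: check_role_policies <role-name>
check_role_policies() {
  role="$1"; rc=0; found=0
  # --output text prints the ARNs tab-separated on one line; word splitting is intended.
  for arn in $(aws iam list-attached-role-policies --role-name "$role" \
                 --query 'AttachedPolicies[].PolicyArn' --output text); do
    if [ "$arn" = "$EXPECTED_POLICY_ARN" ]; then
      found=1
    else
      echo "${role}: unexpected managed policy ${arn}" >&2
      rc=1
    fi
  done
  if [ "$found" -eq 0 ]; then
    echo "${role}: ${EXPECTED_POLICY_ARN} is not attached" >&2
    rc=1
  fi
  return "$rc"
}

# Run both checks when an instance id is supplied, e.g.
#   INSTANCE_ID=<instance_id> ./check_ssm_registration.sh
if [ -n "${INSTANCE_ID:-}" ]; then
  wait_for_ssm_registration "$INSTANCE_ID"
  check_role_policies "AmazonSSMRoleForInstances"
fi
```

A ConnectionLost or Inactive status means the instance did register at some point but the agent is not currently checking in, which is almost always a network path problem (no route to the ssm, ssmmessages and ec2messages endpoints) rather than an IAM problem; a persistent "None" means the role or agent side of the setup is what to look at.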
Hope you have enjoyed this blog post. To get more details on AWS SSM, please refer to the AWS documentation below.
https://docs.aws.amazon.com/systems-manager/index.html
aws iam add-role-to-instance-profile gives me an error:
bash: aws iam add-role-to-instance-profile: command not found
The other commands are working.
I get this error:
```
# aws iam add-role-to-instance-profile --instance-profile-name "AmazonSSMInstanceProfileForInstances" --role-name "AmazonSSMRoleForInstances"
Traceback (most recent call last):
  File "/bin/aws", line 27, in
    sys.exit(main())
  File "/bin/aws", line 23, in main
    return awscli.clidriver.main()
  File "/usr/lib/python2.7/site-packages/awscli/clidriver.py", line 69, in main
    rc = driver.main()
  File "/usr/lib/python2.7/site-packages/awscli/clidriver.py", line 206, in main
    parsed_args, remaining = parser.parse_known_args(args)
  File "/usr/lib/python2.7/site-packages/awscli/argparser.py", line 101, in parse_known_args
    parsed, remaining = super(CLIArgParser, self).parse_known_args(args, namespace)
  File "/usr/lib64/python2.7/argparse.py", line 1737, in parse_known_args
    namespace, args = self._parse_known_args(args, namespace)
  File "/usr/lib64/python2.7/argparse.py", line 1778, in _parse_known_args
    option_tuple = self._parse_optional(arg_string)
  File "/usr/lib64/python2.7/argparse.py", line 2086, in _parse_optional
    option_tuples = self._get_option_tuples(arg_string)
  File "/usr/lib64/python2.7/argparse.py", line 2129, in _get_option_tuples
    if option_string.startswith(option_prefix):
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 23: ordinal not in range(128)
```