how to implement service manager in AWS - amazon-web-services

I followed the documentation on AWS on how to add Systems Manager.
So I did EC2 -> Instances and selected my running EKS instance to add the policies to the existing IAM role eksctl-eks-gxxxxx-nodegroup-NodeInstanceRole-S0UHXXXXHJJD3T.
As you can see in the screenshot, AmazonSSMManagedInstanceCore is on the IAM role eksctl-eks-gxxxxx-nodegroup-NodeInstanceRole-S0UHXXXXHJJD3T.
However, when I go to Systems Manager -> Session Manager I don't see my instance :(
I get this error:
There are no instances which are associated with the required IAM
role.
I also watched a movie on YouTube. I do everything the same and I don't see where the problem is.

Have you installed SSM Agent on the EC2 instance?
You need the SSM Agent running on the system to perform any actions by SSM. More details on how to install and configure the agent could be found here: https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html

Related

AWS SSM describe-instance-information doesn't find my instances

I am using boto3 to control my EC2 instances on AWS from a python environment, using ec2 and ssm services. I have created an IAM account, that has access to AmazonSSMFullAccess and AmazonEC2FullAccess policies.
ec2 = boto3.client(
    'ec2',
    region_name='eu-west-1',
    aws_access_key_id='…',
    aws_secret_access_key='…/…+…'
)
ssm = boto3.client(
    'ssm',
    region_name='eu-west-1',
    aws_access_key_id='…',
    aws_secret_access_key='…/…+…'
)
I ran:
ec2.describe_instances()['Reservations']
Which returned a list of all my instances.
But when I run:
ssm.describe_instance_information()
I get an empty list, though I have at least one instance running on AWS Linux AMI (ami-ca0135b3), and six others on recent Ubuntu AMIs. They are all in eu-west-1 (Ireland).
They should have SSM Agent preinstalled : (https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-ssm-agent.html)
I sshed into the AWS Linux instance, and tried to get the logs for ssm using:
sudo tail -f /var/log/amazon/ssm/amazon-ssm-agent.log
But nothing happens there when I run my python code. A sequence of messages gets displayed from time to time :
HealthCheck reporting agent health.
error when calling AWS APIs. error details - NoCredentialProviders: no valid providers in chain. Deprecated.
I also tried running a command through the web interface and selected 'AWS-RunRemoteScript', but no instance is shown below.
My goal is to run:
ssm.send_command(
    DocumentName="AWS-RunShellScript",
    Parameters={'commands': [command]},
    InstanceIds=[instance_id],
)
But it gives me the following error, probably due to the previous problem.
botocore.errorfactory.InvalidInstanceId: An error occurred (InvalidInstanceId) when calling the SendCommand operation
The agent is pre-installed, but the instance (not just your IAM user) still needs the proper role to communicate with the systems manager. Particularly this step of Configuring Access to Systems Manager.
By default, Systems Manager doesn't have permission to perform actions
on your instances. You must grant access by using an IAM instance
profile. An instance profile is a container that passes IAM role
information to an Amazon EC2 instance at launch.
You should review the whole configuration guide and make sure you have configured all required roles appropriately.
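
The gap described in both questions above (instances visible to EC2 but absent from Systems Manager) can be triaged by comparing the two API responses. This is an added example, not code from the original posts; the function names, result labels and sample data are assumptions made for illustration.

```python
# Added example, not from the original posts. Inputs are dicts shaped like the
# boto3 responses of ec2.describe_instances() and
# ssm.describe_instance_information(); the sample data below is constructed.

def triage_ssm_visibility(ec2_response, ssm_response):
    """Map each running instance id to the likely reason it is (not) SSM-managed."""
    registered = {
        info["InstanceId"]: info.get("PingStatus", "Unknown")
        for info in ssm_response.get("InstanceInformationList", [])
    }
    findings = {}
    for reservation in ec2_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue  # a stopped instance has no agent running to register
            iid = inst["InstanceId"]
            if iid in registered:
                status = registered[iid]
                findings[iid] = "managed" if status == "Online" else "registered-" + status
            elif "IamInstanceProfile" not in inst:
                # No role for the agent to use: it logs NoCredentialProviders.
                findings[iid] = "no-instance-profile"
            else:
                # Profile attached: check the role's policy, the agent service
                # and the network path to the Systems Manager endpoints.
                findings[iid] = "profile-attached-not-registered"
    return findings


def sendable_instance_ids(findings):
    """Only these ids are valid InstanceIds for ssm.send_command()."""
    return sorted(i for i, state in findings.items() if state == "managed")


# Constructed sample responses (placeholder ids and account number).
SAMPLE_EC2 = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0000000000000000a", "State": {"Name": "running"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/example"}},
    {"InstanceId": "i-0000000000000000b", "State": {"Name": "running"}},
    {"InstanceId": "i-0000000000000000c", "State": {"Name": "running"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/example"}},
    {"InstanceId": "i-0000000000000000d", "State": {"Name": "stopped"}},
]}]}
SAMPLE_SSM = {"InstanceInformationList": [
    {"InstanceId": "i-0000000000000000a", "PingStatus": "Online"},
]}

if __name__ == "__main__":
    for iid, state in sorted(triage_ssm_visibility(SAMPLE_EC2, SAMPLE_SSM).items()):
        print(iid, state)
```

Against a live account, both calls are paginated, so collect all pages (boto3 provides paginators for each) before passing the merged responses in.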

AWS Beanstalk - getting "Access denied while accessing Auto Scaling and ..." error

When I try to launch an Elastic Beanstalk environment from the command line, I get this error during the process:
Environment health has transitioned from Pending to Warning. Access
denied while accessing Auto Scaling and Elastic Load Balancing using
role "arn:aws:iam::XXXXXXXXXX:role/aws-elasticbeanstalk-service-role".
Verify the role policy.
When I launch it from the console, I do not get this warning. I have tried to replicate the same AWS console configuration from the CLI , but I still get this error.
Any clue what's going on?
If anyone is still getting a similar error and is still unsure how to solve it
Navigate to IAM in the AWS Console.
Navigate to the aws-elasticbeanstalk-service-role (under Access Management > Roles).
Attach the following policies:
AutoScalingFullAccess
ElasticLoadBalancingFullAccess
I then rebuilt the environment, no more errors!
The following article helped me understand this better: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts-roles-service.html
You can go to your IAM console. You will see the "aws-elasticbeanstalk-service-role". Under the Permissions tab, you can grant the specific you want to give the policy on your behalf. Refresh and you should have "Ok". Make sure the permission you grant the role can manage this "Auto Scaling and Elastic Load Balancing using role".
Elastic Beanstalk now uses a Service Role to call other AWS services on your behalf. The IAM role is created in your account and you give permissions to launch
Service role is optional but recommended for new environments.
Especially for enhanced health monitoring (which is what you're using based on the error message), service role is mandatory. A misconfigured service role can lead to this error message.
The console experience makes it very easy for you to create/use the role with the correct permissions. This is because you just need to select the correct role from the dropdown (if the role already exists) when using the create environment wizard.
When using the CLI you need to pass the service role option setting. (namespace: aws:elasticbeanstalk:environment, option_name: ServiceRole). You can find the required permissions for a role configured in this documentation.
There are some more details about service role in my previous stack overflow answer here.
If anyone cannot solve the error with the previous actions, what I had to do is:
Add to aws-elasticbeanstalk-service-role the following policies AutoScalingFullAccess | ElasticLoadBalancingFullAccess
Not re-start but build the environment again
(after a while it kept launching the error)
Then I added:
AdministratorAccess-AWSElasticBeanstalk (again to aws-elasticbeanstalk-service-role)
Re-build the environment again
It is working at the moment.

AWS Elastic Beanstalk: Environment Fails to Launch

I have created a few environments before so I know how the Amazon EBS works however lately I have been having the following issue while creating an environment:
The instance profile aws-elasticbeanstalk-ec2-role associated with the environment has no role. Please attach a role to the instance profile.
I follow the steps to create a new environment. When it gets to the Permissions page, I create a new role as there are no existing ones. Then I follow the rest of the steps and eventually it starts to launch. After a couple minutes, I get the error above. Any help towards this will be helpful.
To solve this issue, I created a new role from the IAM Manager console. I selected Amazon EC2 as my Service Role Type. I attached the AWSElasticBeanstalkFullAccess policy. Then when creating a new environment, I chose the new role I created.
Though I am a bit late in answering this issue, I am posting here in case someone faces this error now.
In case your user has all the required permission to create role and BS has already created the "The instance profile aws-elasticbeanstalk-ec2-role".
The reason of this error is due to roles only and when we try to launch EC2 from aws BS, it creates a role naming "aws-elasticbeanstalk-ec2-role" with required permissions.
But, if there is already a role with Trusted entities "AWS service: ec2" so BS will check permission in that already existing older role.
So go to Roles > Search ec2 related roles and select the role which is active.
And just add AWSElasticBeanstalkFullAccess permission to that ec2 role, and this issue will be resolved.

How do I "associate an instance profile" with an environment on AWS?

I want to "associate an instance profile" with my environment (to speed up upload performance for my website) but can't find useful instructions on how anywhere in the AWS documentation (or here on SO).
How do I "associate an instance profile" with an environment on AWS?
Not clear what you are trying to accomplish, but if you are looking to just 'associate an instance profile', here you go:
http://docs.aws.amazon.com/IAM/latest/UserGuide/instance-profiles.html
An instance profile is a container for an IAM role. Instance profiles
are used to pass role information to an Amazon EC2 instance when the
instance starts. When you use the Amazon EC2 console to launch an
instance with an IAM role, you can select a role to associate with the
instance. In the console, the list that's displayed is actually a list
of instance profile names.
If you use the AWS Management Console to create a role, the console
creates an instance profile automatically and gives it the same name
as the role it corresponds to. However, if you use the CLI, API, the
AWS SDK, or a third-party tool to create roles and instance profiles,
you create the roles and instance profiles as separate actions, and
you might give them different names. In that case, you need to know
the names of your instance profiles as well as the names of roles they
contain so that you can choose the correct instance profile when you
launch an Amazon EC2 instance.
If you are seeing this error when trying to set up an Elastic Beanstalk environment, it could be that the IAM user does not have sufficient permissions. You should add the IAM Policy named IAMFullAccess for that user.
You can check one option that works here for AWS Beanstalk. This is using AWS Console.
Create IAM Role for "EC2" as AWS Service and attach
"AWSElasticBeanstalkFullAccess" policy to it.
Create an AWS Beanstalk environment with tier/platform/application of choice. (I did with Web Tier choosing Docker platform using python:3-onbuild).
Hit "Configure More Options" > "Modify" Security.
Choose "IAM instance profile" which was created in Step 1. (Keep Service role
"aws-elasticbeanstalk-service-role" as this is needed! It has some key policies!)
"Save" and "Create Environment".
Similarly, it should work for AWS CLI and AWS SDK as well. Key here is the instance profile role you choose for EC2 (or say instance IAM role/instance profile) during Beanstalk Environment creation.
You can create customer managed policy extending or reusing AWSElasticBeanstalkFullAccess policy based on need. Refer AWSElasticBeanstalkFullAccess to understand it better. Also, check out some more AWS Managed policies starting with AWSElasticBeanStalk*.
Somehow default aws-elasticbeanstalk-ec2-role policy is not working/taking effect as desired for me.
For what it's worth, the AWS console now displays an alert (see image) that has a link to help you associate the instance profile with your environment. Therefore, if you see this message in the CLI, you probably need to log into the Management Console, navigate to Elastic Beanstalk, and choose your environment. You will then see the message and be able to use the link to resolve the issue.
Note 1: You may need to redeploy your app after associating the profile. I did.
Note 2: It really does make deployments faster.
Orome,
As E.J Brennan pointed out in his post, you must have a role created first, and attach the necessary IAM policies to that role, then you create the instance profile:
aws iam create-instance-profile --instance-profile-name YOUR_INSTANCE_PROFILE_NAME
Then add the role you created in the beginning to the instance profile:
aws iam add-role-to-instance-profile --instance-profile-name YOUR_INSTANCE_PROFILE_NAME --role-name YOUR_ROLE
Then attach the instance profile to your instance:
aws ec2 associate-iam-instance-profile --instance-id YOUR_INSTANCE_ID --iam-instance-profile Name="YOUR_INSTANCE_PROFILE_NAME"
Is this what you are looking for?
As E.J Brennan also pointed out, the AWS management console does the instance profile for you behind the scenes.

Associate a Role to a running AWS instance

In order to run AWS monitoring scripts (http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/mon-scripts-perl.html) on one of my existing EC2 instances, I need an IAM role associated with the instance.
I found a lot of documentation to launch an instance with a role... But nothing to link a role to an existing instance.
Is it possible?
If not, what can I do? Launch a new instance with a role and transfer the volumes to it?
If not, what can I do? Launch a new instance with a role and transfer
the volumes to it?
This is one option but it might take you a long time if you have a lot of instances.
The other option is to simply use IAM by creating a new user then add the Amazon CloudWatch PutMetricData operation permission to that user. Then, create AWS credentials for that user and finally use them as per the docs that you specified:
Optional: If you aren't using an IAM role, update the
awscreds.template file that you downloaded earlier. The content of
this file should use the following format:
AWSAccessKeyId=YourAccessKeyID
AWSSecretKey=YourSecretAccessKey
Also set the environment variable AWS_CREDENTIAL_FILE to point that awscreds.template in the environment of the user that is running the mon-scripts-perl
There is a new method available, associate-iam-instance-profile, which associates an IAM instance profile with a running or stopped instance.
Example:
aws ec2 associate-iam-instance-profile --instance-id YourInstanceId --iam-instance-profile Name=YourNewRole-Instance-Profile
Doco
AWS doesn't allow you to modify the instance role after launching the instance.
You can either:
1) Launch a new instance with the role needed by taking the AMI of the already running instance and reassigning the EIP.
or
2) Create a headless user, generate an access key and secret key for the user with specific permission, and use those keys.
Earlier there was no solution. You had to create an AMI and launch the server again with the appropriate role.
On Feb 9, AWS launched these new CLI options which can help you solve your problem.
See this link: https://aws.amazon.com/blogs/security/new-attach-an-aws-iam-role-to-an-existing-amazon-ec2-instance-by-using-the-aws-cli/