I am using boto3 to control my EC2 instances on AWS from a python environment, using ec2 and ssm services. I have created an IAM account, that has access to AmazonSSMFullAccess and AmazonEC2FullAccess policies.
ec2 = boto3.client(
'ec2',
region_name='eu-west-1',
aws_access_key_id='…',
aws_secret_access_key='…/…+…'
)
ssm = boto3.client(
'ssm',
region_name='eu-west-1',
aws_access_key_id='…',
aws_secret_access_key='…/…+…'
)
I ran:
ec2.describe_instances()['Reservations']
Witch returned a list of all my instances.
But when I run:
ssm.describe_instance_information()
I get an empty list, though I have at least one instance running on AWS Linux AMI (ami-ca0135b3), and six others on recent Ubuntu AMIs. They are all in eu-west-1 (Ireland).
They should have SSM Agent preinstalled : (https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-ssm-agent.html)
I sshed into the AWS Linux instance, and tried to get the logs for ssm using:
sudo tail -f /var/log/amazon/ssm/amazon-ssm-agent.log
But nothing happens there when I run my python code. A sequence of messages gets displayed from time to time :
HealthCheck reporting agent health.
error when calling AWS APIs. error details - NoCredentialProviders: no valid providers in chain. Deprecated.
I also tried running a command through the web interface, selected ' AWS-RunRemoteScript' but no instance is shown below.
My goal is to run:
ssm.send_command(
DocumentName="AWS-RunShellScript",
Parameters={'commands': [command]},
InstanceIds=[instance_id],
)
But it gives me the following error, probably due to the previous problem.
botocore.errorfactory.InvalidInstanceId: An error occurred (InvalidInstanceId) when calling the SendCommand operation
The agent is pre-installed, but the instance (not just your IAM user) still needs the proper role to communicate with the systems manager. Particularly this step of Configuring Access to Systems Manager.
By default, Systems Manager doesn't have permission to perform actions
on your instances. You must grant access by using an IAM instance
profile. An instance profile is a container that passes IAM role
information to an Amazon EC2 instance at launch.
You should review the whole configuration guide and make sure you have configured all required roles appropriately.
Related
My Python application is deployed in a docker container on an EC2 instance. Passwords are stored in secrets manager. During runtime, application will make an API call to secrets manager to fetch the password and connect. Since we recreated the instance, it started giving out below error -
botocore.exceptions.NoCredentialsError: Unable to locate credentials
My application code is -
session = boto3.session.Session()
client = session.client(service_name = 'secretmanager', region_name = 'us-east-1')
get_secret_value_response = client.get_secret_value(secretId = secret_name)
If I run -
aws secretmanager get-secret-value --secret-id abc
It works without any issues since IAM policy is appropriately attached to the EC2 instance.
I spent the last 2 days trying to troubleshoot this but am still stuck with no clarity on why this is breaking. Any tips or guidance would help.
The problem was with the HTTPToken variable in the instance metadata options which was defaulted to required with the fresh update. Reverted it back to optional and boto3 is now able to make an API call for instance meta data and inherit its roles.
I followed the documentation on AWS how to add system manager.
So i did EC2-> Instances and select my running EKS instance to add the policies to the existing IAM Role eksctl-eks-gxxxxx-nodegroup-NodeInstanceRole-S0UHXXXXHJJD3T .
As you can see on the screenshot we can see AmazonSSMManagedInstanceCore on the IAM Role
eksctl-eks-gxxxxx-nodegroup-NodeInstanceRole-S0UHXXXXHJJD3T .
However when i go to system Manager -> Session manager i dont see my instance :(
i get this error
There are no instances which are associated with the required IAM
role.
i also watched a movie on youtube I do everything the same I don't see where is the problem
Have you installed SSM Agent on the EC2 instance?
You need the SSM Agent running on the system to perform any actions by SSM. More details on how to install and configure the agent could be found here: https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html
I am working on AWS system manager.I am using this to push my software to the instances using distributor which is under system manager.
The distributor creates one package.The package will have my installation script,uninstallation script and the .exe file which I am gonna push.This whole package will save as a SSM document which is maintained by system manager.
My problem if suppose I have two AWS accounts:
A account - The account where I created a package(us-east-1)
B account - The Instance which is running.(ap-southeast-2
I want to push the package in 'A' to account 'B' Instance.
I have to do this with my python code.So I used boto3.
def runcommand(self,instanceid):
try:
response = self.ssmclient.send_command(
InstanceIds=[instanceid,],
DocumentName='AWS-ConfigureAWSPackage',
TimeoutSeconds=600,
Parameters={
'action': ['Install'],
'installationType':['Uninstall and reinstall'],
'name':['arn:aws:ssm:us-east-1:accnumber:document/SSMDistributorPackage']
},
OutputS3Region='ap-southeast-2',
OutputS3BucketName='output',
OutputS3KeyPrefix='abcd',
)
print("Successfully pushed the agent....")
except Exception as e:
print("The error while running command:::::",str(e))
print("response(send_command)::::",response)
But it throws error like Invalid Document:cross region arn is not supporting.
How can I solve this?
Is there anyway to make this package supported by all aws accounts?
SSM Documents can be shared across accounts.
However, this error is not a cross account error. Its that you are referencing an SSM Document from one region to another region.
As the client and instance is in ap-southeast-2 but the document is in us-east-1 you will need to create the document in the ap-southeast-2 region.
I'm fairly new to AWS. I'm setting up an EC2 instance (an Ubuntu 18.04 LAMP server).
I've installed the aws CLI on the instance, so I can automate EBS snapshots for backup.
I've also created an IAM role with the needed permissions to run aws ec2 create-snapshot, and I've assigned this role to my EC2 instance.
My question: is there any need to run aws configure on the EC2 instance, in order to set the AWS Access Key ID and AWS Secret Access Key? I'm still wrapping my head around AWS IAM roles – but (since the EC2 instance has a role), it sounds like the instance will acquire the needed keys from IAM automagically. Therefore, I assume that there's never any need to run aws configure. (In fact, it seems like this would be counterproductive, since the keys set via aws configure would override the keys acquired automatically via the role.)
Is all of that accurate?
No, the AWS CLI will progress through a list of credential providers. The instance metadata service will eventually be reached, even if you have not configured the AWS cli:
https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#config-settings-and-precedence
And yes, if you add keys to the AWSCLI config file, they will be used with higher priority than those obtained from the instance metadata service.
I have EC2 instance.
I'm trying to call aws s3 from it but getting an error
Unable to locate credentials
I tried aws configure which does show everything as empty.
I see IAM role for S3 full permissions assigned to this instance.
Do I need any additional configuration?
If you run aws on an Amazon EC2 instance that has an assigned role, then it should find the credentials automatically.
You can also use this to view the credentials from the instance:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
The role name should be listed. Then append it to the command:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE-NAME/
You should then be presented with AccessKeyId, SecretAccessKey, etc.
If that information does not appear, it suggests that your role is not correctly attached to the instance. Try unassigning the role and then assign it to the instance again.
First read and follow John Rotenstein's advice.
The SDK (from which the CLI is built from) searches for credentials in the following order:
Environment variables (AWS_ACCESS_KEY_ID ....)
Default Profile (credentials file)
ECS Container Credentials (if running on ECS)
Instance Profile
After verifying that your EC2 instance has credentials in the metadata, double check 1 & 2 to make sure that there are no other credentials present even if empty.
Note: This link argues with my last point (empty credentials file). I never create (store) credentials on an EC2 instance and I only use IAM Roles.
Instance Metadata