How to configure IAM role to enable SSM for a new EC2 instance?

I ran the following:

KEY=test
QUERY=ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210430

# key pair for ssh
aws ec2 create-key-pair --key-name $KEY --query 'KeyMaterial' --output text > $KEY.pem
chmod 600 $KEY.pem

# security group allowing ssh; create-security-group prints the new group id
aws ec2 create-security-group --group-name "$KEY" --description "$KEY" --output text > $KEY.sg.txt
SGID=$(cat $KEY.sg.txt)
aws ec2 authorize-security-group-ingress --group-id $SGID --protocol tcp --port 22 --cidr 0.0.0.0/0 > $KEY.sg.json

# newest AMI matching the name, then launch (no instance profile is specified);
# --security-group-ids takes the group id, not the group name
AMIID=$(aws ec2 describe-images --filters "Name=name,Values=$QUERY" --query "reverse(sort_by(Images, &CreationDate))[0].[ImageId]" --output text)
INSTANCEID=$(aws ec2 run-instances --count 1 --instance-type t2.micro --key-name "$KEY" --security-group-ids "$SGID" --image-id $AMIID --query 'Instances[*].InstanceId' --output text)

# after a wait, instance appears running

aws ssm describe-instance-information --output text
# prints nothing

aws ssm send-command --instance-ids "$INSTANCEID" --document-name "AWS-RunShellScript" --comment "IP config" --parameters commands=ifconfig --output text
# fails with invalid InstanceId

I tried ssh'ing; the ssm agent seems to be running, and from https://aws.amazon.com/premiumsupport/knowledge-center/systems-manager-ec2-instance-not-appear/ it looks like the IAM role is misconfigured.

How do I correctly configure the IAM role / IAM instance profile so I can use the SSM agent and run commands? Or, given the logs, could it be some other problem?

Thanks!

ssh works:

ubuntu@ip-172-31-28-150:~$ sudo cat /var/log/amazon/ssm/amazon-ssm-agent.log
2021-10-21 14:43:21 WARN Error adding the directory '/etc/amazon/ssm' to watcher: no such file or directory
2021-10-21 14:43:21 INFO [amazon-ssm-agent] amazon-ssm-agent - v3.0.529.0
2021-10-21 14:43:21 INFO [amazon-ssm-agent] OS: linux, Arch: amd64
2021-10-21 14:43:22 INFO [amazon-ssm-agent] [LongRunningWorkerContainer] [WorkerProvider] Worker ssm-agent-worker is not running, starting worker process
2021-10-21 14:43:22 INFO [amazon-ssm-agent] [LongRunningWorkerContainer] [WorkerProvider] Worker ssm-agent-worker (pid:1185) started
2021-10-21 14:43:22 INFO [amazon-ssm-agent] [LongRunningWorkerContainer] Monitor long running worker health every 60 seconds
2021-10-21 14:43:23 WARN Error adding the directory '/etc/amazon/ssm' to watcher: no such file or directory
2021-10-21 14:43:23 INFO [ssm-agent-worker] Dial to Core Agent broadcast channel
2021-10-21 14:43:23 INFO [ssm-agent-worker] Start to listen to Core Agent termination channel
2021-10-21 14:43:23 INFO [ssm-agent-worker] Dial to Core Agent broadcast channel
2021-10-21 14:43:23 INFO [ssm-agent-worker] Start to listen to Core Agent health channel
2021-10-21 14:43:23 INFO [ssm-agent-worker] Create new startup processor
2021-10-21 14:43:23 INFO [ssm-agent-worker] [StartupProcessor] Executing startup processor tasks
2021-10-21 14:43:23 INFO [ssm-agent-worker] [StartupProcessor] Write to serial port: Amazon SSM Agent v3.0.529.0 is running
2021-10-21 14:43:23 INFO [ssm-agent-worker] [StartupProcessor] Write to serial port: OsProductName: Ubuntu
2021-10-21 14:43:23 INFO [ssm-agent-worker] [StartupProcessor] Write to serial port: OsVersion: 20.04
2021-10-21 14:43:23 INFO [ssm-agent-worker] Entering SSM Agent hibernate - EC2RoleRequestError: no EC2 instance role found
caused by: EC2MetadataError: failed to make EC2Metadata request
        status code: 404, request id:
caused by: <?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>404 - Not Found</title>
 </head>
 <body>
  <h1>404 - Not Found</h1>
 </body>
</html>
$ sudo snap services amazon-ssm-agent

Service                            Startup  Current  Notes
amazon-ssm-agent.amazon-ssm-agent  enabled  active   -

$ sudo systemctl status snap.amazon-ssm-agent.amazon-ssm-agent.service

● snap.amazon-ssm-agent.amazon-ssm-agent.service - Service for snap application amazon-ssm-agent.amazon-ssm-agent
     Loaded: loaded (/etc/systemd/system/snap.amazon-ssm-agent.amazon-ssm-agent.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-10-21 14:43:20 UTC; 4min 32s ago
   Main PID: 1153 (amazon-ssm-agen)
      Tasks: 17 (limit: 1160)
     Memory: 94.9M
     CGroup: /system.slice/snap.amazon-ssm-agent.amazon-ssm-agent.service
             ├─1153 /snap/amazon-ssm-agent/3552/amazon-ssm-agent
             └─1185 /snap/amazon-ssm-agent/3552/ssm-agent-worker

Oct 21 14:43:20 ip-172-31-28-150 systemd[1]: Started Service for snap application amazon-ssm-agent.amazon-ssm-agent.
Oct 21 14:43:21 ip-172-31-28-150 amazon-ssm-agent.amazon-ssm-agent[1153]: Error occurred fetching the seelog config file path:  open /etc/amazon/ssm/seelog.xml: no such file or directory
Oct 21 14:43:21 ip-172-31-28-150 amazon-ssm-agent.amazon-ssm-agent[1153]: Initializing new seelog logger
Oct 21 14:43:21 ip-172-31-28-150 amazon-ssm-agent.amazon-ssm-agent[1153]: New Seelog Logger Creation Complete
Oct 21 14:43:21 ip-172-31-28-150 amazon-ssm-agent.amazon-ssm-agent[1153]: 2021-10-21 14:43:21 WARN Error adding the directory '/etc/amazon/ssm' to watcher: no such file or directory
Oct 21 14:43:21 ip-172-31-28-150 amazon-ssm-agent.amazon-ssm-agent[1153]: 2021-10-21 14:43:21 INFO [amazon-ssm-agent] amazon-ssm-agent - v3.0.529.0
Oct 21 14:43:21 ip-172-31-28-150 amazon-ssm-agent.amazon-ssm-agent[1153]: 2021-10-21 14:43:21 INFO [amazon-ssm-agent] OS: linux, Arch: amd64
Oct 21 14:43:22 ip-172-31-28-150 amazon-ssm-agent.amazon-ssm-agent[1153]: 2021-10-21 14:43:22 INFO [amazon-ssm-agent] [LongRunningWorkerContainer] [WorkerProvider] Worker ssm-agent-worker is not running, starting worker process
Oct 21 14:43:22 ip-172-31-28-150 amazon-ssm-agent.amazon-ssm-agent[1153]: 2021-10-21 14:43:22 INFO [amazon-ssm-agent] [LongRunningWorkerContainer] [WorkerProvider] Worker ssm-agent-worker (pid:1185) started
Oct 21 14:43:22 ip-172-31-28-150 amazon-ssm-agent.amazon-ssm-agent[1153]: 2021-10-21 14:43:22 INFO [amazon-ssm-agent] [LongRunningWorkerContainer] Monitor long running worker health every 60 seconds

I assume your EC2 instance has internet access through an internet gateway. Otherwise you must set up VPC endpoints for SSM (see https://aws.amazon.com/blogs/mt/automated-configuration-of-session-manager-without-an-internet-gateway/).

Then you need to attach an instance profile with the appropriate permissions to your instance. For that you can, for example, use the existing managed policy AmazonSSMManagedInstanceCore. To attach the profile, use --iam-instance-profile in the aws ec2 run-instances command.

You can find a hands-on lab at https://acloudguru.com/hands-on-labs/creating-an-ssm-iam-role-and-configuring-an-ec2-instance-with-aws-systems-manager-via-the-cli which seems to describe all the necessary steps for creating an instance profile and attaching it to an instance via the CLI. Note that this lab does not use the AmazonSSMManagedInstanceCore managed policy, but the steps remain the same.
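As an added example (not code from the question, the answer, or the lab linked above), here is the procedure the answer describes as a POSIX shell script: a role trusted only by the EC2 service, the AmazonSSMManagedInstanceCore managed policy attached, the role wrapped in an instance profile, and the profile passed to run-instances. It goes one step beyond the answer by also covering an instance that is already running, which is the situation in the question, and by checking from inside the instance whether the metadata service exposes a role. The role and profile names are assumptions; the policy ARN is the real AWS-managed one.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# ROLE_NAME and PROFILE_NAME are assumed names; only the policy ARN is real.
set -eu

ROLE_NAME="${ROLE_NAME:-ssm-managed-instance-role}"
PROFILE_NAME="${PROFILE_NAME:-ssm-managed-instance-profile}"
SSM_POLICY_ARN="arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Trust policy: only the EC2 service principal may assume the role
# (no users, no other services), which is the least-privilege trust for
# an instance profile.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Value for --iam-instance-profile (run-instances / associate-iam-instance-profile).
instance_profile_arg() {
  printf 'Name=%s' "$1"
}

create_ssm_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(ec2_trust_policy)" --output text
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$SSM_POLICY_ARN"
  aws iam create-instance-profile --instance-profile-name "$PROFILE_NAME" --output text
  aws iam add-role-to-instance-profile \
    --instance-profile-name "$PROFILE_NAME" --role-name "$ROLE_NAME"
  # A freshly created profile is not immediately visible to EC2; a short wait
  # avoids an "Invalid IAM Instance Profile name" error on the next call.
  sleep 10
}

# New instance: $1 = AMI id, $2 = key pair name, $3 = security group id.
launch_with_profile() {
  aws ec2 run-instances --count 1 --instance-type t2.micro \
    --key-name "$2" --security-group-ids "$3" --image-id "$1" \
    --iam-instance-profile "$(instance_profile_arg "$PROFILE_NAME")" \
    --query 'Instances[0].InstanceId' --output text
}

# Existing instance (the case in the question): attach the profile in place.
attach_profile_to_running() {
  aws ec2 associate-iam-instance-profile --instance-id "$1" \
    --iam-instance-profile "$(instance_profile_arg "$PROFILE_NAME")"
}

# Poll until the agent has registered with SSM using the role's credentials.
wait_for_ssm() {
  i=0
  while [ "$i" -lt 30 ]; do
    status=$(aws ssm describe-instance-information \
      --filters "Key=InstanceIds,Values=$1" \
      --query 'InstanceInformationList[0].PingStatus' --output text 2>/dev/null || true)
    [ "$status" = "Online" ] && return 0
    i=$((i + 1)); sleep 10
  done
  return 1
}

# Run on the instance itself (IMDSv2): lists the role the agent will use.
# With no profile attached this returns the 404 seen in the question's log.
imds_role_name() {
  token=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
  curl -sS -H "X-aws-ec2-metadata-token: $token" \
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
}

# Usage: sh ssm-role.sh new <ami-id> <key-name> <sg-id>
#        sh ssm-role.sh existing <instance-id>
#        sh ssm-role.sh imds            (on the instance)
case "${1:-}" in
  new)      create_ssm_role; ID=$(launch_with_profile "$2" "$3" "$4"); wait_for_ssm "$ID" ;;
  existing) create_ssm_role; attach_profile_to_running "$2"; wait_for_ssm "$2" ;;
  imds)     imds_role_name ;;
esac
```

The "Entering SSM Agent hibernate - EC2RoleRequestError: no EC2 instance role found" line in the question's log, with the 404 from the metadata service underneath it, is exactly what imds_role_name returns when no profile is attached. After the profile is associated with a running instance, the hibernating agent retries on its own; `sudo snap restart amazon-ssm-agent` makes it pick up the role immediately, after which describe-instance-information lists the instance.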