
AWS SSM describe-instance-information doesn't find my instances


I am using boto3 to control my EC2 instances on AWS from a Python environment, using the ec2 and ssm services. I have created an IAM account that has access to the AmazonSSMFullAccess and AmazonEC2FullAccess policies.

ec2 = boto3.client(
    'ec2',
    region_name='eu-west-1',
    aws_access_key_id='…',
    aws_secret_access_key='…/…+…'
)

ssm = boto3.client(
    'ssm',
    region_name='eu-west-1',
    aws_access_key_id='…',
    aws_secret_access_key='…/…+…'
)

I ran:

ec2.describe_instances()['Reservations']

Which returned a list of all my instances. But when I run:

ssm.describe_instance_information()

I get an empty list, though I have at least one instance running on AWS Linux AMI (ami-ca0135b3), and six others on recent Ubuntu AMIs. They are all in eu-west-1 (Ireland). They should have SSM Agent preinstalled (https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-ssm-agent.html).

I sshed into the AWS Linux instance, and tried to get the logs for ssm using:

sudo tail -f /var/log/amazon/ssm/amazon-ssm-agent.log

But nothing happens there when I run my Python code. A sequence of messages gets displayed from time to time:

HealthCheck reporting agent health.
error when calling AWS APIs. error details - NoCredentialProviders: no valid providers in chain. Deprecated.

I also tried running a command through the web interface and selected 'AWS-RunRemoteScript', but no instance is shown below.

My goal is to run:

ssm.send_command(
    DocumentName="AWS-RunShellScript",
    Parameters={'commands': [command]},
    InstanceIds=[instance_id],
)

But it gives me the following error, probably due to the previous problem.

botocore.errorfactory.InvalidInstanceId: An error occurred (InvalidInstanceId) when calling the SendCommand operation


Solution

  • The agent is pre-installed, but the instance (not just your IAM user) still needs the proper role to communicate with Systems Manager. See in particular this step of Configuring Access to Systems Manager.

    By default, Systems Manager doesn't have permission to perform actions on your instances. You must grant access by using an IAM instance profile. An instance profile is a container that passes IAM role information to an Amazon EC2 instance at launch.

    You should review the whole configuration guide and make sure you have configured all required roles appropriately.
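
One way to check the condition this answer describes, as an added example that is not part of the original post: it compares running EC2 instances against what Systems Manager has registered and reports which ones lack an instance profile. The function names, `StubClient`, the sample instance IDs and the profile ARN are constructed for illustration; with real clients, call `diagnose(boto3.client("ec2"), boto3.client("ssm"))`.

```python
# Added example; StubClient and the SAMPLE_* data are constructed so it runs offline.
def running_instances(ec2):
    """Map running instance id -> instance profile ARN (None if none attached)."""
    found = {}
    pages = ec2.get_paginator("describe_instances").paginate(
        Filters=[{"Name": "instance-state-name", "Values": ["running"]}])
    for page in pages:
        for reservation in page["Reservations"]:
            for inst in reservation["Instances"]:
                profile = inst.get("IamInstanceProfile")
                found[inst["InstanceId"]] = profile["Arn"] if profile else None
    return found

def managed_instances(ssm):
    """Map instance id -> PingStatus for everything registered with SSM."""
    pages = ssm.get_paginator("describe_instance_information").paginate()
    return {info["InstanceId"]: info["PingStatus"]
            for page in pages for info in page["InstanceInformationList"]}

def diagnose(ec2, ssm):
    """Say, per running instance, whether send_command can reach it and why not."""
    managed = managed_instances(ssm)
    report = {}
    for instance_id, profile_arn in running_instances(ec2).items():
        if managed.get(instance_id) == "Online":
            report[instance_id] = "ok"
        elif instance_id in managed:
            report[instance_id] = "registered, agent " + managed[instance_id]
        elif profile_arn is None:
            report[instance_id] = "no instance profile: agent has no credentials"
        else:
            report[instance_id] = "profile attached, not registered: check role permissions"
    return report

class StubClient:  # constructed stand-in for a boto3 client; replays fixed pages
    def __init__(self, pages):
        self.pages = pages
    def get_paginator(self, operation_name):
        return self
    def paginate(self, **kwargs):
        return iter(self.pages)

PROFILE = {"Arn": "arn:aws:iam::111122223333:instance-profile/ExampleSsmProfile"}
SAMPLE_EC2 = StubClient([{"Reservations": [{"Instances": [
    {"InstanceId": "i-00000000000000001"},
    {"InstanceId": "i-00000000000000002", "IamInstanceProfile": PROFILE},
    {"InstanceId": "i-00000000000000003", "IamInstanceProfile": PROFILE}]}]}])
SAMPLE_SSM = StubClient([{"InstanceInformationList": [
    {"InstanceId": "i-00000000000000003", "PingStatus": "Online"}]}])
```

An instance reported as having no instance profile matches the `NoCredentialProviders` message in the agent log from the question, and passing its ID to `send_command` gives `InvalidInstanceId`.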