Tags: amazon-web-services, amazon-ec2, aws-session-manager

AWS Session Manager Exception for ListAssociation


Encountered the below error while doing a health check for Session Manager on AWS:

amazon-ssm-agent[17614]: 2020-05-19 12:57:35 ERROR [MessagingDeliveryService] [Association] Unable to load instance associations, unable to retrieve associations unable to retrieve associations AccessDeniedException: User: arn:aws:sts::395456465418:assumed-role/SessionManagerInstanceProfile/i-02c8c2ae1dce2ce84 is not authorized to perform: ssm:ListAssociations on resource: arn:aws:ssm:ap-southeast-1:395456465418:*

I believe this is caused by insufficient privileges granted to the instance IAM policy. But what additional access should I grant in order to resolve this error?

Below is the current inline policy, which was copied from the AWS documentation.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel",
                "ssm:UpdateInstanceInformation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::ec2-sessionmanager-logs"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetEncryptionConfiguration"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "kms:GenerateDataKey",
            "Resource": "*"
        }
    ]
}


Solution

  • The error message indicates:

    is not authorized to perform: ssm:ListAssociations

    The action:

    Grants permission to list the associations for a specified SSM document or managed instance

    Thus, the policy should contain: ssm:ListAssociations. Currently, in the policy you've posted in the question, there is no such action permitted.
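A way to turn this kind of agent error into a repeatable check, as an added example that is not part of the question or the answer: the script below takes the policy and the log line from the question, parses the AccessDeniedException to recover the principal, action and resource, and evaluates the policy against that request with a deliberately simplified model of IAM (Allow/Deny with `*` and `?` wildcards, no Condition, NotAction or NotResource, no resource or SCP policies). It then shows that appending an Allow for ssm:ListAssociations makes the denied request pass. The `QUESTION_POLICY` dict is the question's inline policy transcribed into Python; everything else is example code written for this page.

```python
"""Check an EC2 instance-profile policy against an SSM agent AccessDeniedException.

Added example for this page, not code from the original question or answer.
The evaluator is a simplified model of IAM identity-policy evaluation: explicit
Deny wins, otherwise some Allow statement must match both action and resource.
Condition, NotAction, NotResource, resource policies and SCPs are not modelled.
"""
import fnmatch
import json
import re

# Agent log line copied from the question, wrapped here for readability.
AGENT_LOG = (
    "amazon-ssm-agent[17614]: 2020-05-19 12:57:35 ERROR [MessagingDeliveryService] "
    "[Association] Unable to load instance associations, unable to retrieve "
    "associations unable to retrieve associations AccessDeniedException: User: "
    "arn:aws:sts::395456465418:assumed-role/SessionManagerInstanceProfile/"
    "i-02c8c2ae1dce2ce84 is not authorized to perform: ssm:ListAssociations "
    "on resource: arn:aws:ssm:ap-southeast-1:395456465418:*"
)

# The inline policy from the question, transcribed unchanged into a dict.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
            "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel",
            "ssm:UpdateInstanceInformation"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "logs:CreateLogStream", "logs:PutLogEvents",
            "logs:DescribeLogGroups", "logs:DescribeLogStreams"]},
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::ec2-sessionmanager-logs"},
        {"Effect": "Allow", "Action": ["s3:GetEncryptionConfiguration"], "Resource": "*"},
        {"Effect": "Allow", "Action": "kms:GenerateDataKey", "Resource": "*"},
    ],
}

# The three fields IAM puts into every AccessDeniedException message.
DENIED_RE = re.compile(
    r"AccessDeniedException: User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>\S+) on resource: (?P<resource>\S+)"
)


def parse_access_denied(line):
    """Extract principal, action and resource from an AccessDeniedException line, or None."""
    m = DENIED_RE.search(line)
    return m.groupdict() if m else None


def _as_list(value):
    # IAM accepts a bare string or a list for Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    """IAM wildcard matching: '*' is any run of characters, '?' one character (case-insensitive)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def policy_allows(policy, action, resource):
    """Simplified identity-policy evaluation (explicit Deny wins, else any matching Allow)."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(_iam_match(a, action) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def diagnose(policy, log_line):
    """Map one agent error line to a verdict: the denied request plus whether the policy covers it."""
    denied = parse_access_denied(log_line)
    if denied is None:
        return None
    denied["allowed"] = policy_allows(policy, denied["action"], denied["resource"])
    return denied


def add_allow(policy, actions, resource="*"):
    """Return a deep copy of the policy with one extra Allow statement appended."""
    patched = json.loads(json.dumps(policy))
    patched["Statement"].append({"Effect": "Allow", "Action": list(actions), "Resource": resource})
    return patched


if __name__ == "__main__":
    verdict = diagnose(QUESTION_POLICY, AGENT_LOG)
    print(f"{verdict['action']} on {verdict['resource']}: allowed={verdict['allowed']}")
    fixed = add_allow(QUESTION_POLICY, ["ssm:ListAssociations"])
    print("after adding ssm:ListAssociations:", policy_allows(fixed, verdict["action"], verdict["resource"]))
```

Two caveats the same evaluator surfaces. First, the s3:PutObject statement in the question names the bucket ARN only; PutObject is an object-level action, so a real write to `arn:aws:s3:::ec2-sessionmanager-logs/<key>` does not match it and the resource needs a `/*` suffix. Second, ssm:ListAssociations is only the first permission the agent's association path asks for; the reference set for a managed instance is the AWS-managed policy AmazonSSMManagedInstanceCore, and the authoritative check is IAM's own policy simulator (the iam:SimulatePrincipalPolicy API), which this offline script only approximates.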