SSM document does not use role to modify volume
I am trying to modify an existing volume on an EC2 instance using SSM. I attached a role with a policy that allows to modify volumes on EC2 instances. The permission I picked in the policy is called ModifyVolume. When I try to run my script it gives me the following message:
An error occurred (UnauthorizedOperation) when calling the ModifyVolume operation: You are not authorized to perform this operation.
I am sure that the policy I use grants me this permission so I wonder why it does not work?
This is my SSM document:
---
schemaVersion: "2.2"
assumeRole: "{{AutomationAssumeRole}}"
description: "Resizes the specified EBS volume to the target size"
parameters:
AutomationAssumeRole:
type: "String"
description: "The ARN of the role that allows Automation to perform the actions on your behalf."
default: "arn:aws:iam::accountnumber:role/SSMUpdateVolume"
VolumeId:
type: "String"
description: "(Required) EBS volume ID"
Size:
type: "String"
description: "(Required) Target size for the selected volume in GB"
mainSteps:
- action: "aws:runShellScript"
name: "ModifyVolumeSize"
inputs:
runCommand:
- "export AWS_DEFAULT_REGION=eu-central-1"
- "aws ec2 modify-volume --size {{Size}} --volume-id {{VolumeId}}"
This is the role I need below:
I noticed that it works when I assign the permission directly to the role which is assigned to the instance itself. However, I want to only allow this permission temporarily when I use the SSM document. So this means the SSM document does not apply this permission, but uses the one on the instance itself where this ModifyVolume permission is missing. How can I fix this?
I assume that this might be because I am using the aws:runShellScript command, so that it does not apply the role at all and simply calls the scripts on the instance? Could that be the reason? And if that is the case what do I need to do to make this work?
It took me some time to wrap my head around this question, but I think I've got an answer:
AWS Systems Manager Documents work in the following way:
They have actions (e.g. aws:runShellScript, aws:createStack, etc.)
These actions use either the default SSM service role, or a role injected via assumeRole.
That means in your example the action aws:runShellScript is executed using the role SSMUpdateVolume.
However, the the individual commands in the shell script are run using local permissions on the EC2 instance, i.e. the role attached to the Instance Profile, which doesn't have the required permissions.
So, it makes sense that this doesn't work.
To achieve what you want, you could--instead of executing the shell commands--use the aws:executeAwsApi action to modify the volume.
Please note: You are using a document of type Command. For this to work, you need to create a document of type Automation. To do this, when in the AWS Systems Manager Documents console, please choose Create automation instead of Create command or session.
The final document could look similar to the following:
description: Resizes the specified EBS volume to the target size
schemaVersion: '0.3'
assumeRole: '{{ AutomationAssumeRole }}'
parameters:
AutomationAssumeRole:
type: String
default: 'arn:aws:iam::accountnumber:role/SSMUpdateVolume'
description: The ARN of the role that allows Automation to perform the actions on your behalf.
VolumeId:
type: String
description: (Required) EBS volume ID
Size:
type: String
description: (Required) Target size for the selected volume in GB
mainSteps:
- name: ModifyVolumeSize
action: 'aws:executeAwsApi'
inputs:
Service: ec2
Api: ModifyVolume
Size: '{{ Size }}'
VolumeId: '{{ VolumeId }}'
- AWS ElasticBeanstalk EC2 Termination Protection
- Install pgAgent on AWS RDS for Postgres
- Row was updated or deleted by another transaction (or unsaved-value mapping was incorrect)
- List all parameters in AWS SSM Parameter Store
- AWS push_down_predicate not working with DynamoDb
- localstack AWS S3 javascript error : getaddrinfo ENOTFOUND bucketname.localhost
- AWS ECS agent won't start
- AWS VPC (Virtual Private Cloud), rapidly increasing expenses
- SemaphoreCI OIDC AWS connection
- Can't delete AWS internet Gateway
- How to provide multiple StringNotEquals conditions in AWS policy?
- Not able to get ECS fargate metrics on Datadog
- 502 "Internal Server Error" with API Gateway + Lambda when deploying
- Java Springboot application not able to connect to AWS Elasticache Valkey Cache (Serverless)
- Splitting PDF with PyPDF2 in Lambda function
- "libdbus-glib-1.so.2: cannot open shared object file: No such file or directory"
- Partial credentials found in env, missing: AWS_SECRET_ACCESS_KEY
- Best way to store Firebase admin private key file for AWS lambda
- AWS Elastic Beanstalk and Secret Manager
- Unable to upload data using sagemaker_session.upload_data in s3 bucket that I created, it is getting stored in default s3 bucket
- Parse Aws IoT message in python
- How to temporarily switch profiles for AWS CLI?
- Python Sqlalchemy insert data into AWS Redshift
- Using AWS Bedrock Prompt Management with InvokeCommand
- How to skip IAM change confirmation during a cdk deploy?
- Restarting AWS lambda function to clear cache
- How to send data to API Post to be used by Lambda Function
- Why is postman showing error message but react app not showing it?
- Terraform shows `InvalidGroup.NotFound` while creating an EC2 instance
- How to delete keys matching pattern in AWS Elasticache Valkey