Tags: amazon-web-services, amazon-ec2, aws-lambda, amazon-iam, aws-ssm

Access Denied when executing Lambda Function with SSM Run Command on EC2


I have an EC2 instance on which I have some scripts I want to run every day at a certain time. In order to automate this, I implemented a lambda function with the code from https://gist.github.com/lrakai/18303e1fc1fb1d8635cc20eee73a06a0, adapted to my region, instance and shell commands. I plan to link it to EventBridge for scheduled execution.

My EC2 has an installed and updated SSM Agent, my Lambda Function has the following policies: AWSEC2FullAccess and another custom generated policy for using log group. When testing the function, I get the following error:

    An error occurred (AccessDeniedException) when calling the SendCommand operation: user [my Lambda's ARN] is not authorized to perform: ssm:SendCommand on resource: [my EC2 ARN] because no identity-based policy allows the ssm:SendCommand action",   "errorType": "ClientError"

I cannot find the policy I need to attach to the Lambda function's role to allow this action to go through, and I am not sure which resources to specify if creating one.

PS. I tried an alternative architecture with an EventBridge Rule directly targeting Systems Manager Run Command, with Target Key "InstanceIds", Target Value [my instance id], and the commands in the constant parameter section, but unfortunately it didn't work, so I am trying this way instead.

Happy to provide any more info if necessary. Thanks for any leads.


Solution

  • arn:aws:iam::aws:policy/AmazonEC2FullAccess does not include ssm permissions. To rectify that you can add an inline policy to your function role:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "ssm:SendCommand",
                "Resource": "*"
            }
        ]
    }
    

    You can replace * with the ARN of the command you want to use to be more explicit.
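As an added example (not part of the question or the answer above), the following Python sketch shows a least-privilege alternative to `"Resource": "*"`: ssm:SendCommand is scoped to the SSM document the Lambda uses and to the one target instance. Region, account and instance id are placeholders, and `is_allowed` is a deliberately simplified policy matcher written for illustration, not IAM's real evaluator; it only shows why an EC2-only policy produces the AccessDeniedException and why the scoped policy passes.

```python
import fnmatch
import json

# Constructed placeholder values (not taken from the question).
REGION, ACCOUNT, INSTANCE_ID = "eu-west-1", "123456789012", "i-0123456789abcdef0"
DOCUMENT_ARN = f"arn:aws:ssm:{REGION}::document/AWS-RunShellScript"
INSTANCE_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/{INSTANCE_ID}"

# Least-privilege alternative to "Resource": "*": SendCommand is allowed only
# with the AWS-RunShellScript document and only against the one instance.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ssm:SendCommand",
        "Resource": [DOCUMENT_ARN, INSTANCE_ARN],
    }],
}

# What an EC2-only managed policy amounts to for this question: ec2:* and nothing else.
EC2_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Simplified identity-policy check (illustration only): an explicit Deny
    wins; otherwise the request is allowed only if some Allow statement matches
    both the action (case-insensitive) and the resource. '*' matches across ':'
    and '/' as in IAM. Conditions and resource-based policies are ignored."""
    allowed = False
    for st in policy["Statement"]:
        act_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"]))
        res_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
        if act_ok and res_ok:
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def check_send_command(policy, instance_arn=INSTANCE_ARN):
    """SendCommand must be authorised on every resource in the request: the
    document and each target instance. Returns one verdict per resource."""
    return {r: is_allowed(policy, "ssm:SendCommand", r) for r in (DOCUMENT_ARN, instance_arn)}

if __name__ == "__main__":
    print(json.dumps(SCOPED_POLICY, indent=2))
    print(check_send_command(EC2_ONLY_POLICY))  # both False: the error in the question
    print(check_send_command(SCOPED_POLICY))    # both True
```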