AWS SSM session manager not showing instances
I added the policy AmazonSSMManagedInstanceCore to the instance profile of the Windows instance (which is running the SSM agent)... but it doesn't show up under Session Manager.

It keeps saying: "There are no instances which are associated with the required IAM role." Any idea what is causing this?

(I've tried with an Amazon Linux 2 instance as well -- same result.)

Edit: Yes the instance is in a private subnet, with possibly no internet access -- so this is the likely problem.

Jaunitajaunt answered 12/5, 2021 at 22:6 Comment(2)
Celebration: You need to be more specific. Is your instance in a private subnet? Any security group or NACLs set up?
Albinus: Is the instance in a public subnet or a private subnet? If it is a private subnet, is there connectivity to the Internet?
AWS Session Manager establishes communication with the EC2 instance through the SSM API (using websockets). The subnet your instance is in must have access to the internet, via a NAT gateway for example (if it's in a private subnet), or you must create the following VPC endpoints:

  • com.amazonaws.[region].ec2messages
  • com.amazonaws.[region].ssmmessages
Subduct answered 12/5, 2021 at 22:44 Comment(1)
Somewise: See @Ivan's answer for a required update to this.
b.b3rn4rd is correct (just tested it): you need the two VPC endpoints for private subnets if you lack a NAT gateway

  • com.amazonaws.[region].ec2messages
  • com.amazonaws.[region].ssmmessages

but you need one more VPC endpoint for Systems Manager itself

  • com.amazonaws.[region].ssm

which you can see from AWS's own troubleshooting steps when the Systems Manager can't connect to the EC2 instance:

Verify connectivity to Systems Manager endpoints on port 443

The best method to verify connectivity depends on your operating system.

Important: In the following command examples, replace RegionID with your AWS Region ID.

For a list of Systems Manager endpoints by Region, see AWS Systems Manager endpoints and quotas.

...

nc -vz ssm.RegionID.amazonaws.com 443
nc -vz ec2messages.RegionID.amazonaws.com 443
nc -vz ssmmessages.RegionID.amazonaws.com 443

You also need to make sure the security group the VPC endpoints are in has an inbound rule that allows all inbound TCP traffic from the security group the instances are placed in.

Illicit answered 10/10, 2021 at 14:11 Comment(3)
Quadrangular: If your Session Manager preferences write session output to an Amazon S3 bucket or Amazon CloudWatch Logs log group, but an S3 gateway endpoint or Logs interface endpoint doesn't exist in the VPC, you might have issues as well (per docs: docs.aws.amazon.com/systems-manager/latest/userguide/…).
Quadrangular: It is also helpful to ensure the latest SSM agent is installed, e.g.: sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
Quadrangular: If you have a recent version of the SSM agent, and are able to get into the box by another means, run this command to help diagnose the issue you might be having: sudo ssm-cli get-diagnostics. If it complains about a VPC endpoint, it might help to update/create it to ensure all the right settings are there wrt VPC, subnet, and SG per reference.
Placing an instance in a private subnet will not be a problem for SSM if you have a NAT gateway configured for that private subnet (make sure the private subnet can reach the public internet: private subnet -> NAT gateway -> public subnet -> internet gateway).

There are three prerequisites for SSM to see the instances:

  1. The SSM agent shall be running.
  2. IAM permission: attach the policy "AmazonSSMManagedInstanceCore" to the role which is attached to the instance (you may need to restart the instance after you attach the policy).
  3. Connectivity to the service endpoint (if you have changed the outbound rule, try using 0.0.0.0 for all traffic to leave the instance as a test).

Hope the above can solve your problem.

Wisp answered 9/6, 2021 at 11:5 Comment(0)
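The following script is an added example and is not code from this thread or from AWS. It turns Wisp's three prerequisites and the nc checks quoted in Illicit's answer into one diagnostic you run on the instance itself: is the agent service active, does the instance metadata service report an instance profile, and can the ssm, ec2messages and ssmmessages endpoints for the Region be reached on TCP 443. It assumes an Amazon Linux 2 style host with systemd, nc and curl installed, the service name amazon-ssm-agent, and a REGION environment variable holding the Region ID (for example us-east-1); the checker can be swapped by passing a function name to endpoint_report, which is how it can be exercised without network access.

```shell
#!/bin/sh
# Added example (not from the thread or AWS): Session Manager prerequisite
# check to run on the instance. Assumes systemd, nc and curl are present
# and that REGION holds the AWS Region ID (e.g. us-east-1).

# Print the three hostnames Session Manager needs, one per line.
ssm_endpoints() {
    _region="$1"
    for _svc in ssm ec2messages ssmmessages; do
        echo "${_svc}.${_region}.amazonaws.com"
    done
}

# Default checker: TCP connect with a 3-second timeout; exit 0 on success.
check_endpoint() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Run a checker (default: check_endpoint) against every endpoint and print
# one "OK host" or "MISSING host" line each. The exit status is the number
# of unreachable endpoints, so 0 means all three are reachable.
endpoint_report() {
    _region="$1"
    _checker="${2:-check_endpoint}"
    _failures=0
    for _host in $(ssm_endpoints "$_region"); do
        if "$_checker" "$_host" 443; then
            echo "OK      $_host"
        else
            echo "MISSING $_host"
            _failures=$((_failures + 1))
        fi
    done
    return "$_failures"
}

# Prerequisite 1: is the agent service active?
agent_running() {
    systemctl is-active --quiet amazon-ssm-agent
}

# Prerequisite 2: does IMDS report an instance profile? Uses the IMDSv2
# token flow; /iam/info answers 404 when no profile is attached.
instance_profile_attached() {
    _token=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
    curl -s -f -H "X-aws-ec2-metadata-token: $_token" \
        "http://169.254.169.254/latest/meta-data/iam/info" >/dev/null
}

# Usage on the instance: REGION=us-east-1 sh ssm_check.sh
if [ -n "${REGION:-}" ]; then
    if agent_running; then
        echo "OK      amazon-ssm-agent is active"
    else
        echo "MISSING amazon-ssm-agent is not active"
    fi
    if instance_profile_attached; then
        echo "OK      instance profile attached"
    else
        echo "MISSING no instance profile (attach AmazonSSMManagedInstanceCore)"
    fi
    endpoint_report "$REGION"
fi
```

A MISSING line for exactly the ssm endpoint while the other two pass is the signature of the case Illicit describes (only the ec2messages and ssmmessages interface endpoints created); all three missing points at the subnet route or the endpoint security group rather than at the agent or the IAM role.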

© 2022 - 2024 — McMap. All rights reserved.