How do I configure an IAM role to enable SSM for a new EC2 instance?

Vad*_*rov 5 amazon-web-services amazon-iam aws-cli aws-ssm

I am running the following commands:

```sh
KEY=test
QUERY=ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210430

aws ec2 create-key-pair --key-name $KEY --query 'KeyMaterial' --output text > $KEY.pem
chmod 600 $KEY.pem

aws ec2 create-security-group --group-name "$KEY" --description "$KEY" --output text > $KEY.sg.txt
SGID=$(cat $KEY.sg.txt)
# opens SSH to the whole internet; once SSM works this rule is no longer needed
aws ec2 authorize-security-group-ingress --group-id $SGID --protocol tcp --port 22 --cidr 0.0.0.0/0 > $KEY.sg.json

AMIID=$(aws ec2 describe-images --filters "Name=name,Values=$QUERY" --query "reverse(sort_by(Images, &CreationDate))[0].[ImageId]" --output text)
# --security-group-ids takes the group ID (use --security-groups for a group name)
INSTANCEID=$(aws ec2 run-instances --count 1 --instance-type t2.micro --key-name "$KEY" --security-group-ids "$SGID" --image-id $AMIID --query 'Instances[*].InstanceId' --output text)

# after a wait, instance appears running

aws ssm describe-instance-information --output text
# prints nothing

aws ssm send-command --instance-ids "$INSTANCEID" --document-name "AWS-RunShellScript" --comment "IP config" --parameters commands=ifconfig --output text
# fails with invalid InstanceId
```

I tried ssh; the SSM agent appears to be running, and from https://aws.amazon.com/premiumsupport/knowledge-center/systems-manager-ec2-instance-not-appear/ it looks like the IAM role is misconfigured.


How do I correctly configure the IAM role / IAM instance profile so that the SSM agent works and I can run commands with it? Or, given the logs, could there be some other problem?


Thank you!


ssh works:

```
$ sudo cat /var/log/amazon/ssm/amazon-ssm-agent.log
2021-10-21 14:43:21 WARN Error adding the directory '/etc/amazon/ssm' to watcher: no such file or directory
2021-10-21 14:43:21 INFO [amazon-ssm-agent] amazon-ssm-agent - v3.0.529.0
2021-10-21 14:43:21 INFO [amazon-ssm-agent] OS: linux, Arch: amd64
2021-10-21 14:43:22 INFO [amazon-ssm-agent] [LongRunningWorkerContainer] [WorkerProvider] Worker ssm-agent-worker is not running, starting worker process
2021-10-21 14:43:22 INFO [amazon-ssm-agent] [LongRunningWorkerContainer] [WorkerProvider] Worker ssm-agent-worker (pid:1185) started
2021-10-21 14:43:22 INFO [amazon-ssm-agent] [LongRunningWorkerContainer] Monitor long running worker health every 60 seconds
2021-10-21 14:43:23 WARN Error adding the directory '/etc/amazon/ssm' to watcher: no such file or directory
2021-10-21 14:43:23 INFO [ssm-agent-worker] Dial to Core Agent broadcast channel
2021-10-21 14:43:23 INFO [ssm-agent-worker] Start to listen to Core Agent termination channel
2021-10-21 14:43:23 INFO [ssm-agent-worker] Dial to Core Agent broadcast channel
2021-10-21 14:43:23 INFO [ssm-agent-worker] Start to listen to Core Agent health channel
2021-10-21 14:43:23 INFO [ssm-agent-worker] Create new startup processor
2021-10-21 14:43:23 INFO [ssm-agent-worker] [StartupProcessor] Executing startup processor tasks
2021-10-21 14:43:23 INFO [ssm-agent-worker] [StartupProcessor] Write to serial port: Amazon SSM Agent v3.0.529.0 is running
2021-10-21 14:43:23 INFO [ssm-agent-worker] [StartupProcessor] Write to serial port: OsProductName: Ubuntu
2021-10-21 14:43:23 INFO [ssm-agent-worker] [StartupProcessor] Write to serial port: OsVersion: 20.04
2021-10-21 14:43:23 INFO [ssm-agent-worker] Entering SSM Agent hibernate - EC2RoleRequestError: no EC2 instance role found
caused by: EC2MetadataError: failed to make EC2Metadata request
        status code: 404, request id:
caused by: <?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>404 - Not Found</title>
 </head>
 <body>
  <h1>404 - Not Found</h1>
 </body>
</html>
```

```
$ sudo snap services amazon-ssm-agent

Service                            Startup  Current  Notes
amazon-ssm-agent.amazon-ssm-agent  enabled  active   -

$ sudo systemctl status snap.amazon-ssm-agent.amazon-ssm-agent.service

● snap.amazon-ssm-agent.amazon-ssm-agent.service - Service for snap application amazon-ssm-agent.amazon-ssm-agent
     Loaded: loaded (/etc/systemd/system/snap.amazon-ssm-agent.amazon-ssm-agent.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-10-21 14:43:20 UTC; 4min 32s ago
   Main PID: 1153 (amazon-ssm-agen)
      Tasks: 17 (limit: 1160)
     Memory: 94.9M
     CGroup: /system.slice/snap.amazon-ssm-agent.amazon-ssm-agent.service
             ├─1153 /snap/amazon-ssm-agent/3552/amazon-ssm-agent
             └─1185 /snap/amazon-ssm-agent/3552/ssm-agent-worker

Oct 21 14:43:20 ip-172-31-28-150 systemd[1]: Started Service for snap application amazon-ssm-agent.amazon-ssm-agent.
Oct 21 14:43:21 ip-172-31-28-150 amazon-ssm-agent.amazon-ssm-agent[1153]: Error occurred fetching the seelog config file path:  open /etc/amazon/ssm/seelog.xml: no such file or directory
Oct 21 14:43:21 ip-172-31-28-150 amazon-ssm-agent.amazon-ssm-agent[1153]: Initializing new seelog logger
Oct 21 14:43:21 ip-172-31-28-150 amazon-ssm-agent.amazon-ssm-agent[1153]: New Seelog Logger Creation Complete
Oct 21 14:43:21 ip-172-31-28-150 amazon-ssm-agent.amazon-ssm-agent[1153]: 2021-10-21 14:43:21 WARN Error adding the directory '/etc/amazon/ssm' to watcher: no such file or directory
Oct 21 14:43:21 ip-172-31-28-150 amazon-ssm-agent.amazon-ssm-agent[1153]: 2021-10-21 14:43:21 INFO [amazon-ssm-agent] amazon-ssm-agent - v3.0.529.0
Oct 21 14:43:21 ip-172-31-28-150 amazon-ssm-agent.amazon-ssm-agent[1153]: 2021-10-21 14:43:21 INFO [amazon-ssm-agent] OS: linux, Arch: amd64
Oct 21 14:43:22 ip-172-31-28-150 amazon-ssm-agent.amazon-ssm-agent[1153]: 2021-10-21 14:43:22 INFO [amazon-ssm-agent] [LongRunningWorkerContainer] [WorkerProvider] Worker ssm-agent-worker is not running, starting worker process
Oct 21 14:43:22 ip-172-31-28-150 amazon-ssm-agent.amazon-ssm-agent[1153]: 2021-10-21 14:43:22 INFO [amazon-ssm-agent] [LongRunningWorkerContainer] [WorkerProvider] Worker ssm-agent-worker (pid:1185) started
Oct 21 14:43:22 ip-172-31-28-150 amazon-ssm-agent.amazon-ssm-agent[1153]: 2021-10-21 14:43:22 INFO [amazon-ssm-agent] [LongRunningWorkerContainer] Monitor long running worker health every 60 seconds
```

Kor*_*gen 4

I assume your EC2 instance has internet access through an internet gateway. If not, you will have to set up VPC endpoints for SSM (see https://aws.amazon.com/blogs/mt/automated-configuration-of-session-manager-without-an-internet-gateway/).

Then you need to attach an instance profile with the appropriate permissions to your instance. For this you can use the existing managed policy `AmazonSSMManagedInstanceCore`. Attach the profile with `--iam-instance-profile` in the `aws ec2 run-instances` command you use.

You can find a hands-on lab at https://acloudguru.com/hands-on-labs/creating-an-ssm-iam-role-and-configuring-an-ec2-instance-with-aws-systems-manager-via-the-cli which seems to describe all the necessary steps for creating an instance profile and attaching it to an instance via the CLI. Note that this lab does not use the `AmazonSSMManagedInstanceCore` managed policy, but the steps stay the same.
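The steps the answer describes, as an added example (not code from the question or the answer): an EC2 trust policy, a role carrying `AmazonSSMManagedInstanceCore`, an instance profile, attachment to an instance, and a check that the agent registers. It assumes the name `ssm-example-role` for role and profile and calls the CLI through the `$AWS` variable so the functions can be pointed at a stub.

```shell
# Added example; not from the original question or answer.
# Assumes role/profile "ssm-example-role" and the AWS CLI reachable as $AWS.
# IAM is eventually consistent: a freshly created profile can take a few
# seconds before EC2 accepts it in run-instances / associate-iam-instance-profile.
set -eu
AWS="${AWS:-aws}"
ROLE_NAME="${ROLE_NAME:-ssm-example-role}"

# Trust policy: only the EC2 service may assume the role (nothing else gets
# the credentials the agent reads from instance metadata).
ec2_trust_policy() {
  cat <<'EOF'
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"Service": "ec2.amazonaws.com"},
                "Action": "sts:AssumeRole"}]}
EOF
}

create_ssm_instance_profile() {
  $AWS iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(ec2_trust_policy)" >/dev/null
  # Managed policy with just what the agent needs to register and run commands.
  $AWS iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  $AWS iam create-instance-profile --instance-profile-name "$ROLE_NAME" >/dev/null
  $AWS iam add-role-to-instance-profile \
    --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
}

# For an instance that is already running. For a new one, pass
# "--iam-instance-profile Name=$ROLE_NAME" to `aws ec2 run-instances` instead.
attach_profile() {
  $AWS ec2 associate-iam-instance-profile --instance-id "$1" \
    --iam-instance-profile "Name=$ROLE_NAME"
}

# Poll until SSM reports the instance Online. The agent picks up the new
# metadata credentials by itself but may need a few minutes (or a restart).
wait_for_ssm() {
  id="$1"; tries="${2:-30}"
  for _ in $(seq "$tries"); do
    status=$($AWS ssm describe-instance-information \
      --filters "Key=InstanceIds,Values=$id" \
      --query 'InstanceInformationList[0].PingStatus' --output text)
    [ "$status" = "Online" ] && return 0
    sleep 10
  done
  return 1
}
```

Once `wait_for_ssm` returns 0, the `send-command` call from the question should accept the instance ID.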