
Thursday, May 26, 2016

Testing out AWS ssm

I was poking around the AWS CLI and testing out different features / functionality. Amazon's ssm caught my eye. I decided to have a look at the remote functionality offered by this tool. I'm consolidating all the notes I found in different resources here, to do a simple test. Here's a high level overview of what it took me to get this configured and working properly:

1. Create a role and policy and assign that to an EC2 instance at launch time. You can't assign it to a running instance. The policy I assigned to the role that I attached to the instance is called: AmazonEC2RoleforSSM

2. Assign permissions to the user that will be executing the commands. The name of the policy is: AmazonSSMFullAccess

Of course, for your environment, make sure you adhere to your security requirements.  There are better ways to restrict this.

3. Deploy the instance and install the ssm agent. You can either install the agent by passing user-data or manually afterwards. It's a simple rpm package.

4. Create an SSM document, mine was:

{
  "schemaVersion": "1.2",
  "description": "Check ip configuration of a Linux instance.",
  "parameters": {
  },
  "runtimeConfig": {
    "aws:runShellScript": {
      "properties": [
        {
          "id": "0.aws:runShellScript",
          "runCommand": ["ifconfig"]
        }
      ]
    }
  }
}

From the examples here: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-ssm-doc.html

5. Associate the ssm document to the instance:

aws ssm create-association --instance-id i-9f4ba703 --name Test-Document-Scollier-Delete

6. Run the command:

$ aws ssm send-command --document-name "Test-Document-Scollier-Delete" --instance-ids "i-9f4ba703" --region us-east-1

{
    "Command": {
        "Status": "Pending",
        "ExpiresAfter": 1464091829.69,
        "Parameters": {},
        "DocumentName": "Test-Document-Scollier-Delete",
        "InstanceIds": [
            "i-9f4ba703"
        ],
        "CommandId": "db1bcbbc-556a-48a3-bcc1-0bc5bb88c2f8",
        "RequestedDateTime": 1464091229.69
    }
}


7. Then you can check the output either via CLI or in the AWS console.  It's really as simple as that.
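Steps 6 and 7 as a small Python function, added here and not part of the original post: it sends the document to one instance and then polls list_command_invocations until the invocation reaches a terminal status, since send-command itself only ever reports "Pending". A constructed FakeSSM class stands in for boto3's SSM client (whose send_command and list_command_invocations calls have the same shape) so the block runs offline; the instance id, document name and CommandId are the ones from the post.

```python
import time

# Invocation statuses SSM will not change again.
TERMINAL = {"Success", "Failed", "TimedOut", "Cancelled"}


class CommandFailed(RuntimeError):
    """Invocation reached a terminal status other than Success."""


def run_and_collect(ssm, instance_id, document_name, max_polls=30, poll_s=2.0, sleep=time.sleep):
    """Send `document_name` to one instance and return its aws:runShellScript output.

    `ssm` is a boto3 SSM client or anything with the same send_command /
    list_command_invocations shape. Raises CommandFailed on Failed/TimedOut/
    Cancelled and TimeoutError once max_polls is exhausted.
    """
    resp = ssm.send_command(InstanceIds=[instance_id], DocumentName=document_name)
    command_id = resp["Command"]["CommandId"]          # send-command only reports "Pending"
    for _ in range(max_polls):
        page = ssm.list_command_invocations(CommandId=command_id, InstanceId=instance_id, Details=True)
        invocations = page.get("CommandInvocations", [])
        # The per-instance invocation can lag the command, so an empty list is normal at first.
        if invocations and invocations[0]["Status"] in TERMINAL:
            inv = invocations[0]
            output = "".join(p.get("Output", "") for p in inv.get("CommandPlugins", []))
            if inv["Status"] != "Success":
                raise CommandFailed(f"{command_id} on {instance_id}: {inv['Status']}: {output.strip()}")
            return output
        sleep(poll_s)
    raise TimeoutError(f"{command_id} on {instance_id}: no terminal status after {max_polls} polls")


class FakeSSM:
    """Constructed stand-in for the real client: Pending, then InProgress, then final_status."""

    def __init__(self, final_status="Success", output="eth0: inet 10.0.0.5\n"):
        self.final_status, self.output, self.polls = final_status, output, 0

    def send_command(self, InstanceIds, DocumentName, **kwargs):
        return {"Command": {"CommandId": "db1bcbbc-556a-48a3-bcc1-0bc5bb88c2f8", "Status": "Pending",
                            "InstanceIds": InstanceIds, "DocumentName": DocumentName}}

    def list_command_invocations(self, CommandId, InstanceId, Details=False, **kwargs):
        self.polls += 1
        status = ("Pending", "InProgress")[self.polls - 1] if self.polls <= 2 else self.final_status
        plugins = [{"Name": "aws:runShellScript", "Status": status, "Output": self.output}] if Details else []
        return {"CommandInvocations": [{"CommandId": CommandId, "InstanceId": InstanceId,
                                        "Status": status, "CommandPlugins": plugins}]}
```

Against the real client, pass `boto3.client("ssm", region_name="us-east-1")` as `ssm` and leave `sleep` at its default; the failure branch is what keeps a "Failed" invocation from being mistaken for empty output.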

Resources I used:

http://www.awsomeblog.com/amazon-ec2-simple-systems-manager/
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/walkthrough-cli.html
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/execute-remote-commands.html

I was looking for different use cases, and David Duncan summed it up quite nicely here as a reply to one of my tweets:
