SSM
TL;DR
Usage
# Start sessions.
aws ssm start-session --target 'instance-id'
# Run commands.
aws ssm start-session \
  --target 'instance-id' \
  --document-name 'CustomCommandSessionDocument' \
  --parameters '{"logpath":["/var/log/amazon/ssm/amazon-ssm-agent.log"]}'
Real world use cases
Gotchas
- SSM starts shell sessions under /usr/bin (source):
  Other shell profile configuration options
  By default, Session Manager starts in the "/usr/bin" directory.
Integrate with Ansible
Create a dynamic inventory named aws_ec2.yml.
It needs to be named like that to be found by the 'community.aws.aws_ssm' connection plugin.
# File: 'aws_ec2.yml'.
plugin: aws_ec2
regions:
  - eu-west-1
keyed_groups:
  - key: tags.application
    # add hosts to tag_application_<tag_value> groups for each aws_ec2 host's
    # tags.application attribute
    prefix: tag_application_
    separator: ""
  - key: tags.Name
    # add hosts to tag_Name_<tag_value> groups for each aws_ec2 host's tags.Name
    # attribute
    prefix: tag_Name_
    separator: ""
hostnames:
  # use the EC2 instance ID as the inventory hostname
  - instance-id
Pitfalls:
- One shall not use the remote_user connection option, as it is not supported by the plugin.
  From the plugin notes:
  The community.aws.aws_ssm connection plugin does not support using the remote_user and ansible_user variables to configure the remote user. The become_user parameter should be used to configure which user to run commands as. Remote commands will often default to running as the ssm-agent user, however this will also depend on how SSM has been configured.
- Since SSM starts shell sessions under /usr/bin, one must explicitly set Ansible's temporary directory to a folder the remote user can write to (source):

  ANSIBLE_REMOTE_TMP='/tmp' ansible…

  # file: ansible.cfg
  remote_tmp=/tmp

  - hosts: all + vars: + ansible_remote_tmp: /tmp tasks: …
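A pre-flight check for the two pitfalls above, as an added example that is not part of the original page or of the plugin: it reads the JSON printed by `ansible-inventory --list` and flags SSM-connected hosts that set an unsupported user variable or lack a usable remote temporary directory. It assumes these settings live in inventory variables (not in ansible.cfg or the environment); the function name, constants and sample hosts are hypothetical.

```python
import json

# Connection names treated as SSM (short name and fully qualified name).
SSM_CONNECTIONS = {"aws_ssm", "community.aws.aws_ssm"}
# Per the plugin notes quoted above, these do not configure the remote user.
UNSUPPORTED_USER_VARS = ("remote_user", "ansible_user")
SSM_START_DIR = "/usr/bin"  # where Session Manager starts shell sessions


def lint_ssm_inventory(inventory):
    """Return {host: [finding, ...]} for SSM-connected hosts with a pitfall."""
    report = {}
    hostvars = inventory.get("_meta", {}).get("hostvars", {})
    for host in sorted(hostvars):
        hv = hostvars[host]
        if hv.get("ansible_connection") not in SSM_CONNECTIONS:
            continue  # SSH and other connections are out of scope
        findings = [
            f"{var} is not supported by the plugin; use become_user"
            for var in UNSUPPORTED_USER_VARS if var in hv
        ]
        tmp = hv.get("ansible_remote_tmp")
        if tmp is None:
            findings.append("ansible_remote_tmp is not set")
        elif tmp.rstrip("/") == SSM_START_DIR or tmp.startswith(SSM_START_DIR + "/"):
            findings.append(f"ansible_remote_tmp is under {SSM_START_DIR}")
        if findings:
            report[host] = findings
    return report


# Constructed sample in the shape of `ansible-inventory --list` JSON output.
SAMPLE = json.loads("""
{"_meta": {"hostvars": {
  "i-0aaaaaaaaaaaaaaa1": {"ansible_connection": "community.aws.aws_ssm",
                          "ansible_user": "ec2-user"},
  "i-0aaaaaaaaaaaaaaa2": {"ansible_connection": "community.aws.aws_ssm",
                          "ansible_remote_tmp": "/tmp"},
  "i-0aaaaaaaaaaaaaaa3": {"ansible_connection": "aws_ssm",
                          "ansible_remote_tmp": "/usr/bin/.ansible"},
  "bastion": {"ansible_connection": "ssh", "ansible_user": "admin"}
}}}
""")

if __name__ == "__main__":
    for host, findings in lint_ssm_inventory(SAMPLE).items():
        for finding in findings:
            print(f"{host}: {finding}")
```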