SSM
TL;DR
Usage
# Start sessions.
aws ssm start-session --target 'instance-id'
# Run commands.
aws ssm start-session \
--target 'instance-id' \
--document-name 'CustomCommandSessionDocument' \
--parameters '{"logpath":["/var/log/amazon/ssm/amazon-ssm-agent.log"]}'
Real world use cases
Gotchas
- SSM starts shell sessions under /usr/bin (source: "Other shell profile configuration options"): "By default, Session Manager starts in the "/usr/bin" directory."
Integrate with Ansible
Create a dynamic inventory named aws_ec2.yml.
It needs to be named like that to be found by the 'community.aws.aws_ssm' connection plugin.
# File: 'aws_ec2.yml'.
plugin: aws_ec2
regions:
  - eu-east-2
keyed_groups:
  # add hosts to 'tag_Name_<tag_value>' groups for each aws_ec2 host's 'Tags.Name' attribute
  - key: tags.Name
    prefix: tag_Name_
    separator: ""
  # add hosts to 'tag_application_<tag_value>' groups for each aws_ec2 host's 'Tags.application' attribute
  - key: tags.application
    prefix: tag_application_
    separator: ""
hostnames:
  # acts as keyword to use the instances' 'InstanceId' attribute
  # use 'private-ip-address' to use the instances' 'PrivateIpAddress' attribute instead
  - instance-id
Pitfalls:
- One shall not use the remote_user connection option, as it is not supported by the plugin. From the plugin notes: "The community.aws.aws_ssm connection plugin does not support using the remote_user and ansible_user variables to configure the remote user. The become_user parameter should be used to configure which user to run commands as. Remote commands will often default to running as the ssm-agent user, however this will also depend on how SSM has been configured."
- Since SSM starts shell sessions under /usr/bin, one must explicitly set Ansible's temporary directory to a folder the remote user can write to (source). Any of the following works:

  ANSIBLE_REMOTE_TMP='/tmp' ansible …

  # file: ansible.cfg
  remote_tmp=/tmp

  # playbook ('+' marks the lines to add)
  - hosts: all
  +  vars:
  +    ansible_remote_tmp: /tmp
     tasks: …

  This, or use the shell profiles in SSM's preferences to change the directory when logged in.
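The playbook below is an added example (not from the original page or the plugin's own docs) that ties the pieces above together: it targets a 'tag_application_<value>' group produced by the keyed_groups inventory, switches the connection to community.aws.aws_ssm, works around the /usr/bin and remote_user pitfalls, and verifies which user the commands actually run as. The tag value 'web', the S3 bucket name and the region are placeholders; the aws_ssm plugin needs an S3 bucket for file transfer, and it takes the instance id from inventory_hostname, which is why the inventory uses 'instance-id' as hostname.

```yaml
# Added example playbook. Assumes the 'aws_ec2.yml' inventory above, an instance
# tagged application=web (placeholder value) and an S3 bucket both the control
# node and the instance profile can read and write (placeholder name).
- hosts: tag_application_web
  gather_facts: false
  vars:
    ansible_connection: community.aws.aws_ssm
    ansible_aws_ssm_region: eu-east-2             # same region as in aws_ec2.yml
    ansible_aws_ssm_bucket_name: my-ssm-transfer-bucket  # placeholder
    # Sessions start in /usr/bin, which the session user cannot write to.
    ansible_remote_tmp: /tmp
    # remote_user / ansible_user are ignored by this plugin: escalate with become instead.
    ansible_become: true
    ansible_become_user: root
  tasks:
    - name: Record which user the commands really run as (depends on SSM configuration)
      ansible.builtin.command: id -un
      changed_when: false
      register: effective_user

    - name: Show the effective user and the remote temp dir in use
      ansible.builtin.debug:
        msg: "running as {{ effective_user.stdout }}, remote_tmp={{ ansible_remote_tmp }}"

    - name: Copy a file through the S3 bucket (exercises the transfer path the plugin relies on)
      ansible.builtin.copy:
        content: "managed via SSM\n"
        dest: /tmp/ssm-check.txt
        mode: "0644"
```

Run it with `ansible-playbook -i aws_ec2.yml playbook.yml`; no SSH port, key pair or bastion is involved, only the instance's SSM agent and IAM permissions for ssm:StartSession and the bucket.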