I have an EC2 instance on which I have some scripts I want to run every day at a certain time. In order to automate this, I implemented a lambda function with the code from https://gist.github.com/lrakai/18303e1fc1fb1d8635cc20eee73a06a0, adapted to my region, instance and shell commands. I plan to link it to EventBridge for scheduled execution.
My EC2 instance has an installed and updated SSM Agent, and my Lambda function has the following policies: AWSEC2FullAccess and another custom-generated policy for using the log group. When testing the function, I get the following error:

An error occurred (AccessDeniedException) when calling the SendCommand operation: user [my Lambda's ARN] is not authorized to perform: ssm:SendCommand on resource: [my EC2 ARN] because no identity-based policy allows the ssm:SendCommand action", "errorType": "ClientError"

I cannot find the policy I need to attach to the Lambda function's role to allow this action to go through, and I am not sure which resources to specify if creating one.
PS. I tried an alternative architecture: an EventBridge rule directly targeting Systems Manager Run Command, with Target Key "InstanceIds", Target Value [my instance id], and the commands in the constant parameter section, but unfortunately it didn't work, so I am trying this way instead.
Happy to provide any more info if necessary. Thanks for any leads.
CodePudding user response:
`arn:aws:iam::aws:policy/AmazonEC2FullAccess` does not include ssm permissions. To rectify that you can add an inline policy to your function role:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ssm:SendCommand",
            "Resource": "*"
        }
    ]
}
```
You can replace `*` with the ARN of the command you want to use to be more explicit.
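As an added illustration (not part of the answer above, and not the author's gist code), here is how the `*` can be narrowed for ssm:SendCommand, which is scoped by the target instance ARN and the SSM document ARN, together with the boto3 call the Lambda makes. The region, account id and instance id are constructed placeholders, and the SSM client is injected so the functions can be exercised offline.

```python
import json

# Run Command document for shell commands on Linux instances.
DOCUMENT = "AWS-RunShellScript"


def instance_arn(region: str, account_id: str, instance_id: str) -> str:
    return f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"


def document_arn(region: str, document: str = DOCUMENT) -> str:
    # AWS-owned documents carry no account id in their ARN.
    return f"arn:aws:ssm:{region}::document/{document}"


def send_command_policy(region: str, account_id: str, instance_id: str) -> dict:
    """Inline policy allowing SendCommand only for this one instance and document,
    instead of "Resource": "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "SendCommandToOneInstance",
                "Effect": "Allow",
                "Action": "ssm:SendCommand",
                "Resource": [
                    instance_arn(region, account_id, instance_id),
                    document_arn(region),
                ],
            }
        ],
    }


def run_shell_script(ssm_client, instance_id: str, commands: list) -> str:
    """Send the shell commands via Run Command and return the CommandId."""
    response = ssm_client.send_command(
        InstanceIds=[instance_id],
        DocumentName=DOCUMENT,
        Parameters={"commands": commands},
    )
    return response["Command"]["CommandId"]


class FakeSsmClient:
    """Constructed stand-in for boto3.client('ssm') so this runs offline."""

    def send_command(self, **kwargs):
        self.last_call = kwargs
        return {"Command": {"CommandId": "constructed-command-id"}}


if __name__ == "__main__":
    print(json.dumps(send_command_policy("eu-west-1", "123456789012", "i-0123456789abcdef0"), indent=2))
    print(run_shell_script(FakeSsmClient(), "i-0123456789abcdef0", ["/opt/scripts/daily.sh"]))
```

In the real Lambda, `boto3.client("ssm")` replaces `FakeSsmClient()`, and the instance id comes from the function's configuration.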