28

Below is the code which I am running from Python to execute commands on an AWS EC2 instance:

```python
import boto3
# Instance IDs are passed as a list (value as given in the comments below)
ids = ['i-0ce6exxxx2e3xxxx']
# SSM client (the variable is named ec2 in the original post)
ec2 = boto3.client('ssm', region_name='us-east-1', aws_access_key_id='xxxxxxxxxxxxxxx', aws_secret_access_key='xxxxxxxxx')
a = ec2.send_command(InstanceIds=ids, DocumentName='AWS-RunShellScript', Comment='abcdabcd', Parameters={"commands": ["ifconfig"]})
```

But it is giving the below error:

```
InvalidInstanceId: An error occurred (InvalidInstanceId) when calling the SendCommand operation: 
```
kenorb
Teja
  • Is `ids` a valid list of EC2 instance IDs? The error message is saying that it isn't. – Mark B Oct 31 '17 at 12:06
  • @MarkB......id is valid....I have checked – Teja Oct 31 '17 at 12:08
  • Is `ids` a list or a single string? It expects it to be a list. – Mark B Oct 31 '17 at 12:20
  • @MarkB.... ids = ['i-0ce6exxxx2e3xxxx'].....ids is a list – Teja Oct 31 '17 at 12:23
  • And that instance is in the `us-east-1` region? – Mark B Oct 31 '17 at 12:25
  • @MarkB......yes I have more than two instances....their availability zones are 'us-east-1c' and 'us-east-1d'......so the region_name is 'us-east-1' ... that is correct – Teja Oct 31 '17 at 12:30
  • Do you see `instance-id` in the output of `aws ssm describe-instance-information --output text`? If not, SSM agent is not installed in that instance. – helloV Oct 31 '17 at 14:11
  • Possible duplicate of [SSM send command to EC2 instance Failed](https://stackoverflow.com/questions/42279963/ssm-send-command-to-ec2-instance-failed) – kenorb Feb 07 '18 at 16:53

5 Answers

37

The following scenarios can result in this error message:

  • Instance id is invalid (in the comments you have verified it isn't)
  • Instance is in a different region (in the comments you have verified it isn't)
  • Instance is not currently in the Running state
  • Instance does not have the AWS SSM agent installed and running.
  • Instance does not have the correct IAM permissions to register with SSM

You need to log in to the AWS EC2/SSM console and make sure the instance(s) you are trying to manage show up in the SYSTEMS MANAGER SHARED RESOURCES - Managed Instances list, and that they show a Ping status of Online. If not, you need to fix that before trying to send commands to the instance(s) in question.

You should use one of the following two policies to make sure your AWS EC2 instance can register itself with SSM:

  • AmazonSSMManagedInstanceCore
  • AmazonSSMFullAccess
2ps
Mark B
  • 13
    You have to create and attach the policy `AmazonSSMFullAccess` to the machine (that's maybe more broad than you need) but that was why it wasn't working for me... You do that by clicking on (when selected on the EC2 instance) `Action > Instance Settings > Attach/Replace IAM Role` then create a role for EC2 that has that permission then attach, should take like 5-10 mins to pop up in `SYSTEMS MANAGER SHARED RESOURCES - Managed Instances` as Mark mentions. – Glen Thompson Sep 20 '18 at 16:31
  • I am getting the same error while trying to run commands during the termination:wait state. As per the documentation it should be possible to use run command but I am unable to make it work. The code works fine when the instance is in running state. – Shurmajee Jun 19 '20 at 21:19
  • 2
    Installed SSM agent like Mark wrote, and made the IAM Role like Glen wrote. Didn't work. Then I rebooted the EC2 instances and it worked. Maybe that helps someone. – ElMaquinista Jun 24 '20 at 07:34
  • 1
    @Joshi if rebooting the server fixed it, then it sounds like the SSM agent wasn't actually running after you installed it. – Mark B Jun 24 '20 at 12:45
  • My instance was not showing up in Systems Manager > Session Manager > Start session. For the user I had to add a new inline policy like so: `{ "Version": "2012-10-17", "Statement": [ { "Sid": "PassRole", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam:::role/*" ] } ] }` – Prashant Saraswat Sep 29 '21 at 14:34
  • After attaching the policy AmazonSSMFullAccess to the machine as in Greg Thompson's comment above, it showed up in the AWS Console Systems Manager under "Fleet Manager" – killdash9 Feb 04 '22 at 21:06
  • The correct policy to attach should be `AmazonSSMManagedInstanceCore` – Paolo Apr 03 '22 at 17:00
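
A pre-flight check following the causes listed in the answer above, as an added example that is not part of the original answers: it asks EC2 for the instance state and SSM for the ping status, then reports which cause applies per instance. The names `classify` and `preflight`, the stub clients and the instance IDs are constructed for illustration; pagination of large result sets is not handled.

```python
def classify(ec2_state, ping_status):
    """Map what EC2 and SSM report for one instance to a likely cause.

    ec2_state: State.Name from describe_instances, or None if the ID was not
    returned for this region/account. ping_status: PingStatus from
    describe_instance_information, or None if SSM does not list the instance.
    """
    if ec2_state is None:
        return "not found in this region/account (wrong ID or region)"
    if ec2_state != "running":
        return f"EC2 state is '{ec2_state}', not 'running'"
    if ping_status is None:
        return ("not a managed instance (SSM agent missing/stopped, "
                "or instance role lacks SSM permissions)")
    if ping_status != "Online":
        return f"registered with SSM but PingStatus is '{ping_status}'"
    return "ok"


def preflight(ec2, ssm, instance_ids):
    """Return {instance_id: verdict} using boto3-style EC2 and SSM clients."""
    # A filter (rather than InstanceIds=) returns nothing for unknown IDs
    # instead of raising, so every requested ID gets a verdict.
    resp = ec2.describe_instances(
        Filters=[{"Name": "instance-id", "Values": instance_ids}])
    states = {inst["InstanceId"]: inst["State"]["Name"]
              for res in resp["Reservations"] for inst in res["Instances"]}
    info = ssm.describe_instance_information(
        Filters=[{"Key": "InstanceIds", "Values": instance_ids}])
    pings = {i["InstanceId"]: i["PingStatus"]
             for i in info["InstanceInformationList"]}
    return {i: classify(states.get(i), pings.get(i)) for i in instance_ids}


class FakeEC2:  # constructed sample response so the example runs offline
    def describe_instances(self, Filters):
        return {"Reservations": [{"Instances": [
            {"InstanceId": "i-aaaa", "State": {"Name": "running"}},
            {"InstanceId": "i-bbbb", "State": {"Name": "stopped"}},
            {"InstanceId": "i-cccc", "State": {"Name": "running"}}]}]}


class FakeSSM:  # constructed: only one instance has registered with SSM
    def describe_instance_information(self, Filters):
        return {"InstanceInformationList": [
            {"InstanceId": "i-aaaa", "PingStatus": "Online"}]}


if __name__ == "__main__":
    ids = ["i-aaaa", "i-bbbb", "i-cccc", "i-dddd"]
    for iid, verdict in preflight(FakeEC2(), FakeSSM(), ids).items():
        print(iid, "->", verdict)
```

With real clients, pass `boto3.client('ec2', region_name=...)` and `boto3.client('ssm', region_name=...)` in place of the stubs and call `send_command` only for IDs whose verdict is `ok`.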
14

Make sure your instance has SSM set up. For Linux, you need to use an Amazon Linux AMI or install it manually.

Run:

```
aws ssm describe-instance-information --output text
```

to see the SSM agent version from your instances. So make sure your instance is on that list.

See also: SSM send command to EC2 instance Failed.

kenorb
4

You must make sure you have the SSM Agent installed on your instance, which comes preinstalled on a few AMIs.

Also, what ended up working for me was going through the setup on the AWS Systems Manager service. The Quick Setup is pretty painless, just give it a couple minutes to run. After I ran through the Quick Setup and tested my command directly on Systems Manager, my Lambda function also successfully ran.

Ryan Buchmeier
1

I had the exact same error message and the problem was the version of boto3 in AWS.

When I added boto3 as a Lambda layer the Lambda code ran perfectly.

chrisd
  • I'm getting the same error in Lambda but it is working locally. What do you mean by boto3 as a Lambda layer? – Eshwar P Apr 15 '20 at 14:53
0

I had this issue with an AWS EC2 instance that was working fine previously with Amazon SSM.

I got the error when I tried to run my GitLab pipeline:

```
An error occurred (InvalidInstanceId) when calling the SendCommand operation: Instances [[i-078d0der4a16e4502]] not in a valid state for account 321403451707
```

Here's how I fixed it:

  • I checked the IAM permissions and it already had the SecretsManagerReadWrite policy attached to the EC2 IAM role. And the pipeline has been working fine.
  • I was also sure that the SSM agent was installed on the EC2 previously which is the reason why the pipeline was working fine before.
  • The instance ID was also correct, and I double-checked it again just to be sure that there was no mistake.

All I had to do was restart the EC2 instance just like ElMaquinista suggested above and then try running the pipeline again.

This time, it worked fine.

Promise Preston