Steps to recreate:
Create an image pipeline. For the image workflow, use the "build-image-with-update-ssm-agent" workflow (arn:aws:imagebuilder:us-east-1:aws:workflow/build/build-image-with-update-ssm-agent/1.0.0/1 in my case, but I don't think the region matters). For the infrastructure configuration, choose "Create infrastructure configuration using service defaults". The components and distribution settings are likely irrelevant, since the workflow never reaches the point of using them.
Run the image pipeline. It will fail during the step UpdateSSMAgent with the following error:
"User: arn:aws:sts::##############:assumed-role/AWSServiceRoleForImageBuilder/ImageBuilder is not authorized to perform: ssm:SendCommand on resource: arn:aws:ssm:us-east-1::document/AWS-UpdateSSMAgent because no identity-based policy allows the ssm:SendCommand action"
Cause:
The resource policy for the role contains these rights:
It does not appear to allow the resource arn:aws:ssm:::document/AWS-UpdateSSMAgent, which seems to be why the UpdateSSMAgent step would be getting an Access Denied error.
I can recreate this in the IAM Policy Simulator using the role AWSServiceRoleForImageBuilder. Even if I add the tag "createdby: EC2 Image Builder", the simulation shows the action is denied:
I believe the policy needs to be updated to include the right to run ssm:sendcommand on AWS-UpdateSSMAgent. I am unable to change this because it is an Amazon-managed role, so I can't edit the permissions or add policies to it.
Workaround:
Right now the only workaround I see is to not use the workflow with Update-SSMAgent.
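As an added illustration (not the reporter's code and not anything published by AWS), here is an offline model of IAM's evaluation order run over a constructed policy with the shape the issue describes: ssm:SendCommand is allowed on some named documents and on tagged instances, but nothing names the AWS-UpdateSSMAgent document, so the request falls to an implicit deny, the CreatedBy tag changes nothing, and only a statement naming the document makes it pass. The policy contents, the tag key aws:ResourceTag/CreatedBy and the subset of condition operators modelled are assumptions; the real Amazon-managed policy is not reproduced.

```python
import fnmatch
from copy import deepcopy
# The document ARN from the issue's error message, and the resource a fix must name.
DOCUMENT_ARN = "arn:aws:ssm:us-east-1::document/AWS-UpdateSSMAgent"
FIX_RESOURCE = "arn:aws:ssm:*:*:document/AWS-UpdateSSMAgent"
# CONSTRUCTED stand-in for the role's policy (not the real Amazon-managed policy):
# SendCommand allowed on two named documents and on Image Builder-tagged instances.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:SendCommand",
     "Resource": ["arn:aws:ssm:*:*:document/AWS-RunShellScript",
                  "arn:aws:ssm:*:*:document/AWS-RunPowerShellScript"]},
    {"Effect": "Allow", "Action": "ssm:SendCommand",
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/CreatedBy": "EC2 Image Builder"}}},
]}

def _aslist(v):
    return v if isinstance(v, list) else [v]
def _matches(patterns, value, fold=False):
    # IAM wildcards '*' (any run, even empty) and '?'; action names compare
    # case-insensitively (fold=True), resource ARNs case-sensitively.
    pats = [p.lower() if fold else p for p in _aslist(patterns)]
    return any(fnmatch.fnmatchcase(value.lower() if fold else value, p) for p in pats)

def _condition_ok(cond, tags):
    # Only StringEquals on aws:ResourceTag/<key> is modelled; a tag the resource
    # lacks, or an unmodelled condition, means the statement does not apply.
    prefix = "aws:ResourceTag/"
    for key, want in cond.get("StringEquals", {}).items():
        if not key.startswith(prefix) or tags.get(key[len(prefix):]) not in _aslist(want):
            return False
    return True

def evaluate(policy, action, resource, resource_tags=None):
    """IAM's order: an explicit Deny wins, else any matching Allow, else implicit deny."""
    decision = "implicitDeny"
    for st in policy["Statement"]:
        if (_matches(st.get("Action", []), action, fold=True)
                and _matches(st.get("Resource", []), resource)
                and _condition_ok(st.get("Condition", {}), resource_tags or {})):
            if st["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allowed"
    return decision

def with_update_agent_fix(policy):
    """The change the issue asks for: an Allow that names the AWS-UpdateSSMAgent document."""
    fixed = deepcopy(policy)
    fixed["Statement"].append({"Effect": "Allow", "Action": "ssm:SendCommand",
                               "Resource": FIX_RESOURCE})
    return fixed
```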