
AWS System Manager start session: An error occurred (TargetNotConnected) when calling the StartSession operation: <instance_id> is not connected

Problem:

When I try to locally connect to a running EC2 instance using the AWS System Session Manager CLI command: aws ssm start-session --target i-123456

I get the error:

An error occurred (TargetNotConnected) when calling the StartSession operation: i-123456 is not connected.

Background:

  • Linux 2 instance hosted on a private subnet within a custom VPC
  • VPC endpoints used to connect System Manager to managed instances without the need for a NAT GW or IGW.
  • Endpoint Service Names:
com.amazonaws.us-west-2.s3
com.amazonaws.us-west-2.ec2
com.amazonaws.us-west-2.ec2messages
com.amazonaws.us-west-2.ssm
com.amazonaws.us-west-2.ssmmessages
  • AWS CLI == 2.0.40
  • Python == 3.7.4
  • Custom Terraform module to launch an airflow instance within one of the private subnets (see module "airflow_aws_resources" below)
  • The only .tf file that would be relevant to this problem would be airflow.tf within the module "airflow_aws_resources". This file contains the security group and instance profile configuration for the EC2 instance that is being connected via SSM.

Reproduce with Terraform:

module "airflow_aws_resources" {
  source                      = "github.com/marshall7m/tf_modules/airflow-aws-resources"
  resource_prefix             = "test"
  vpc_id                      = module.vpc.vpc_id
  env                         = "testing"
  private_bucket              = "test-bucket"
  private_subnets_ids         = module.vpc.private_subnets
  private_subnets_cidr_blocks = module.vpc.private_subnets_cidr_blocks

  create_airflow_instance     = true
  create_airflow_instance_sg  = true
  create_airflow_db           = false
  create_airflow_db_sg        = false
  airflow_instance_ssm_access = true
  airflow_instance_ssm_region = "us-west-2"

  airflow_instance_ami  = "ami-0841edc20334f9287"
  airflow_instance_type = "t2.micro"

}

resource "aws_security_group" "vpc_endpoints" {
  name        = "test-vpc-endpoint-sg"
  description = "Default security group for vpc endpoints"
  vpc_id = module.vpc.vpc_id
  
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.32/28", "10.0.0.64/28"]
  }

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    #private subnet cidr blocks
    cidr_blocks = ["10.0.0.32/28", "10.0.0.64/28"]
  }

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.32/28", "10.0.0.64/28"]
  }
  egress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.32/28", "10.0.0.64/28"]
  }
}

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
  version = "2.44.0"
  name = "test-vpc" 
  cidr = "10.0.0.0/24"

  azs = ["us-west-2a", "us-west-2b"]
  
  private_subnets = ["10.0.0.32/28", "10.0.0.64/28"]
  private_dedicated_network_acl = true
  private_subnet_suffix = "private"

  public_subnets = ["10.0.0.96/28", "10.0.0.128/28"]
  public_dedicated_network_acl = true
  public_subnet_suffix = "public"

  enable_s3_endpoint = true

  enable_ec2messages_endpoint = true
  ec2messages_endpoint_security_group_ids = [aws_security_group.vpc_endpoints.id]
  enable_ec2_endpoint = true
  ec2_endpoint_security_group_ids = [aws_security_group.vpc_endpoints.id]

  enable_ssm_endpoint = true
  ssm_endpoint_security_group_ids = [aws_security_group.vpc_endpoints.id]
  enable_ssmmessages_endpoint = true
  ssmmessages_endpoint_security_group_ids = [aws_security_group.vpc_endpoints.id]

  enable_nat_gateway = false
  single_nat_gateway = false
  enable_vpn_gateway = false

  create_database_subnet_route_table = false
  create_database_internet_gateway_route = false
  create_database_subnet_group = false
   
  manage_default_network_acl = false 
  enable_dns_hostnames = true
  enable_dns_support = true
  
  private_inbound_acl_rules = [
    {
      "description": "Allows inbound https traffic for aws s3 package requests"
      "cidr_block": "0.0.0.0/0",
      "from_port": 443,
      "to_port": 443,
      "protocol": "tcp",
      "rule_action": "allow",
      "rule_number": 101
    },
    { 
      "description": "Allows inbound http traffic for aws s3 package requests"
      "cidr_block": "0.0.0.0/0",
      "from_port": 80,
      "to_port": 80,
      "protocol": "tcp",
      "rule_action": "allow",
      "rule_number": 102
    }
  ]
  private_outbound_acl_rules = [
    {
      "description": "Allows outbound https traffic for aws s3 package requests"
      "cidr_block": "0.0.0.0/0",
      "from_port": 443,
      "to_port": 443,
      "protocol": "tcp",
      "rule_action": "allow",
      "rule_number": 101
    },
    { 
      "description": "Allows outbound http traffic for aws s3 package requests"
      "cidr_block": "0.0.0.0/0",
      "from_port": 80,
      "to_port": 80,
      "protocol": "tcp",
      "rule_action": "allow",
      "rule_number": 102
    }
  ]
  
  vpc_endpoint_tags = {
    type = "vpc-endpoint"
  }
}

Attempts:

#1

I tried the troubleshooting tips within the EC2 Console SSM (AWS EC2 console >> instance-id >> Connect >> Session Manager):


  1. SSM agent is already pre-installed on AWS Linux instance types. Although I double-checked by accessing the instance via SSH and running sudo status amazon-ssm-agent which returned: amazon-ssm-agent start/running, process 1234

  2. The EC2 instance profile displayed above includes the required AmazonSSMManagedInstanceCore policy

  3. I completed the Session Manager Prerequisite.

#2

Attaching AmazonSSMFullAccess to the user using the command: aws ssm start-session --target i-123456

Same error while connecting the instance via SSM:

An error occurred (TargetNotConnected) when calling the StartSession operation: i-123456 is not connected.

#3

Adding HTTPS inbound/outbound traffic from the VPC endpoint's associated private subnet to the EC2 instance security group (see airflow.tf)

Same error:

An error occurred (TargetNotConnected) when calling the StartSession operation: i-123456 is not connected.

#4

Within the System Manager console I used the Quick Setup option and configured the Quick Setup with the instance profile specified in airflow.tf and the System Manager role with the default role. The EC2 instance successfully registered under "Managed instances" within the Quick Setup page.

Same error:

An error occurred (TargetNotConnected) when calling the StartSession operation: i-123456 is not connected.

#5

Given this is a test VPC and EC2 instance, I tried allowing all types of traffic from all IPv4 sources (0.0.0.0/0) for the following resources:

  • Private subnets NACL
  • EC2 instance security group
  • The security group associated with the following interface/gateway endpoints:
com.amazonaws.us-west-2.s3
com.amazonaws.us-west-2.ec2
com.amazonaws.us-west-2.ec2messages
com.amazonaws.us-west-2.ssm
com.amazonaws.us-west-2.ssmmessages

Same error while connecting the instance via SSM:

An error occurred (TargetNotConnected) when calling the StartSession operation: i-123456 is not connected.

I would refer here to make sure you have everything set up properly. I would first add the profile argument. If that still doesn't work, I ran into a similar issue when my profile's default region was not the same region I was looking to begin an active session in. Thus, I needed to use the region argument as well. Sample .ssh/config below:

host ssh i-abc123
ProxyCommand sh -c "aws --region desired_region --profile my_profile ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

I would also encourage using AWS CLI v2. Once you configure your .ssh/config to look like that above, simply execute the following in a CLI:

ssh i-abc123

So you might need to use a profile. I am using AWS CLI on OSX to connect via the terminal into a Linux host in a VPC. This is an account only accessible via SSO. I was able to create a profile, and after authenticating via the CLI to SSO I can establish a connection like this.

Do this once:

aws sso login --profile my_customer  

Then verify the SSO login was successful with a trivial command (on my OSX terminal):

 aws s3 ls --profile my_customer  custbucket-s3-sftp/rds/

Now establish the Session Manager connection:

 aws ssm start-session --profile my_customer  --target i-0012345abcdef890

I know you are using Python but maybe this helps.

In some cases, you have to verify the following:

  • AWS account/profile
  • AWS region

In one case, I found that it was trying to connect to a different AWS profile.

Later, in another case, I was connecting to a different region.

In my case, I had to wait about 10 minutes after I attached an IAM role to the EC2 instance using the AWS Console/UI.

I was also getting the same error when I tried to connect from my terminal: An error occurred (TargetNotConnected) when calling the StartSession operation: i-122334455 is not connected.

In my case, the issue was that the SSM agent installed on the target instance was out of date. I discovered this by trying to start the session from Systems Manager in the AWS console; basically going to Systems Manager->Fleet Manager->{INSTANCE_ID}->Instance Actions->Start Session. When I tried that, I got the error message that the SSM agent on the target EC2 instance was out of date. After updating, I was able to log in successfully.

To update, you can either enable SSM agent auto-update for all managed instances, update the particular instance manually, or do a selective update of the managed instances. See the following documentation for info:

I ran into a similar issue. If you attempt to start a session on a managed node that is located in a different AWS account or AWS Region, then you will see a similar kind of error. For example, my AWS instance is located in the us-east-2 region and my AWS default profile is set to us-east-1, so when I ran "aws ssm start-session instance_number" it returned an error, as SSM does not know about the instances that are in the us-east-2 region. To fix the problem, I overrode the region filter name and ran "aws ssm start-session instance_number --region us-east-2". I was able to connect to the instance with no issues.

Explanation: Unfortunately EC2 instances are not fault tolerant, and under your system server is a host system. As a best practice you should add another instance as a backup to prevent a single point of failure.

One of the possible reasons when you try to SSM/SSH into your host and get the TargetNotConnected issue can be one of several: the host hardware fails, connectivity/electricity issues, a software memory leak (running out of memory), a full disk that is not cleaned up, or your application can handle edge cases and crash itself.

In some of these cases the EC2 instance state might still be running even though the reachability check fails.

When you run aws ec2 describe-instance-status --instance-ids <instance-id> you might notice that the instance state is running even though the health check fails.

Example:

request: aws ec2 describe-instance-status --instance-ids i-abc123

response:

{
    "InstanceStatuses": [
        {
            "AvailabilityZone": "us-west-1b",
            "InstanceId": "i-abc123",
            "InstanceState": {
                "Code": 16,
                "Name": "running"
            },
            "InstanceStatus": {
                "Details": [
                    {
                        "ImpairedSince": "2020-10-10T12:10:00+00:00",
                        "Name": "reachability",
                        "Status": "failed"
                    }
                ],
                "Status": "impaired"
            },
            "SystemStatus": {
                "Details": [
                    {
                        "Name": "reachability",
                        "Status": "passed"
                    }
                ],
                "Status": "ok"
            }
        }
    ]
}

The solution would be recreating this instance if it's a hardware issue (in IaC platforms such as Terraform / CloudFormation, or manually of course); if it's an application issue, connect into the machine and solve the exact problem.

Do your Interface type VPC endpoints have private DNS enabled?

Session Manager appears to need private_dns_enabled = true on Terraform VPC endpoints of Interface type in order to work.

I ran into this after making some changes with Terraform that modified the EC2 instance in place. Turns out that all I needed to do was reboot the EC2 instance, and then it allowed me to connect again.

A private EC2 instance requires access to the Internet (ssm point).

Therefore, it needs to be implemented with a NAT gateway.

Yet another possible gotcha:

I confused the security group on the VPC endpoints with the security group that was attached to my EC2 instance. At first I interpreted it as giving that security group (and instance) access to my VPC endpoints.

Instead, I needed to create a new security group that specifies the inbound/outbound traffic allowed on my VPC endpoints. From the AWS docs:

The security group attached to the VPC endpoint must allow incoming connections on port 443 from the private subnet of the managed instance. If incoming connections aren't allowed, then the managed instance can't connect to the SSM and EC2 endpoints.

So I added rules to allow all HTTPS traffic in/out of the VPC endpoint.

This is separate from the security group on the EC2 instance, for which I allowed all outbound traffic and no inbound traffic.

As soon as I added the new VPC security group to each of my VPC endpoints, the instance appeared in Session Manager as being connected and ready to start sessions.
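The answers above point at three separate causes of TargetNotConnected that can all be checked before opening a session: interface endpoints without private DNS, an endpoint security group that does not admit TCP/443 from the instance's private subnets, and an agent that is not registered in the region/profile the CLI is using. The following checker is an added example (not code from the question or from any answer) that encodes those checks as pure functions over the JSON shapes returned by aws ec2 describe-vpc-endpoints, aws ec2 describe-security-groups and aws ssm describe-instance-information; the sample documents at the bottom are constructed to resemble the question's setup, not real account data.

```python
"""Offline pre-flight checks for the TargetNotConnected causes discussed above."""
import ipaddress

# Interface endpoints the SSM agent must reach from a private subnet (no NAT/IGW).
REQUIRED_INTERFACE_ENDPOINTS = ("ssm", "ssmmessages", "ec2messages")


def endpoint_findings(endpoints, region):
    """Flag missing interface endpoints and ones created without private DNS."""
    findings = []
    by_service = {e["ServiceName"]: e for e in endpoints}
    for svc in REQUIRED_INTERFACE_ENDPOINTS:
        name = f"com.amazonaws.{region}.{svc}"
        ep = by_service.get(name)
        if ep is None:
            findings.append(f"missing interface endpoint {name}")
        elif not ep.get("PrivateDnsEnabled", False):
            findings.append(f"{name}: PrivateDnsEnabled is false")
    return findings


def sg_allows_https_from(sg, subnet_cidrs):
    """True if every subnet CIDR is covered by an ingress rule that includes TCP/443."""
    uncovered = [ipaddress.ip_network(c) for c in subnet_cidrs]
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):          # "-1" means all protocols/ports
            continue
        if proto == "tcp" and not (perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 0)):
            continue
        allowed = [ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])]
        uncovered = [n for n in uncovered if not any(n.subnet_of(a) for a in allowed)]
    return not uncovered


def agent_finding(instance_info, instance_id):
    """Check the SSM inventory of the region/profile in use for this instance."""
    for item in instance_info:
        if item["InstanceId"] == instance_id:
            if item.get("PingStatus") == "Online":
                return None
            return f"{instance_id}: agent PingStatus is {item.get('PingStatus')}"
    return f"{instance_id}: not registered with SSM in this region/account"


def diagnose(instance_id, region, endpoints, endpoint_sg, subnet_cidrs, instance_info):
    """Collect every finding; an empty list means the checked prerequisites hold."""
    findings = endpoint_findings(endpoints, region)
    if not sg_allows_https_from(endpoint_sg, subnet_cidrs):
        findings.append("endpoint security group does not allow TCP/443 from all instance subnets")
    agent = agent_finding(instance_info, instance_id)
    if agent:
        findings.append(agent)
    return findings


# Constructed sample documents mirroring the question's VPC (not real account data).
SAMPLE_REGION = "us-west-2"
SAMPLE_SUBNETS = ["10.0.0.32/28", "10.0.0.64/28"]
SAMPLE_ENDPOINTS = [
    {"ServiceName": "com.amazonaws.us-west-2.ssm", "PrivateDnsEnabled": False},
    {"ServiceName": "com.amazonaws.us-west-2.ssmmessages", "PrivateDnsEnabled": False},
    {"ServiceName": "com.amazonaws.us-west-2.ec2messages", "PrivateDnsEnabled": True},
]
SAMPLE_ENDPOINT_SG = {"GroupId": "sg-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.32/28"}]},   # second private subnet forgotten
]}
SAMPLE_INSTANCE_INFO = []   # describe-instance-information returned no entries

if __name__ == "__main__":
    for finding in diagnose("i-123456", SAMPLE_REGION, SAMPLE_ENDPOINTS,
                            SAMPLE_ENDPOINT_SG, SAMPLE_SUBNETS, SAMPLE_INSTANCE_INFO):
        print("FINDING:", finding)
```

To run it against a live account, feed the functions the `VpcEndpoints`, `SecurityGroups[0]` and `InstanceInformationList` members of the respective CLI responses, issued with the same --profile and --region you pass to aws ssm start-session.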
