AWS - Associate EC2 with SSM to enable ssm.client.send_command

I'd like to run a series of bash commands through boto3 on a newly launched instance.

From some research it appears that associating this new instance with SSM is required to achieve this.

Are there any clear mistakes or missed steps below? Also are there better approaches to achieve the stated goal?

Step 1 - Get clients and resources

import boto3

ec2c = boto3.client('ec2')
ec2r = boto3.resource('ec2')
ssmc = boto3.client('ssm')

Step 2 - Create and wait for instance

instances = ec2r.create_instances(
    ImageId = 'ami-####',
    InstanceType = 't2.micro',
    MinCount = 1,
    MaxCount = 1,
    SecurityGroupIds = ['sg-####'])

instance_ids = [i.id for i in instances]
instance = instances[0]

instance.wait_until_running()

Step 3 - Associate instance with IAM profile

"RoleName" has the AmazonEC2RoleforSSM policy attached to it

res = ec2c.associate_iam_instance_profile(
    IamInstanceProfile={
        'Arn': 'arn:aws:iam::###:instance-profile/RoleName',
        'Name': 'RoleName'
    },
    InstanceId = instance.id
)

Step 4 - Check for associations

print(ssmc.describe_instance_information()['InstanceInformationList'])

> []

(I think this empty list is why the next step is failing)

Step 5 - Run commands

resp = ssmc.send_command(
    DocumentName = "AWS-RunShellScript",
    Parameters = {'commands': ['mkdir app']},
    InstanceIds = instance_ids
)

> botocore.errorfactory.InvalidInstanceId: An error occurred ...
> ... (InvalidInstanceId) when calling the SendCommand operation:

You are receiving the InvalidInstanceId exception because the SSM agent is not running on your instance.
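One way to act on this, as an added example that is not part of the original question or answer: poll `describe_instance_information` until the instance's agent has registered and reports `Online`, and only then call `send_command`. The helper names `wait_for_ssm_registration` and `run_shell`, and the timeout values, are assumptions made for illustration.

```python
import sys
import time


def wait_for_ssm_registration(ssm, instance_id, timeout=300, interval=10,
                              sleep=time.sleep):
    """Block until the SSM agent on instance_id is registered and Online.

    An instance that is 'running' in EC2 is not yet a managed instance:
    the agent must start, pick up the instance profile credentials and
    register. Until then SendCommand raises InvalidInstanceId.
    """
    waited = 0
    while True:
        resp = ssm.describe_instance_information(
            Filters=[{"Key": "InstanceIds", "Values": [instance_id]}]
        )
        for info in resp["InstanceInformationList"]:
            if (info["InstanceId"] == instance_id
                    and info.get("PingStatus") == "Online"):
                return info
        if waited >= timeout:
            raise TimeoutError(
                f"{instance_id} did not register with SSM within {timeout}s; "
                "check the agent, the instance profile and network access"
            )
        sleep(interval)
        waited += interval


def run_shell(ssm, instance_id, commands, **wait_kwargs):
    """Wait for registration, then run commands via AWS-RunShellScript."""
    wait_for_ssm_registration(ssm, instance_id, **wait_kwargs)
    resp = ssm.send_command(
        DocumentName="AWS-RunShellScript",
        Parameters={"commands": list(commands)},
        InstanceIds=[instance_id],
    )
    return resp["Command"]["CommandId"]


if __name__ == "__main__":
    import boto3  # imported here so the helpers can be tested offline

    # Usage: python this_file.py <instance-id>
    print(run_shell(boto3.client("ssm"), sys.argv[1], ["mkdir app"]))
```

A timeout here usually means the AMI has no SSM agent installed, the instance profile was not attached, or the instance cannot reach the SSM endpoints. AWS has deprecated the `AmazonEC2RoleforSSM` managed policy in favour of the narrower `AmazonSSMManagedInstanceCore`.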
