AWS SSM RunCommand - Issue with RunRemoteScript Document to run PowerShell script with parameters

In AWS SSM, I use the RunRemoteScript document to run a PowerShell script to install some software on SSM managed instances. The script is hosted in a publicly accessible S3 bucket.

The RunCommand works fine with the script not taking any parameters. Software was successfully deployed to managed instances. But my script has a unique CID embedded in the code. For security reasons, I need to take it out and set it as a parameter for the PS script. Ever since then, the RunCommand just keeps failing.

My script looks like below (with parameter CID):

param (
        [Parameter(Position = 0, Mandatory = 1)]
        [string]$CID
)

Start-Transcript -Path "$([System.Environment]::GetEnvironmentVariable('TEMP','Machine'))\app_install.log" -Append
function Install-App {
    <#
    Installs App
    #>
    [CmdletBinding()]
    [OutputType([PSCustomObject])]
    param (
        [Parameter(Position = 0, Mandatory = 1)]
        [string]$msiURL,
        [Parameter(Position = 2, Mandatory = 1)]
        [string]$InstallCheck,
        [Parameter(Position = 3, Mandatory = 1)]
        [string]$CustomerID
    )

    if ( -not(Test-Path $installCheck)) {
    # Do stuff
    ...
    }
    else {
        Write-Host ("$installCheck - Already Installed")
        Return "Already Installed, Skipped $(($msiURL -split '([^\\/]+$)')[1])"
    }
}


Install-App -msiURL "https://s3.amazonaws.com/app.foo.com/Windows/app.exe" -InstallCheck "C:\Program Files\App\app.exe" -CustomerID $CID

Stop-Transcript

By following AWS SSM documentation below, I run the command below to kick off the RunCommand. https://docs.aws.amazon.com/systems-manager/latest/userguide/integration-remote-scripts.html

aws ssm send-command --document-name "AWS-RunRemoteScript" --targets "Key=instanceids,Values=mi-abc12345" \
--parameters '{"sourceType":["S3"],"sourceInfo":["{\"path\": \"https://s3.amazonaws.com/app.foo.com/Windows/app_install.ps1\"}"],"commandLine":["app_install.ps1 abcd123456"]}'

The RunCommand keeps failing with error below:

----------ERROR-------
app_install.ps1 : The term 'app_install.ps1' is not recognized
as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is
correct and try again.
At C:\ProgramData\Amazon\SSM\InstanceData\mi-abcd1234\document\orchest
ration\a6811111d-c411-411-a222-bad123456\runPowerShellScript\_script.ps1:4
char:2
+ app_install.ps1 abcd123456
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (app_install.ps1:String)
[], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
failed to run commands: exit status 255

I suspect this has to do with the way RunCommand handles the argument for the PowerShell script. But I cannot find any examples other than the official document, which I followed. Can anyone point out what the issue is here?

BTW, I already tried putting the ps1 after ".\" without luck.

I found out the cause of the issue. The IAM role attached to the instance did not have sufficient rights to access the S3 bucket that holds the script. As a result, SSM wasn't able to download the script to the instance, hence the error "...ps1 is not recognized".

So it's not related to the code actually.
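
The cause described in the answer can be checked offline before sending the command. The following is an added example, not part of the original post: a simplified IAM evaluator that tests whether an instance role's policy documents allow `s3:GetObject` on the script object. The policy documents are constructed samples, and the evaluator ignores Condition, NotAction, NotResource, permission boundaries and bucket policies.

```python
import re
from urllib.parse import urlparse

def s3_url_to_arn(url):
    """Path-style URL https://s3.amazonaws.com/<bucket>/<key> -> object ARN."""
    bucket, _, key = urlparse(url).path.lstrip("/").partition("/")
    return f"arn:aws:s3:::{bucket}/{key}"

def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def evaluate(policies, action, resource):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' (simplified model)."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            hit = (any(_matches(a, action, True) for a in _as_list(stmt.get("Action", [])))
                   and any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))))
            if hit and stmt["Effect"] == "Deny":
                return "explicit-deny"      # an explicit deny always wins
            allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return "allow" if allowed else "implicit-deny"

# Script location taken from the question's send-command call.
SCRIPT_ARN = s3_url_to_arn("https://s3.amazonaws.com/app.foo.com/Windows/app_install.ps1")

# Constructed sample: a role that can talk to SSM but has no S3 permissions.
SSM_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ssm:UpdateInstanceInformation", "ssmmessages:*", "ec2messages:*"]}]}

# Constructed sample: least-privilege read access to the script prefix only.
SCRIPT_READ = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::app.foo.com/Windows/*"}}

if __name__ == "__main__":
    print(SCRIPT_ARN)
    print("before:", evaluate([SSM_ONLY], "s3:GetObject", SCRIPT_ARN))
    print("after: ", evaluate([SSM_ONLY, SCRIPT_READ], "s3:GetObject", SCRIPT_ARN))
```

With only the SSM permissions the result is an implicit deny, which matches the symptom in the question: the download step fails and the command line then cannot find the script.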
