
create ec2 instance with ssm enabled

I am creating an EC2 instance with SSM attached to the instance.

    import boto3


    class InstanceLauncher:
        def __init__(self):
            # create_instances() is a method of the EC2 *resource*, not the low-level
            # client (the client exposes it as run_instances()); both call RunInstances.
            self.ec2_client = boto3.resource("ec2")

        def createInstances(self):
            instances = self.ec2_client.create_instances(
                ImageId="ami-09e67e426f25ce0d7",  # Ubuntu Server 20.04 LTS (HVM), SSD Volume Type
                MinCount=1,
                MaxCount=1,
                InstanceType="m4.2xlarge",
                KeyName="ec2-key-pair",
                # This combination is what triggers the errors quoted below
                IamInstanceProfile={
                    'Arn': 'arn:aws:iam::aws:instance-profile/AmazonEC2RoleforSSM',
                    'Name': 'AmazonEC2RoleforSSM'
                },
                DryRun=True,  # a successful dry run is itself reported as a DryRunOperation error
                TagSpecifications=[
                    {
                        'ResourceType': 'instance',
                        'Tags': [
                            {
                                'Key': 'department',
                                'Value': 'dev'
                            },
                        ]
                    },
                ],
            )

            # create_instances() returns a list of ec2.Instance objects, not a dict
            print(instances[0].id)

I am getting an error as:

    botocore.exceptions.ClientError: An error occurred (InvalidParameterCombination) when calling the RunInstances operation: The parameter 'iamInstanceProfile.name' may not be used in combination with 'iamInstanceProfile.arn'

when I removed 'iamInstanceProfile.name' I got another error as:

    botocore.exceptions.ClientError: An error occurred (InvalidParameterValue) when calling the RunInstances operation: Value (arn:aws:iam::aws:instance-profile/AmazonEC2RoleforSSM) for parameter iamInstanceProfile.arn is invalid. Invalid IAM Instance Profile ARN

I think there are a couple of things going on. First, you have to create the instance profile for SSM in your account. It's not a standard resource managed by AWS that you can just refer to. If you haven't yet, see the SSM setup instructions for creating an instance profile. As noted there, if you went through SSM Quick Setup, it created the instance profile for you. Its ARN would probably be arn:aws:iam::[your_account_number]:instance-profile/AmazonSSMRoleForInstancesQuickSetup. If you haven't gone through SSM Quick Setup, you'll either need to do so or create the role and instance profile yourself.

Note that if you create a role through the console, the console creates an instance profile for you (if the role is associated with EC2) with the same name as the role. If you create a role using CLI, API, or CDK, you'll need to create the instance profile separately. Either way, you'll need to assign the right IAM policies to the role.

Second, despite the name, AmazonEC2RoleforSSM is an IAM policy, not a role... and it's deprecated. It's been replaced by a set of policies that provide finer-grained control over SSM permissions. See this AWS Management and Governance Blog post on managed instance policy best practices for details. So when you set up your role, you'll need to assign the appropriate SSM policies to it.

Try IamInstanceProfile={'Name': 'AmazonEC2RoleforSSM'}.

Your Instance Profile ARN is indeed invalid. It should be arn:aws:iam::XXXXXXXXXXXX:instance-profile/AmazonEC2RoleforSSM, where XXXXXXXXXXXX represents your AWS account number.
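The two points made in the answers above (the role and instance profile must exist in your own account, and RunInstances takes either Name or Arn, not both) as one added worked example. This is not code from the question or any of the answers; it assumes boto3 and that you pass in your own IAM client and EC2 resource. The role name ec2-ssm-role, the function names, and the tag values are constructed for illustration; AmazonSSMManagedInstanceCore is the real AWS managed policy that replaced the deprecated AmazonEC2RoleforSSM policy.

```python
import json
import re

# Constructed example values (assumptions, not from the original post); replace with your own.
ROLE_NAME = "ec2-ssm-role"
# Real AWS managed policy that replaced the deprecated AmazonEC2RoleforSSM policy.
SSM_CORE_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Trust policy: only the EC2 service may assume the role.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# An instance profile lives in *your* account: 12-digit account id, resource type
# "instance-profile". The "aws" pseudo-account is reserved for AWS-managed policies.
_PROFILE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):instance-profile/([\w+=,.@-]+)$")


def instance_profile_arn(account_id, name):
    """Build the ARN form RunInstances expects for IamInstanceProfile['Arn']."""
    return f"arn:aws:iam::{account_id}:instance-profile/{name}"


def is_instance_profile_arn(arn):
    """True only for a well-formed instance-profile ARN in a real account."""
    return _PROFILE_ARN_RE.match(arn) is not None


def instance_profile_param(name=None, arn=None):
    """RunInstances accepts exactly one of Name or Arn; both at once is InvalidParameterCombination."""
    if (name is None) == (arn is None):
        raise ValueError("pass exactly one of name= or arn=")
    if arn is not None:
        if not is_instance_profile_arn(arn):
            raise ValueError(f"not an instance-profile ARN: {arn}")
        return {"Arn": arn}
    return {"Name": name}


def ensure_ssm_instance_profile(iam, role_name=ROLE_NAME):
    """Create the SSM role and instance profile in your account (idempotent).

    `iam` is a boto3 IAM client, e.g. boto3.client("iam"). Unlike the console, the API
    does not create an instance profile alongside the role, so both are created here.
    Returns the profile name to use as IamInstanceProfile={"Name": ...}.
    """
    exists = iam.exceptions.EntityAlreadyExistsException
    try:
        iam.create_role(RoleName=role_name,
                        AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY))
    except exists:
        pass
    # Least privilege: the core policy only grants what the SSM agent needs to register
    # and receive commands; add session logging or S3 permissions separately if required.
    iam.attach_role_policy(RoleName=role_name, PolicyArn=SSM_CORE_POLICY_ARN)
    try:
        iam.create_instance_profile(InstanceProfileName=role_name)
    except exists:
        pass
    profile = iam.get_instance_profile(InstanceProfileName=role_name)["InstanceProfile"]
    if not any(r["RoleName"] == role_name for r in profile["Roles"]):
        iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    return role_name


def launch_ssm_managed_instance(ec2, profile_name, ami_id, key_name, instance_type="t3.micro"):
    """Launch one instance with the profile attached; `ec2` is boto3.resource("ec2").

    A freshly created profile can take several seconds to become visible to EC2, so a
    retry on InvalidParameterValue may be needed right after ensure_ssm_instance_profile().
    """
    instances = ec2.create_instances(
        ImageId=ami_id,
        MinCount=1,
        MaxCount=1,
        InstanceType=instance_type,
        KeyName=key_name,
        IamInstanceProfile=instance_profile_param(name=profile_name),  # Name only, never Name+Arn
        TagSpecifications=[{"ResourceType": "instance",
                            "Tags": [{"Key": "department", "Value": "dev"}]}],
    )
    return instances[0].id  # create_instances() returns ec2.Instance objects


if __name__ == "__main__":
    import boto3  # only needed for the live calls
    iam, ec2 = boto3.client("iam"), boto3.resource("ec2")
    name = ensure_ssm_instance_profile(iam)
    print(launch_ssm_managed_instance(ec2, name, ami_id="ami-REPLACE-ME", key_name="ec2-key-pair"))
```

The ARN helpers can be exercised without AWS credentials; the role creation and launch need a configured boto3 session and an IAM principal allowed to create roles and pass them to EC2 (iam:PassRole on the role).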
