Amazon EC2 Systems Manager
User Guide

Method 1: Using AWS CloudFormation to Configure Roles for Automation

Automation requires an IAM instance profile role and a service role. The instance profile role gives Automation permission to perform actions on your instances, such as executing commands or starting and stopping services. The service role (also called an assume role) gives Automation permission to assume your IAM role and perform actions on your behalf. For example, the service role allows Automation to create a new Amazon Machine Image (AMI) when executing the aws:createImage action in an Automation document. You can create an IAM instance profile role and a service role for Systems Manager Automation from an AWS CloudFormation template, as described in this section.

After you create the instance profile role, you must assign it to any instance that you plan to configure using Automation. For information about how to assign the role to an existing instance, see Attaching an IAM Role to an Instance in the Amazon EC2 User Guide. For information about how to assign the role when you create a new instance, see Task 3: Create an Amazon EC2 Instance that Uses the Systems Manager Role.

Note

You can also use these roles and their Amazon Resource Names (ARNs) in Automation documents, such as the AWS-UpdateLinuxAmi document. Using these roles or their ARNs in Automation documents enables Automation to perform actions on your managed instances, launch new instances, and perform actions on your behalf. To view an example, see Automation CLI Walkthrough: Patch a Linux AMI.

Create the Instance Profile Role and Service Role Using AWS CloudFormation

Use the following procedure to create the required IAM roles for Systems Manager Automation by using AWS CloudFormation.

To create the required IAM roles

  1. On your local computer, open a text editor such as Notepad. Copy and paste the following AWS CloudFormation template into the text editor and save the file with a .yaml file extension (for example, automationsetup.yaml).

    Important

    Preserve the indentations of this sample template when you paste it into the text editor. YAML uses the indentations to distinguish between data layers.

    AWSTemplateFormatVersion: '2010-09-09'
    Description: AWS CloudFormation template IAM Roles for Systems Manager | Automation Service
    Resources:
      ManagedInstanceRole:
        Type: AWS::IAM::Role
        Properties:
          AssumeRolePolicyDocument:
            Version: '2012-10-17'
            Statement:
            - Effect: Allow
              Principal:
                Service:
                - ssm.amazonaws.com
                - ec2.amazonaws.com
              Action: sts:AssumeRole
          ManagedPolicyArns:
          - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
          Path: "/"
      ManagedInstanceProfile:
        Type: AWS::IAM::InstanceProfile
        Properties:
          Path: "/"
          Roles:
          - !Ref ManagedInstanceRole
      AutomationServiceRole:
        Type: AWS::IAM::Role
        Properties:
          AssumeRolePolicyDocument:
            Version: '2012-10-17'
            Statement:
            - Effect: Allow
              Principal:
                Service:
                - ssm.amazonaws.com
                - ec2.amazonaws.com
              Action: sts:AssumeRole
          ManagedPolicyArns:
          - arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole
          Path: "/"
          Policies:
          - PolicyName: passrole
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
              - Effect: Allow
                Action:
                - iam:PassRole
                Resource:
                - !GetAtt ManagedInstanceRole.Arn

  2. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation/.

  3. Choose Create Stack.

  4. On the Create Stack page, under Choose a template, choose Upload a template to Amazon S3.

  5. Choose Browse, and then choose the file you created in Step 1.

  6. Choose Next.

  7. On the Specify Details page, in the Stack Name field, type Automation, and then choose Next.

  8. On the Options page, you don’t need to make any selections. Choose Next.

  9. On the Review page, scroll down and choose the I acknowledge that AWS CloudFormation might create IAM resources option.

  10. Choose Create.

AWS CloudFormation shows the CREATE_IN_PROGRESS status for approximately three minutes. The status changes to CREATE_COMPLETE after the stack has been created and your roles are ready to use.
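The template above grants the service role iam:PassRole only on the ManagedInstanceRole it defines, and lets only the ssm.amazonaws.com and ec2.amazonaws.com service principals assume either role. The following audit script is an added example, not code from the AWS page: it embeds the step 1 template in its JSON form (CloudFormation accepts JSON or YAML, with !Ref written as {"Ref": ...} and !GetAtt as {"Fn::GetAtt": [...]}) and checks those two properties before you create the stack, flagging any trust principal outside the expected set and any PassRole grant that is not scoped to a role defined in the same template. The weakened_variant function is a constructed negative case that widens PassRole to "*" so you can see the check fail.

```python
"""Least-privilege audit of the Automation roles template (added example).

The step 1 template is embedded in its JSON form (CloudFormation accepts JSON
or YAML; `!Ref` becomes {"Ref": ...}, `!GetAtt` becomes {"Fn::GetAtt": [...]}),
so the check runs offline without a YAML library.
"""
import copy
import json

TRUST = {  # the trust policy both roles use in the page's template
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": ["ssm.amazonaws.com", "ec2.amazonaws.com"]},
                   "Action": "sts:AssumeRole"}],
}

TEMPLATE = {  # JSON transcription of the page's YAML template
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "AWS CloudFormation template IAM Roles for Systems Manager | Automation Service",
    "Resources": {
        "ManagedInstanceRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": TRUST,
                "ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"],
                "Path": "/"}},
        "ManagedInstanceProfile": {
            "Type": "AWS::IAM::InstanceProfile",
            "Properties": {"Path": "/", "Roles": [{"Ref": "ManagedInstanceRole"}]}},
        "AutomationServiceRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": TRUST,
                "ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"],
                "Path": "/",
                "Policies": [{
                    "PolicyName": "passrole",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow",
                                       "Action": ["iam:PassRole"],
                                       "Resource": [{"Fn::GetAtt": ["ManagedInstanceRole", "Arn"]}]}]}}]}},
    },
}

ALLOWED_PRINCIPALS = {"ssm.amazonaws.com", "ec2.amazonaws.com"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _scoped_to_template_role(resource, roles):
    """True if a Resource entry is !GetAtt <RoleDefinedInThisTemplate>.Arn."""
    return (isinstance(resource, dict) and "Fn::GetAtt" in resource
            and resource["Fn::GetAtt"][0] in roles and resource["Fn::GetAtt"][1] == "Arn")


def audit_template(template, allowed_principals=ALLOWED_PRINCIPALS):
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    resources = template.get("Resources", {})
    roles = {n: r for n, r in resources.items() if r.get("Type") == "AWS::IAM::Role"}
    for name, role in roles.items():
        props = role.get("Properties", {})
        # 1. Trust policy: only the expected AWS service principals may assume the role.
        for stmt in props.get("AssumeRolePolicyDocument", {}).get("Statement", []):
            services = set(_as_list(stmt.get("Principal", {}).get("Service", [])))
            extra = services - allowed_principals
            if stmt.get("Effect") == "Allow" and (extra or not services):
                findings.append(f"{name}: unexpected trust principal(s) "
                                f"{sorted(extra) if extra else 'none of type Service'}")
        # 2. Inline policies: a statement granting iam:PassRole must be scoped to a
        #    role defined in this template, never to "*" or an arbitrary ARN.
        for policy in props.get("Policies", []):
            for stmt in policy.get("PolicyDocument", {}).get("Statement", []):
                actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
                if stmt.get("Effect") != "Allow" or not actions & {"iam:passrole", "iam:*", "*"}:
                    continue
                for res in _as_list(stmt.get("Resource", [])):
                    if not _scoped_to_template_role(res, roles):
                        findings.append(f"{name}/{policy.get('PolicyName')}: iam:PassRole on "
                                        f"{json.dumps(res)} is not scoped to a role in this template")
    return findings


def weakened_variant(template):
    """Constructed negative case: the same template with PassRole widened to "*"."""
    weak = copy.deepcopy(template)
    policy = weak["Resources"]["AutomationServiceRole"]["Properties"]["Policies"][0]
    policy["PolicyDocument"]["Statement"][0]["Resource"] = "*"
    return weak


if __name__ == "__main__":
    print("page template:", audit_template(TEMPLATE) or "no findings")
    print("widened PassRole:", audit_template(weakened_variant(TEMPLATE)))
```

Run it as a pre-deployment check: a clean result confirms the stack will only ever let Automation pass the instance role you created here, which is the property that keeps the service role from being used to hand a more privileged role to an instance. If you add roles to the template later, extend ALLOWED_PRINCIPALS deliberately rather than loosening the check.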

Copying Role Information for Automation

Use the following procedure to copy the instance profile role and Automation service role from the AWS CloudFormation console. You must specify these roles when you run an Automation document, such as the AWS-UpdateLinuxAmi document.

To copy the role names

  1. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation/.

  2. Choose the check-box beside the Automation stack you created in the previous procedure.

  3. Choose the Resources tab.

  4. The Resources table includes three items in the Logical ID column: AutomationServiceRole, ManagedInstanceProfile, and ManagedInstanceRole.

  5. Copy the Physical ID for ManagedInstanceProfile. The physical ID will be similar to Automation-ManagedInstanceProfile-1a2b3c4. This is the name of your instance profile role.

  6. Paste the instance profile role into a text file to use later.

  7. Choose the Physical ID link for AutomationServiceRole. The IAM console opens to a summary of the Automation Service Role.

  8. Copy the Amazon Resource Name (ARN) beside Role ARN. The ARN is similar to the following: arn:aws:iam::12345678:role/Automation-AutomationServiceRole-1A2B3C4D5E

  9. Paste the ARN into a text file to use later.
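The console steps above map onto two API calls: the stack's resource list gives the physical IDs, and a role lookup gives the service role ARN. The function below is an added example, not code from the AWS page or from AWS: it takes response dicts shaped like boto3's cloudformation.describe_stack_resources() and iam.get_role() results, checks that every resource finished creating, and returns the two values you would otherwise copy by hand. The response data is a constructed sample (the 12-digit account ID is a placeholder) so the code runs offline; the boto3 calls in the comment are the assumed live equivalent.

```python
"""Extract the instance profile name and service role ARN (added example).

The dicts below are constructed samples in the shape of boto3's
describe_stack_resources() and get_role() responses, so this runs offline.
"""
import re

# Constructed sample: describe_stack_resources(StackName="Automation") result.
SAMPLE_STACK_RESOURCES = {
    "StackResources": [
        {"LogicalResourceId": "ManagedInstanceRole",
         "PhysicalResourceId": "Automation-ManagedInstanceRole-EXAMPLE1",
         "ResourceType": "AWS::IAM::Role", "ResourceStatus": "CREATE_COMPLETE"},
        {"LogicalResourceId": "ManagedInstanceProfile",
         "PhysicalResourceId": "Automation-ManagedInstanceProfile-1a2b3c4",
         "ResourceType": "AWS::IAM::InstanceProfile", "ResourceStatus": "CREATE_COMPLETE"},
        {"LogicalResourceId": "AutomationServiceRole",
         "PhysicalResourceId": "Automation-AutomationServiceRole-1A2B3C4D5E",
         "ResourceType": "AWS::IAM::Role", "ResourceStatus": "CREATE_COMPLETE"},
    ]
}

# Constructed sample: get_role(RoleName=...) result; 123456789012 is a placeholder account ID.
SAMPLE_GET_ROLE = {
    "Role": {
        "RoleName": "Automation-AutomationServiceRole-1A2B3C4D5E",
        "Arn": "arn:aws:iam::123456789012:role/Automation-AutomationServiceRole-1A2B3C4D5E",
    }
}

# Shape of an IAM role ARN: partition, 12-digit account, role path/name.
ROLE_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/[\w+=,.@/-]+$")


def automation_role_inputs(stack_resources, get_role):
    """Return {'instance_profile': name, 'service_role_arn': arn}.

    `get_role` is a callable that takes a role name and returns a get_role
    response, so live and offline callers share one code path.
    """
    by_id = {}
    for res in stack_resources["StackResources"]:
        # Physical IDs are only stable once the stack reports CREATE_COMPLETE.
        if res.get("ResourceStatus") != "CREATE_COMPLETE":
            raise RuntimeError(f"{res['LogicalResourceId']} is {res.get('ResourceStatus')}; wait for the stack")
        by_id[res["LogicalResourceId"]] = res
    profile = by_id["ManagedInstanceProfile"]
    if profile["ResourceType"] != "AWS::IAM::InstanceProfile":
        raise ValueError("ManagedInstanceProfile is not an instance profile")
    arn = get_role(by_id["AutomationServiceRole"]["PhysicalResourceId"])["Role"]["Arn"]
    if not ROLE_ARN_RE.match(arn):
        raise ValueError(f"unexpected role ARN: {arn}")
    return {"instance_profile": profile["PhysicalResourceId"], "service_role_arn": arn}


if __name__ == "__main__":
    # Assumed live equivalent (boto3, not run here):
    #   cfn, iam = boto3.client("cloudformation"), boto3.client("iam")
    #   automation_role_inputs(cfn.describe_stack_resources(StackName="Automation"),
    #                          lambda name: iam.get_role(RoleName=name))
    print(automation_role_inputs(SAMPLE_STACK_RESOURCES, lambda name: SAMPLE_GET_ROLE))
```

The status check matters because a stack that is still CREATE_IN_PROGRESS can list a resource before its physical ID is final; the ARN pattern check catches a copied value that was truncated or belongs to something other than a role before it ends up in an Automation document.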

You have finished configuring the required roles for Automation. You can now use the instance profile role and the Automation service role ARN in your Automation documents. For more information, see Automation Console Walkthrough: Patch a Linux AMI and Automation CLI Walkthrough: Patch a Linux AMI.