CreateAssociation - AWS Systems Manager


A State Manager association defines the state that you want to maintain on your instances. For example, an association can specify that anti-virus software must be installed and running on your instances, or that certain ports must be closed. For static targets, the association specifies a schedule for when the configuration is reapplied. For dynamic targets, such as an AWS Resource Group or an AWS Autoscaling Group, State Manager applies the configuration when new instances are added to the group. The association also specifies actions to take when applying the configuration. For example, an association for anti-virus software might run once a day. If the software is not installed, then State Manager installs it. If the software is installed, but the service is not running, then the association might instruct State Manager to start the service.

Request Syntax

{ "ApplyOnlyAtCronInterval": boolean, "AssociationName": "string", "AutomationTargetParameterName": "string", "ComplianceSeverity": "string", "DocumentVersion": "string", "InstanceId": "string", "MaxConcurrency": "string", "MaxErrors": "string", "Name": "string", "OutputLocation": { "S3Location": { "OutputS3BucketName": "string", "OutputS3KeyPrefix": "string", "OutputS3Region": "string" } }, "Parameters": { "string" : [ "string" ] }, "ScheduleExpression": "string", "SyncCompliance": "string", "TargetLocations": [ { "Accounts": [ "string" ], "ExecutionRoleName": "string", "Regions": [ "string" ], "TargetLocationMaxConcurrency": "string", "TargetLocationMaxErrors": "string" } ], "Targets": [ { "Key": "string", "Values": [ "string" ] } ] }

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.


By default, when you create a new associations, the system runs it immediately after it is created and then according to the schedule you specified. Specify this option if you don't want an association to run immediately after you create it. This parameter is not supported for rate expressions.

Type: Boolean

Required: No


Specify a descriptive name for the association.

Type: String

Pattern: ^[a-zA-Z0-9_\-.]{3,128}$

Required: No


Specify the target for the association. This target is required for associations that use an Automation document and target resources by using rate controls.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 50.

Required: No


The severity level to assign to the association.

Type: String


Required: No


The document version you want to associate with the target(s). Can be a specific version or the default version.

Type: String

Pattern: ([$]LATEST|[$]DEFAULT|^[1-9][0-9]*$)

Required: No


The instance ID.


InstanceId has been deprecated. To specify an instance ID for an association, use the Targets parameter. Requests that include the parameter InstanceID with SSM documents that use schema version 2.0 or later will fail. In addition, if you use the parameter InstanceId, you cannot use the parameters AssociationName, DocumentVersion, MaxErrors, MaxConcurrency, OutputLocation, or ScheduleExpression. To use these parameters, you must use the Targets parameter.

Type: String

Pattern: (^i-(\w{8}|\w{17})$)|(^mi-\w{17}$)

Required: No


The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.

If a new instance starts and attempts to run an association while Systems Manager is running MaxConcurrency associations, the association is allowed to run. During the next association interval, the new instance will process its association within the limit specified for MaxConcurrency.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 7.

Pattern: ^([1-9][0-9]*|[1-9][0-9]%|[1-9]%|100%)$

Required: No


The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 instances and set MaxError to 10%, then the system stops sending the request when the sixth error is received.

Executions that are already running an association when MaxErrors is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set MaxConcurrency to 1 so that executions proceed one at a time.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 7.

Pattern: ^([1-9][0-9]*|[0]|[1-9][0-9]%|[0-9]%|100%)$

Required: No


The name of the SSM document that contains the configuration information for the instance. You can specify Command or Automation documents.

You can specify AWS-predefined documents, documents you created, or a document that is shared with you from another account.

For SSM documents that are shared with you from other AWS accounts, you must specify the complete SSM document ARN, in the following format:


For example:


For AWS-predefined documents and SSM documents you created in your account, you only need to specify the document name. For example, AWS-ApplyPatchBaseline or My-Document.

Type: String

Pattern: ^[a-zA-Z0-9_\-.:/]{3,128}$

Required: Yes


An S3 bucket where you want to store the output details of the request.

Type: InstanceAssociationOutputLocation object

Required: No


The parameters for the runtime configuration of the document.

Type: String to array of strings map

Required: No


A cron expression when the association will be applied to the target(s).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Required: No


The mode for generating association compliance. You can specify AUTO or MANUAL. In AUTO mode, the system uses the status of the association execution to determine the compliance status. If the association execution runs successfully, then the association is COMPLIANT. If the association execution doesn't run successfully, the association is NON-COMPLIANT.

In MANUAL mode, you must specify the AssociationId as a parameter for the PutComplianceItems API action. In this case, compliance data is not managed by State Manager. It is managed by your direct call to the PutComplianceItems API action.

By default, all associations use AUTO mode.

Type: String

Valid Values: AUTO | MANUAL

Required: No


A location is a combination of AWS Regions and AWS accounts where you want to run the association. Use this action to create an association in multiple Regions and multiple accounts.

Type: Array of TargetLocation objects

Array Members: Minimum number of 1 item. Maximum number of 100 items.

Required: No


The targets for the association. You can target instances by using tags, AWS Resource Groups, all instances in an AWS account, or individual instance IDs. For more information about choosing targets for an association, see Using targets and rate controls with State Manager associations in the AWS Systems Manager User Guide.

Type: Array of Target objects

Array Members: Minimum number of 0 items. Maximum number of 5 items.

Required: No

Response Syntax

{ "AssociationDescription": { "ApplyOnlyAtCronInterval": boolean, "AssociationId": "string", "AssociationName": "string", "AssociationVersion": "string", "AutomationTargetParameterName": "string", "ComplianceSeverity": "string", "Date": number, "DocumentVersion": "string", "InstanceId": "string", "LastExecutionDate": number, "LastSuccessfulExecutionDate": number, "LastUpdateAssociationDate": number, "MaxConcurrency": "string", "MaxErrors": "string", "Name": "string", "OutputLocation": { "S3Location": { "OutputS3BucketName": "string", "OutputS3KeyPrefix": "string", "OutputS3Region": "string" } }, "Overview": { "AssociationStatusAggregatedCount": { "string" : number }, "DetailedStatus": "string", "Status": "string" }, "Parameters": { "string" : [ "string" ] }, "ScheduleExpression": "string", "Status": { "AdditionalInfo": "string", "Date": number, "Message": "string", "Name": "string" }, "SyncCompliance": "string", "TargetLocations": [ { "Accounts": [ "string" ], "ExecutionRoleName": "string", "Regions": [ "string" ], "TargetLocationMaxConcurrency": "string", "TargetLocationMaxErrors": "string" } ], "Targets": [ { "Key": "string", "Values": [ "string" ] } ] } }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.


Information about the association.

Type: AssociationDescription object


For information about the errors that are common to all actions, see Common Errors.


The specified association already exists.

HTTP Status Code: 400


You can have at most 2,000 active associations.

HTTP Status Code: 400


An error occurred on the server side.

HTTP Status Code: 500


The specified document does not exist.

HTTP Status Code: 400


The document version is not valid or does not exist.

HTTP Status Code: 400


The following problems can cause this exception:

You do not have permission to access the instance.

SSM Agent is not running. Verify that SSM Agent is running.

SSM Agent is not registered with the SSM endpoint. Try reinstalling SSM Agent.

The instance is not in valid state. Valid states are: Running, Pending, Stopped, Stopping. Invalid states are: Shutting-down and Terminated.

HTTP Status Code: 400


The output location is not valid or does not exist.

HTTP Status Code: 400


You must specify values for all required parameters in the Systems Manager document. You can only supply values to parameters defined in the Systems Manager document.

HTTP Status Code: 400


The schedule is invalid. Verify your cron or rate expression and try again.

HTTP Status Code: 400


The target is not valid or does not exist. It might not be configured for Systems Manager or you might not have permission to perform the operation.

HTTP Status Code: 400


The document does not support the platform type of the given instance ID(s). For example, you sent an document for a Windows instance to a Linux instance.

HTTP Status Code: 400



This example illustrates one usage of CreateAssociation.

Sample Request

POST / HTTP/1.1 Host: Accept-Encoding: identity X-Amz-Target: AmazonSSM.CreateAssociation Content-Type: application/x-amz-json-1.1 User-Agent: aws-cli/1.17.12 Python/3.6.8 Darwin/18.7.0 botocore/1.14.12 X-Amz-Date: 20200324T140427Z Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20200324/us-east-2/ssm/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-target, Signature=39c3b3042cd2aEXAMPLE Content-Length: 67 { "Name":"AWS-UpdateSSMAgent", "InstanceId":"i-02573cafcfEXAMPLE" }

Sample Response

{ "AssociationDescription":{ "ApplyOnlyAtCronInterval":false, "AssociationId":"f7d193fe-7722-4f2b-ac53-d8736EXAMPLE", "AssociationVersion":"1", "Date":1.585058668255E9, "DocumentVersion":"$DEFAULT", "InstanceId":"i-02573cafcfEXAMPLE", "LastUpdateAssociationDate":1.585058668255E9, "Name":"AWS-UpdateSSMAgent", "Overview":{ "DetailedStatus":"Creating", "Status":"Pending" }, "Status":{ "Date":1.585058668255E9, "Message":"Associated with AWS-UpdateSSMAgent", "Name":"Associated" }, "Targets":[ { "Key":"InstanceIds", "Values":[ "i-02573cafcfEXAMPLE" ] } ] } }

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: