CreateAssociation
A State Manager association defines the state that you want to maintain on your managed nodes. For example, an association can specify that anti-virus software must be installed and running on your managed nodes, or that certain ports must be closed. For static targets, the association specifies a schedule for when the configuration is reapplied. For dynamic targets, such as an AWS resource group or an AWS autoscaling group, State Manager, a capability of AWS Systems Manager applies the configuration when new managed nodes are added to the group. The association also specifies actions to take when applying the configuration. For example, an association for anti-virus software might run once a day. If the software isn't installed, then State Manager installs it. If the software is installed, but the service isn't running, then the association might instruct State Manager to start the service.
Request Syntax
{
"AlarmConfiguration": {
"Alarms": [
{
"Name": "string
"
}
],
"IgnorePollAlarmFailure": boolean
},
"ApplyOnlyAtCronInterval": boolean
,
"AssociationName": "string
",
"AutomationTargetParameterName": "string
",
"CalendarNames": [ "string
" ],
"ComplianceSeverity": "string
",
"DocumentVersion": "string
",
"Duration": number
,
"InstanceId": "string
",
"MaxConcurrency": "string
",
"MaxErrors": "string
",
"Name": "string
",
"OutputLocation": {
"S3Location": {
"OutputS3BucketName": "string
",
"OutputS3KeyPrefix": "string
",
"OutputS3Region": "string
"
}
},
"Parameters": {
"string
" : [ "string
" ]
},
"ScheduleExpression": "string
",
"ScheduleOffset": number
,
"SyncCompliance": "string
",
"Tags": [
{
"Key": "string
",
"Value": "string
"
}
],
"TargetLocations": [
{
"Accounts": [ "string
" ],
"ExcludeAccounts": [ "string
" ],
"ExecutionRoleName": "string
",
"IncludeChildOrganizationUnits": boolean
,
"Regions": [ "string
" ],
"TargetLocationAlarmConfiguration": {
"Alarms": [
{
"Name": "string
"
}
],
"IgnorePollAlarmFailure": boolean
},
"TargetLocationMaxConcurrency": "string
",
"TargetLocationMaxErrors": "string
",
"Targets": [
{
"Key": "string
",
"Values": [ "string
" ]
}
],
"TargetsMaxConcurrency": "string
",
"TargetsMaxErrors": "string
"
}
],
"TargetMaps": [
{
"string
" : [ "string
" ]
}
],
"Targets": [
{
"Key": "string
",
"Values": [ "string
" ]
}
]
}
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
- AlarmConfiguration
-
The details for the CloudWatch alarm you want to apply to an automation or command.
Type: AlarmConfiguration object
Required: No
- ApplyOnlyAtCronInterval
-
By default, when you create a new association, the system runs it immediately after it is created and then according to the schedule you specified. Specify this option if you don't want an association to run immediately after you create it. This parameter isn't supported for rate expressions.
Type: Boolean
Required: No
- AssociationName
-
Specify a descriptive name for the association.
Type: String
Pattern:
^[a-zA-Z0-9_\-.]{3,128}$
Required: No
- AutomationTargetParameterName
-
Choose the parameter that will define how your automation will branch out. This target is required for associations that use an Automation runbook and target resources by using rate controls. Automation is a capability of AWS Systems Manager.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 50.
Required: No
- CalendarNames
-
The names or Amazon Resource Names (ARNs) of the Change Calendar type documents you want to gate your associations under. The associations only run when that change calendar is open. For more information, see AWS Systems Manager Change Calendar.
Type: Array of strings
Required: No
- ComplianceSeverity
-
The severity level to assign to the association.
Type: String
Valid Values:
CRITICAL | HIGH | MEDIUM | LOW | UNSPECIFIED
Required: No
- DocumentVersion
-
The document version you want to associate with the targets. Can be a specific version or the default version.
Important
State Manager doesn't support running associations that use a new version of a document if that document is shared from another account. State Manager always runs the
default
version of a document if shared from another account, even though the Systems Manager console shows that a new version was processed. If you want to run an association using a new version of a document shared form another account, you must set the document version todefault
.Type: String
Pattern:
([$]LATEST|[$]DEFAULT|^[1-9][0-9]*$)
Required: No
- Duration
-
The number of hours the association can run before it is canceled. Duration applies to associations that are currently running, and any pending and in progress commands on all targets. If a target was taken offline for the association to run, it is made available again immediately, without a reboot.
The
Duration
parameter applies only when both these conditions are true:-
The association for which you specify a duration is cancelable according to the parameters of the SSM command document or Automation runbook associated with this execution.
-
The command specifies the
ApplyOnlyAtCronInterval
parameter, which means that the association doesn't run immediately after it is created, but only according to the specified schedule.
Type: Integer
Valid Range: Minimum value of 1. Maximum value of 24.
Required: No
-
- InstanceId
-
The managed node ID.
Note
InstanceId
has been deprecated. To specify a managed node ID for an association, use theTargets
parameter. Requests that include the parameterInstanceID
with Systems Manager documents (SSM documents) that use schema version 2.0 or later will fail. In addition, if you use the parameterInstanceId
, you can't use the parametersAssociationName
,DocumentVersion
,MaxErrors
,MaxConcurrency
,OutputLocation
, orScheduleExpression
. To use these parameters, you must use theTargets
parameter.Type: String
Pattern:
(^i-(\w{8}|\w{17})$)|(^mi-\w{17}$)
Required: No
- MaxConcurrency
-
The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.
If a new managed node starts and attempts to run an association while Systems Manager is running
MaxConcurrency
associations, the association is allowed to run. During the next association interval, the new managed node will process its association within the limit specified forMaxConcurrency
.Type: String
Length Constraints: Minimum length of 1. Maximum length of 7.
Pattern:
^([1-9][0-9]*|[1-9][0-9]%|[1-9]%|100%)$
Required: No
- MaxErrors
-
The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 managed nodes and set
MaxError
to 10%, then the system stops sending the request when the sixth error is received.Executions that are already running an association when
MaxErrors
is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, setMaxConcurrency
to 1 so that executions proceed one at a time.Type: String
Length Constraints: Minimum length of 1. Maximum length of 7.
Pattern:
^([1-9][0-9]*|[0]|[1-9][0-9]%|[0-9]%|100%)$
Required: No
- Name
-
The name of the SSM Command document or Automation runbook that contains the configuration information for the managed node.
You can specify AWS-predefined documents, documents you created, or a document that is shared with you from another AWS account.
For Systems Manager documents (SSM documents) that are shared with you from other AWS accounts, you must specify the complete SSM document ARN, in the following format:
arn:partition:ssm:region:account-id:document/document-name
For example:
arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document
For AWS-predefined documents and SSM documents you created in your account, you only need to specify the document name. For example,
AWS-ApplyPatchBaseline
orMy-Document
.Type: String
Pattern:
^[a-zA-Z0-9_\-.:/]{3,128}$
Required: Yes
- OutputLocation
-
An Amazon Simple Storage Service (Amazon S3) bucket where you want to store the output details of the request.
Type: InstanceAssociationOutputLocation object
Required: No
- Parameters
-
The parameters for the runtime configuration of the document.
Type: String to array of strings map
Required: No
- ScheduleExpression
-
A cron expression when the association will be applied to the targets.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 256.
Required: No
- ScheduleOffset
-
Number of days to wait after the scheduled day to run an association. For example, if you specified a cron schedule of
cron(0 0 ? * THU#2 *)
, you could specify an offset of 3 to run the association each Sunday after the second Thursday of the month. For more information about cron schedules for associations, see Reference: Cron and rate expressions for Systems Manager in the AWS Systems Manager User Guide.Note
To use offsets, you must specify the
ApplyOnlyAtCronInterval
parameter. This option tells the system not to run an association immediately after you create it.Type: Integer
Valid Range: Minimum value of 1. Maximum value of 6.
Required: No
- SyncCompliance
-
The mode for generating association compliance. You can specify
AUTO
orMANUAL
. InAUTO
mode, the system uses the status of the association execution to determine the compliance status. If the association execution runs successfully, then the association isCOMPLIANT
. If the association execution doesn't run successfully, the association isNON-COMPLIANT
.In
MANUAL
mode, you must specify theAssociationId
as a parameter for the PutComplianceItems API operation. In this case, compliance data isn't managed by State Manager. It is managed by your direct call to the PutComplianceItems API operation.By default, all associations use
AUTO
mode.Type: String
Valid Values:
AUTO | MANUAL
Required: No
- Tags
-
Adds or overwrites one or more tags for a State Manager association. Tags are metadata that you can assign to your AWS resources. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. Each tag consists of a key and an optional value, both of which you define.
Type: Array of Tag objects
Array Members: Maximum number of 1000 items.
Required: No
- TargetLocations
-
A location is a combination of AWS Regions and AWS accounts where you want to run the association. Use this action to create an association in multiple Regions and multiple accounts.
Type: Array of TargetLocation objects
Array Members: Minimum number of 1 item. Maximum number of 100 items.
Required: No
- TargetMaps
-
A key-value mapping of document parameters to target resources. Both Targets and TargetMaps can't be specified together.
Type: Array of string to array of strings maps
Array Members: Minimum number of 0 items. Maximum number of 300 items.
Map Entries: Maximum number of 20 items.
Key Length Constraints: Minimum length of 1. Maximum length of 50.
Array Members: Minimum number of 0 items. Maximum number of 25 items.
Length Constraints: Minimum length of 1. Maximum length of 50.
Required: No
- Targets
-
The targets for the association. You can target managed nodes by using tags, AWS resource groups, all managed nodes in an AWS account, or individual managed node IDs. You can target all managed nodes in an AWS account by specifying the
InstanceIds
key with a value of*
. For more information about choosing targets for an association, see Understanding targets and rate controls in State Manager associations in the AWS Systems Manager User Guide.Type: Array of Target objects
Array Members: Minimum number of 0 items. Maximum number of 5 items.
Required: No
Response Syntax
{
"AssociationDescription": {
"AlarmConfiguration": {
"Alarms": [
{
"Name": "string"
}
],
"IgnorePollAlarmFailure": boolean
},
"ApplyOnlyAtCronInterval": boolean,
"AssociationId": "string",
"AssociationName": "string",
"AssociationVersion": "string",
"AutomationTargetParameterName": "string",
"CalendarNames": [ "string" ],
"ComplianceSeverity": "string",
"Date": number,
"DocumentVersion": "string",
"Duration": number,
"InstanceId": "string",
"LastExecutionDate": number,
"LastSuccessfulExecutionDate": number,
"LastUpdateAssociationDate": number,
"MaxConcurrency": "string",
"MaxErrors": "string",
"Name": "string",
"OutputLocation": {
"S3Location": {
"OutputS3BucketName": "string",
"OutputS3KeyPrefix": "string",
"OutputS3Region": "string"
}
},
"Overview": {
"AssociationStatusAggregatedCount": {
"string" : number
},
"DetailedStatus": "string",
"Status": "string"
},
"Parameters": {
"string" : [ "string" ]
},
"ScheduleExpression": "string",
"ScheduleOffset": number,
"Status": {
"AdditionalInfo": "string",
"Date": number,
"Message": "string",
"Name": "string"
},
"SyncCompliance": "string",
"TargetLocations": [
{
"Accounts": [ "string" ],
"ExcludeAccounts": [ "string" ],
"ExecutionRoleName": "string",
"IncludeChildOrganizationUnits": boolean,
"Regions": [ "string" ],
"TargetLocationAlarmConfiguration": {
"Alarms": [
{
"Name": "string"
}
],
"IgnorePollAlarmFailure": boolean
},
"TargetLocationMaxConcurrency": "string",
"TargetLocationMaxErrors": "string",
"Targets": [
{
"Key": "string",
"Values": [ "string" ]
}
],
"TargetsMaxConcurrency": "string",
"TargetsMaxErrors": "string"
}
],
"TargetMaps": [
{
"string" : [ "string" ]
}
],
"Targets": [
{
"Key": "string",
"Values": [ "string" ]
}
],
"TriggeredAlarms": [
{
"Name": "string",
"State": "string"
}
]
}
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- AssociationDescription
-
Information about the association.
Type: AssociationDescription object
Errors
For information about the errors that are common to all actions, see Common Errors.
- AssociationAlreadyExists
-
The specified association already exists.
HTTP Status Code: 400
- AssociationLimitExceeded
-
You can have at most 2,000 active associations.
HTTP Status Code: 400
- InternalServerError
-
An error occurred on the server side.
HTTP Status Code: 500
- InvalidDocument
-
The specified SSM document doesn't exist.
HTTP Status Code: 400
- InvalidDocumentVersion
-
The document version isn't valid or doesn't exist.
HTTP Status Code: 400
- InvalidInstanceId
-
The following problems can cause this exception:
-
You don't have permission to access the managed node.
-
AWS Systems Manager Agent (SSM Agent) isn't running. Verify that SSM Agent is running.
-
SSM Agent isn't registered with the SSM endpoint. Try reinstalling SSM Agent.
-
The managed node isn't in a valid state. Valid states are:
Running
,Pending
,Stopped
, andStopping
. Invalid states are:Shutting-down
andTerminated
.
HTTP Status Code: 400
-
- InvalidOutputLocation
-
The output location isn't valid or doesn't exist.
HTTP Status Code: 400
- InvalidParameters
-
You must specify values for all required parameters in the AWS Systems Manager document (SSM document). You can only supply values to parameters defined in the SSM document.
HTTP Status Code: 400
- InvalidSchedule
-
The schedule is invalid. Verify your cron or rate expression and try again.
HTTP Status Code: 400
- InvalidTag
-
The specified tag key or value isn't valid.
HTTP Status Code: 400
- InvalidTarget
-
The target isn't valid or doesn't exist. It might not be configured for Systems Manager or you might not have permission to perform the operation.
HTTP Status Code: 400
- InvalidTargetMaps
-
TargetMap parameter isn't valid.
HTTP Status Code: 400
- UnsupportedPlatformType
-
The document doesn't support the platform type of the given managed node IDs. For example, you sent an document for a Windows managed node to a Linux node.
HTTP Status Code: 400
Examples
Example
This example illustrates one usage of CreateAssociation.
Sample Request
POST / HTTP/1.1
Host: ssm.us-east-2.amazonaws.com
Accept-Encoding: identity
X-Amz-Target: AmazonSSM.CreateAssociation
Content-Type: application/x-amz-json-1.1
User-Agent: aws-cli/1.17.12 Python/3.6.8 Darwin/18.7.0 botocore/1.14.12
X-Amz-Date: 20240324T140427Z
Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20240324/us-east-2/ssm/aws4_request,
SignedHeaders=content-type;host;x-amz-date;x-amz-target, Signature=39c3b3042cd2aEXAMPLE
Content-Length: 67
{
"Name": "AWS-UpdateSSMAgent",
"InstanceId": "i-02573cafcfEXAMPLE"
}
Sample Response
{
"AssociationDescription": {
"ApplyOnlyAtCronInterval": false,
"AssociationId": "f7d193fe-7722-4f2b-ac53-d8736EXAMPLE",
"AssociationVersion": "1",
"Date": 1585058668.255,
"DocumentVersion": "$DEFAULT",
"InstanceId": "i-02573cafcfEXAMPLE",
"LastUpdateAssociationDate": 1585058668.255,
"Name": "AWS-UpdateSSMAgent",
"Overview": {
"DetailedStatus": "Creating",
"Status": "Pending"
},
"Status": {
"Date": 1585058668.255,
"Message": "Associated with AWS-UpdateSSMAgent",
"Name": "Associated"
},
"Targets": [
{
"Key": "InstanceIds",
"Values": [
"i-02573cafcfEXAMPLE"
]
}
]
}
}
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: