AWS SSM Run Command Task - AWS Toolkit for Microsoft Azure DevOps

AWS SSM Run Command Task

(AWS Systems Manager Run Command Task)

Synopsis

Runs a Systems Manager or user-provided Command on a fleet of EC2 instances. Commands can also target on-premises machines if the required Systems Manager agent is installed.

Description

This task runs a Systems Manager Command, or a user-provided Command, on a fleet of EC2 instances. On-premises machines can also be targets if the required Systems Manager agent is installed. The command to run is identified by name. The targets on which the command will be run are identified using either instance IDs or tags. Parameters specific to the selected Command can also be specified.

Parameters

You can set the following parameters for the task. Required parameters are noted by an asterisk (*). Other parameters are optional.

Display name*

The default name of the task instance, which can be modified: Systems Manager Get Parameter

AWS Credentials

Specifies the AWS credentials to be used by the task in the build agent environment.

You can specify credentials using a service endpoint (of type AWS) in the task configuration, or you can leave them unspecified. If unspecified, the task will attempt to obtain credentials from the following sources, in order:

  • From task variables named AWS.AccessKeyID, AWS.SecretAccessKey and optionally AWS.SessionToken.

  • From credentials set in environment variables in the build agent process. When using environment variables in the build agent process you may use the standard AWS environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and optionally AWS_SESSION_TOKEN.

  • If the build agent is running on an Amazon EC2 instance, from the instance metadata associated with the EC2 instance. For credentials to be available from EC2 instance metadata the instance must have been started with an instance profile referencing a role granting permissions to the task to make calls to AWS on your behalf. For more information, see Using an IAM role to grant permissions to applications running on Amazon EC2 instances.

AWS Region

The AWS Region code (for example, us-east-1, us-west-2) of the Region containing the AWS resources the task will use or create. For more information, see Regions and endpoints in the Amazon Web Services General Reference.

If a Region is not specified in the task configuration the task will attempt to obtain the Region to be used using the standard AWS environment variable AWS_REGION in the build agent process's environment. Tasks running in build agents hosted on Amazon EC2 instances (Windows or Linux) will also attempt to obtain the Region using the instance metadata associated with the EC2 instance if no Region is configured on the task or set in the environment variable.

Note: The Regions listed in the picker are those known at the time this software was released. New Regions that are not listed may still be used by entering the region code of the Region (for example, us-west-2).

Document Name*

The name of the Systems Manager document to execute. This can be a public document or a custom document private to your account and to which the credentials supplied to the task have access.

Parameters

The required and optional parameters for the document to be executed, specified as JSON. Refer to the specific command to be run for details.

Example format: { "parameter1" : [ "value" ], "parameter2" : [ "value","value2" ] }

Comment

User-specified information about the command, such as a brief description of what the command should do. Maximum length 100 characters.

Service Role ARN

The Amazon Resource Name (ARN) or name of the IAM role Systems Manager uses to send notifications. If the name of a role is supplied the task will automatically determine the ARN.

Select Targets by*

Sets how the list of instances to be targeted is specified. You can supply a list of instance IDs, supply tags (as key=value pairs) as search criteria, or supply the instance IDs using the name of a build variable. The value of the build variable should be a comma-delimited list of IDs.

Instance IDs

The instance IDs where the command should execute.

You can specify a maximum of 50 IDs, one per line. For more information about how to use Targets, see Sending Commands to a Fleet.

This parameter is required if Select Targets by is set to Manually select instances.

Tags

A list of tags that targets instances using a Key=Value combination that you specify, one per line. For more information about how to use Targets, see Sending Commands to a Fleet.

This parameter is required if Select Targets by is set to From tags.

Variable Name

The name of the build variable containing the list of instance IDs to target, as a comma delimited list.

Note: Specify just the variable name; do not enclose it in $() syntax.

This parameter is required if Select Targets by is set to Build variable name.

Execution Concurrency

The maximum number of instances that are allowed to execute the command at the same time. You can specify a number such as 10 or a percentage such as 10%. The default value is 50.

For more information about how to use MaxConcurrency, see Using Concurrency Controls.

Max Errors Before Stop

The maximum number of errors allowed without the command failing. When the command fails one more time beyond the value of MaxErrors, the system stops sending the command to additional targets. You can specify a number like 10 or a percentage like 10%. The default value is 50.

For more information about how to use MaxErrors, see Using Error Controls.

Timeout (seconds)

If this time is reached and the command has not already started executing, it will not execute.

Minimum value of 30, maximum value of 2592000. Default value: 600.
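
A pre-flight check for the inputs described above, as an added example that is not part of the toolkit or the original page: it validates the Parameters JSON shape and the stated limits for Comment, Instance IDs, Execution Concurrency, Max Errors Before Stop and Timeout before a pipeline run is queued. The function name and message strings are hypothetical.

```python
import json
import re

# Limits and formats as stated on this page.
MAX_COMMENT_LEN = 100
MAX_INSTANCE_IDS = 50
TIMEOUT_MIN, TIMEOUT_MAX = 30, 2592000
# A plain number such as "10" or a percentage such as "10%".
COUNT_OR_PERCENT = re.compile(r"\d+|(?:100|[1-9]?\d)%")


def check_run_command_inputs(parameters_json="", comment="", instance_ids=(),
                             concurrency="50", max_errors="50", timeout=600):
    """Return a list of problems found in the task inputs (empty if none)."""
    problems = []

    # Parameters: a JSON object mapping each name to a list of string values.
    try:
        params = json.loads(parameters_json) if parameters_json.strip() else {}
    except json.JSONDecodeError as exc:
        problems.append(f"Parameters is not valid JSON: {exc.msg}")
        params = {}
    if not isinstance(params, dict):
        problems.append("Parameters must be a JSON object")
        params = {}
    for name, values in params.items():
        # A bare string instead of a one-element list is the usual mistake.
        if not (isinstance(values, list)
                and all(isinstance(v, str) for v in values)):
            problems.append(f"Parameters[{name!r}] must be a list of strings")

    if len(comment) > MAX_COMMENT_LEN:
        problems.append(f"Comment exceeds {MAX_COMMENT_LEN} characters")
    if len(instance_ids) > MAX_INSTANCE_IDS:
        problems.append(f"More than {MAX_INSTANCE_IDS} instance IDs")
    for label, value in (("Execution Concurrency", concurrency),
                         ("Max Errors Before Stop", max_errors)):
        if not COUNT_OR_PERCENT.fullmatch(value):
            problems.append(f"{label} must be a number or a percentage")
    if not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
        problems.append(
            f"Timeout must be between {TIMEOUT_MIN} and {TIMEOUT_MAX} seconds")
    return problems
```
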

Notification ARN

An Amazon Resource Name (ARN) for an Amazon SNS (SNS) topic. Run Command pushes notifications about command status changes to this topic.

Notification Events

The different events for which you can receive notifications. For more information, see Setting Up Events and Notifications.

Notification Type

  • Command: Receive notification when the status of a command changes.

  • Invocation: For commands sent to multiple instances, receive notification on a per-instance basis when the status of a command changes.

S3 Bucket Name

The name of the Amazon S3 bucket where command execution responses should be stored.

S3 Key Prefix

The key prefix (folder structure) within the S3 bucket where the S3 objects containing the responses should be stored.

Command ID Output Variable

The name of a variable that will contain the unique ID assigned to the command. The command ID can be used in future references to the request.

Task Permissions

This task requires permissions to call the following AWS service APIs (depending on selected task options, not all APIs may be used):

  • ssm:SendCommand