
I am trying to activate an AWS EC2 instance in SSM manager using the boto3 API call; however, it's failing with a regex error.

An issue has already been raised at https://github.com/aws/aws-sdk-js/issues/2748 but no proper solution was found.

response = client.create_activation(DefaultInstanceName='my-instance-name', 
                                   IamRole='arn:aws:iam::xxxxxxx:role/my-role-name')

Traceback (most recent call last):
  File "", line 1, in
  File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 320, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 623, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (ValidationException) when calling the CreateActivation operation: 1 validation error detected: Value 'arn:aws:iam::xxxxxxxx:role/my-role-name' at 'iamRole' failed to satisfy constraint: Member must satisfy regular expression pattern: ^[\p{L}\p{N}+=,.@-_/]*$

Though I have copied the IAM Role ARN.

I would really appreciate it if anybody has a solution for this.

Matus Dubrava
vini

1 Answer


The IamRole parameter expects the name of the role, not the ARN. You should replace arn:aws:iam::xxxxxxx:role/my-role-name with my-role-name.

import boto3
client = boto3.client('ssm')
response = client.create_activation(DefaultInstanceName='my-instance-name',
                                    IamRole='my-role-name')
Matus Dubrava
  • I tried this before posting this question; however, no luck. Below is the output for you. return self._make_api_call(operation_name, kwargs) File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 623, in _make_api_call raise error_class(parsed_response, operation_name) botocore.exceptions.ClientError: An error occurred (ValidationException) when calling the reateActivation operation: Not existing role: arn:aws:iam::xxxxxxx:role/my-role-name. – vini Aug 12 '19 at 10:33
  • Are you sure that your role name is correct and that there is a proper trust relationship configured between your role and the service? Note that if there is no trust between them then it will not work. – Matus Dubrava Aug 12 '19 at 11:48
  • Could you please elaborate on your suggestion or share any links on where I could configure the trust relationship, as I haven't come across this in the AWS docs. – vini Aug 12 '19 at 15:56
  • Go to IAM service -> roles -> select the role that you are referencing -> select trust relationship tab -> see trusted entities -> ssm service should be trusted. Also see https://docs.aws.amazon.com/directoryservice/latest/admin-guide/edit_trust.html – Matus Dubrava Aug 12 '19 at 16:24
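
Added example, not part of the original answer or comments: a pre-flight check that combines the two points above, reducing a role ARN to the bare role name and confirming that the role's trust policy allows ssm.amazonaws.com to assume it before CreateActivation is called. The helper names and the sample policies are assumptions constructed for illustration.

```python
import json

SSM_PRINCIPAL = "ssm.amazonaws.com"

def role_name_from_arn(value):
    """Return the bare role name for a role name or an IAM role ARN."""
    if not value.startswith("arn:"):
        return value
    parts = value.split(":", 5)  # arn:partition:iam::account-id:role/[path/]name
    if len(parts) != 6 or parts[2] != "iam" or not parts[5].startswith("role/"):
        raise ValueError("not an IAM role ARN: %r" % value)
    return parts[5].rsplit("/", 1)[1]

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trusts_ssm(policy):
    """True if an Allow statement lets ssm.amazonaws.com assume the role.
    Condition blocks and Deny statements are not evaluated here."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if (stmt.get("Effect") == "Allow" and SSM_PRINCIPAL in services
                and any(a in ("sts:assumerole", "sts:*", "*") for a in actions)):
            return True
    return False

def create_activation_checked(role, instance_name):
    """Check the trust relationship, then call CreateActivation (needs boto3 and credentials)."""
    import boto3
    name = role_name_from_arn(role)
    doc = boto3.client("iam").get_role(RoleName=name)["Role"]["AssumeRolePolicyDocument"]
    if not trusts_ssm(doc):
        raise RuntimeError("role %s does not trust %s" % (name, SSM_PRINCIPAL))
    return boto3.client("ssm").create_activation(DefaultInstanceName=instance_name, IamRole=name)

# Constructed sample trust policies (not taken from the question).
SAMPLE_TRUSTED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ssm.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
SAMPLE_EC2_ONLY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]}, "Action": ["sts:AssumeRole"]}}
```

The ARN fails the pattern in the error message because of its colons, which the character class does not include; the bare role name passes it.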