
I am using CloudFormation to deploy EC2 instances into different VPCs. Using CloudFormation I created a role and role profile and attached it to the EC2 instance [Role in question is AmazonEC2RoleforSSM]. Yet I am unable to connect to EC2 using the same. Here is the CloudFormation code:

AWSTemplateFormatVersion: 2010-09-09
Description: Test and Dev Environment

Resources:
  VPCdev:
    Type: "AWS::EC2::VPC"
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: VPCdev
  VPCtest:
    Type: "AWS::EC2::VPC"
    Properties:
      CidrBlock: 192.168.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: VPCtest
  SubnetDev:
    Type: "AWS::EC2::Subnet"
    Properties:
      AvailabilityZone: !Select [0, !GetAZs '']
      CidrBlock: 10.0.1.0/24
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: SubnetDev
      VpcId: !Ref VPCdev
  SubnetTest:
    Type: "AWS::EC2::Subnet"
    Properties:
      AvailabilityZone: !Select [0, !GetAZs '']
      CidrBlock: 192.168.1.0/24
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: Subnettest
      VpcId: !Ref VPCtest
  IGWdev:
    Type: "AWS::EC2::InternetGateway"
    Properties:
      Tags:
        - Key: Name
          Value: IGWdev
  IGWtest:
    Type: "AWS::EC2::InternetGateway"
    Properties:
      Tags:
        - Key: Name
          Value: IGWtest

  IGWdevattachment:
    Type: "AWS::EC2::VPCGatewayAttachment"
    Properties:
      InternetGatewayId: !Ref IGWdev
      VpcId: !Ref VPCdev
  IGWtestattachment:
    Type: "AWS::EC2::VPCGatewayAttachment"
    Properties:
      InternetGatewayId: !Ref IGWtest
      VpcId: !Ref VPCtest

  RouteTabledev:
    Type: "AWS::EC2::RouteTable"
    Properties:
      Tags:
        - Key: Name
          Value: RouteTabledev
      VpcId: !Ref VPCdev
  RouteTabletest:
    Type: "AWS::EC2::RouteTable"
    Properties:
      Tags:
        - Key: Name
          Value: RouteTabletest
      VpcId: !Ref VPCtest

  defaultdev:
    Type: "AWS::EC2::Route"
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref IGWdev
      RouteTableId: !Ref RouteTabledev

  defaulttest:
    Type: "AWS::EC2::Route"
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref IGWtest
      RouteTableId: !Ref RouteTabletest

  Ec2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles: [ !Ref Ec2InstanceRole ]
  Ec2InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ ec2.amazonaws.com ]
            Action:
              - sts:AssumeRole
      Path: /

  sgdev:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: sgdev
      GroupName: sgdev
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: sgdev
      VpcId: !Ref VPCdev
  sgtest:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: sgtest
      GroupName: sgtest
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: sgtest
      VpcId: !Ref VPCtest

  instancedev:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-02d55cb47e83a99a0
      InstanceType: "t2.micro"
      IamInstanceProfile: !Ref Ec2InstanceProfile
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: 0
          GroupSet:
            - !Ref sgdev
          SubnetId: !Ref SubnetDev
      Tags:
        - Key: Name
          Value: dev

  instancetest:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-02d55cb47e83a99a0
      InstanceType: "t2.micro"
      IamInstanceProfile: !Ref Ec2InstanceProfile
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: 0
          GroupSet:
            - !Ref sgtest
          SubnetId: !Ref SubnetTest
      Tags:
        - Key: Name
          Value: test

Also attached is the error screenshot. P.S.: I tried doing it manually and it worked. I don't seem to understand where I went wrong; the stack gets successfully built and all resources get deployed as well.

I am using the Ubuntu 18.04 LTS image; it comes pre-installed with Session Manager.

Aniket Paul
  • Did you start the SSM service on the instance? I don't see you doing it in the stack, so it would have to be started in the AMI, but I don't know any upstream AMIs that ship with the SSM service running by default. – erik258 Aug 05 '20 at 15:55
  • @DanielFarrell According to AWS docs, SSM Agent is preinstalled on all Linux OSes, in this case above Ubuntu 16, so it should work. When I try to deploy it manually, it works without installing any agent. – Aniket Paul Aug 05 '20 at 17:38
  • Installing and starting on boot are different things sometimes. But fair enough, if it works manually that's not it. It might be something in networking stopping the server from calling out to SSM. Did you spin up your manual test in the stack's VPC and subnets and security groups? – erik258 Aug 05 '20 at 20:58
  • @DanielFarrell The error was because I didn't associate the subnet to the route table and it was inaccessible. Thanks for your time! – Aniket Paul Aug 06 '20 at 05:31

1 Answer


It does not work because your subnets are private; they don't have any internet connectivity.

Although you've created public route tables, they are not associated with any subnet.

The following should help:

  MyRouteTableAssoc1:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTabledev
      SubnetId: !Ref SubnetDev

  MyRouteTableAssoc2:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTabletest
      SubnetId: !Ref SubnetTest
Marcin
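As an added example (not code from the question or from Marcin's answer), here is a small Python check for exactly this misconfiguration, the kind of thing that can run in a pipeline before a stack is deployed: it walks a template's Resources and flags every AWS::EC2::Subnet that has no AWS::EC2::SubnetRouteTableAssociation to a route table carrying a 0.0.0.0/0 route whose target is an AWS::EC2::InternetGateway in the same template. A subnet without an explicit association silently falls back to the VPC's main route table, which in a fresh VPC only has the local route, so the SSM Agent on the instance can never reach the Systems Manager endpoints. The template below is a constructed, reduced copy of the one in the question, written as the dict a YAML loader would produce (`!Ref X` as `{"Ref": "X"}`); the function and variable names are my own.

```python
"""Static check: does every subnet in a CloudFormation template have a route
table association that gives it a default route to an Internet Gateway?

Added example, not code from the question or the answer. QUESTION_TEMPLATE is
a constructed, reduced copy of the question's template; ANSWER_FIX mirrors the
two associations the answer proposes. Function names are assumptions.
"""

IGW = "AWS::EC2::InternetGateway"
ROUTE = "AWS::EC2::Route"
ASSOC = "AWS::EC2::SubnetRouteTableAssociation"
SUBNET = "AWS::EC2::Subnet"


def _ref(value):
    """Resolve {"Ref": "X"} (or a bare logical ID string) to "X"; else None."""
    if isinstance(value, dict) and "Ref" in value:
        return value["Ref"]
    return value if isinstance(value, str) else None


def find_unroutable_subnets(resources):
    """Return sorted logical IDs of subnets with no internet path.

    A subnet is flagged when it has no explicit SubnetRouteTableAssociation,
    or when its associated route table has no 0.0.0.0/0 route targeting an
    InternetGateway resource. Unassociated subnets use the VPC's main route
    table, which carries only the local route in a freshly created VPC.
    """
    igws = {name for name, r in resources.items() if r.get("Type") == IGW}

    # Route tables that carry a default route whose GatewayId is an IGW.
    public_tables = set()
    for r in resources.values():
        if r.get("Type") != ROUTE:
            continue
        p = r.get("Properties", {})
        if p.get("DestinationCidrBlock") == "0.0.0.0/0" and _ref(p.get("GatewayId")) in igws:
            public_tables.add(_ref(p.get("RouteTableId")))

    # Explicit subnet -> route table associations (the piece the question lacked).
    associated = {}
    for r in resources.values():
        if r.get("Type") == ASSOC:
            p = r.get("Properties", {})
            associated[_ref(p.get("SubnetId"))] = _ref(p.get("RouteTableId"))

    flagged = [name for name, r in resources.items()
               if r.get("Type") == SUBNET and associated.get(name) not in public_tables]
    return sorted(flagged)


# Constructed, reduced copy of the question's template (no associations).
QUESTION_TEMPLATE = {
    "VPCdev": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "VPCtest": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "192.168.0.0/16"}},
    "SubnetDev": {"Type": SUBNET, "Properties": {"VpcId": {"Ref": "VPCdev"}, "CidrBlock": "10.0.1.0/24"}},
    "SubnetTest": {"Type": SUBNET, "Properties": {"VpcId": {"Ref": "VPCtest"}, "CidrBlock": "192.168.1.0/24"}},
    "IGWdev": {"Type": IGW},
    "IGWtest": {"Type": IGW},
    "RouteTabledev": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPCdev"}}},
    "RouteTabletest": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPCtest"}}},
    "defaultdev": {"Type": ROUTE, "Properties": {"DestinationCidrBlock": "0.0.0.0/0",
                                                 "GatewayId": {"Ref": "IGWdev"},
                                                 "RouteTableId": {"Ref": "RouteTabledev"}}},
    "defaulttest": {"Type": ROUTE, "Properties": {"DestinationCidrBlock": "0.0.0.0/0",
                                                  "GatewayId": {"Ref": "IGWtest"},
                                                  "RouteTableId": {"Ref": "RouteTabletest"}}},
}

# The two associations from the answer, as dicts.
ANSWER_FIX = {
    "MyRouteTableAssoc1": {"Type": ASSOC, "Properties": {"RouteTableId": {"Ref": "RouteTabledev"},
                                                         "SubnetId": {"Ref": "SubnetDev"}}},
    "MyRouteTableAssoc2": {"Type": ASSOC, "Properties": {"RouteTableId": {"Ref": "RouteTabletest"},
                                                         "SubnetId": {"Ref": "SubnetTest"}}},
}


def check_before_and_after():
    """Run the check on the question's template and on the template plus the fix."""
    before = find_unroutable_subnets(QUESTION_TEMPLATE)
    after = find_unroutable_subnets({**QUESTION_TEMPLATE, **ANSWER_FIX})
    return before, after


if __name__ == "__main__":
    before, after = check_before_and_after()
    print("subnets without an internet route (question):", before)        # ['SubnetDev', 'SubnetTest']
    print("subnets without an internet route (with the fix):", after)     # []
```

The check models only the path the answer relies on (public subnet, IGW default route). If the instances must not have a public path at all, the alternative is to keep the subnets private and add VPC interface endpoints for the ssm, ssmmessages and ec2messages services so the agent can reach Systems Manager without an Internet Gateway; that layout is not something this script evaluates.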