3

I am wanting to run an SSM Document on my EC2 instance, AWSFIS-Run-CPU-Stress. It is being executed via AWS Fault Injection Simulator (FIS), which requires a documentARN to be specified, specifically in format: arn:aws:ssm:us-east-1::document/AWSFIS-Run-CPU-Stress. I have also tried arn:aws:ssm:us-west-2:aws-account-ID:document/AWSFIS-Run-CPU-Stress, replacing 'aws-account-ID' with my AWS account ID.

Here is the AWS FIS documentation that states that you must provide an SSM Document ARN: https://docs.aws.amazon.com/fis/latest/userguide/actions-ssm-agent.html#awsfis-run-cpu-stress

However, when I try to run my Fault Injection experiment with the above ARN (I've tried many different regions), the Document cannot be found.

Furthermore, I have tried to use aws ssm describe-document on the Document, but ARN is not returned, so I have no idea what I need to use. It doesn't even look like SSM Documents are region specific. Here is what is returned by aws ssm describe-document:

{
    "Document": {
        "Hash": "f2b00b4471e7236ddb11654c4e076473f5e493e916f09840abb229d5a07822b1",
        "HashType": "Sha256",
        "Name": "Test-AWSFIS-Run-CPU-Stress",
        "Owner": "703381282345",
        "CreatedDate": "2021-05-10T21:08:14.781000+01:00",
        "Status": "Active",
        "DocumentVersion": "1",
        "Description": "Command Document Example JSON Template",
        "Parameters": [
            {
                "Name": "Message",
                "Type": "String",
                "Description": "Example",
                "DefaultValue": "Hello World"
            }
        ],
        "PlatformTypes": [
            "Windows",
            "Linux",
            "MacOS"
        ],
        "DocumentType": "Command",
        "SchemaVersion": "2.2",
        "LatestVersion": "1",
        "DefaultVersion": "1",
        "DocumentFormat": "JSON",
        "Tags": []
    }
}

Where can I find the Document ARN?

Robert
x3nr0s

2 Answers

4

Apparently the Systems Manager console does not show the document ARN. In the meantime you can construct the ARN following this format:

"arn:<partition>:ssm:<region>:<account_id>:document/<document_name>"

This is a valid example of a public FIS SSM "run command" document (available from any account in us-east-1 region), not sure why it failed in your case. No account id is expected because it's a public document:

"arn:aws:ssm:us-east-1::document/AWSFIS-Run-CPU-Stress"

And this is an example of a private document (i.e. you own it), note that this does have account id:

"arn:aws:ssm:us-east-1:012345678912:document/MyFISFaultDocument"
Robert
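The ARN format from the answer above, applied to `aws ssm describe-document` output, as an added example that is not part of the original answer. It assumes AWS-owned public documents report `"Owner": "Amazon"`, and the region is passed in by the caller because the output does not include it; the function names and the second sample record are constructed for illustration. Checking `Owner` also keeps a same-named private copy from being mistaken for the public document.

```python
import json
import re

# Sample inputs: the first is the describe-document output from the question
# (trimmed); the second is a constructed record for an Amazon-owned document.
PRIVATE_DOC = json.loads("""{"Document": {"Name": "Test-AWSFIS-Run-CPU-Stress",
  "Owner": "703381282345", "DocumentType": "Command"}}""")
PUBLIC_DOC = json.loads("""{"Document": {"Name": "AWSFIS-Run-CPU-Stress",
  "Owner": "Amazon", "DocumentType": "Command"}}""")

REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")
ACCOUNT_RE = re.compile(r"^\d{12}$")


def partition_for(region):
    """Map a region name to its ARN partition."""
    if region.startswith("cn-"):
        return "aws-cn"
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    return "aws"


def document_arn(describe_output, region):
    """Build arn:<partition>:ssm:<region>:<account_id>:document/<name>."""
    doc = describe_output["Document"]
    name, owner = doc["Name"], doc["Owner"]
    if not REGION_RE.match(region):
        raise ValueError(f"not a region name: {region!r}")
    if name.startswith("arn:"):
        return name  # already a full ARN, nothing to construct
    if owner == "Amazon":
        account = ""  # assumption: public AWS-owned document, account field stays empty
    elif ACCOUNT_RE.match(owner):
        account = owner  # private document: the owning account ID
    else:
        raise ValueError(f"unexpected Owner value: {owner!r}")
    return f"arn:{partition_for(region)}:ssm:{region}:{account}:document/{name}"


if __name__ == "__main__":
    print(document_arn(PUBLIC_DOC, "us-east-1"))
    print(document_arn(PRIVATE_DOC, "us-east-1"))
```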
1

You can execute the specified document using the following:

aws ssm send-command --document-name "AWSFIS-Run-CPU-Stress" --document-version "4" --parameters '{"CPU":["0"],"InstallDependencies":["True"]}' --timeout-seconds 600 --max-concurrency "50" --max-errors "0" --region us-east-1

You can obtain the above command line by filling in the parameters from this link https://console.aws.amazon.com/systems-manager/run-command/send-command?region=us-east-1#

Nana Lakshmanan
  • Thanks for the info Nana, but this doesn't solve the problem - I needed to retrieve the ARN for use within FIS. Luckily I guessed the correct region and got FIS working, but I don't want to have to guess the ARN in the future. – x3nr0s Jun 07 '21 at 07:37