aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

aws:downloadContent requires public s3 bucket #338

Closed Richard-Payne closed 3 years ago

Richard-Payne commented 3 years ago

The SSM document AWS-ApplyAnsiblePlaybooks uses the aws:downloadContent action to pull down the Ansible code to run. However, it appears that it does not accept a SourceInfo in the form s3:// and requires https://. This effectively means that aws:downloadContent and consequently AWS-ApplyAnsiblePlaybooks require public buckets. This is an odd choice for infrastructure configuration code that many people would rather be kept private.

Have I missed something?

edit: It seems to work with private buckets and the https:// format when using the "aws ssm send-command" cli on the instance itself. It fails from state manager.

Thor-Bjorgvinsson commented 3 years ago

Hey Richard-Payne, thanks for reporting this issue. After looking into this, it seems that s3:// is not supported and only https://. Can you change your AWS-ApplyAnsiblePlaybooks parameter to use https:// instead of s3://?

Richard-Payne commented 3 years ago

I can, but then the aws:downloadContent fails unless the bucket is publicly accessible. I wish to avoid it being public.

Thor-Bjorgvinsson commented 3 years ago

I tried this out and it works on my end. Please make sure the role the agent is using has permissions to read s3 and that the SourceInfo is correctly configured for S3. Here is the document I used to test this:

{
  "schemaVersion": "2.0",
  "description": "TestDocument",
  "parameters": {},
  "mainSteps": [
    {
      "action": "aws:downloadContent",
      "name": "downloadContent",
      "inputs": {
        "SourceType": "S3",
        "SourceInfo": {
          "path": "https://myrandomprivatebucket.s3.amazonaws.com/SomeRandomFile"
        }
      }
    },
    {
      "action": "aws:runShellScript",
      "name": "runShellScript",
      "inputs": {
        "timeoutSeconds": "3600",
        "runCommand": [
          "#!/bin/bash",
          "ls"
        ]
      }
    }
  ]
}

If these steps don't work for you, feel free to reopen this ticket.
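The point of the thread is that a private bucket works fine with aws:downloadContent as long as two things hold: the SourceInfo path is written in the https:// virtual-hosted form rather than s3://, and the instance profile the agent runs under is allowed to read the object. Making the bucket public is not the fix. The following is an added example (not code from the amazon-ssm-agent project or from either participant): a small Python linter that finds aws:downloadContent steps whose S3 path uses the unsupported s3:// scheme, rewrites them to the https:// form the maintainer's document uses, and derives a least-privilege IAM statement for the instance role from the resulting URL. The sample document, the bucket name and the object key are constructed for illustration; the global `bucket.s3.amazonaws.com` endpoint mirrors the document above, and the helper also accepts the regional `bucket.s3.<region>.amazonaws.com` form.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample document: the s3:// form the reporter tried, which
# aws:downloadContent rejects. Only the path differs from the maintainer's test document.
SAMPLE_DOC = {
    "schemaVersion": "2.0",
    "description": "TestDocument",
    "parameters": {},
    "mainSteps": [
        {
            "action": "aws:downloadContent",
            "name": "downloadContent",
            "inputs": {
                "SourceType": "S3",
                "SourceInfo": {"path": "s3://myrandomprivatebucket/SomeRandomFile"},
            },
        }
    ],
}

# Matches virtual-hosted S3 URLs: bucket.s3.amazonaws.com or bucket.s3.<region>.amazonaws.com
_VHOST_RE = re.compile(r"^(?P<bucket>.+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")


def s3_uri_to_https(uri):
    """Rewrite s3://bucket/key into the https:// form that aws:downloadContent accepts."""
    parsed = urlparse(uri)
    if parsed.scheme != "s3" or not parsed.netloc:
        raise ValueError("not an s3:// URI: %r" % uri)
    return "https://%s.s3.amazonaws.com/%s" % (parsed.netloc, parsed.path.lstrip("/"))


def _source_info(inputs):
    """SourceInfo may be a map or a JSON-encoded string; normalise to a dict."""
    info = inputs.get("SourceInfo", {})
    return json.loads(info) if isinstance(info, str) else info


def lint_download_content(doc):
    """Return one finding per aws:downloadContent S3 step whose path is not an https:// URL."""
    findings = []
    for step in doc.get("mainSteps", []):
        inputs = step.get("inputs", {})
        if step.get("action") != "aws:downloadContent" or inputs.get("SourceType") != "S3":
            continue
        path = _source_info(inputs).get("path", "")
        if path.startswith("s3://"):
            findings.append("%s: s3:// is not supported, use %s"
                            % (step.get("name"), s3_uri_to_https(path)))
        elif not path.startswith("https://"):
            findings.append("%s: expected an https:// S3 URL, got %r" % (step.get("name"), path))
    return findings


def fix_download_content(doc):
    """Return a deep copy of the document with every s3:// path rewritten to https://."""
    fixed = json.loads(json.dumps(doc))
    for step in fixed.get("mainSteps", []):
        inputs = step.get("inputs", {})
        if step.get("action") != "aws:downloadContent" or inputs.get("SourceType") != "S3":
            continue
        info = _source_info(inputs)
        if info.get("path", "").startswith("s3://"):
            info["path"] = s3_uri_to_https(info["path"])
            inputs["SourceInfo"] = info
    return fixed


def bucket_and_key(https_url):
    """Split a virtual-hosted https:// S3 URL into (bucket, key) for building the IAM policy."""
    parsed = urlparse(https_url)
    match = _VHOST_RE.match(parsed.netloc)
    if parsed.scheme != "https" or not match:
        raise ValueError("not a virtual-hosted S3 URL: %r" % https_url)
    return match.group("bucket"), parsed.path.lstrip("/")


def minimal_read_policy(https_url):
    """Least-privilege policy for the instance role: s3:GetObject on just the object fetched.
    (Assumption: a single-object download; if the path is a prefix the agent also needs
    s3:ListBucket on the bucket, which this deliberately does not grant.)"""
    bucket, key = bucket_and_key(https_url)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::%s/%s" % (bucket, key)],
        }],
    }


if __name__ == "__main__":
    for finding in lint_download_content(SAMPLE_DOC):
        print("finding:", finding)
    fixed = fix_download_content(SAMPLE_DOC)
    url = fixed["mainSteps"][0]["inputs"]["SourceInfo"]["path"]
    print(json.dumps(minimal_read_policy(url), indent=2))
```

Run it against a document before attaching it to a State Manager association: a non-empty finding list means the association would fail regardless of bucket permissions, and the generated statement is the smallest grant that lets the agent's role fetch the file without opening the bucket to the public. Attach that statement to the instance profile role the agent uses (the one the maintainer refers to), not to the bucket policy as a public-read grant.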