Awesome
Amazon SSM Agent
The Amazon EC2 Simple Systems Manager (SSM) Agent is software developed for the Simple Systems Manager Service. The SSM Agent is the primary component of a feature called Run Command.
Overview
The SSM Agent runs on EC2 instances and enables you to quickly and easily execute remote commands or scripts against one or more instances. The agent uses SSM documents. When you execute a command, the agent on the instance processes the document and configures the instance as specified. Currently, the agent and Run Command enable you to quickly run Shell scripts on an instance using the AWS-RunShellScript SSM document. SSM Agent also enables the Session Manager capability that lets you manage your Amazon EC2 instance through an interactive one-click browser-based shell or through the AWS CLI. When the agent starts, it will create a user called "ssm-user" with sudo or administrator privilege. Session Manager sessions will be launched in context of this user.
Verify Requirements
Setup
- Configuring IAM Roles and Users for SSM Run Command
- Configuring the SSM Agent
- Configuring IAM Roles for Session Manager
- Configuring Users for Session Manager
Executing Commands
SSM Run Command Walkthrough Using the AWS CLI
Starting Sessions
Session Manager Walkthrough Using the AWS Console and CLI
Troubleshooting
Troubleshooting SSM Run Command Troubleshooting SSM Session Manager
Feedback
Thank you for helping us to improve Systems Manager, Run Command and Session Manager. Please send your questions or comments to Systems Manager Forums
Building inside docker container (Recommended)
-
Install docker: Install CentOS
-
Build image
docker build -t ssm-agent-build-image .
- Build the agent
docker run -it --rm --name ssm-agent-build-container -v `pwd`:/amazon-ssm-agent ssm-agent-build-image make build-release
Building on Linux
-
Install go Getting started
-
Install rpm-build and rpmdevtools
-
Run
make buildto build the SSM Agent for Linux, Debian, Windows environment. -
Run
make build-releaseto build the agent and also packages it into a RPM, DEB and ZIP package.
The following folders are generated when the build completes:
bin/debian_386
bin/debian_amd64
bin/linux_386
bin/linux_amd64
bin/linux_arm
bin/linux_arm64
bin/windows_386
bin/windows_amd64
- To enable the Agent for Session Manager scenario on Windows instances
- Clone the repo from https://github.com/masatma/winpty.git
- Follow instructions on https://github.com/rprichard/winpty to build winpty 64-bit binaries
- Copy the winpty.dll and winpty-agent.exe to the bin/SessionManagerShell folder For the Windows Operating System, Session Manager is only supported on Windows Server 2008 R2 through Windows Server 2019 64-bit versions.
Please follow the user guide to copy and install the SSM Agent
Code Layout
- Source code
- Core functionality such as worker management is under core/
- Agent worker code is under agent/
- Other functionality such as IPC is under common/
- Vendor package source code is under vendor/src
- rpm and dpkg artifacts are under packaging
- build scripts are under Tools/src
GOPATH
To use vendor dependencies, the suggested GOPATH format is :<packagesource>/vendor:<packagesource>
Make Targets
The following targets are available. Each may be run with make <target>.
| Make Target | Description |
|---|---|
build | (Default) build builds the agent for Linux, Debian, Darwin and Windows amd64 and 386 environment |
build-release | build-release checks code style and coverage, builds the agent and also packages it into a RPM, DEB and ZIP package |
release | release checks code style and coverage, runs tests, packages all dependencies to the bin folder. |
package | package packages build result into a RPM, DEB and ZIP package |
pre-build | pre-build goes through Tools/src folder to make sure all the script files are executable |
checkstyle | checkstyle runs the checkstyle script |
quick-integtest | quick-integtest runs all tests tagged with integration using go test |
quick-test | quick-test runs all the tests including integration and unit tests using go test |
coverage | coverage runs all tests and calculate code coverage |
build-linux | build-linux builds the agent for execution in the Linux amd64 environment |
build-windows | build-windows builds the agent for execution in the Windows amd64 environment |
build-darwin | build-darwin builds the agent for execution in the Darwin amd64 environment |
build-linux-386 | build-linux-386 builds the agent for execution in the Linux 386 environment |
build-windows-386 | build-windows-386 builds the agent for execution in the Windows 386 environment |
build-darwin-386 | build-darwin-386 builds the agent for execution in the Darwin 386 environment |
build-arm | build-arm builds the agent for execution in the arm environment |
build-arm64 | build-arm64 builds the agent for execution in the arm64 environment |
package-rpm | package-rpm builds the agent and packages it into a RPM package for Linux amd64 based distributions |
package-deb | package-deb builds the agent and packages it into a DEB package Debian amd64 based distributions |
package-win | package-win builds the agent and packages it into a ZIP package Windows amd64 based distributions |
package-rpm-386 | package-rpm-386 builds the agent and packages it into a RPM package for Linux 386 based distributions |
package-deb-386 | package-deb-386 builds the agent and packages it into a DEB package Debian 386 based distributions |
package-win-386 | package-win-386 builds the agent and packages it into a ZIP package Windows 386 based distributions |
package-rpm-arm64 | package-rpm-arm64 builds the agent and packages it into a RPM package Linux arm64 based distributions |
package-deb-arm | package-deb-arm builds the agent and packages it into a DEB package Debian arm based distributions |
package-deb-arm64 | package-deb-arm64 builds the agent and packages it into a DEB package Debian arm64 based distributions |
package-linux | package-linux create update packages for Linux and Debian based distributions |
package-windows | package-windows create update packages for Windows based distributions |
package-darwin | package-darwin create update packages for Darwin based distributions |
get-tools | get-tools gets gocode and oracle using go get |
clean | clean removes build artifacts |
Contributing
Contributions and feedback are welcome! Proposals and Pull Requests will be considered and responded to. Please see the CONTRIBUTING.md file for more information.
Amazon Web Services does not currently provide support for modified copies of this software.
Runtime Configuration
To set up your own custom configuration for the agent:
- Navigate to /etc/amazon/ssm/ (or C:\Program Files\Amazon\SSM for windows)
- Copy the contents of amazon-ssm-agent.json.template to a new file amazon-ssm-agent.json
- Restart agent
Config Property Definitions:
- Profile - represents configurations for aws credential profile used to get managed instance role and credentials
- ShareCreds (boolean)
- Default: true
- ShareProfile (string)
- ShareCreds (boolean)
- Mds - represents configuration for Message delivery service (MDS) where agent listens for incoming messages
- CommandWorkersLimit (int)
- Default: 5
- StopTimeoutMillis (int64)
- Default: 20000
- Endpoint (string)
- CommandRetryLimit (int)
- Default: 15
- CommandWorkersLimit (int)
- Ssm - represents configuration for Simple Systems Manager (SSM)
- Endpoint (string)
- HealthFrequencyMinutes (int)
- Default: 5
- CustomInventoryDefaultLocation (string)
- AssociationLogsRetentionDurationHours (int)
- Default: 24
- RunCommandLogsRetentionDurationHours (int)
- Default: 336
- SessionLogsRetentionDurationHours (int)
- Default: 336
- Mgs - represents configuration for Message Gateway service
- Region (string)
- Endpoint (string)
- StopTimeoutMillis (int64)
- Default: 20000
- SessionWorkersLimit (int)
- Default: 1000
- Agent - represents metadata for amazon-ssm-agent
- Region (string)
- OrchestrationRootDir (string)
- Default: "orchestration"
- SelfUpdate (boolean)
- Default: false
- TelemetryMetricsToCloudWatch (boolean)
- Default: false
- TelemetryMetricsToSSM (boolean)
- Default: true
- AuditExpirationDay (int)
- Default: 7
- LongRunningWorkerMonitorIntervalSeconds (int)
- Default: 60
- Os - represents os related information, will be logged in reply messages
- Lang (string)
- Default: "en-US"
- Name (string)
- Version (string)
- Default: 1
- Lang (string)
- S3 - represents configurations related to S3 bucket and key for SSM. Endpoint and region are typically determined automatically, and should only be set if a custom endpoint is required. LogBucket and LogKey are currently unused.
- Endpoint (string)
- Default: ""
- Region (string) - Ignored
- LogBucket (string) - Ignored
- LogKey (string) - Ignored
- Endpoint (string)
- Kms - represents configuration for Key Management Service if encryption is enabled for this session (i.e. kmsKeyId is set or using "Port" plugin)
- Endpoint (string)
License
The Amazon SSM Agent is licensed under the Apache 2.0 License.