Run an automated operation powered by Systems Manager Automation
When you run an automation, by default, the automation runs in the context of the user who initiated the automation. This means, for example, if your user has administrator permissions, then the automation runs with administrator permissions and full access to the resources being configured by the automation. As a security best practice, we recommend that you run automation by using an IAM service role that is known in this case as an assume role that is configured with the AmazonSSMAutomationRole managed policy. You might need to add additional IAM policies to your assume role to use various runbooks. Using an IAM service role to run automation is called delegated administration.
When you use a service role, the automation is allowed to run against the AWS resources, but the user who ran the automation has restricted access (or no access) to those resources. For example, you can configure a service role and use it with Automation to restart one or more Amazon Elastic Compute Cloud (Amazon EC2) instances. Automation is a capability of AWS Systems Manager. The automation restarts the instances, but the service role doesn't give the user permission to access those instances.
You can specify a service role at runtime when you run an automation, or you can create custom runbooks and specify the service role directly in the runbook. If you specify a service role, either at runtime or in a runbook, then the service runs in the context of the specified service role. If you don't specify a service role, then the system creates a temporary session in the context of the user and runs the automation.
Note
You must specify a service role for automation that you expect to run longer than 12 hours. If you start a long-running automation in the context of a user, the user's temporary session expires after 12 hours.
Delegated administration ensures elevated security and control of your AWS resources. It also allows an enhanced auditing experience because actions are being performed against your resources by a central service role instead of multiple IAM accounts.
Before you begin
Before you complete the following procedures, you must create the IAM service role and configure a trust relationship for Automation, a capability of AWS Systems Manager. For more information, see Task 1: Create a service role for Automation.
The following procedures describe how to use the Systems Manager console or your preferred command line tool to run a simple automation.
Running a simple automation (console)
The following procedure describes how to use the Systems Manager console to run a simple automation.
To run a simple automation
Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/
. -
In the navigation pane, choose Automation, and then choose Execute automation.
-
In the Automation document list, choose a runbook. Choose one or more options in the Document categories pane to filter SSM documents according to their purpose. To view a runbook that you own, choose the Owned by me tab. To view a runbook that is shared with your account, choose the Shared with me tab. To view all runbooks, choose the All documents tab.
Note
You can view information about a runbook by choosing the runbook name.
-
In the Document details section, verify that Document version is set to the version that you want to run. The system includes the following version options:
-
Default version at runtime – Choose this option if the Automation runbook is updated periodically and a new default version is assigned.
-
Latest version at runtime – Choose this option if the Automation runbook is updated periodically, and you want to run the version that was most recently updated.
-
1 (Default) – Choose this option to run the first version of the document, which is the default.
-
-
Choose Next.
-
In the Execution Mode section, choose Simple execution.
In the Input parameters section, specify the required inputs. Optionally, you can choose an IAM service role from the AutomationAssumeRole list.
-
(Optional) Choose a CloudWatch alarm to apply to your automation for monitoring. To attach a CloudWatch alarm to your automation, the IAM principal that starts the automation must have permission for the
iam:createServiceLinkedRole
action. For more information about CloudWatch alarms, see Using Amazon CloudWatch alarms. Note that if your alarm activates, the automation is stopped. If you use AWS CloudTrail, you will see the API call in your trail. -
Choose Execute.
The console displays the status of the automation. If the automation fails to run, see Troubleshooting Systems Manager Automation.
Running a simple automation (command line)
The following procedure describes how to use the AWS CLI (on Linux or Windows) or AWS Tools for PowerShell to run a simple automation.
To run a simple automation
Install and configure the AWS CLI or the AWS Tools for PowerShell, if you haven't already.
For information, see Installing or updating the latest version of the AWS CLI and Installing the AWS Tools for PowerShell.
-
Run the following command to start a simple automation. Replace each
example resource placeholder
with your own information.Here is an example using the runbook
AWS-RestartEC2Instance
to restart the specified EC2 instance.The system returns information like the following.
-
Run the following command to retrieve the status of the automation.
The system returns information like the following.