Systems Manager: Automation
Hello,
On exercise 4 (Create playbook) I'm getting an error if I configure Step One according to the instructions, and I can't proceed with the playbook creation.
"AccessDeniedException: User: {{user}} is not authorized to perform: ssm:CreateDocument on resource: {{resource}}/NewRunbook because no permissions boundary allows the ssm:CreateDocument action"
This is how I structured the code:
schemaVersion: '0.3'
assumeRole: {{according the instructions}}
description: EC2-Stop-Prod-EU-WEST-1
mainSteps:
  - name: Pause
    action: aws:pause
    nextStep: Approve
    isEnd: false
    inputs: {}
  - name: Approve
    action: aws:approve
    nextStep: get_instance_ids
    isEnd: false
    inputs:
      Approvers:
        - {{according the instructions}}
  - name: get_instance_ids
    action: aws:executeAwsApi
    nextStep: turn_off_prod_instances
    isEnd: false
    inputs:
      Api: DescribeInstances
      Service: ec2
      Filters:
        - Name: tag-key
          Values:
            - prod
        - Name: instance-state-name
          Values:
            - running
    outputs:
      - Name: InstanceIds
        Selector: $.Reservations..Instances..InstanceId
        Type: StringList
  - name: turn_off_prod_instances
    action: aws:executeScript
    isEnd: true
    inputs:
      Runtime: python3.8
      Handler: script_handler
      Script: |-
        def script_handler(events,context):
          import boto3
          # Initialize client
          ec2 = boto3.client('ec2')
          instanceList = events['InstanceIds']
          for instance in instanceList:
            ec2.stop_instances(InstanceIds=[instance])
      InputPayload:
        InstanceIds: '{{get_instance_ids.InstanceIds}}'
Has anyone had the same error while doing this lab?
Regards,
TillyCorless T3S0r0 I can confirm that this is working as expected now. If you're still seeing the permission error, I'd double-check you're changing the name of the runbook before saving it for the first time.