Forum Discussion

T3S0r0 (Bronze II)
2 months ago
Solved

Systems Manager: Automation

Hello,

On exercise 4 (Create playbook) I'm getting an error if I configure Step One according to the instructions, and I can't proceed with the playbook creation.

"AccessDeniedException: User: {{user}} is not authorized to perform: ssm:CreateDocument on resource: {{resource}}/NewRunbook because no permissions boundary allows the ssm:CreateDocument action"

This is how I structured the code:

schemaVersion: '0.3'
assumeRole: {{according the instructions}}
description: EC2-Stop-Prod-EU-WEST-1
mainSteps:
  - name: Pause
    action: aws:pause
    nextStep: Approve
    isEnd: false
    inputs: {}
  - name: Approve
    action: aws:approve
    nextStep: get_instance_ids
    isEnd: false
    inputs:
      Approvers:
        - {{according the instructions}}
  - name: get_instance_ids
    action: aws:executeAwsApi
    nextStep: turn_off_prod_instances
    isEnd: false
    inputs:
      Api: DescribeInstances
      Service: ec2
      Filters:
        - Name: tag-key
          Values:
            - prod
        - Name: instance-state-name
          Values:
            - running
    outputs:
      - Name: InstanceIds
        Selector: $.Reservations..Instances..InstanceId
        Type: StringList
  - name: turn_off_prod_instances
    action: aws:executeScript
    isEnd: true
    inputs:
      Runtime: python3.8
      Handler: script_handler
      Script: |-
        def script_handler(events, context):
            import boto3

            # events carries InputPayload, so events['InstanceIds'] is the
            # StringList produced by the get_instance_ids step
            ec2 = boto3.client('ec2')
            instance_ids = events['InstanceIds']
            # stop_instances takes a list, so one call stops every instance;
            # skip the call when nothing is running (an empty list is an error)
            if instance_ids:
                ec2.stop_instances(InstanceIds=instance_ids)
      InputPayload:
        InstanceIds: '{{get_instance_ids.InstanceIds}}'


Has anyone had the same error while doing this lab?

Regards,
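Two checks worth running before retrying CreateDocument, as an added example that is not code from the post, the lab, or AWS: a local lint of the runbook's step graph (nextStep targets exist, every {{ step.Output }} reference points at a declared output of an earlier step), and a parser for the AccessDeniedException text that tells you which policy layer denied the call, since "no permissions boundary allows" points at the boundary on the principal rather than at its identity policy. The runbook below is the poster's document transcribed to JSON (SSM accepts JSON as well as YAML); the ARNs in it and in the sample error are constructed placeholders, and the reason-phrase table is an assumption to extend if AWS changes its wording.

```python
"""Offline pre-flight checks for an SSM Automation runbook (schemaVersion 0.3).

Added example; not code from the forum post, the lab, or AWS. The runbook is
the poster's document transcribed to JSON; ARNs and the error are constructed.
"""
import json
import re
from typing import Dict, List, Optional

# Constructed JSON transcription of the posted runbook (placeholder ARNs only).
RUNBOOK_JSON = r'''{
  "schemaVersion": "0.3",
  "assumeRole": "arn:aws:iam::123456789012:role/AutomationAssumeRole",
  "description": "EC2-Stop-Prod-EU-WEST-1",
  "mainSteps": [
    {"name": "Pause", "action": "aws:pause", "nextStep": "Approve", "isEnd": false, "inputs": {}},
    {"name": "Approve", "action": "aws:approve", "nextStep": "get_instance_ids", "isEnd": false,
     "inputs": {"Approvers": ["arn:aws:iam::123456789012:user/approver"]}},
    {"name": "get_instance_ids", "action": "aws:executeAwsApi",
     "nextStep": "turn_off_prod_instances", "isEnd": false,
     "inputs": {"Service": "ec2", "Api": "DescribeInstances",
                "Filters": [{"Name": "tag-key", "Values": ["prod"]},
                            {"Name": "instance-state-name", "Values": ["running"]}]},
     "outputs": [{"Name": "InstanceIds", "Selector": "$.Reservations..Instances..InstanceId",
                  "Type": "StringList"}]},
    {"name": "turn_off_prod_instances", "action": "aws:executeScript", "isEnd": true,
     "inputs": {"Runtime": "python3.8", "Handler": "script_handler",
                "Script": "def script_handler(events, context):\n    import boto3\n    boto3.client('ec2').stop_instances(InstanceIds=events['InstanceIds'])\n",
                "InputPayload": {"InstanceIds": "{{ get_instance_ids.InstanceIds }}"}}}
  ]
}'''

# Subset of documented Automation action names; extend for the actions you use.
KNOWN_ACTIONS = {"aws:pause", "aws:approve", "aws:executeAwsApi", "aws:executeScript",
                 "aws:sleep", "aws:branch", "aws:runCommand", "aws:changeInstanceState",
                 "aws:waitForAwsResourceProperty", "aws:assertAwsResourceProperty"}
STEP_REF = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\.([A-Za-z0-9_]+)\s*\}\}")


def load_runbook(text: str) -> Dict:
    return json.loads(text)


def lint_runbook(doc: Dict) -> List[str]:
    """Return structural problems in the step graph; an empty list means it is sound."""
    problems: List[str] = []
    if doc.get("schemaVersion") != "0.3":
        problems.append("schemaVersion must be '0.3' for an Automation runbook")
    steps = doc.get("mainSteps") or []
    if not steps:
        return problems + ["mainSteps is empty"]
    names = [s.get("name") for s in steps]
    for dup in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"duplicate step name {dup!r}")
    declared = {s.get("name"): {o.get("Name") for o in s.get("outputs", [])} for s in steps}
    for i, step in enumerate(steps):
        name = step.get("name") or f"<step {i}>"
        if step.get("action") not in KNOWN_ACTIONS:
            problems.append(f"{name}: unknown action {step.get('action')!r}")
        nxt = step.get("nextStep")
        if nxt is not None and nxt not in names:
            problems.append(f"{name}: nextStep {nxt!r} does not exist")
        if nxt is not None and step.get("isEnd"):
            problems.append(f"{name}: isEnd is true but nextStep is set")
        # Every {{ step.Output }} reference must name a declared output of an earlier step.
        for src, out in STEP_REF.findall(json.dumps(step.get("inputs", {}))):
            if src not in declared:
                problems.append(f"{name}: references {src}.{out} but no step named {src!r}")
            elif out not in declared[src]:
                problems.append(f"{name}: references {src}.{out} but {src} declares no output {out!r}")
            elif names.index(src) >= i:
                problems.append(f"{name}: references {src}.{out} before {src} has run")
    return problems


# Reason phrases AWS appends to AccessDenied errors (assumed list) -> layer to fix.
POLICY_LAYERS = (
    ("no identity-based policy allows", "identity-based policy attached to the principal"),
    ("explicit deny in an identity-based policy", "identity-based policy (explicit Deny)"),
    ("no permissions boundary allows", "permissions boundary set on the principal"),
    ("explicit deny in a permissions boundary", "permissions boundary (explicit Deny)"),
    ("explicit deny in a service control policy", "service control policy in AWS Organizations"),
    ("no session policy allows", "session policy passed when the role was assumed"),
    ("no resource-based policy allows", "resource-based policy on the target resource"),
)
ACCESS_DENIED = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>[\w-]+:[\w*]+)"
    r" on resource: (?P<resource>\S+)(?: because (?P<reason>.+))?$")

# Constructed sample in the same shape as the error quoted in the post.
SAMPLE_ERROR = ("AccessDeniedException: User: arn:aws:iam::123456789012:user/lab-user is not "
                "authorized to perform: ssm:CreateDocument on resource: "
                "arn:aws:ssm:eu-west-1:123456789012:document/NewRunbook "
                "because no permissions boundary allows the ssm:CreateDocument action")


def classify_access_denied(message: str) -> Optional[Dict[str, str]]:
    """Extract principal, action, resource and the policy layer that denied the call."""
    m = ACCESS_DENIED.search(message.strip())
    if not m:
        return None
    info = {k: v for k, v in m.groupdict().items() if v is not None}
    reason = info.get("reason", "")
    info["layer"] = next((layer for phrase, layer in POLICY_LAYERS if phrase in reason),
                         "unknown (check every layer)")
    return info


if __name__ == "__main__":
    print("runbook problems:", lint_runbook(load_runbook(RUNBOOK_JSON)) or "none")
    print(classify_access_denied(SAMPLE_ERROR))
```

Run it after each edit to the runbook; a clean lint means the remaining failure is the CreateDocument call itself, and the classifier tells you whether to look at the boundary, the identity policy, or an SCP.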

  • NyePrior
    25 days ago

    TillyCorless T3S0r0 I can confirm that this is working as expected now, if you're still seeing the permission error, I'd double check you're changing the name of the runbook before saving it for the first time.

  • TillyCorless (Community Manager)

    Hi T3S0r0 

    Thanks for raising - after investigating, I now understand that this is a bug which is now being rectified internally. The bug exists because AWS Systems Manager has changed the required permissions since the lab was released, so we need to update the permissions. I'll advise when this is fixed!
