I was able to achieve SSM connectivity to an EC2 instance which is in a different account by following the steps below. It's a lengthy process, but the solution below works for me.
I have an AWS account where the AWX is hosted. Let's consider that as Account A, and the target account as B where the EC2 instance exists and I need to run my Ansible template against.
- Create an IAM role, e.g. ssm-connectivity-poc, in both the accounts. And for the role in account B, under the trust relations provide the ARN of the IAM role ssm-connectivity-poc of Account A. This is the foundation of the connectivity.
- In AWX, since we are using containers (Execution Environment) to run our templates, ensure the AWS SSM Agent is installed along with botocore, boto3 and the AWS CLI as part of the image build. You need to have your own image pulled to run the templates: https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm
- In the container the below folder has to be present, i.e. /root/.aws/
- Now during my template execution I use an execution node. So on this execution node I have placed the config file and the credentials file. The credentials file has the STS of IAM role ssm-connectivity-poc, which is refreshed frequently using an automation that I have set up.
- In AWX job settings there is an option to fetch files from the execution node to the containers (AWS EE); with the help of this I'm pulling the config file and credentials file dynamically.
- Inventory is one of the key and most important aspects in the whole AWS-SSM via AWX process. In the inventory for Linux, I had to provide the instance-id followed by ansible_connection, ansible_aws_ssm_profile, ansible_aws_ssm_region, ansible_remote_tmp and ansible_aws_ssm_bucket_name.

If the above steps are in place, AWS-SSM connectivity via AWX will work.
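As an added illustration of the inventory step (this is not the answer author's own file), here is a minimal YAML inventory for the account-B instance using the community.aws.aws_ssm connection plugin, carrying exactly the variables the answer lists. The instance id, profile name, region and bucket name are placeholders and must be replaced with your own values; the profile name is assumed to match a section in the /root/.aws/config that AWX pulls in from the execution node.

```yaml
# Added example inventory (not from the original answer).
# Placeholders: the instance id, region, bucket and profile name below are made up.
all:
  hosts:
    # The inventory hostname is used by the aws_ssm plugin as the target instance id
    i-0123456789abcdef0:
      # Route the connection through SSM instead of SSH
      ansible_connection: community.aws.aws_ssm
      # Profile name (assumed) that must exist in the pulled /root/.aws/config;
      # for cross-account access it is the profile whose credentials resolve to
      # the ssm-connectivity-poc role in account B
      ansible_aws_ssm_profile: ssm-connectivity-poc
      # Region where the account-B instance lives (placeholder)
      ansible_aws_ssm_region: us-east-1
      # S3 bucket the plugin uses to transfer module files to the instance (placeholder)
      ansible_aws_ssm_bucket_name: placeholder-ssm-transfer-bucket
      # Writable scratch directory on the instance for the SSM session user
      ansible_remote_tmp: /tmp/.ansible/tmp
```

A quick connectivity check from inside the Execution Environment is `ansible -i inventory.yml all -m ping`. Two things tend to break this setup silently: the profile named in `ansible_aws_ssm_profile` must actually resolve (in the pulled config file) to credentials that assume the account-B role that the trust relation permits, and the S3 bucket must be accessible both to that assumed role and to the instance's own role, since the plugin stages files there for every task.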