Running Systems Manager Run Command from AWS Lambda

In this post, we are going to learn how to execute Systems Manager Run Command on EC2 instances from AWS Lambda. Putting a Lambda function in front of Run Command is useful for validating a command before it runs (deciding whether it should run at all) and for supplying suitable runtime parameter values.

Prerequisites

  • AWS Lambda
  • Systems Manager Run Command

Create a Run command Document

  • Open the EC2 dashboard and click the Documents link (available under SYSTEM MANAGER SHARED RESOURCES).
  • Click on Create Document and enter the following details:
    1. Name*: ApacheServiceController
    2. Document type: Command
    3. Content*: {"schemaVersion":"2.2", "description":"linux apache service controller", "parameters":{"action":{"type":"String","default":"status"}}, "mainSteps":[{"action":"aws:runShellScript","name":"ApacheService", "precondition":{"StringEquals":["platformType","Linux"]}, "inputs":{"runCommand":["service apache2 {{action}}"]}}]}
    4. Click on Create Command.
  • Now go to the Documents section and scroll down to find ApacheServiceController.
  • Congratulations, the first part is done. In the next section we use this Document to control the Apache service.

Create Lambda function

Go to Lambda console and create a new lambda function.

  1. Click on ‘Author from scratch’.
  2. Click ‘Next’.
  3. Under basic information:
    1. Name* : lambdaRunCommandHandler.
    2. Runtime: Java 8.
  4. Upload function package*: aws-examples-0.0.1-SNAPSHOT.jar file (Download from here).
  5. Lambda function handler and role
    1. Enter Handler*: com.aws.example.lambda.LambdaRunCommandHandler::runCommandHandler.
    2. Role*: Create new role from the template(s).
    3. Role name: LambdaSSMAccessRole
    4. Policy templates: Basic Edge Lambda permissions
  6. Click ‘Next’.
  7. Click on ‘Create Function’.
  8. Done. In the next section we authorize the LambdaSSMAccessRole IAM role to perform SSM Run Command.

Authorize Lambda function to execute SSM run command

  1. Open IAM management console.
  2. Under Roles section find and open LambdaSSMAccessRole role.
  3. Click on ‘Edit trust relationships’ under tab ‘Trust relationships’.
    1. You need to include one more entry under “Service”: append “ec2.amazonaws.com” to the “Service” field, or replace the whole policy with: {"Version":"2012-10-17", "Statement":[{ "Effect":"Allow", "Principal":{ "Service":["edgelambda.amazonaws.com","lambda.amazonaws.com","ec2.amazonaws.com"]}, "Action":"sts:AssumeRole"}]}
  4. Click on ‘Update Trust Policy’ after including “ec2.amazonaws.com” in the “Service” field.
  5. You will find ec2.amazonaws.com in the list of Trusted entities.
  6. Now click on ‘Attach policy’ under tab Permissions.
  7. Find AmazonSSMFullAccess and mark it checked. Click on Attach policy.
  8. Done. Now it's time to test our Lambda function.

AWS Lambda function test

  1. Go to lambda console and open lambdaRunCommandHandler function.
  2. Open ‘Configure test event’. Select ‘Hello World’ event template. Enter JSON input: { "document": "ApacheServiceController", "instanceIds":["i-0XX11XX8fXX72XX23"] }
  3. Replace the sample instance id (i-0XX11XX8fXX72XX23) with the id of a real instance that has the SSM agent configured and Apache installed.
  4. Click on ‘Save and test’.
  5. You should see: Execution result: Succeeded.
  6. Now open the EC2 console and go to the Run Command section. You should see the command invocation details with a success status.
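As an added example (not the post's aws-examples jar), here is a handler of the shape wired in under ‘Lambda function handler and role’ above: it takes the test event from step 2 and passes it to SSM SendCommand, with the validation the introduction mentions. The optional "action" event field, the two allow-lists and the AWS SDK for Java v1 dependency are assumptions.

```java
package com.aws.example.lambda;

import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagement;
import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClientBuilder;
import com.amazonaws.services.simplesystemsmanagement.model.SendCommandRequest;

public class LambdaRunCommandHandler {
    // Only the document created in this post may be invoked through this function.
    private static final String ALLOWED_DOCUMENT = "ApacheServiceController";
    // Only these values may reach the document's {{action}} parameter, so an event
    // cannot smuggle extra shell text into the "service apache2 {{action}}" step.
    private static final List<String> ALLOWED_ACTIONS =
            Arrays.asList("status", "start", "stop", "restart");
    // Least privilege: this code only needs ssm:SendCommand on the document and the
    // target instances, which is far narrower than AmazonSSMFullAccess.
    private final AWSSimpleSystemsManagement ssm =
            AWSSimpleSystemsManagementClientBuilder.defaultClient();

    // Event: {"document": "...", "instanceIds": ["i-..."], "action": "status"}
    // ("action" is an assumed optional field; it falls back to the document default)
    @SuppressWarnings("unchecked")
    public String runCommandHandler(Map<String, Object> event, Context context) {
        String document = (String) event.get("document");
        List<String> instanceIds = (List<String>) event.get("instanceIds");
        String action = (String) event.getOrDefault("action", "status");

        if (!ALLOWED_DOCUMENT.equals(document)) {
            throw new IllegalArgumentException("document not permitted: " + document);
        }
        if (instanceIds == null || instanceIds.isEmpty()) {
            throw new IllegalArgumentException("instanceIds must not be empty");
        }
        if (!ALLOWED_ACTIONS.contains(action)) {
            throw new IllegalArgumentException("action not permitted: " + action);
        }
        Map<String, List<String>> params = new HashMap<>();
        params.put("action", Arrays.asList(action));
        String commandId = ssm.sendCommand(new SendCommandRequest()
                .withDocumentName(document)
                .withInstanceIds(instanceIds)
                .withParameters(params)).getCommand().getCommandId();
        context.getLogger().log("SSM command id: " + commandId);
        return commandId; // the same id the Run Command console shows for the invocation
    }
}
```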

Congratulations, we have just learned how to execute a Systems Manager Run Command from AWS Lambda functions. I hope you will use your creative mind to put it to work in production.
