I have the following event source type "schedule": 20 18 ? * SAT *. The target is SSM Automation. I have the option "Create a new role for this specific resource" ticked. When I proceed to the create rule section, I get the following error:

Error: There was an error while saving rule SomeNameTest. Details: The Automation definition used by an SSM Automation target must contain an Assume Role which evaluates to an IAM arn.

The role is supposed to be automatically created. What am I missing? The documentation is really hard to follow.

1 Answer

I have fixed that by creating some role,

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:*"
            ],
            "Resource": [
                "arn:aws:ssm:eu-west-2:{SomeAccountNumber-PLACEHOLDER}:*",
                "arn:aws:ssm:eu-west-2::document/AWS-RunPowerShellScript"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:*"
            ],
            "Condition": {
                "StringEquals": {
                    "ssm:ResourceTag/{SomeKeyPlaceholder}": "{SomeKeyValuePlaceholder}"
                }
            },
            "Resource": [
                "arn:aws:ec2:eu-west-2:{SomeAccountNumber-PLACEHOLDER}:instance/*"
            ]
        }
    ]
}

then adding its ARN as the assume role in the automation document, then creating the event. I have allowed Amazon to create a document for me that allows simply giving permissions to run the specific SSM document.
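
A pre-flight check for the error in the question, as an added example that is not part of the original post or of any AWS tooling: it resolves an Automation document's `assumeRole` (a literal value or a `{{ parameter }}` reference) and reports when the result is not an IAM role ARN, and it lists policy statements that allow wildcard actions such as `ssm:*` so they can be narrowed. The function names, the sample document, the account id and the role name are constructed, and the resolution order (target inputs first, then the parameter default) is an assumption.

```python
import re

# IAM role ARN shape; the partition pattern covers aws, aws-cn, aws-us-gov.
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")
PARAM_REF = re.compile(r"^\{\{\s*([\w.-]+)\s*\}\}$")

def resolve_assume_role(doc, inputs=None):
    """Return the value a document's assumeRole evaluates to, or None."""
    value = doc.get("assumeRole")
    if not isinstance(value, str) or not value.strip():
        return None
    ref = PARAM_REF.match(value.strip())
    if not ref:
        return value.strip()              # literal value written in the document
    name = ref.group(1)
    supplied = (inputs or {}).get(name)   # parameters passed by the rule target
    if isinstance(supplied, list):        # Automation inputs are lists of strings
        supplied = supplied[0] if supplied else None
    if supplied:
        return supplied
    return doc.get("parameters", {}).get(name, {}).get("default") or None

def assume_role_problem(doc, inputs=None):
    """Return None when assumeRole yields an IAM role ARN, else a reason."""
    resolved = resolve_assume_role(doc, inputs)
    if resolved is None:
        return "assumeRole is missing or resolves to nothing"
    if not isinstance(resolved, str) or not ROLE_ARN.match(resolved):
        return f"assumeRole resolves to {resolved!r}, not an IAM role ARN"
    return None

def wildcard_statements(policy):
    """Indexes of Allow statements whose Action list contains a wildcard."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and any("*" in a for a in actions):
            hits.append(i)
    return hits

# Constructed sample: a document whose role parameter has an empty default.
SAMPLE_DOC = {
    "schemaVersion": "0.3",
    "assumeRole": "{{ AutomationAssumeRole }}",
    "parameters": {"AutomationAssumeRole": {"type": "String", "default": ""}},
}
# Constructed ARN with a placeholder account id and a hypothetical role name.
SAMPLE_ARN = "arn:aws:iam::111122223333:role/ExampleAutomationRole"
```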