I am using Service Catalog to execute an SSM Automation document, so my Service Catalog has its own role called "My_END_USER_Role", and I've created another role with permission to stop the EC2 instance for the SSM Automation document.
My_END_USER_Role has the AWSServiceCatalogEndUserFullAccess policy. The easy solution is to give this role the permission I need directly, but I do not want the user to be able to do any action like stopping EC2 outside of Service Catalog, so I want to assume MY_SSM_ROLE, which has the extra permission, but I get this error:
An error occurred (InvalidAutomationExecutionParametersException) when calling the StartAutomationExecution operation: The defined assume role is unable to be assumed.
Based on AWS Troubleshooting, section "Assume Role Can't Be Assumed", either the role does not exist, which cannot be true for me, or the assume role doesn't have a trust relationship with the Systems Manager service. Now I am stuck here: how should I give it the trust relationship?
SSM Automation Document:

```yaml
description: Stop EC2 Instance
schemaVersion: '0.3'
assumeRole: '{{ AutomationAssumeRole }}'
parameters:
  AutomationAssumeRole:
    type: String
    default: 'arn:aws:iam::ACCOUNTID:role/MY_SSM_ROLE'
    description: The ARN of the role that allows Automation to perform the actions on your behalf.
  InstanceId:
    type: 'AWS::EC2::Instance::Id'
mainSteps:
  - name: StopInstance
    action: 'aws:changeInstanceState'
    inputs:
      InstanceIds:
        - '{{ InstanceId }}'
      DesiredState: stopped
```
Just for a test I gave MY_SSM_ROLE admin permissions, and it also includes this policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole",
        "iam:PassRole",
        "ssm:StartAutomationExecution"
      ],
      "Resource": "*"
    }
  ]
}
```
Found the solution: I had to add the proper services to the trust relationship of the MY_SSM_ROLE role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ssm.amazonaws.com",
          "iam.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
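The error in the question is decided entirely by the role's trust policy, not by the permissions attached to the role, which is why granting `sts:AssumeRole` to MY_SSM_ROLE itself did nothing. The following Python is an added example for this thread, not the poster's code: it checks whether a trust policy lets `ssm.amazonaws.com` assume a role, and builds a tighter replacement for the accepted trust policy plus the two permission policies the flow actually needs. The account id `111122223333` is a placeholder, the `aws:SourceAccount`/`aws:SourceArn` conditions follow AWS's recommended pattern for Automation service roles, and the EC2 action set for the `aws:changeInstanceState` step is an assumption, not taken from the page.

```python
"""Trust-policy check and least-privilege policies for an SSM Automation role.

Added example; not the original poster's code. 111122223333 is a placeholder
account id, MY_SSM_ROLE is the role name used in the question.
"""
import json

SSM_SERVICE = "ssm.amazonaws.com"
ACCOUNT_ID = "111122223333"   # placeholder, not a real account
ROLE_NAME = "MY_SSM_ROLE"     # role name from the question


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def service_can_assume(trust_policy: dict, service: str = SSM_SERVICE) -> bool:
    """True if `service` may call sts:AssumeRole on the role.

    Narrow model of IAM evaluation for Service principals: an explicit Deny
    overrides any Allow, and Principal "*" matches everyone. Condition
    blocks are not evaluated (they only narrow an Allow).
    """
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            matches = True
        elif isinstance(principal, dict):
            matches = service in _as_list(principal.get("Service"))
        else:
            matches = False
        if not matches:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def ssm_trust_policy(account_id: str = ACCOUNT_ID) -> dict:
    """Trust policy for MY_SSM_ROLE: only Automation executions started in
    `account_id` may assume it, which blocks another account's Automation
    from pointing at this role (confused-deputy protection)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": SSM_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": f"arn:aws:ssm:*:{account_id}:automation-execution/*"},
            },
        }],
    }


def stop_instance_permissions() -> dict:
    """Permission policy for MY_SSM_ROLE instead of admin: the EC2 calls assumed
    to be needed by aws:changeInstanceState when stopping an instance.
    sts:AssumeRole does not belong here; assumability lives in the trust policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ec2:StopInstances", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus"],
            "Resource": "*",
        }],
    }


def caller_passrole_policy(account_id: str = ACCOUNT_ID, role_name: str = ROLE_NAME) -> dict:
    """What the StartAutomationExecution caller (My_END_USER_Role) needs besides
    its Service Catalog access: permission to pass exactly this role to SSM."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": f"arn:aws:iam::{account_id}:role/{role_name}",
            "Condition": {"StringEquals": {"iam:PassedToService": SSM_SERVICE}},
        }],
    }


# Constructed sample: a role that only trusts EC2, the usual state of a role
# created for another purpose and reused for Automation.
EC2_ONLY_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    print("EC2-only trust lets SSM assume:", service_can_assume(EC2_ONLY_TRUST))    # False
    print("Fixed trust lets SSM assume:   ", service_can_assume(ssm_trust_policy()))  # True
    print(json.dumps(ssm_trust_policy(), indent=2))
```

Two practical points follow from this. First, the example trust policy lists only `ssm.amazonaws.com`: the Automation service is the only principal calling AssumeRole in this flow, so the extra `iam.amazonaws.com` entry in the accepted trust policy above can be left out. Second, `iam:PassRole` is needed by whoever calls `StartAutomationExecution` (here My_END_USER_Role), scoped to the one role ARN, rather than by MY_SSM_ROLE itself; with that in place the end user still cannot call `ec2:StopInstances` directly, which was the goal of the question.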