The behavior you are seeing is not necessarily a bug, but a side effect of how AWS Systems Manager Default Host Management Configuration (DHMC) works.
When DHMC is enabled, SSM is designed to provide "default" management capabilities (via the AWS-QuickSetup-SSM-DefaultEC2MgmtRole) to instances that do not have an IAM instance profile attached. However, there are scenarios where SSM prefers this default role even if a specific role is present, or where the "Quick Setup" automation enforces this role globally.
To resolve the AccessDenied error, you have two primary paths:
1. Explicitly Override DHMC (Recommended for Production)
Ensure your EC2 instances have a specific IAM Instance Profile attached. When a specific profile is attached, SSM should prioritize those credentials over the DHMC default role.
- Action: Go to EC2 Console > Instance > Actions > Security > Modify IAM Role.
- Policy: Ensure this role has both AmazonSSMManagedInstanceCore and a custom policy allowing s3:GetObject on your CodePipeline artifact bucket.
2. Update the DHMC Default Role (If using DHMC by design)
If your environment relies on DHMC to manage all instances without individual profiles, you must grant the default role permission to access the Pipeline artifacts.
- Action: Attach an inline policy to the AWS-QuickSetup-SSM-DefaultEC2MgmtRole-eu-west-1 role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetBucketLocation"],
      "Resource": [
        "arn:aws:s3:::codepipeline-eu-west-1-zzzzzzzz/*",
        "arn:aws:s3:::codepipeline-eu-west-1-zzzzzzzz"
      ]
    }
  ]
}
```
Why is this happening?
If you have an instance profile attached but SSM still uses the AWS-QuickSetup role, it usually means the instance was registered in SSM before the profile was attached, or the DHMC configuration is set to "force" the default role. A quick restart of the amazon-ssm-agent on the instance or a reboot often forces it to pick up the correct metadata (the instance profile) and stop using the fallback DHMC role.
Documentation Reference: Check the AWS Systems Manager User Guide on DHMC, which explains that the default role is used to ensure "at-scale" management, but can be superseded by specific instance profiles.
Hello.
I believe the steps in Step 2 of the following document are what you need to do.
The error can be resolved by configuring the IAM policy for the EC2 IAM role using the procedure described in the following document.
https://docs.aws.amazon.com/codepipeline/latest/userguide/tutorials-ec2-deploy.html#tutorials-ec2-deploy-role-s3
My EC2 instance role does have the necessary S3 permissions.
The problem here is that SSM is using a different role (AWS-QuickSetup-SSM-DefaultEC2MgmtRole-eu-west-1) to run the EC2 action. This role was created when Default Host Management was enabled in Systems Manager. It can be seen in the systems manager node details as the "Instance Role". The same role is associated with all my instances and it does not seem possible to change it using the console or CLI.
Seems like a bug or limitation in SSM.
You're on the right track. The error indicates that your EC2 instance's IAM role (AWS-QuickSetup-SSM-DefaultEC2MgmtRole-eu-west-1) lacks the necessary S3 permissions to download artifacts from the CodePipeline artifact bucket.
To resolve this Access Denied error, you need to add S3 bucket permissions to the EC2 instance role. Specifically, you should add the s3:GetObject permission scoped to your pipeline's artifact bucket. When creating or updating the instance role, you can either create a default role or update your existing role with this permission.
The instance role needs these S3 permissions because during deployment, the EC2 instance (via SSM) must download the build artifacts from the CodePipeline artifact bucket. Without the s3:GetObject permission on the artifact bucket, the instance cannot retrieve the deployment files, resulting in the Access Denied error you're seeing.
To fix this, update the AWS-QuickSetup-SSM-DefaultEC2MgmtRole-eu-west-1 role by adding a policy that grants s3:GetObject permission for the CodePipeline artifact bucket (codepipeline-eu-west-1-zzzzzzzz in your case). You should scope this permission specifically to your pipeline's artifact bucket for security best practices.
Sources
Amazon EC2 action reference - AWS CodePipeline
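Added example, not code from any of the answers in this thread: a small Python helper for the two checks a practitioner wants before touching IAM here. It builds the bucket-scoped artifact policy both the first and third answers recommend, verifies offline that the policy covers s3:GetObject on an artifact object (and nothing in another bucket), and parses the ARN returned by `aws sts get-caller-identity` on the instance so you can tell whether the agent is really running as the DHMC default role or as your instance profile role, which is the question raised under "Why is this happening?". The bucket name is the thread's placeholder; the account ID, session name and object key are constructed for the example; the evaluator only handles Effect/Action/Resource with IAM wildcards (no NotAction, NotResource or Condition), which is enough for this policy.

```python
import json
import re
from typing import Optional

# Constructed values for the example; the bucket mirrors the thread's placeholder.
ARTIFACT_BUCKET = "codepipeline-eu-west-1-zzzzzzzz"
DHMC_ROLE = "AWS-QuickSetup-SSM-DefaultEC2MgmtRole-eu-west-1"


def artifact_policy(bucket: str) -> dict:
    """Least-privilege inline policy: read objects from one artifact bucket only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadPipelineArtifacts",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:GetBucketLocation"],
                "Resource": [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"],
            }
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _iam_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM wildcard matching: '*' is any run of characters, '?' a single one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(regex, value, flags) is not None


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Minimal evaluation: an explicit Deny wins, otherwise any matching Allow.

    Only Effect/Action/Resource are considered; NotAction, NotResource and
    Condition are not implemented (assumption: not needed for this policy).
    Actions compare case-insensitively, resource ARNs case-sensitively.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        action_hit = any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_iam_match(r, resource, False) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def role_name_from_caller_arn(arn: str) -> Optional[str]:
    """Role name from the Arn field of `aws sts get-caller-identity` run on the instance.

    Instance-profile and DHMC credentials both show up as an assumed-role ARN:
    arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
    Returns None for anything that is not an assumed role.
    """
    m = re.match(r"^arn:aws:sts::\d{12}:assumed-role/([^/]+)/[^/]+$", arn)
    return m.group(1) if m else None


def diagnose(caller_arn: str, policy: dict, bucket: str, key: str) -> str:
    """Say which role the agent runs as and whether it can read one artifact object."""
    role = role_name_from_caller_arn(caller_arn)
    if role is None:
        return "caller is not an assumed role; run this on the instance itself"
    obj = f"arn:aws:s3:::{bucket}/{key}"
    who = "the DHMC default role" if role == DHMC_ROLE else f"instance role {role}"
    if policy_allows(policy, "s3:GetObject", obj):
        return f"running as {who}; s3:GetObject on {obj} is allowed"
    return f"running as {who}; s3:GetObject on {obj} is NOT allowed, attach the artifact policy to {role}"


if __name__ == "__main__":
    # Constructed caller ARN, as the DHMC role would report it from the instance.
    sample_arn = f"arn:aws:sts::123456789012:assumed-role/{DHMC_ROLE}/i-0123456789abcdef0"
    policy = artifact_policy(ARTIFACT_BUCKET)
    print(diagnose(sample_arn, policy, ARTIFACT_BUCKET, "MyPipeline/SourceArti/abc123.zip"))
    print(json.dumps(policy, indent=2))
    print(f"aws iam put-role-policy --role-name {DHMC_ROLE} "
          f"--policy-name ReadPipelineArtifacts --policy-document file://policy.json")
```

Run `aws sts get-caller-identity` on the instance (through an SSM session, so you get the same credentials the agent uses) and feed its `Arn` to `diagnose`; if the role it reports is the DHMC default role rather than your instance profile, that is the role that needs the policy, as the third answer says. Replace the role name in the printed `put-role-policy` command if you are attaching it to your own instance role instead.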
Thanks, it is making sense now. I added AmazonSSMManagedInstanceCore to my existing instance role and eventually the download in the deploy action started working. The SSM console still shows AWS-QuickSetup-SSM-DefaultEC2MgmtRole-eu-west-1 as the IAM Role for the instance but it does seem to be using the EC2 instance role.