Amazon Simple Systems Manager (SSM)
Amazon Simple Systems Manager (Amazon SSM) is a service that helps centrally view, manage, and operate nodes at scale in AWS, on-premises, and multi-cloud environments. Systems Manager consolidates various tools to help complete common node tasks across AWS accounts and Regions. To use Systems Manager, nodes must be managed, which means SSM Agent is installed on the machine and the agent can communicate with the Systems Manager service.
Prerequisite Tasks
To use these operators, you must do a few things:
- Create necessary resources using AWS Console or AWS CLI.
- Install API libraries via pip.
    pip install 'apache-airflow[amazon]'
  Detailed information is available in Installation of Airflow®.
Generic Parameters
- aws_conn_id
  Reference to Amazon Web Services Connection ID. If this parameter is set to None then the default boto3 behaviour is used without a connection lookup. Otherwise use the credentials stored in the Connection. Default: aws_default
- region_name
  AWS Region Name. If this parameter is set to None or omitted then region_name from AWS Connection Extra Parameter will be used. Otherwise use the specified value instead of the connection value. Default: None
- verify
  Whether or not to verify SSL certificates.
  - False - Do not validate SSL certificates.
  - path/to/cert/bundle.pem - A filename of the CA cert bundle to use. You can specify this argument if you want to use a different CA cert bundle than the one used by botocore.
  If this parameter is set to None or is omitted then verify from AWS Connection Extra Parameter will be used. Otherwise use the specified value instead of the connection value. Default: None
- botocore_config
  The provided dictionary is used to construct a botocore.config.Config. This configuration can be used to avoid throttling exceptions, set timeouts, etc.
  Example (for more detail about the parameters, see botocore.config.Config):
    {
        "signature_version": "unsigned",
        "s3": {
            "us_east_1_regional_endpoint": True,
        },
        "retries": {
            "mode": "standard",
            "max_attempts": 10,
        },
        "connect_timeout": 300,
        "read_timeout": 300,
        "tcp_keepalive": True,
    }
  If this parameter is set to None or omitted then config_kwargs from AWS Connection Extra Parameter will be used. Otherwise use the specified value instead of the connection value. Default: None
  Note
  Specifying an empty dictionary, {}, will overwrite the connection configuration for botocore.config.Config
Operators
Runs commands on one or more managed nodes
To run an SSM Run Command, you can use SsmRunCommandOperator.
To monitor the state of the command for a specific instance, you can use the “command_executed” Waiter. Additionally, you can use the following components to track the status of the command execution: the SsmRunCommandCompletedSensor Sensor, or the SsmRunCommandTrigger Trigger.
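from airflow.providers.amazon.aws.operators.ssm import SsmRunCommandOperator

# run_command_kwargs must be defined before this call; it holds the
# arguments for the Run Command request (targets, parameters, ...).
run_command = SsmRunCommandOperator(
    task_id="run_command",
    document_name="AWS-RunShellScript",
    run_command_kwargs=run_command_kwargs,
    # Do not block here; completion is tracked by a sensor or trigger.
    wait_for_completion=False,
)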
Sensors
Wait for an Amazon SSM run command
To wait on the state of an Amazon SSM run command job until it reaches a terminal state you can use SsmRunCommandCompletedSensor.
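from airflow.providers.amazon.aws.sensors.ssm import SsmRunCommandCompletedSensor

# The command ID is taken from the output of the run_command task above.
await_run_command = SsmRunCommandCompletedSensor(
    task_id="await_run_command",
    command_id=run_command.output,
)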
IAM Permissions
You need to ensure the following IAM permissions are granted to allow Airflow to run and monitor SSM Run Command executions:
{
    "Effect": "Allow",
    "Action": [
        "ssm:SendCommand",
        "ssm:ListCommandInvocations",
        "ssm:GetCommandInvocation"
    ],
    "Resource": "*"
}
This policy allows access to all SSM documents and managed instances. For production environments, it is recommended to restrict the Resource field to specific SSM document ARNs and, if applicable, to the ARNs of intended target resources (such as EC2 instances), in accordance with the principle of least privilege.
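One way to apply the restriction recommended above, as an added example that is not part of the Airflow documentation: scoped_statements builds statements that limit ssm:SendCommand to one document and named EC2 instances, and wildcard_send_command flags statements such as the one shown on this page. The function names, region, account ID and instance ID are constructed for illustration, and keeping the two read-only actions on "*" is an assumption that they do not support resource-level permissions.

```python
import fnmatch

SEND = "ssm:SendCommand"
# The statement shown on this page, copied as a Python dict.
PAGE_STATEMENT = {
    "Effect": "Allow",
    "Action": ["ssm:SendCommand", "ssm:ListCommandInvocations", "ssm:GetCommandInvocation"],
    "Resource": "*",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scoped_statements(region, account_id, document_name, instance_ids):
    """Limit SendCommand to one document and the named EC2 instances."""
    # AWS-owned documents ("AWS-..." names) have an empty account field in their ARN.
    doc_account = "" if document_name.startswith("AWS-") else account_id
    resources = [f"arn:aws:ssm:{region}:{doc_account}:document/{document_name}"]
    resources += [f"arn:aws:ec2:{region}:{account_id}:instance/{i}" for i in instance_ids]
    return [
        {"Effect": "Allow", "Action": [SEND], "Resource": resources},
        # Assumption: the two read-only actions take no resource-level scoping.
        {"Effect": "Allow",
         "Action": ["ssm:ListCommandInvocations", "ssm:GetCommandInvocation"],
         "Resource": "*"},
    ]


def wildcard_send_command(statements):
    """Return Allow statements granting ssm:SendCommand on a wildcard resource."""
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        grants_send = any(fnmatch.fnmatchcase(SEND.lower(), a.lower())
                          for a in _as_list(st["Action"]))
        broad = any(r == "*" or r.endswith("/*") for r in _as_list(st["Resource"]))
        if grants_send and broad:
            findings.append(st)
    return findings


if __name__ == "__main__":
    # Constructed sample values: account ID and instance ID are placeholders.
    scoped = scoped_statements("us-east-1", "111122223333",
                               "AWS-RunShellScript", ["i-0123456789abcdef0"])
    print("page statement flagged:", bool(wildcard_send_command([PAGE_STATEMENT])))
    print("scoped policy flagged: ", bool(wildcard_send_command(scoped)))
```

The check covers only Allow statements with Action and Resource keys; statements using NotAction or NotResource need separate review.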