
Amazon Simple Systems Manager (SSM)

Amazon Simple Systems Manager (Amazon SSM) is a service that helps centrally view, manage, and operate nodes at scale in AWS, on-premises, and multi-cloud environments. Systems Manager consolidates various tools to help complete common node tasks across AWS accounts and Regions. To use Systems Manager, nodes must be managed, which means SSM Agent is installed on the machine and the agent can communicate with the Systems Manager service.

Prerequisite Tasks

To use these operators, you must do a few things:

Generic Parameters

aws_conn_id

Reference to Amazon Web Services Connection ID. If this parameter is set to None then the default boto3 behaviour is used without a connection lookup. Otherwise use the credentials stored in the Connection. Default: aws_default

region_name

AWS Region Name. If this parameter is set to None or omitted then region_name from AWS Connection Extra Parameter will be used. Otherwise use the specified value instead of the connection value. Default: None

verify

Whether or not to verify SSL certificates.

  • False - Do not validate SSL certificates.

  • path/to/cert/bundle.pem - A filename of the CA cert bundle to use. You can specify this argument if you want to use a different CA cert bundle than the one used by botocore.

If this parameter is set to None or is omitted then verify from AWS Connection Extra Parameter will be used. Otherwise use the specified value instead of the connection value. Default: None

botocore_config

The provided dictionary is used to construct a botocore.config.Config. This configuration can be used to avoid throttling exceptions, set timeouts, etc.

Example (for more detail about the parameters, see botocore.config.Config):
{
    "signature_version": "unsigned",
    "s3": {
        "us_east_1_regional_endpoint": True,
    },
    "retries": {
      "mode": "standard",
      "max_attempts": 10,
    },
    "connect_timeout": 300,
    "read_timeout": 300,
    "tcp_keepalive": True,
}

If this parameter is set to None or omitted then config_kwargs from AWS Connection Extra Parameter will be used. Otherwise use the specified value instead of the connection value. Default: None

Note

Specifying an empty dictionary, {}, will overwrite the connection configuration for botocore.config.Config

Operators

Runs commands on one or more managed nodes

To run commands with SSM Run Command, you can use SsmRunCommandOperator.

To monitor the state of the command for a specific instance, you can use the “command_executed” waiter. Additionally, you can track the status of the command execution with the SsmRunCommandCompletedSensor sensor or the SsmRunCommandTrigger trigger.

tests/system/amazon/aws/example_ssm.py

run_command = SsmRunCommandOperator(
    task_id="run_command",
    document_name="AWS-RunShellScript",
    run_command_kwargs=run_command_kwargs,
    wait_for_completion=False,
)

Sensors

Wait for an Amazon SSM run command

To wait on the state of an Amazon SSM run command job until it reaches a terminal state, you can use SsmRunCommandCompletedSensor.

tests/system/amazon/aws/example_ssm.py

await_run_command = SsmRunCommandCompletedSensor(
    task_id="await_run_command", command_id=run_command.output
)

IAM Permissions

You need to ensure the following IAM permissions are granted to allow Airflow to run and monitor SSM Run Command executions:

{
  "Effect": "Allow",
  "Action": [
    "ssm:SendCommand",
    "ssm:ListCommandInvocations",
    "ssm:GetCommandInvocation"
  ],
  "Resource": "*"
}

This policy allows access to all SSM documents and managed instances. For production environments, it is recommended to restrict the Resource field to specific SSM document ARNs and, if applicable, to the ARNs of intended target resources (such as EC2 instances), in accordance with the principle of least privilege.
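The scoping recommended above, as an added example that is not part of the Airflow documentation or provider code: it builds a policy that limits ssm:SendCommand to one document and named EC2 instances, and flags statements that still allow it on "*". The region, account ID and instance ID are constructed placeholders, and leaving the two monitoring actions on "*" is an assumption carried over from the policy on this page.

```python
from fnmatch import fnmatchcase

MONITOR_ACTIONS = ["ssm:ListCommandInvocations", "ssm:GetCommandInvocation"]

# The statement from this page, wrapped in a policy document for the check below.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:SendCommand", *MONITOR_ACTIONS], "Resource": "*"},
]}


def scoped_policy(region, account_id, document_name, instance_ids, aws_owned=True):
    """Limit ssm:SendCommand to one SSM document and the named EC2 instances."""
    # AWS-owned documents such as AWS-RunShellScript have an empty account field.
    doc_account = "" if aws_owned else account_id
    resources = [f"arn:aws:ssm:{region}:{doc_account}:document/{document_name}"]
    resources += [f"arn:aws:ec2:{region}:{account_id}:instance/{i}" for i in instance_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "SendOneDocument", "Effect": "Allow",
             "Action": "ssm:SendCommand", "Resource": resources},
            # Assumption: the monitoring actions stay on "*", as in the page's policy.
            {"Sid": "MonitorInvocations", "Effect": "Allow",
             "Action": MONITOR_ACTIONS, "Resource": "*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def unscoped_send_command(policy):
    """Return Allow statements granting ssm:SendCommand (wildcards included) on "*"."""
    hits = []
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        grants = any(fnmatchcase("ssm:sendcommand", a) for a in actions)
        if stmt.get("Effect") == "Allow" and grants and "*" in _as_list(stmt.get("Resource", [])):
            hits.append(stmt)
    return hits


if __name__ == "__main__":
    # Constructed placeholder values, not taken from the page.
    demo = scoped_policy("eu-west-1", "111122223333", "AWS-RunShellScript", ["i-0123456789abcdef0"])
    print(len(unscoped_send_command(PAGE_POLICY)), len(unscoped_send_command(demo)))
```

The document passed as document_name should match the document_name given to SsmRunCommandOperator, and the instance IDs should match the targets in run_command_kwargs.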
