EC2 & SSM
EC2 & SSM setup
Create an EC2 instance role (e.g. ec2-ssm-role) with AmazonSSMManagedInstanceCore and attach it to each VM. Your S3Pixels role from /setup is separate — enable EC2 + SSM there first if you have not already.
Step 1: Create EC2 instance role
Trust = EC2 service only. Attach AmazonSSMManagedInstanceCore manually — do not use the “EC2 Role for AWS Systems Manager” shortcut.
This page is only for the EC2 instance role (not your S3Pixels role from /setup).
Create the role in IAM
- Open IAM → Roles → Create role.
- Under Trusted entity type, choose AWS service.
- In the use case list, search EC2 and select the first option named EC2 — “Allows EC2 instances to call AWS services on your behalf.” Click Next.
Do not pick EC2 Role for AWS Systems Manager — that is a bundled preset. Start from a clean role and attach AmazonSSMManagedInstanceCore yourself.
- On Add permissions, search for and check the box next to AmazonSSMManagedInstanceCore only (do not add extra policies unless you know you need them).
- Click Next. Set role name to (or your own name — use the same name when attaching to EC2). Click Create role.
- AWS usually creates an instance profile with the same name. When launching or modifying an instance, pick that profile (not the S3Pixels role ARN).
Sanity check before launch: Trust policy shows ec2.amazonaws.com · Permissions include AmazonSSMManagedInstanceCore · Instance profile name matches role name (e.g. ec2-ssm-role).
Attach this role to each instance
- SSM Agent — pre-installed on Amazon Linux 2/2023; others need manual install.
- EC2 → select instance → Actions → Security → Modify IAM role → choose (or your profile name).
- Or at launch: set IAM instance profile to that role. If you launch from this app, pass the instance profile name, not the role ARN (instance-profile/…).
- Systems Manager → Fleet Manager → instance status Online (often 2–5 minutes after attach + reboot if needed).
Step 2: Verify in the app
Fleet Manager must show Online before chat commands work.
- Dashboard → EC2 — instances should list.
- Cloud Assistant: List EC2 instances in ap-south-1 — SSM column should be Online.
- Run a test: echo hello from ssm on one instance id.
Launching EC2 from code? Pass IamInstanceProfile.Name = your instance profile name (e.g. ec2-ssm-role), not the role ARN. Your S3Pixels role needs iam:PassRole — enable EC2 on /setup.
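The sanity check and the launch-from-code rule above can be run offline against a role's trust policy, attached policy names, instance profile names and the IamInstanceProfile value you intend to pass. This is an added example, not code from this app; the function names, the sample documents and the account id 111122223333 are constructed for illustration.

```python
MANAGED_POLICY = "AmazonSSMManagedInstanceCore"
EC2_PRINCIPAL = "ec2.amazonaws.com"

def as_list(value):
    """IAM JSON allows a single item or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def assume_role_principals(trust_policy):
    """Return every principal that an Allow statement lets call sts:AssumeRole."""
    found = set()
    for stmt in as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.add("*")
            continue
        for kind, values in principal.items():
            # Keep service principals bare; prefix AWS/Federated ones so they stand out.
            found.update(v if kind == "Service" else f"{kind}:{v}" for v in as_list(values))
    return found

def check_role(role_name, trust_policy, attached, profiles, launch_profile):
    """Apply the page's sanity check; an empty list means the role is ready to attach."""
    findings = []
    principals = assume_role_principals(trust_policy)
    if principals != {EC2_PRINCIPAL}:
        findings.append(f"trust: expected only {EC2_PRINCIPAL}, got {sorted(principals)}")
    if MANAGED_POLICY not in attached:
        findings.append(f"permissions: {MANAGED_POLICY} is not attached")
    extra = sorted(set(attached) - {MANAGED_POLICY})
    if extra:
        findings.append(f"permissions: review extra policies: {extra}")
    if role_name not in profiles:
        findings.append(f"profile: no instance profile named {role_name}")
    if launch_profile.get("Name") not in profiles:
        findings.append("launch: IamInstanceProfile.Name must be the instance profile name")
    return findings

# Constructed sample data (account id 111122223333 is a placeholder).
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
BAD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": ["ec2.amazonaws.com"], "AWS": "arn:aws:iam::111122223333:root"}}]}

if __name__ == "__main__":
    print(check_role("ec2-ssm-role", GOOD_TRUST, [MANAGED_POLICY], ["ec2-ssm-role"],
                     {"Name": "ec2-ssm-role"}))
    print(check_role("ec2-ssm-role", BAD_TRUST, [MANAGED_POLICY, "AdministratorAccess"],
                     ["ec2-ssm-role"], {"Arn": "arn:aws:iam::111122223333:role/ec2-ssm-role"}))
```

The inputs have the same shape as the trust policy document, attached policy names and instance profile names shown in the IAM console for the role.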