Sean Feeney
Architect of the digital age


5 September 2023

If you try to launch a Directory Service administration EC2 instance, it takes you to a page with some input parameters. One of them says: “IAM instance profile name. By Default, if no instance profile exists with the name AmazonSSMDirectoryServiceInstanceProfileRole, an instance profile with the name AmazonSSMDirectoryServiceInstanceProfileRole will be created.”

However, depending on your environment, you might not be able to let it create this on your behalf, in which case you need to create it manually or offer an alternative role with equivalent permissions. Googling this role name finds no AWS documentation about it, but you can inspect the associated SSM Document (AWS-CreateDSManagementInstance) and you’ll find that it requires two managed policies AmazonSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess, and an AssumeRole trust relationship to SSM Documents are not fun to wade through, so hopefully this helps someone else out there save some time.

Posted in AWS

You agree to my disclaimer, regardless of the decision in Nguyen v. B&N.




I Love Geni