I have created a custom AWS SSM document for use with Run Command. I am then trying to use Boto 3 in order to send that command to a single EC2 instance.
The document requires 2 parameters to be sent to it, but I cannot figure out how to correctly do this by looking at the docs here: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ssm.html#SSM.Client.send_command
I can use the CLI successfully with this command:
aws ssm send-command \
    --document-name "ResetVpnMfa" \
    --document-version "1" \
    --targets '[{"Key":"InstanceIds","Values":["i-abcabcab"]}]' \
    --parameters '{"command":["GoogleAuthlock"],"username":["some.user"]}' \
    --timeout-seconds 30 \
    --region eu-west-1
My Python code:
import boto3
client = boto3.client('ssm', region_name='eu-west-1')
params = {
    'command': ['GoogleAuthLock'],
    'username': ['some.user'],
}
response = client.send_command(
    InstanceIds=['i-abcabcab'],
    DocumentName='ResetVpnMfa',
    DocumentVersion='1',
    TimeoutSeconds=30,
    Comment='VPN MFA reset for some.user via Boto',
    Parameters=params
)
I get the following error:
botocore.errorfactory.InvalidParameters: An error occurred (InvalidParameters) when calling the SendCommand operation:
The SSM Document itself:
---
schemaVersion: "2.2"
description: "Unlock or reset MFA on OpenVPN"
parameters:
  username:
    type: "String"
    description: "VPN user e.g. digger.dachshund"
  command:
    type: "String"
    description: "Command to unlock or reset MFA on OpenVPN."
    allowedValues:
    - GoogleAuthlock
    - GoogleAuthRegen
mainSteps:
- action: "aws:runShellScript"
  name: "VPNResetMFA"
  inputs:
    runCommand:
    - "/usr/local/openvpn_as/scripts/sacli --user {{username}} --lock 0 {{command}}"
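
An added example, not part of the original post and not AWS or Boto 3 code: a pre-flight check that compares the `Parameters` dict against the parameter declarations of the ResetVpnMfa document shown above before `send_command` is called. `validate_params` and `DOC_PARAMETERS` are hypothetical names, with the schema transcribed by hand from the YAML on this page. It assumes that `allowedValues` is matched case-sensitively and that a parameter declared without a `default` must be supplied.

```python
# Added example: validate send_command Parameters against the parameters
# declared in an SSM document. The schema is transcribed from the
# ResetVpnMfa YAML on this page; validate_params is a hypothetical helper.

DOC_PARAMETERS = {
    "username": {"type": "String"},
    "command": {
        "type": "String",
        "allowedValues": ["GoogleAuthlock", "GoogleAuthRegen"],
    },
}


def validate_params(schema, params):
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    for name in params:
        if name not in schema:
            problems.append(f"{name}: not declared in the document")
    for name, spec in schema.items():
        if name not in params:
            # Assumption: no declared default means the caller must send it.
            if "default" not in spec:
                problems.append(f"{name}: required parameter missing")
            continue
        values = params[name]
        # The API takes every parameter value as a list of strings.
        if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
            problems.append(f"{name}: value must be a list of strings")
            continue
        allowed = spec.get("allowedValues")
        if allowed is None:
            continue
        for value in values:
            if value in allowed:
                continue
            # Assumption: allowedValues is compared case-sensitively, so a
            # value that differs only in case gets a "did you mean" hint.
            near = [a for a in allowed if a.lower() == value.lower()]
            hint = f" (did you mean {near[0]!r}?)" if near else ""
            problems.append(f"{name}: {value!r} not in allowedValues{hint}")
    return problems


if __name__ == "__main__":
    # Parameters exactly as passed in the Python snippet above.
    sent = {"command": ["GoogleAuthLock"], "username": ["some.user"]}
    for problem in validate_params(DOC_PARAMETERS, sent):
        print(problem)
```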