Setting up Distributor - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Setting up Distributor

Before you use Distributor, a capability of Amazon Systems Manager, to create, manage, and deploy software packages, follow these steps.

Complete Distributor prerequisites

Before you use Distributor, a capability of Amazon Systems Manager, be sure your environment meets the following requirements.

Distributor prerequisites
Requirement Description

SSM Agent

Amazon Systems Manager SSM Agent version 2.3.274.0 or later must be installed on the managed nodes on which you want to deploy or from which you want to remove packages.

To install or update SSM Agent, see Working with SSM Agent.

Amazon CLI

(Optional) To use the Amazon Command Line Interface (Amazon CLI) instead of the Systems Manager console to create and manage packages, install the newest release of the Amazon CLI on your local computer.

For more information about how to install or upgrade the CLI, see Installing the Amazon Command Line Interface in the Amazon Command Line Interface User Guide.

Amazon Tools for PowerShell

(Optional) To use the Tools for PowerShell instead of the Systems Manager console to create and manage packages, install the newest release of Tools for PowerShell on your local computer.

For more information about how to install or upgrade the Tools for PowerShell, see Setting up the Amazon Tools for Windows PowerShell or Amazon Tools for PowerShell Core in the Amazon Tools for Windows PowerShell User Guide.

Note

Systems Manager doesn't support distributing packages to Oracle Linux managed nodes by using Distributor.
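The following fleet check for the SSM Agent version requirement and the Oracle Linux limitation above is an added example, not part of the Amazon documentation. It reads JSON in the shape returned by `aws ssm describe-instance-information`. The sample records are constructed, and matching Oracle Linux by a `PlatformName` that contains "oracle" is an assumption.

```python
import json

MIN_AGENT = (2, 3, 274, 0)  # minimum SSM Agent version stated on this page

# Constructed sample in the shape of `aws ssm describe-instance-information`
# output; instance IDs, versions and platforms are made up.
SAMPLE = json.loads("""
{"InstanceInformationList": [
  {"InstanceId": "i-0aaa0000000000001", "AgentVersion": "3.2.582.0",  "PlatformName": "Amazon Linux"},
  {"InstanceId": "i-0aaa0000000000002", "AgentVersion": "2.3.68.0",   "PlatformName": "Ubuntu"},
  {"InstanceId": "i-0aaa0000000000003", "AgentVersion": "2.3.1205.0", "PlatformName": "Microsoft Windows Server 2019 Datacenter"},
  {"InstanceId": "i-0aaa0000000000004", "AgentVersion": "3.1.1732.0", "PlatformName": "Oracle Linux Server"},
  {"InstanceId": "i-0aaa0000000000005", "AgentVersion": "",           "PlatformName": "CentOS Linux"}
]}
""")

def parse_version(text):
    """Turn '2.3.274.0' into (2, 3, 274, 0); return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def distributor_blockers(info):
    """Map instance ID -> list of reasons the node fails the prerequisites."""
    report = {}
    for node in info.get("InstanceInformationList", []):
        reasons = []
        # Compare numerically: as strings, "2.3.68.0" sorts after "2.3.274.0".
        version = parse_version(node.get("AgentVersion", ""))
        if version is None:
            reasons.append("agent version missing or malformed")
        elif version < MIN_AGENT:
            reasons.append("agent %s is older than 2.3.274.0" % node["AgentVersion"])
        # Assumption: Oracle Linux nodes report a PlatformName containing "oracle".
        if "oracle" in node.get("PlatformName", "").lower():
            reasons.append("Oracle Linux is not supported by Distributor")
        if reasons:
            report[node["InstanceId"]] = reasons
    return report

if __name__ == "__main__":
    for instance_id, reasons in distributor_blockers(SAMPLE).items():
        print(instance_id, "; ".join(reasons))
```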

Verify or create an IAM instance profile with Distributor permissions

By default, Amazon Systems Manager doesn't have permission to perform actions on your instances. You must grant access by using an Amazon Identity and Access Management (IAM) instance profile. An instance profile is a container that passes IAM role information to an Amazon Elastic Compute Cloud (Amazon EC2) instance at launch. This requirement applies to permissions for all Systems Manager capabilities, not just Distributor, which is a capability of Amazon Systems Manager.

Note

When you configure your edge devices to run Amazon IoT Greengrass Core software and SSM Agent, you specify an IAM service role that enables Systems Manager to perform actions on them. You don't need to configure managed edge devices with an instance profile.

If you already use other Systems Manager capabilities, such as Run Command and State Manager, an instance profile with the required permissions for Distributor is already attached to your instances. The simplest way to ensure that you have permissions to perform Distributor tasks is to attach the AmazonSSMManagedInstanceCore policy to your instance profile. For more information, see Configure instance permissions required for Systems Manager.

Control user access to packages

Using Amazon Identity and Access Management (IAM) policies, you can control who can create, deploy, and manage packages. You also control which Run Command and State Manager API operations they can perform on managed nodes. Like Distributor, both Run Command and State Manager are capabilities of Amazon Systems Manager.

ARN Format

User-defined packages are associated with document Amazon Resource Names (ARNs) and have the following format.

arn:aws-cn:ssm:region:account-id:document/document-name

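The following is an example. It is written with the aws partition, whereas the format above shows the aws-cn partition used in the China Regions.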

arn:aws:ssm:us-west-1:123456789012:document/ExampleDocumentName

You can use a pair of Amazon supplied default IAM policies, one for end users and one for administrators, to grant permissions for Distributor activities. Or you can create custom IAM policies appropriate for your permissions requirements.

For more information about using variables in IAM policies, see IAM Policy Elements: Variables.

For information about how to create policies and attach them to users or groups, see Creating IAM Policies and Adding and Removing IAM Policies in the IAM User Guide.
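The following audit of a custom policy against the document ARN format above is an added example, not part of the Amazon documentation. It reports whether each Allow statement is scoped to one named package or to a wildcard. The policy is constructed, the name character set in the pattern is an assumption, and only the `aws` and `aws-cn` partitions shown on this page are accepted.

```python
import re

# Format from this page:
#   arn:<partition>:ssm:<region>:<account-id>:document/<document-name>
# Assumption: document names use letters, digits, '_', '-' and '.'.
DOC_ARN = re.compile(
    r"^arn:(?P<partition>aws|aws-cn):ssm:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):document/(?P<name>[A-Za-z0-9_.\-]+)$"
)

POLICY = {  # constructed policy, for illustration only
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnePackage", "Effect": "Allow",
         "Action": ["ssm:GetDocument", "ssm:DescribeDocument"],
         "Resource": "arn:aws-cn:ssm:cn-north-1:123456789012:document/ExampleDocumentName"},
        {"Sid": "ManageAnyPackage", "Effect": "Allow",
         "Action": ["ssm:UpdateDocument", "ssm:DeleteDocument"],
         "Resource": "arn:aws-cn:ssm:cn-north-1:123456789012:document/*"},
        {"Sid": "Everything", "Effect": "Allow", "Action": "ssm:*", "Resource": "*"},
    ],
}

def as_list(value):
    """IAM allows a single string or a list for Statement, Action, Resource."""
    return value if isinstance(value, list) else [value]

def audit_package_access(policy):
    """Return (sid, resource, verdict) for every resource in Allow statements."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for res in as_list(stmt.get("Resource", [])):
            if DOC_ARN.match(res):
                verdict = "scoped"      # exactly one named package
            elif "*" in res or "?" in res:
                verdict = "wildcard"    # reaches beyond one named package
            else:
                verdict = "other"       # not a document ARN in this format
            findings.append((stmt.get("Sid", ""), res, verdict))
    return findings

if __name__ == "__main__":
    for sid, res, verdict in audit_package_access(POLICY):
        print("%-17s %-9s %s" % (sid, verdict, res))
```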

Create or choose an Amazon S3 bucket to store Distributor packages

When you create a package by using the Simple workflow in the Amazon Systems Manager console, you choose an existing Amazon Simple Storage Service (Amazon S3) bucket to which Distributor, a capability of Amazon Systems Manager, uploads your software. In the Advanced workflow, you must upload .zip files of your software or assets to an Amazon S3 bucket before you begin. Whether you create a package by using the Simple or Advanced workflow in the console, or by using the API, you must have an Amazon S3 bucket before you start creating your package.

As part of the package creation process, Distributor copies your installable software and assets from this bucket to an internal Systems Manager store. Because the assets are copied to an internal store, you can delete or repurpose your Amazon S3 bucket when package creation is finished.

For more information about how to create a bucket, see Create a Bucket in the Amazon Simple Storage Service Getting Started Guide. For more information about how to run an Amazon CLI command to create a bucket, see mb in the Amazon CLI Command Reference.