I recently wanted to create an Amazon EventBridge rule that will schedule an SSM Automation document.
A rule watches for certain events (cron in my case) and then routes them to AWS targets that you choose. You can create a rule that performs an AWS action automatically when another AWS action happens, or a rule that performs an AWS action regularly on a set schedule.
EventBridge needs permission to call SSM Start Automation Execution with the supplied Automation document and parameters. The rule will offer the generation of a new IAM role for this task.
In my case I received an error like below:
Error Output
The Automation definition for an SSM Automation target must contain an AssumeRole that evaluates to an IAM role ARN.
If you recieving this error you can create the role manually using the following CloudFormation Template.
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation template IAM Roles for Event Bridge | SSM Automation
Resources:
AutomationServiceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- events.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole
Path: "/"
RoleName: EventBridgeAutomationServiceRole
