Table of Contents
SSM.
Client
¶A low-level client representing Amazon Simple Systems Manager (SSM)
Amazon Web Services Systems Manager is a collection of capabilities to help you manage your applications and infrastructure running in the Amazon Web Services Cloud;. Systems Manager simplifies application and resource management, shortens the time to detect and resolve operational problems, and helps you manage your Amazon Web Services resources securely at scale.
This reference is intended to be used with the Amazon Web Services Systems Manager User Guide.
To get started, verify prerequisites. For more information, see Setting up Amazon Web Services Systems Manager.
Related resources
import boto3
client = boto3.client('ssm')
These are the available methods:
add_tags_to_resource()
associate_ops_item_related_item()
can_paginate()
cancel_command()
cancel_maintenance_window_execution()
close()
create_activation()
create_association()
create_association_batch()
create_document()
create_maintenance_window()
create_ops_item()
create_ops_metadata()
create_patch_baseline()
create_resource_data_sync()
delete_activation()
delete_association()
delete_document()
delete_inventory()
delete_maintenance_window()
delete_ops_metadata()
delete_parameter()
delete_parameters()
delete_patch_baseline()
delete_resource_data_sync()
delete_resource_policy()
deregister_managed_instance()
deregister_patch_baseline_for_patch_group()
deregister_target_from_maintenance_window()
deregister_task_from_maintenance_window()
describe_activations()
describe_association()
describe_association_execution_targets()
describe_association_executions()
describe_automation_executions()
describe_automation_step_executions()
describe_available_patches()
describe_document()
describe_document_permission()
describe_effective_instance_associations()
describe_effective_patches_for_patch_baseline()
describe_instance_associations_status()
describe_instance_information()
describe_instance_patch_states()
describe_instance_patch_states_for_patch_group()
describe_instance_patches()
describe_inventory_deletions()
describe_maintenance_window_execution_task_invocations()
describe_maintenance_window_execution_tasks()
describe_maintenance_window_executions()
describe_maintenance_window_schedule()
describe_maintenance_window_targets()
describe_maintenance_window_tasks()
describe_maintenance_windows()
describe_maintenance_windows_for_target()
describe_ops_items()
describe_parameters()
describe_patch_baselines()
describe_patch_group_state()
describe_patch_groups()
describe_patch_properties()
describe_sessions()
disassociate_ops_item_related_item()
get_automation_execution()
get_calendar_state()
get_command_invocation()
get_connection_status()
get_default_patch_baseline()
get_deployable_patch_snapshot_for_instance()
get_document()
get_inventory()
get_inventory_schema()
get_maintenance_window()
get_maintenance_window_execution()
get_maintenance_window_execution_task()
get_maintenance_window_execution_task_invocation()
get_maintenance_window_task()
get_ops_item()
get_ops_metadata()
get_ops_summary()
get_paginator()
get_parameter()
get_parameter_history()
get_parameters()
get_parameters_by_path()
get_patch_baseline()
get_patch_baseline_for_patch_group()
get_resource_policies()
get_service_setting()
get_waiter()
label_parameter_version()
list_association_versions()
list_associations()
list_command_invocations()
list_commands()
list_compliance_items()
list_compliance_summaries()
list_document_metadata_history()
list_document_versions()
list_documents()
list_inventory_entries()
list_ops_item_events()
list_ops_item_related_items()
list_ops_metadata()
list_resource_compliance_summaries()
list_resource_data_sync()
list_tags_for_resource()
modify_document_permission()
put_compliance_items()
put_inventory()
put_parameter()
put_resource_policy()
register_default_patch_baseline()
register_patch_baseline_for_patch_group()
register_target_with_maintenance_window()
register_task_with_maintenance_window()
remove_tags_from_resource()
reset_service_setting()
resume_session()
send_automation_signal()
send_command()
start_associations_once()
start_automation_execution()
start_change_request_execution()
start_session()
stop_automation_execution()
terminate_session()
unlabel_parameter_version()
update_association()
update_association_status()
update_document()
update_document_default_version()
update_document_metadata()
update_maintenance_window()
update_maintenance_window_target()
update_maintenance_window_task()
update_managed_instance_role()
update_ops_item()
update_ops_metadata()
update_patch_baseline()
update_resource_data_sync()
update_service_setting()
Adds or overwrites one or more tags for the specified resource. Tags are metadata that you can assign to your automations, documents, managed nodes, maintenance windows, Parameter Store parameters, and patch baselines. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. Each tag consists of a key and an optional value, both of which you define. For example, you could define a set of tags for your account's managed nodes that helps you track each node's owner and stack level. For example:
Key=Owner,Value=DbAdmin
Key=Owner,Value=SysAdmin
Key=Owner,Value=Dev
Key=Stack,Value=Production
Key=Stack,Value=Pre-Production
Key=Stack,Value=Test
Most resources can have a maximum of 50 tags. Automations can have a maximum of 5 tags.
We recommend that you devise a set of tag keys that meets your needs for each resource type. Using a consistent set of tag keys makes it easier for you to manage your resources. You can search and filter the resources based on the tags you add. Tags don't have any semantic meaning to and are interpreted strictly as a string of characters.
For more information about using tags with Amazon Elastic Compute Cloud (Amazon EC2) instances, see Tagging your Amazon EC2 resources in the Amazon EC2 User Guide .
See also: AWS API Documentation
Request Syntax
response = client.add_tags_to_resource(
ResourceType='Document'|'ManagedInstance'|'MaintenanceWindow'|'Parameter'|'PatchBaseline'|'OpsItem'|'OpsMetadata'|'Automation'|'Association',
ResourceId='string',
Tags=[
{
'Key': 'string',
'Value': 'string'
},
]
)
[REQUIRED]
Specifies the type of resource you are tagging.
Note
The ManagedInstance
type for this API operation is for on-premises managed nodes. You must specify the name of the managed node in the following format: mi-ID_number
. For example, mi-1a2b3c4d5e6f
.
[REQUIRED]
The resource ID you want to tag.
Use the ID of the resource. Here are some examples:
MaintenanceWindow
:mw-012345abcde
PatchBaseline
:pb-012345abcde
Automation
:example-c160-4567-8519-012345abcde
OpsMetadata
object:ResourceID
for tagging is created from the Amazon Resource Name (ARN) for the object. Specifically,ResourceID
is created from the strings that come after the wordopsmetadata
in the ARN. For example, an OpsMetadata object with an ARN ofarn:aws:ssm:us-east-2:1234567890:opsmetadata/aws/ssm/MyGroup/appmanager
has aResourceID
of eitheraws/ssm/MyGroup/appmanager
or/aws/ssm/MyGroup/appmanager
.
For the Document
and Parameter
values, use the name of the resource.
ManagedInstance
:mi-012345abcde
Note
The ManagedInstance
type for this API operation is only for on-premises managed nodes. You must specify the name of the managed node in the following format: mi-ID_number
. For example, mi-1a2b3c4d5e6f
.
[REQUIRED]
One or more tags. The value parameter is required.
Warning
Don't enter personally identifiable information in this field.
Metadata that you assign to your Amazon Web Services resources. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. In Amazon Web Services Systems Manager, you can apply tags to Systems Manager documents (SSM documents), managed nodes, maintenance windows, parameters, patch baselines, OpsItems, and OpsMetadata.
The name of the tag.
The value of the tag.
dict
Response Syntax
{}
Response Structure
Exceptions
SSM.Client.exceptions.InvalidResourceType
SSM.Client.exceptions.InvalidResourceId
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.TooManyTagsError
SSM.Client.exceptions.TooManyUpdates
Associates a related item to a Systems Manager OpsCenter OpsItem. For example, you can associate an Incident Manager incident or analysis with an OpsItem. Incident Manager and OpsCenter are capabilities of Amazon Web Services Systems Manager.
See also: AWS API Documentation
Request Syntax
response = client.associate_ops_item_related_item(
OpsItemId='string',
AssociationType='string',
ResourceType='string',
ResourceUri='string'
)
[REQUIRED]
The ID of the OpsItem to which you want to associate a resource as a related item.
[REQUIRED]
The type of association that you want to create between an OpsItem and a resource. OpsCenter supports IsParentOf
and RelatesTo
association types.
[REQUIRED]
The type of resource that you want to associate with an OpsItem. OpsCenter supports the following types:
AWS::SSMIncidents::IncidentRecord
: an Incident Manager incident.
AWS::SSM::Document
: a Systems Manager (SSM) document.
[REQUIRED]
The Amazon Resource Name (ARN) of the Amazon Web Services resource that you want to associate with the OpsItem.
dict
Response Syntax
{
'AssociationId': 'string'
}
Response Structure
(dict) --
AssociationId (string) --
The association ID.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.OpsItemNotFoundException
SSM.Client.exceptions.OpsItemLimitExceededException
SSM.Client.exceptions.OpsItemInvalidParameterException
SSM.Client.exceptions.OpsItemRelatedItemAlreadyExistsException
can_paginate
(operation_name)¶Check if an operation can be paginated.
create_foo
, and you'd normally invoke the
operation as client.create_foo(**kwargs)
, if the
create_foo
operation can be paginated, you can use the
call client.get_paginator("create_foo")
.True
if the operation can be paginated,
False
otherwise.cancel_command
(**kwargs)¶Attempts to cancel the command specified by the Command ID. There is no guarantee that the command will be terminated and the underlying process stopped.
See also: AWS API Documentation
Request Syntax
response = client.cancel_command(
CommandId='string',
InstanceIds=[
'string',
]
)
[REQUIRED]
The ID of the command you want to cancel.
(Optional) A list of managed node IDs on which you want to cancel the command. If not provided, the command is canceled on every node on which it was requested.
dict
Response Syntax
{}
Response Structure
(dict) --
Whether or not the command was successfully canceled. There is no guarantee that a request can be canceled.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidCommandId
SSM.Client.exceptions.InvalidInstanceId
SSM.Client.exceptions.DuplicateInstanceId
cancel_maintenance_window_execution
(**kwargs)¶Stops a maintenance window execution that is already in progress and cancels any tasks in the window that haven't already starting running. Tasks already in progress will continue to completion.
See also: AWS API Documentation
Request Syntax
response = client.cancel_maintenance_window_execution(
WindowExecutionId='string'
)
[REQUIRED]
The ID of the maintenance window execution to stop.
{
'WindowExecutionId': 'string'
}
Response Structure
The ID of the maintenance window execution that has been stopped.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.DoesNotExistException
close
()¶Closes underlying endpoint connections.
create_activation
(**kwargs)¶Generates an activation code and activation ID you can use to register your on-premises servers, edge devices, or virtual machine (VM) with Amazon Web Services Systems Manager. Registering these machines with Systems Manager makes it possible to manage them using Systems Manager capabilities. You use the activation code and ID when installing SSM Agent on machines in your hybrid environment. For more information about requirements for managing on-premises machines using Systems Manager, see Setting up Amazon Web Services Systems Manager for hybrid environments in the Amazon Web Services Systems Manager User Guide .
Note
Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, and on-premises servers and VMs that are configured for Systems Manager are all called managed nodes .
See also: AWS API Documentation
Request Syntax
response = client.create_activation(
Description='string',
DefaultInstanceName='string',
IamRole='string',
RegistrationLimit=123,
ExpirationDate=datetime(2015, 1, 1),
Tags=[
{
'Key': 'string',
'Value': 'string'
},
],
RegistrationMetadata=[
{
'Key': 'string',
'Value': 'string'
},
]
)
A user-defined description of the resource that you want to register with Systems Manager.
Warning
Don't enter personally identifiable information in this field.
The name of the registered, managed node as it will appear in the Amazon Web Services Systems Manager console or when you use the Amazon Web Services command line tools to list Systems Manager resources.
Warning
Don't enter personally identifiable information in this field.
[REQUIRED]
The name of the Identity and Access Management (IAM) role that you want to assign to the managed node. This IAM role must provide AssumeRole permissions for the Amazon Web Services Systems Manager service principal ssm.amazonaws.com
. For more information, see Create an IAM service role for a hybrid environment in the Amazon Web Services Systems Manager User Guide .
Note
You can't specify an IAM service-linked role for this parameter. You must create a unique role.
1
.Optional metadata that you assign to a resource. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag an activation to identify which servers or virtual machines (VMs) in your on-premises environment you intend to activate. In this case, you could specify the following key-value pairs:
Key=OS,Value=Windows
Key=Environment,Value=Production
Warning
When you install SSM Agent on your on-premises servers and VMs, you specify an activation ID and code. When you specify the activation ID and code, tags assigned to the activation are automatically applied to the on-premises servers or VMs.
You can't add tags to or delete tags from an existing activation. You can tag your on-premises servers, edge devices, and VMs after they connect to Systems Manager for the first time and are assigned a managed node ID. This means they are listed in the Amazon Web Services Systems Manager console with an ID that is prefixed with "mi-". For information about how to add tags to your managed nodes, see AddTagsToResource. For information about how to remove tags from your managed nodes, see RemoveTagsFromResource.
Metadata that you assign to your Amazon Web Services resources. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. In Amazon Web Services Systems Manager, you can apply tags to Systems Manager documents (SSM documents), managed nodes, maintenance windows, parameters, patch baselines, OpsItems, and OpsMetadata.
The name of the tag.
The value of the tag.
Reserved for internal use.
Reserved for internal use.
Reserved for internal use.
Reserved for internal use.
dict
Response Syntax
{
'ActivationId': 'string',
'ActivationCode': 'string'
}
Response Structure
(dict) --
ActivationId (string) --
The ID number generated by the system when it processed the activation. The activation ID functions like a user name.
ActivationCode (string) --
The code the system generates when it processes the activation. The activation code functions like a password to validate the activation ID.
Exceptions
SSM.Client.exceptions.InvalidParameters
SSM.Client.exceptions.InternalServerError
create_association
(**kwargs)¶A State Manager association defines the state that you want to maintain on your managed nodes. For example, an association can specify that anti-virus software must be installed and running on your managed nodes, or that certain ports must be closed. For static targets, the association specifies a schedule for when the configuration is reapplied. For dynamic targets, such as an Amazon Web Services resource group or an Amazon Web Services autoscaling group, State Manager, a capability of Amazon Web Services Systems Manager applies the configuration when new managed nodes are added to the group. The association also specifies actions to take when applying the configuration. For example, an association for anti-virus software might run once a day. If the software isn't installed, then State Manager installs it. If the software is installed, but the service isn't running, then the association might instruct State Manager to start the service.
See also: AWS API Documentation
Request Syntax
response = client.create_association(
Name='string',
DocumentVersion='string',
InstanceId='string',
Parameters={
'string': [
'string',
]
},
Targets=[
{
'Key': 'string',
'Values': [
'string',
]
},
],
ScheduleExpression='string',
OutputLocation={
'S3Location': {
'OutputS3Region': 'string',
'OutputS3BucketName': 'string',
'OutputS3KeyPrefix': 'string'
}
},
AssociationName='string',
AutomationTargetParameterName='string',
MaxErrors='string',
MaxConcurrency='string',
ComplianceSeverity='CRITICAL'|'HIGH'|'MEDIUM'|'LOW'|'UNSPECIFIED',
SyncCompliance='AUTO'|'MANUAL',
ApplyOnlyAtCronInterval=True|False,
CalendarNames=[
'string',
],
TargetLocations=[
{
'Accounts': [
'string',
],
'Regions': [
'string',
],
'TargetLocationMaxConcurrency': 'string',
'TargetLocationMaxErrors': 'string',
'ExecutionRoleName': 'string',
'TargetLocationAlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
}
},
],
ScheduleOffset=123,
TargetMaps=[
{
'string': [
'string',
]
},
],
Tags=[
{
'Key': 'string',
'Value': 'string'
},
],
AlarmConfiguration={
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
}
)
[REQUIRED]
The name of the SSM Command document or Automation runbook that contains the configuration information for the managed node.
You can specify Amazon Web Services-predefined documents, documents you created, or a document that is shared with you from another account.
For Systems Manager documents (SSM documents) that are shared with you from other Amazon Web Services accounts, you must specify the complete SSM document ARN, in the following format:
arn:partition:ssm:region:account-id:document/document-name
For example:
arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document
For Amazon Web Services-predefined documents and SSM documents you created in your account, you only need to specify the document name. For example, AWS-ApplyPatchBaseline
or My-Document
.
The document version you want to associate with the target(s). Can be a specific version or the default version.
Warning
State Manager doesn't support running associations that use a new version of a document if that document is shared from another account. State Manager always runs the default
version of a document if shared from another account, even though the Systems Manager console shows that a new version was processed. If you want to run an association using a new version of a document shared form another account, you must set the document version to default
.
The managed node ID.
Note
InstanceId
has been deprecated. To specify a managed node ID for an association, use the Targets
parameter. Requests that include the parameter InstanceID
with Systems Manager documents (SSM documents) that use schema version 2.0 or later will fail. In addition, if you use the parameter InstanceId
, you can't use the parameters AssociationName
, DocumentVersion
, MaxErrors
, MaxConcurrency
, OutputLocation
, or ScheduleExpression
. To use these parameters, you must use the Targets
parameter.
The parameters for the runtime configuration of the document.
The targets for the association. You can target managed nodes by using tags, Amazon Web Services resource groups, all managed nodes in an Amazon Web Services account, or individual managed node IDs. You can target all managed nodes in an Amazon Web Services account by specifying the InstanceIds
key with a value of *
. For more information about choosing targets for an association, see Using targets and rate controls with State Manager associations in the Amazon Web Services Systems Manager User Guide .
An array of search criteria that targets managed nodes using a key-value pair that you specify.
Note
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide .
Supported formats include the following.
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>
Key=tag:<my-tag-key>,Values=<my-tag-value-1>,<my-tag-value-2>
Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>
Key=resource-groups:Name,Values=<resource-group-name>
Key=resource-groups:ResourceTypeFilters,Values=<resource-type-1>,<resource-type-2>
Key=ResourceGroup;Values=<resource-group-name>
For example:
Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
Key=tag:CostCenter,Values=CostCenter1,CostCenter2,CostCenter3
Key=tag-key,Values=Name,Instance-Type,CostCenter
Key=resource-groups:Name,Values=ProductionResourceGroup
This example demonstrates how to target all resources in the resource group ProductionResourceGroup in your maintenance window.Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
This example demonstrates how to target only Amazon Elastic Compute Cloud (Amazon EC2) instances and VPCs in your maintenance window.Key=ResourceGroup,Values=MyResourceGroup
Key=InstanceIds,Values=*
This example demonstrates how to target all managed instances in the Amazon Web Services Region where the association was created.For more information about how to send commands that target managed nodes using Key,Value
parameters, see Targeting multiple instances in the Amazon Web Services Systems Manager User Guide .
User-defined criteria for sending commands that target managed nodes that meet the criteria.
User-defined criteria that maps to Key
. For example, if you specified tag:ServerRole
, you could specify value:WebServer
to run a command on instances that include EC2 tags of ServerRole,WebServer
.
Depending on the type of target, the maximum number of values for a key might be lower than the global maximum of 50.
An Amazon Simple Storage Service (Amazon S3) bucket where you want to store the output details of the request.
An S3 bucket where you want to store the results of this request.
The Amazon Web Services Region of the S3 bucket.
The name of the S3 bucket.
The S3 bucket subfolder.
The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 managed nodes and set MaxError
to 10%, then the system stops sending the request when the sixth error is received.
Executions that are already running an association when MaxErrors
is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set MaxConcurrency
to 1 so that executions proceed one at a time.
The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.
If a new managed node starts and attempts to run an association while Systems Manager is running MaxConcurrency
associations, the association is allowed to run. During the next association interval, the new managed node will process its association within the limit specified for MaxConcurrency
.
The mode for generating association compliance. You can specify AUTO
or MANUAL
. In AUTO
mode, the system uses the status of the association execution to determine the compliance status. If the association execution runs successfully, then the association is COMPLIANT
. If the association execution doesn't run successfully, the association is NON-COMPLIANT
.
In MANUAL
mode, you must specify the AssociationId
as a parameter for the PutComplianceItems API operation. In this case, compliance data isn't managed by State Manager. It is managed by your direct call to the PutComplianceItems API operation.
By default, all associations use AUTO
mode.
The names or Amazon Resource Names (ARNs) of the Change Calendar type documents you want to gate your associations under. The associations only run when that change calendar is open. For more information, see Amazon Web Services Systems Manager Change Calendar.
A location is a combination of Amazon Web Services Regions and Amazon Web Services accounts where you want to run the association. Use this action to create an association in multiple Regions and multiple accounts.
The combination of Amazon Web Services Regions and Amazon Web Services accounts targeted by the current Automation execution.
The Amazon Web Services accounts targeted by the current Automation execution.
The Amazon Web Services Regions targeted by the current Automation execution.
The maximum number of Amazon Web Services Regions and Amazon Web Services accounts allowed to run the Automation concurrently.
The maximum number of errors allowed before the system stops queueing additional Automation executions for the currently running Automation.
The Automation execution role used by the currently running Automation. If not specified, the default value is AWS-SystemsManager-AutomationExecutionRole
.
The details for the CloudWatch alarm you want to apply to an automation or command.
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
The name of the CloudWatch alarm specified in the configuration.
A CloudWatch alarm you apply to an automation or command.
The name of your CloudWatch alarm.
Number of days to wait after the scheduled day to run an association. For example, if you specified a cron schedule of cron(0 0 ? * THU#2 *)
, you could specify an offset of 3 to run the association each Sunday after the second Thursday of the month. For more information about cron schedules for associations, see Reference: Cron and rate expressions for Systems Manager in the Amazon Web Services Systems Manager User Guide .
Note
To use offsets, you must specify the ApplyOnlyAtCronInterval
parameter. This option tells the system not to run an association immediately after you create it.
A key-value mapping of document parameters to target resources. Both Targets and TargetMaps can't be specified together.
Adds or overwrites one or more tags for a State Manager association. Tags are metadata that you can assign to your Amazon Web Services resources. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. Each tag consists of a key and an optional value, both of which you define.
Metadata that you assign to your Amazon Web Services resources. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. In Amazon Web Services Systems Manager, you can apply tags to Systems Manager documents (SSM documents), managed nodes, maintenance windows, parameters, patch baselines, OpsItems, and OpsMetadata.
The name of the tag.
The value of the tag.
The details for the CloudWatch alarm you want to apply to an automation or command.
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
The name of the CloudWatch alarm specified in the configuration.
A CloudWatch alarm you apply to an automation or command.
The name of your CloudWatch alarm.
dict
Response Syntax
{
'AssociationDescription': {
'Name': 'string',
'InstanceId': 'string',
'AssociationVersion': 'string',
'Date': datetime(2015, 1, 1),
'LastUpdateAssociationDate': datetime(2015, 1, 1),
'Status': {
'Date': datetime(2015, 1, 1),
'Name': 'Pending'|'Success'|'Failed',
'Message': 'string',
'AdditionalInfo': 'string'
},
'Overview': {
'Status': 'string',
'DetailedStatus': 'string',
'AssociationStatusAggregatedCount': {
'string': 123
}
},
'DocumentVersion': 'string',
'AutomationTargetParameterName': 'string',
'Parameters': {
'string': [
'string',
]
},
'AssociationId': 'string',
'Targets': [
{
'Key': 'string',
'Values': [
'string',
]
},
],
'ScheduleExpression': 'string',
'OutputLocation': {
'S3Location': {
'OutputS3Region': 'string',
'OutputS3BucketName': 'string',
'OutputS3KeyPrefix': 'string'
}
},
'LastExecutionDate': datetime(2015, 1, 1),
'LastSuccessfulExecutionDate': datetime(2015, 1, 1),
'AssociationName': 'string',
'MaxErrors': 'string',
'MaxConcurrency': 'string',
'ComplianceSeverity': 'CRITICAL'|'HIGH'|'MEDIUM'|'LOW'|'UNSPECIFIED',
'SyncCompliance': 'AUTO'|'MANUAL',
'ApplyOnlyAtCronInterval': True|False,
'CalendarNames': [
'string',
],
'TargetLocations': [
{
'Accounts': [
'string',
],
'Regions': [
'string',
],
'TargetLocationMaxConcurrency': 'string',
'TargetLocationMaxErrors': 'string',
'ExecutionRoleName': 'string',
'TargetLocationAlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
}
},
],
'ScheduleOffset': 123,
'TargetMaps': [
{
'string': [
'string',
]
},
],
'AlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
},
'TriggeredAlarms': [
{
'Name': 'string',
'State': 'UNKNOWN'|'ALARM'
},
]
}
}
Response Structure
(dict) --
AssociationDescription (dict) --
Information about the association.
Name (string) --
The name of the SSM document.
InstanceId (string) --
The managed node ID.
AssociationVersion (string) --
The association version.
Date (datetime) --
The date when the association was made.
LastUpdateAssociationDate (datetime) --
The date when the association was last updated.
Status (dict) --
The association status.
Date (datetime) --
The date when the status changed.
Name (string) --
The status.
Message (string) --
The reason for the status.
AdditionalInfo (string) --
A user-defined string.
Overview (dict) --
Information about the association.
Status (string) --
The status of the association. Status can be: Pending, Success, or Failed.
DetailedStatus (string) --
A detailed status of the association.
AssociationStatusAggregatedCount (dict) --
Returns the number of targets for the association status. For example, if you created an association with two managed nodes, and one of them was successful, this would return the count of managed nodes by status.
DocumentVersion (string) --
The document version.
AutomationTargetParameterName (string) --
Choose the parameter that will define how your automation will branch out. This target is required for associations that use an Automation runbook and target resources by using rate controls. Automation is a capability of Amazon Web Services Systems Manager.
Parameters (dict) --
A description of the parameters for a document.
AssociationId (string) --
The association ID.
Targets (list) --
The managed nodes targeted by the request.
(dict) --
An array of search criteria that targets managed nodes using a key-value pair that you specify.
Note
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide .
Supported formats include the following.
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>
Key=tag:<my-tag-key>,Values=<my-tag-value-1>,<my-tag-value-2>
Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>
Key=resource-groups:Name,Values=<resource-group-name>
Key=resource-groups:ResourceTypeFilters,Values=<resource-type-1>,<resource-type-2>
Key=ResourceGroup;Values=<resource-group-name>
For example:
Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
Key=tag:CostCenter,Values=CostCenter1,CostCenter2,CostCenter3
Key=tag-key,Values=Name,Instance-Type,CostCenter
Key=resource-groups:Name,Values=ProductionResourceGroup
This example demonstrates how to target all resources in the resource group ProductionResourceGroup in your maintenance window.Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
This example demonstrates how to target only Amazon Elastic Compute Cloud (Amazon EC2) instances and VPCs in your maintenance window.Key=ResourceGroup,Values=MyResourceGroup
Key=InstanceIds,Values=*
This example demonstrates how to target all managed instances in the Amazon Web Services Region where the association was created.For more information about how to send commands that target managed nodes using Key,Value
parameters, see Targeting multiple instances in the Amazon Web Services Systems Manager User Guide .
Key (string) --
User-defined criteria for sending commands that target managed nodes that meet the criteria.
Values (list) --
User-defined criteria that maps to Key
. For example, if you specified tag:ServerRole
, you could specify value:WebServer
to run a command on instances that include EC2 tags of ServerRole,WebServer
.
Depending on the type of target, the maximum number of values for a key might be lower than the global maximum of 50.
ScheduleExpression (string) --
A cron expression that specifies a schedule when the association runs.
OutputLocation (dict) --
An S3 bucket where you want to store the output details of the request.
S3Location (dict) --
An S3 bucket where you want to store the results of this request.
OutputS3Region (string) --
The Amazon Web Services Region of the S3 bucket.
OutputS3BucketName (string) --
The name of the S3 bucket.
OutputS3KeyPrefix (string) --
The S3 bucket subfolder.
LastExecutionDate (datetime) --
The date on which the association was last run.
LastSuccessfulExecutionDate (datetime) --
The last date on which the association was successfully run.
AssociationName (string) --
The association name.
MaxErrors (string) --
The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 managed nodes and set MaxError
to 10%, then the system stops sending the request when the sixth error is received.
Executions that are already running an association when MaxErrors
is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set MaxConcurrency
to 1 so that executions proceed one at a time.
MaxConcurrency (string) --
The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.
If a new managed node starts and attempts to run an association while Systems Manager is running MaxConcurrency
associations, the association is allowed to run. During the next association interval, the new managed node will process its association within the limit specified for MaxConcurrency
.
ComplianceSeverity (string) --
The severity level that is assigned to the association.
SyncCompliance (string) --
The mode for generating association compliance. You can specify AUTO
or MANUAL
. In AUTO
mode, the system uses the status of the association execution to determine the compliance status. If the association execution runs successfully, then the association is COMPLIANT
. If the association execution doesn't run successfully, the association is NON-COMPLIANT
.
In MANUAL
mode, you must specify the AssociationId
as a parameter for the PutComplianceItems API operation. In this case, compliance data isn't managed by State Manager, a capability of Amazon Web Services Systems Manager. It is managed by your direct call to the PutComplianceItems API operation.
By default, all associations use AUTO
mode.
ApplyOnlyAtCronInterval (boolean) --
By default, when you create a new associations, the system runs it immediately after it is created and then according to the schedule you specified. Specify this option if you don't want an association to run immediately after you create it. This parameter isn't supported for rate expressions.
CalendarNames (list) --
The names or Amazon Resource Names (ARNs) of the Change Calendar type documents your associations are gated under. The associations only run when that change calendar is open. For more information, see Amazon Web Services Systems Manager Change Calendar.
TargetLocations (list) --
The combination of Amazon Web Services Regions and Amazon Web Services accounts where you want to run the association.
(dict) --
The combination of Amazon Web Services Regions and Amazon Web Services accounts targeted by the current Automation execution.
Accounts (list) --
The Amazon Web Services accounts targeted by the current Automation execution.
Regions (list) --
The Amazon Web Services Regions targeted by the current Automation execution.
TargetLocationMaxConcurrency (string) --
The maximum number of Amazon Web Services Regions and Amazon Web Services accounts allowed to run the Automation concurrently.
TargetLocationMaxErrors (string) --
The maximum number of errors allowed before the system stops queueing additional Automation executions for the currently running Automation.
ExecutionRoleName (string) --
The Automation execution role used by the currently running Automation. If not specified, the default value is AWS-SystemsManager-AutomationExecutionRole
.
TargetLocationAlarmConfiguration (dict) --
The details for the CloudWatch alarm you want to apply to an automation or command.
IgnorePollAlarmFailure (boolean) --
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
Alarms (list) --
The name of the CloudWatch alarm specified in the configuration.
(dict) --
A CloudWatch alarm you apply to an automation or command.
Name (string) --
The name of your CloudWatch alarm.
ScheduleOffset (integer) --
Number of days to wait after the scheduled day to run an association.
TargetMaps (list) --
A key-value mapping of document parameters to target resources. Both Targets and TargetMaps can't be specified together.
AlarmConfiguration (dict) --
The details for the CloudWatch alarm you want to apply to an automation or command.
IgnorePollAlarmFailure (boolean) --
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
Alarms (list) --
The name of the CloudWatch alarm specified in the configuration.
(dict) --
A CloudWatch alarm you apply to an automation or command.
Name (string) --
The name of your CloudWatch alarm.
TriggeredAlarms (list) --
The CloudWatch alarm that was invoked during the association.
(dict) --
The details about the state of your CloudWatch alarm.
Name (string) --
The name of your CloudWatch alarm.
State (string) --
The state of your CloudWatch alarm.
Exceptions
SSM.Client.exceptions.AssociationAlreadyExists
SSM.Client.exceptions.AssociationLimitExceeded
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidDocument
SSM.Client.exceptions.InvalidDocumentVersion
SSM.Client.exceptions.InvalidInstanceId
SSM.Client.exceptions.UnsupportedPlatformType
SSM.Client.exceptions.InvalidOutputLocation
SSM.Client.exceptions.InvalidParameters
SSM.Client.exceptions.InvalidTarget
SSM.Client.exceptions.InvalidSchedule
SSM.Client.exceptions.InvalidTargetMaps
SSM.Client.exceptions.InvalidTag
create_association_batch
(**kwargs)¶Associates the specified Amazon Web Services Systems Manager document (SSM document) with the specified managed nodes or targets.
When you associate a document with one or more managed nodes using IDs or tags, Amazon Web Services Systems Manager Agent (SSM Agent) running on the managed node processes the document and configures the node as specified.
If you associate a document with a managed node that already has an associated document, the system returns the AssociationAlreadyExists exception.
See also: AWS API Documentation
Request Syntax
response = client.create_association_batch(
Entries=[
{
'Name': 'string',
'InstanceId': 'string',
'Parameters': {
'string': [
'string',
]
},
'AutomationTargetParameterName': 'string',
'DocumentVersion': 'string',
'Targets': [
{
'Key': 'string',
'Values': [
'string',
]
},
],
'ScheduleExpression': 'string',
'OutputLocation': {
'S3Location': {
'OutputS3Region': 'string',
'OutputS3BucketName': 'string',
'OutputS3KeyPrefix': 'string'
}
},
'AssociationName': 'string',
'MaxErrors': 'string',
'MaxConcurrency': 'string',
'ComplianceSeverity': 'CRITICAL'|'HIGH'|'MEDIUM'|'LOW'|'UNSPECIFIED',
'SyncCompliance': 'AUTO'|'MANUAL',
'ApplyOnlyAtCronInterval': True|False,
'CalendarNames': [
'string',
],
'TargetLocations': [
{
'Accounts': [
'string',
],
'Regions': [
'string',
],
'TargetLocationMaxConcurrency': 'string',
'TargetLocationMaxErrors': 'string',
'ExecutionRoleName': 'string',
'TargetLocationAlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
}
},
],
'ScheduleOffset': 123,
'TargetMaps': [
{
'string': [
'string',
]
},
],
'AlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
}
},
]
)
[REQUIRED]
One or more associations.
Describes the association of a Amazon Web Services Systems Manager document (SSM document) and a managed node.
The name of the SSM document that contains the configuration information for the managed node. You can specify Command or Automation runbooks.
You can specify Amazon Web Services-predefined documents, documents you created, or a document that is shared with you from another account.
For SSM documents that are shared with you from other Amazon Web Services accounts, you must specify the complete SSM document ARN, in the following format:
arn:aws:ssm:region:account-id:document/document-name
For example:
arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document
For Amazon Web Services-predefined documents and SSM documents you created in your account, you only need to specify the document name. For example, AWS-ApplyPatchBaseline
or My-Document
.
The managed node ID.
Note
InstanceId
has been deprecated. To specify a managed node ID for an association, use the Targets
parameter. Requests that include the parameter InstanceID
with Systems Manager documents (SSM documents) that use schema version 2.0 or later will fail. In addition, if you use the parameter InstanceId
, you can't use the parameters AssociationName
, DocumentVersion
, MaxErrors
, MaxConcurrency
, OutputLocation
, or ScheduleExpression
. To use these parameters, you must use the Targets
parameter.
A description of the parameters for a document.
Specify the target for the association. This target is required for associations that use an Automation runbook and target resources by using rate controls. Automation is a capability of Amazon Web Services Systems Manager.
The document version.
The managed nodes targeted by the request.
An array of search criteria that targets managed nodes using a key-value pair that you specify.
Note
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide .
Supported formats include the following.
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>
Key=tag:<my-tag-key>,Values=<my-tag-value-1>,<my-tag-value-2>
Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>
Key=resource-groups:Name,Values=<resource-group-name>
Key=resource-groups:ResourceTypeFilters,Values=<resource-type-1>,<resource-type-2>
Key=ResourceGroup;Values=<resource-group-name>
For example:
Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
Key=tag:CostCenter,Values=CostCenter1,CostCenter2,CostCenter3
Key=tag-key,Values=Name,Instance-Type,CostCenter
Key=resource-groups:Name,Values=ProductionResourceGroup
This example demonstrates how to target all resources in the resource group ProductionResourceGroup in your maintenance window.Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
This example demonstrates how to target only Amazon Elastic Compute Cloud (Amazon EC2) instances and VPCs in your maintenance window.Key=ResourceGroup,Values=MyResourceGroup
Key=InstanceIds,Values=*
This example demonstrates how to target all managed instances in the Amazon Web Services Region where the association was created.For more information about how to send commands that target managed nodes using Key,Value
parameters, see Targeting multiple instances in the Amazon Web Services Systems Manager User Guide .
User-defined criteria for sending commands that target managed nodes that meet the criteria.
User-defined criteria that maps to Key
. For example, if you specified tag:ServerRole
, you could specify value:WebServer
to run a command on instances that include EC2 tags of ServerRole,WebServer
.
Depending on the type of target, the maximum number of values for a key might be lower than the global maximum of 50.
A cron expression that specifies a schedule when the association runs.
An S3 bucket where you want to store the results of this request.
An S3 bucket where you want to store the results of this request.
The Amazon Web Services Region of the S3 bucket.
The name of the S3 bucket.
The S3 bucket subfolder.
Specify a descriptive name for the association.
The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 managed nodes and set MaxError
to 10%, then the system stops sending the request when the sixth error is received.
Executions that are already running an association when MaxErrors
is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set MaxConcurrency
to 1 so that executions proceed one at a time.
The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.
If a new managed node starts and attempts to run an association while Systems Manager is running MaxConcurrency
associations, the association is allowed to run. During the next association interval, the new managed node will process its association within the limit specified for MaxConcurrency
.
The severity level to assign to the association.
The mode for generating association compliance. You can specify AUTO
or MANUAL
. In AUTO
mode, the system uses the status of the association execution to determine the compliance status. If the association execution runs successfully, then the association is COMPLIANT
. If the association execution doesn't run successfully, the association is NON-COMPLIANT
.
In MANUAL
mode, you must specify the AssociationId
as a parameter for the PutComplianceItems API operation. In this case, compliance data isn't managed by State Manager, a capability of Amazon Web Services Systems Manager. It is managed by your direct call to the PutComplianceItems API operation.
By default, all associations use AUTO
mode.
By default, when you create a new associations, the system runs it immediately after it is created and then according to the schedule you specified. Specify this option if you don't want an association to run immediately after you create it. This parameter isn't supported for rate expressions.
The names or Amazon Resource Names (ARNs) of the Change Calendar type documents your associations are gated under. The associations only run when that Change Calendar is open. For more information, see Amazon Web Services Systems Manager Change Calendar.
Use this action to create an association in multiple Regions and multiple accounts.
The combination of Amazon Web Services Regions and Amazon Web Services accounts targeted by the current Automation execution.
The Amazon Web Services accounts targeted by the current Automation execution.
The Amazon Web Services Regions targeted by the current Automation execution.
The maximum number of Amazon Web Services Regions and Amazon Web Services accounts allowed to run the Automation concurrently.
The maximum number of errors allowed before the system stops queueing additional Automation executions for the currently running Automation.
The Automation execution role used by the currently running Automation. If not specified, the default value is AWS-SystemsManager-AutomationExecutionRole
.
The details for the CloudWatch alarm you want to apply to an automation or command.
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
The name of the CloudWatch alarm specified in the configuration.
A CloudWatch alarm you apply to an automation or command.
The name of your CloudWatch alarm.
Number of days to wait after the scheduled day to run an association.
A key-value mapping of document parameters to target resources. Both Targets and TargetMaps can't be specified together.
The details for the CloudWatch alarm you want to apply to an automation or command.
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
The name of the CloudWatch alarm specified in the configuration.
A CloudWatch alarm you apply to an automation or command.
The name of your CloudWatch alarm.
{
'Successful': [
{
'Name': 'string',
'InstanceId': 'string',
'AssociationVersion': 'string',
'Date': datetime(2015, 1, 1),
'LastUpdateAssociationDate': datetime(2015, 1, 1),
'Status': {
'Date': datetime(2015, 1, 1),
'Name': 'Pending'|'Success'|'Failed',
'Message': 'string',
'AdditionalInfo': 'string'
},
'Overview': {
'Status': 'string',
'DetailedStatus': 'string',
'AssociationStatusAggregatedCount': {
'string': 123
}
},
'DocumentVersion': 'string',
'AutomationTargetParameterName': 'string',
'Parameters': {
'string': [
'string',
]
},
'AssociationId': 'string',
'Targets': [
{
'Key': 'string',
'Values': [
'string',
]
},
],
'ScheduleExpression': 'string',
'OutputLocation': {
'S3Location': {
'OutputS3Region': 'string',
'OutputS3BucketName': 'string',
'OutputS3KeyPrefix': 'string'
}
},
'LastExecutionDate': datetime(2015, 1, 1),
'LastSuccessfulExecutionDate': datetime(2015, 1, 1),
'AssociationName': 'string',
'MaxErrors': 'string',
'MaxConcurrency': 'string',
'ComplianceSeverity': 'CRITICAL'|'HIGH'|'MEDIUM'|'LOW'|'UNSPECIFIED',
'SyncCompliance': 'AUTO'|'MANUAL',
'ApplyOnlyAtCronInterval': True|False,
'CalendarNames': [
'string',
],
'TargetLocations': [
{
'Accounts': [
'string',
],
'Regions': [
'string',
],
'TargetLocationMaxConcurrency': 'string',
'TargetLocationMaxErrors': 'string',
'ExecutionRoleName': 'string',
'TargetLocationAlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
}
},
],
'ScheduleOffset': 123,
'TargetMaps': [
{
'string': [
'string',
]
},
],
'AlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
},
'TriggeredAlarms': [
{
'Name': 'string',
'State': 'UNKNOWN'|'ALARM'
},
]
},
],
'Failed': [
{
'Entry': {
'Name': 'string',
'InstanceId': 'string',
'Parameters': {
'string': [
'string',
]
},
'AutomationTargetParameterName': 'string',
'DocumentVersion': 'string',
'Targets': [
{
'Key': 'string',
'Values': [
'string',
]
},
],
'ScheduleExpression': 'string',
'OutputLocation': {
'S3Location': {
'OutputS3Region': 'string',
'OutputS3BucketName': 'string',
'OutputS3KeyPrefix': 'string'
}
},
'AssociationName': 'string',
'MaxErrors': 'string',
'MaxConcurrency': 'string',
'ComplianceSeverity': 'CRITICAL'|'HIGH'|'MEDIUM'|'LOW'|'UNSPECIFIED',
'SyncCompliance': 'AUTO'|'MANUAL',
'ApplyOnlyAtCronInterval': True|False,
'CalendarNames': [
'string',
],
'TargetLocations': [
{
'Accounts': [
'string',
],
'Regions': [
'string',
],
'TargetLocationMaxConcurrency': 'string',
'TargetLocationMaxErrors': 'string',
'ExecutionRoleName': 'string',
'TargetLocationAlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
}
},
],
'ScheduleOffset': 123,
'TargetMaps': [
{
'string': [
'string',
]
},
],
'AlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
}
},
'Message': 'string',
'Fault': 'Client'|'Server'|'Unknown'
},
]
}
Response Structure
Information about the associations that succeeded.
Describes the parameters for a document.
The name of the SSM document.
The managed node ID.
The association version.
The date when the association was made.
The date when the association was last updated.
The association status.
The date when the status changed.
The status.
The reason for the status.
A user-defined string.
Information about the association.
The status of the association. Status can be: Pending, Success, or Failed.
A detailed status of the association.
Returns the number of targets for the association status. For example, if you created an association with two managed nodes, and one of them was successful, this would return the count of managed nodes by status.
The document version.
Choose the parameter that will define how your automation will branch out. This target is required for associations that use an Automation runbook and target resources by using rate controls. Automation is a capability of Amazon Web Services Systems Manager.
A description of the parameters for a document.
The association ID.
The managed nodes targeted by the request.
An array of search criteria that targets managed nodes using a key-value pair that you specify.
Note
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide .
Supported formats include the following.
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>
Key=tag:<my-tag-key>,Values=<my-tag-value-1>,<my-tag-value-2>
Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>
Key=resource-groups:Name,Values=<resource-group-name>
Key=resource-groups:ResourceTypeFilters,Values=<resource-type-1>,<resource-type-2>
Key=ResourceGroup;Values=<resource-group-name>
For example:
Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
Key=tag:CostCenter,Values=CostCenter1,CostCenter2,CostCenter3
Key=tag-key,Values=Name,Instance-Type,CostCenter
Key=resource-groups:Name,Values=ProductionResourceGroup
This example demonstrates how to target all resources in the resource group ProductionResourceGroup in your maintenance window.Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
This example demonstrates how to target only Amazon Elastic Compute Cloud (Amazon EC2) instances and VPCs in your maintenance window.Key=ResourceGroup,Values=MyResourceGroup
Key=InstanceIds,Values=*
This example demonstrates how to target all managed instances in the Amazon Web Services Region where the association was created.For more information about how to send commands that target managed nodes using Key,Value
parameters, see Targeting multiple instances in the Amazon Web Services Systems Manager User Guide .
User-defined criteria for sending commands that target managed nodes that meet the criteria.
User-defined criteria that maps to Key
. For example, if you specified tag:ServerRole
, you could specify value:WebServer
to run a command on instances that include EC2 tags of ServerRole,WebServer
.
Depending on the type of target, the maximum number of values for a key might be lower than the global maximum of 50.
A cron expression that specifies a schedule when the association runs.
An S3 bucket where you want to store the output details of the request.
An S3 bucket where you want to store the results of this request.
The Amazon Web Services Region of the S3 bucket.
The name of the S3 bucket.
The S3 bucket subfolder.
The date on which the association was last run.
The last date on which the association was successfully run.
The association name.
The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 managed nodes and set MaxError
to 10%, then the system stops sending the request when the sixth error is received.
Executions that are already running an association when MaxErrors
is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set MaxConcurrency
to 1 so that executions proceed one at a time.
The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.
If a new managed node starts and attempts to run an association while Systems Manager is running MaxConcurrency
associations, the association is allowed to run. During the next association interval, the new managed node will process its association within the limit specified for MaxConcurrency
.
The severity level that is assigned to the association.
The mode for generating association compliance. You can specify AUTO
or MANUAL
. In AUTO
mode, the system uses the status of the association execution to determine the compliance status. If the association execution runs successfully, then the association is COMPLIANT
. If the association execution doesn't run successfully, the association is NON-COMPLIANT
.
In MANUAL
mode, you must specify the AssociationId
as a parameter for the PutComplianceItems API operation. In this case, compliance data isn't managed by State Manager, a capability of Amazon Web Services Systems Manager. It is managed by your direct call to the PutComplianceItems API operation.
By default, all associations use AUTO
mode.
By default, when you create a new associations, the system runs it immediately after it is created and then according to the schedule you specified. Specify this option if you don't want an association to run immediately after you create it. This parameter isn't supported for rate expressions.
The names or Amazon Resource Names (ARNs) of the Change Calendar type documents your associations are gated under. The associations only run when that change calendar is open. For more information, see Amazon Web Services Systems Manager Change Calendar.
The combination of Amazon Web Services Regions and Amazon Web Services accounts where you want to run the association.
The combination of Amazon Web Services Regions and Amazon Web Services accounts targeted by the current Automation execution.
The Amazon Web Services accounts targeted by the current Automation execution.
The Amazon Web Services Regions targeted by the current Automation execution.
The maximum number of Amazon Web Services Regions and Amazon Web Services accounts allowed to run the Automation concurrently.
The maximum number of errors allowed before the system stops queueing additional Automation executions for the currently running Automation.
The Automation execution role used by the currently running Automation. If not specified, the default value is AWS-SystemsManager-AutomationExecutionRole
.
The details for the CloudWatch alarm you want to apply to an automation or command.
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
The name of the CloudWatch alarm specified in the configuration.
A CloudWatch alarm you apply to an automation or command.
The name of your CloudWatch alarm.
Number of days to wait after the scheduled day to run an association.
A key-value mapping of document parameters to target resources. Both Targets and TargetMaps can't be specified together.
The details for the CloudWatch alarm you want to apply to an automation or command.
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
The name of the CloudWatch alarm specified in the configuration.
A CloudWatch alarm you apply to an automation or command.
The name of your CloudWatch alarm.
The CloudWatch alarm that was invoked during the association.
The details about the state of your CloudWatch alarm.
The name of your CloudWatch alarm.
The state of your CloudWatch alarm.
Information about the associations that failed.
Describes a failed association.
The association.
The name of the SSM document that contains the configuration information for the managed node. You can specify Command or Automation runbooks.
You can specify Amazon Web Services-predefined documents, documents you created, or a document that is shared with you from another account.
For SSM documents that are shared with you from other Amazon Web Services accounts, you must specify the complete SSM document ARN, in the following format:
arn:aws:ssm:region:account-id:document/document-name
For example:
arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document
For Amazon Web Services-predefined documents and SSM documents you created in your account, you only need to specify the document name. For example, AWS-ApplyPatchBaseline
or My-Document
.
The managed node ID.
Note
InstanceId
has been deprecated. To specify a managed node ID for an association, use the Targets
parameter. Requests that include the parameter InstanceID
with Systems Manager documents (SSM documents) that use schema version 2.0 or later will fail. In addition, if you use the parameter InstanceId
, you can't use the parameters AssociationName
, DocumentVersion
, MaxErrors
, MaxConcurrency
, OutputLocation
, or ScheduleExpression
. To use these parameters, you must use the Targets
parameter.
A description of the parameters for a document.
Specify the target for the association. This target is required for associations that use an Automation runbook and target resources by using rate controls. Automation is a capability of Amazon Web Services Systems Manager.
The document version.
The managed nodes targeted by the request.
An array of search criteria that targets managed nodes using a key-value pair that you specify.
Note
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide .
Supported formats include the following.
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>
Key=tag:<my-tag-key>,Values=<my-tag-value-1>,<my-tag-value-2>
Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>
Key=resource-groups:Name,Values=<resource-group-name>
Key=resource-groups:ResourceTypeFilters,Values=<resource-type-1>,<resource-type-2>
Key=ResourceGroup;Values=<resource-group-name>
For example:
Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
Key=tag:CostCenter,Values=CostCenter1,CostCenter2,CostCenter3
Key=tag-key,Values=Name,Instance-Type,CostCenter
Key=resource-groups:Name,Values=ProductionResourceGroup
This example demonstrates how to target all resources in the resource group ProductionResourceGroup in your maintenance window.Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
This example demonstrates how to target only Amazon Elastic Compute Cloud (Amazon EC2) instances and VPCs in your maintenance window.Key=ResourceGroup,Values=MyResourceGroup
Key=InstanceIds,Values=*
This example demonstrates how to target all managed instances in the Amazon Web Services Region where the association was created.For more information about how to send commands that target managed nodes using Key,Value
parameters, see Targeting multiple instances in the Amazon Web Services Systems Manager User Guide .
User-defined criteria for sending commands that target managed nodes that meet the criteria.
User-defined criteria that maps to Key
. For example, if you specified tag:ServerRole
, you could specify value:WebServer
to run a command on instances that include EC2 tags of ServerRole,WebServer
.
Depending on the type of target, the maximum number of values for a key might be lower than the global maximum of 50.
A cron expression that specifies a schedule when the association runs.
An S3 bucket where you want to store the results of this request.
An S3 bucket where you want to store the results of this request.
The Amazon Web Services Region of the S3 bucket.
The name of the S3 bucket.
The S3 bucket subfolder.
Specify a descriptive name for the association.
The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 managed nodes and set MaxError
to 10%, then the system stops sending the request when the sixth error is received.
Executions that are already running an association when MaxErrors
is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set MaxConcurrency
to 1 so that executions proceed one at a time.
The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.
If a new managed node starts and attempts to run an association while Systems Manager is running MaxConcurrency
associations, the association is allowed to run. During the next association interval, the new managed node will process its association within the limit specified for MaxConcurrency
.
The severity level to assign to the association.
The mode for generating association compliance. You can specify AUTO
or MANUAL
. In AUTO
mode, the system uses the status of the association execution to determine the compliance status. If the association execution runs successfully, then the association is COMPLIANT
. If the association execution doesn't run successfully, the association is NON-COMPLIANT
.
In MANUAL
mode, you must specify the AssociationId
as a parameter for the PutComplianceItems API operation. In this case, compliance data isn't managed by State Manager, a capability of Amazon Web Services Systems Manager. It is managed by your direct call to the PutComplianceItems API operation.
By default, all associations use AUTO
mode.
By default, when you create a new associations, the system runs it immediately after it is created and then according to the schedule you specified. Specify this option if you don't want an association to run immediately after you create it. This parameter isn't supported for rate expressions.
The names or Amazon Resource Names (ARNs) of the Change Calendar type documents your associations are gated under. The associations only run when that Change Calendar is open. For more information, see Amazon Web Services Systems Manager Change Calendar.
Use this action to create an association in multiple Regions and multiple accounts.
The combination of Amazon Web Services Regions and Amazon Web Services accounts targeted by the current Automation execution.
The Amazon Web Services accounts targeted by the current Automation execution.
The Amazon Web Services Regions targeted by the current Automation execution.
The maximum number of Amazon Web Services Regions and Amazon Web Services accounts allowed to run the Automation concurrently.
The maximum number of errors allowed before the system stops queueing additional Automation executions for the currently running Automation.
The Automation execution role used by the currently running Automation. If not specified, the default value is AWS-SystemsManager-AutomationExecutionRole
.
The details for the CloudWatch alarm you want to apply to an automation or command.
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
The name of the CloudWatch alarm specified in the configuration.
A CloudWatch alarm you apply to an automation or command.
The name of your CloudWatch alarm.
Number of days to wait after the scheduled day to run an association.
A key-value mapping of document parameters to target resources. Both Targets and TargetMaps can't be specified together.
The details for the CloudWatch alarm you want to apply to an automation or command.
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
The name of the CloudWatch alarm specified in the configuration.
A CloudWatch alarm you apply to an automation or command.
The name of your CloudWatch alarm.
A description of the failure.
The source of the failure.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidDocument
SSM.Client.exceptions.InvalidDocumentVersion
SSM.Client.exceptions.InvalidInstanceId
SSM.Client.exceptions.InvalidParameters
SSM.Client.exceptions.DuplicateInstanceId
SSM.Client.exceptions.AssociationLimitExceeded
SSM.Client.exceptions.UnsupportedPlatformType
SSM.Client.exceptions.InvalidOutputLocation
SSM.Client.exceptions.InvalidTarget
SSM.Client.exceptions.InvalidSchedule
SSM.Client.exceptions.InvalidTargetMaps
create_document
(**kwargs)¶Creates a Amazon Web Services Systems Manager (SSM document). An SSM document defines the actions that Systems Manager performs on your managed nodes. For more information about SSM documents, including information about supported schemas, features, and syntax, see Amazon Web Services Systems Manager Documents in the Amazon Web Services Systems Manager User Guide .
See also: AWS API Documentation
Request Syntax
response = client.create_document(
Content='string',
Requires=[
{
'Name': 'string',
'Version': 'string'
},
],
Attachments=[
{
'Key': 'SourceUrl'|'S3FileUrl'|'AttachmentReference',
'Values': [
'string',
],
'Name': 'string'
},
],
Name='string',
DisplayName='string',
VersionName='string',
DocumentType='Command'|'Policy'|'Automation'|'Session'|'Package'|'ApplicationConfiguration'|'ApplicationConfigurationSchema'|'DeploymentStrategy'|'ChangeCalendar'|'Automation.ChangeTemplate'|'ProblemAnalysis'|'ProblemAnalysisTemplate'|'CloudFormation'|'ConformancePackTemplate',
DocumentFormat='YAML'|'JSON'|'TEXT',
TargetType='string',
Tags=[
{
'Key': 'string',
'Value': 'string'
},
]
)
[REQUIRED]
The content for the new SSM document in JSON or YAML format. We recommend storing the contents for your new document in an external JSON or YAML file and referencing the file in a command.
For examples, see the following topics in the Amazon Web Services Systems Manager User Guide .
A list of SSM documents required by a document. This parameter is used exclusively by AppConfig. When a user creates an AppConfig configuration in an SSM document, the user must also specify a required document for validation purposes. In this case, an ApplicationConfiguration
document requires an ApplicationConfigurationSchema
document for validation purposes. For more information, see What is AppConfig? in the AppConfig User Guide .
An SSM document required by the current document.
The name of the required SSM document. The name can be an Amazon Resource Name (ARN).
The document version required by the current document.
A list of key-value pairs that describe attachments to a version of a document.
Identifying information about a document attachment, including the file name and a key-value pair that identifies the location of an attachment to a document.
The key of a key-value pair that identifies the location of an attachment to a document.
The value of a key-value pair that identifies the location of an attachment to a document. The format for Value depends on the type of key you specify.
"Values": [ "s3://doc-example-bucket/my-folder" ]
"Values": [ "s3://doc-example-bucket/my-folder/my-file.py" ]
"Values": [ "MyOtherDocument/3/my-other-file.py" ]
However, if the SSM document is shared with you from another account, the full SSM document ARN must be specified instead of the document name only. For example: "Values": [ "arn:aws:ssm:us-east-2:111122223333:document/OtherAccountDocument/3/their-file.py" ]
The name of the document attachment file.
[REQUIRED]
A name for the SSM document.
Warning
You can't use the following strings as document name prefixes. These are reserved by Amazon Web Services for use as document name prefixes:
aws
amazon
amzn
Release12.1
. This value is unique across all versions of a document, and can't be changed.The type of document to create.
Note
The DeploymentStrategy
document type is an internal-use-only document type reserved for AppConfig.
/AWS::EC2::Instance
. If you specify a value of '/' the document can run on all types of resources. If you don't specify a value, the document can't run on any resources. For a list of valid resource types, see Amazon Web Services resource and property types reference in the CloudFormation User Guide .Optional metadata that you assign to a resource. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag an SSM document to identify the types of targets or the environment where it will run. In this case, you could specify the following key-value pairs:
Key=OS,Value=Windows
Key=Environment,Value=Production
Note
To add tags to an existing SSM document, use the AddTagsToResource operation.
Metadata that you assign to your Amazon Web Services resources. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. In Amazon Web Services Systems Manager, you can apply tags to Systems Manager documents (SSM documents), managed nodes, maintenance windows, parameters, patch baselines, OpsItems, and OpsMetadata.
The name of the tag.
The value of the tag.
dict
Response Syntax
{
'DocumentDescription': {
'Sha1': 'string',
'Hash': 'string',
'HashType': 'Sha256'|'Sha1',
'Name': 'string',
'DisplayName': 'string',
'VersionName': 'string',
'Owner': 'string',
'CreatedDate': datetime(2015, 1, 1),
'Status': 'Creating'|'Active'|'Updating'|'Deleting'|'Failed',
'StatusInformation': 'string',
'DocumentVersion': 'string',
'Description': 'string',
'Parameters': [
{
'Name': 'string',
'Type': 'String'|'StringList',
'Description': 'string',
'DefaultValue': 'string'
},
],
'PlatformTypes': [
'Windows'|'Linux'|'MacOS',
],
'DocumentType': 'Command'|'Policy'|'Automation'|'Session'|'Package'|'ApplicationConfiguration'|'ApplicationConfigurationSchema'|'DeploymentStrategy'|'ChangeCalendar'|'Automation.ChangeTemplate'|'ProblemAnalysis'|'ProblemAnalysisTemplate'|'CloudFormation'|'ConformancePackTemplate',
'SchemaVersion': 'string',
'LatestVersion': 'string',
'DefaultVersion': 'string',
'DocumentFormat': 'YAML'|'JSON'|'TEXT',
'TargetType': 'string',
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'AttachmentsInformation': [
{
'Name': 'string'
},
],
'Requires': [
{
'Name': 'string',
'Version': 'string'
},
],
'Author': 'string',
'ReviewInformation': [
{
'ReviewedTime': datetime(2015, 1, 1),
'Status': 'APPROVED'|'NOT_REVIEWED'|'PENDING'|'REJECTED',
'Reviewer': 'string'
},
],
'ApprovedVersion': 'string',
'PendingReviewVersion': 'string',
'ReviewStatus': 'APPROVED'|'NOT_REVIEWED'|'PENDING'|'REJECTED',
'Category': [
'string',
],
'CategoryEnum': [
'string',
]
}
}
Response Structure
(dict) --
DocumentDescription (dict) --
Information about the SSM document.
Sha1 (string) --
The SHA1 hash of the document, which you can use for verification.
Hash (string) --
The Sha256 or Sha1 hash created by the system when the document was created.
Note
Sha1 hashes have been deprecated.
HashType (string) --
The hash type of the document. Valid values include Sha256
or Sha1
.
Note
Sha1 hashes have been deprecated.
Name (string) --
The name of the SSM document.
DisplayName (string) --
The friendly name of the SSM document. This value can differ for each version of the document. If you want to update this value, see UpdateDocument.
VersionName (string) --
The version of the artifact associated with the document.
Owner (string) --
The Amazon Web Services user account that created the document.
CreatedDate (datetime) --
The date when the document was created.
Status (string) --
The status of the SSM document.
StatusInformation (string) --
A message returned by Amazon Web Services Systems Manager that explains the Status
value. For example, a Failed
status might be explained by the StatusInformation
message, "The specified S3 bucket doesn't exist. Verify that the URL of the S3 bucket is correct."
DocumentVersion (string) --
The document version.
Description (string) --
A description of the document.
Parameters (list) --
A description of the parameters for a document.
(dict) --
Parameters specified in a System Manager document that run on the server when the command is run.
Name (string) --
The name of the parameter.
Type (string) --
The type of parameter. The type can be either String or StringList.
Description (string) --
A description of what the parameter does, how to use it, the default value, and whether or not the parameter is optional.
DefaultValue (string) --
If specified, the default values for the parameters. Parameters without a default value are required. Parameters with a default value are optional.
PlatformTypes (list) --
The list of operating system (OS) platforms compatible with this SSM document.
DocumentType (string) --
The type of document.
SchemaVersion (string) --
The schema version.
LatestVersion (string) --
The latest version of the document.
DefaultVersion (string) --
The default version.
DocumentFormat (string) --
The document format, either JSON or YAML.
TargetType (string) --
The target type which defines the kinds of resources the document can run on. For example, /AWS::EC2::Instance
. For a list of valid resource types, see Amazon Web Services resource and property types reference in the CloudFormation User Guide .
Tags (list) --
The tags, or metadata, that have been applied to the document.
(dict) --
Metadata that you assign to your Amazon Web Services resources. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. In Amazon Web Services Systems Manager, you can apply tags to Systems Manager documents (SSM documents), managed nodes, maintenance windows, parameters, patch baselines, OpsItems, and OpsMetadata.
Key (string) --
The name of the tag.
Value (string) --
The value of the tag.
AttachmentsInformation (list) --
Details about the document attachments, including names, locations, sizes, and so on.
(dict) --
An attribute of an attachment, such as the attachment name.
Name (string) --
The name of the attachment.
Requires (list) --
A list of SSM documents required by a document. For example, an ApplicationConfiguration
document requires an ApplicationConfigurationSchema
document.
(dict) --
An SSM document required by the current document.
Name (string) --
The name of the required SSM document. The name can be an Amazon Resource Name (ARN).
Version (string) --
The document version required by the current document.
Author (string) --
The user in your organization who created the document.
ReviewInformation (list) --
Details about the review of a document.
(dict) --
Information about the result of a document review request.
ReviewedTime (datetime) --
The time that the reviewer took action on the document review request.
Status (string) --
The current status of the document review request.
Reviewer (string) --
The reviewer assigned to take action on the document review request.
ApprovedVersion (string) --
The version of the document currently approved for use in the organization.
PendingReviewVersion (string) --
The version of the document that is currently under review.
ReviewStatus (string) --
The current status of the review.
Category (list) --
The classification of a document to help you identify and categorize its use.
CategoryEnum (list) --
The value that identifies a document's category.
Exceptions
SSM.Client.exceptions.DocumentAlreadyExists
SSM.Client.exceptions.MaxDocumentSizeExceeded
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidDocumentContent
SSM.Client.exceptions.DocumentLimitExceeded
SSM.Client.exceptions.InvalidDocumentSchemaVersion
create_maintenance_window
(**kwargs)¶Creates a new maintenance window.
Note
The value you specify for Duration
determines the specific end time for the maintenance window based on the time it begins. No maintenance window tasks are permitted to start after the resulting endtime minus the number of hours you specify for Cutoff
. For example, if the maintenance window starts at 3 PM, the duration is three hours, and the value you specify for Cutoff
is one hour, no maintenance window tasks can start after 5 PM.
See also: AWS API Documentation
Request Syntax
response = client.create_maintenance_window(
Name='string',
Description='string',
StartDate='string',
EndDate='string',
Schedule='string',
ScheduleTimezone='string',
ScheduleOffset=123,
Duration=123,
Cutoff=123,
AllowUnassociatedTargets=True|False,
ClientToken='string',
Tags=[
{
'Key': 'string',
'Value': 'string'
},
]
)
[REQUIRED]
The name of the maintenance window.
StartDate
allows you to delay activation of the maintenance window until the specified future date.EndDate
allows you to set a date and time in the future when the maintenance window will no longer run.[REQUIRED]
The schedule of the maintenance window in the form of a cron or rate expression.
The number of days to wait after the date and time specified by a cron expression before running the maintenance window.
For example, the following cron expression schedules a maintenance window to run on the third Tuesday of every month at 11:30 PM.
cron(30 23 ? * TUE#3 *)
If the schedule offset is 2
, the maintenance window won't run until two days later.
[REQUIRED]
The duration of the maintenance window in hours.
[REQUIRED]
The number of hours before the end of the maintenance window that Amazon Web Services Systems Manager stops scheduling new tasks for execution.
[REQUIRED]
Enables a maintenance window task to run on managed nodes, even if you haven't registered those nodes as targets. If enabled, then you must specify the unregistered managed nodes (by node ID) when you register a task with the maintenance window.
If you don't enable this option, then you must specify previously-registered targets when you register a task with the maintenance window.
User-provided idempotency token.
This field is autopopulated if not provided.
Optional metadata that you assign to a resource. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a maintenance window to identify the type of tasks it will run, the types of targets, and the environment it will run in. In this case, you could specify the following key-value pairs:
Key=TaskType,Value=AgentUpdate
Key=OS,Value=Windows
Key=Environment,Value=Production
Note
To add tags to an existing maintenance window, use the AddTagsToResource operation.
Metadata that you assign to your Amazon Web Services resources. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. In Amazon Web Services Systems Manager, you can apply tags to Systems Manager documents (SSM documents), managed nodes, maintenance windows, parameters, patch baselines, OpsItems, and OpsMetadata.
The name of the tag.
The value of the tag.
dict
Response Syntax
{
'WindowId': 'string'
}
Response Structure
(dict) --
WindowId (string) --
The ID of the created maintenance window.
Exceptions
SSM.Client.exceptions.IdempotentParameterMismatch
SSM.Client.exceptions.ResourceLimitExceededException
SSM.Client.exceptions.InternalServerError
create_ops_item
(**kwargs)¶Creates a new OpsItem. You must have permission in Identity and Access Management (IAM) to create a new OpsItem. For more information, see Getting started with OpsCenter in the Amazon Web Services Systems Manager User Guide .
Operations engineers and IT professionals use Amazon Web Services Systems Manager OpsCenter to view, investigate, and remediate operational issues impacting the performance and health of their Amazon Web Services resources. For more information, see Amazon Web Services Systems Manager OpsCenter in the Amazon Web Services Systems Manager User Guide .
See also: AWS API Documentation
Request Syntax
response = client.create_ops_item(
Description='string',
OpsItemType='string',
OperationalData={
'string': {
'Value': 'string',
'Type': 'SearchableString'|'String'
}
},
Notifications=[
{
'Arn': 'string'
},
],
Priority=123,
RelatedOpsItems=[
{
'OpsItemId': 'string'
},
],
Source='string',
Title='string',
Tags=[
{
'Key': 'string',
'Value': 'string'
},
],
Category='string',
Severity='string',
ActualStartTime=datetime(2015, 1, 1),
ActualEndTime=datetime(2015, 1, 1),
PlannedStartTime=datetime(2015, 1, 1),
PlannedEndTime=datetime(2015, 1, 1),
AccountId='string'
)
[REQUIRED]
Information about the OpsItem.
The type of OpsItem to create. Systems Manager supports the following types of OpsItems:
/aws/issue
This type of OpsItem is used for default OpsItems created by OpsCenter./aws/changerequest
This type of OpsItem is used by Change Manager for reviewing and approving or rejecting change requests./aws/insights
This type of OpsItem is used by OpsCenter for aggregating and reporting on duplicate OpsItems.Operational data is custom data that provides useful reference details about the OpsItem. For example, you can specify log files, error strings, license keys, troubleshooting tips, or other relevant data. You enter operational data as key-value pairs. The key has a maximum length of 128 characters. The value has a maximum size of 20 KB.
Warning
Operational data keys can't begin with the following: amazon
, aws
, amzn
, ssm
, /amazon
, /aws
, /amzn
, /ssm
.
You can choose to make the data searchable by other users in the account or you can restrict search access. Searchable data means that all users with access to the OpsItem Overview page (as provided by the DescribeOpsItems API operation) can view and search on the specified data. Operational data that isn't searchable is only viewable by users who have access to the OpsItem (as provided by the GetOpsItem API operation).
Use the /aws/resources
key in OperationalData to specify a related resource in the request. Use the /aws/automations
key in OperationalData to associate an Automation runbook with the OpsItem. To view Amazon Web Services CLI example commands that use these keys, see Creating OpsItems manually in the Amazon Web Services Systems Manager User Guide .
An object that defines the value of the key and its type in the OperationalData map.
The value of the OperationalData key.
The type of key-value pair. Valid types include SearchableString
and String
.
The Amazon Resource Name (ARN) of an SNS topic where notifications are sent when this OpsItem is edited or changed.
A notification about the OpsItem.
The Amazon Resource Name (ARN) of an Amazon Simple Notification Service (Amazon SNS) topic where notifications are sent when this OpsItem is edited or changed.
One or more OpsItems that share something in common with the current OpsItems. For example, related OpsItems can include OpsItems with similar error messages, impacted resources, or statuses for the impacted resource.
An OpsItems that shares something in common with the current OpsItem. For example, related OpsItems can include OpsItems with similar error messages, impacted resources, or statuses for the impacted resource.
The ID of an OpsItem related to the current OpsItem.
[REQUIRED]
The origin of the OpsItem, such as Amazon EC2 or Systems Manager.
Note
The source name can't contain the following strings: aws
, amazon
, and amzn
.
[REQUIRED]
A short heading that describes the nature of the OpsItem and the impacted resource.
Optional metadata that you assign to a resource. You can restrict access to OpsItems by using an inline IAM policy that specifies tags. For more information, see Getting started with OpsCenter in the Amazon Web Services Systems Manager User Guide .
Tags use a key-value pair. For example:
Key=Department,Value=Finance
Warning
To add tags to a new OpsItem, a user must have IAM permissions for both the ssm:CreateOpsItems
operation and the ssm:AddTagsToResource
operation. To add tags to an existing OpsItem, use the AddTagsToResource operation.
Metadata that you assign to your Amazon Web Services resources. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. In Amazon Web Services Systems Manager, you can apply tags to Systems Manager documents (SSM documents), managed nodes, maintenance windows, parameters, patch baselines, OpsItems, and OpsMetadata.
The name of the tag.
The value of the tag.
/aws/changerequest
./aws/changerequest
./aws/changerequest
./aws/changerequest
.dict
Response Syntax
{
'OpsItemId': 'string',
'OpsItemArn': 'string'
}
Response Structure
(dict) --
OpsItemId (string) --
The ID of the OpsItem.
OpsItemArn (string) --
The OpsItem Amazon Resource Name (ARN).
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.OpsItemAlreadyExistsException
SSM.Client.exceptions.OpsItemLimitExceededException
SSM.Client.exceptions.OpsItemInvalidParameterException
SSM.Client.exceptions.OpsItemAccessDeniedException
create_ops_metadata
(**kwargs)¶If you create a new application in Application Manager, Amazon Web Services Systems Manager calls this API operation to specify information about the new application, including the application type.
See also: AWS API Documentation
Request Syntax
response = client.create_ops_metadata(
ResourceId='string',
Metadata={
'string': {
'Value': 'string'
}
},
Tags=[
{
'Key': 'string',
'Value': 'string'
},
]
)
[REQUIRED]
A resource ID for a new Application Manager application.
Metadata for a new Application Manager application.
Metadata to assign to an Application Manager application.
Metadata value to assign to an Application Manager application.
Optional metadata that you assign to a resource. You can specify a maximum of five tags for an OpsMetadata object. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag an OpsMetadata object to identify an environment or target Amazon Web Services Region. In this case, you could specify the following key-value pairs:
Key=Environment,Value=Production
Key=Region,Value=us-east-2
Metadata that you assign to your Amazon Web Services resources. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. In Amazon Web Services Systems Manager, you can apply tags to Systems Manager documents (SSM documents), managed nodes, maintenance windows, parameters, patch baselines, OpsItems, and OpsMetadata.
The name of the tag.
The value of the tag.
dict
Response Syntax
{
'OpsMetadataArn': 'string'
}
Response Structure
(dict) --
OpsMetadataArn (string) --
The Amazon Resource Name (ARN) of the OpsMetadata Object or blob created by the call.
Exceptions
SSM.Client.exceptions.OpsMetadataAlreadyExistsException
SSM.Client.exceptions.OpsMetadataTooManyUpdatesException
SSM.Client.exceptions.OpsMetadataInvalidArgumentException
SSM.Client.exceptions.OpsMetadataLimitExceededException
SSM.Client.exceptions.InternalServerError
create_patch_baseline
(**kwargs)¶Creates a patch baseline.
Note
For information about valid key-value pairs in PatchFilters
for each supported operating system type, see PatchFilter.
See also: AWS API Documentation
Request Syntax
response = client.create_patch_baseline(
OperatingSystem='WINDOWS'|'AMAZON_LINUX'|'AMAZON_LINUX_2'|'AMAZON_LINUX_2022'|'UBUNTU'|'REDHAT_ENTERPRISE_LINUX'|'SUSE'|'CENTOS'|'ORACLE_LINUX'|'DEBIAN'|'MACOS'|'RASPBIAN'|'ROCKY_LINUX',
Name='string',
GlobalFilters={
'PatchFilters': [
{
'Key': 'ARCH'|'ADVISORY_ID'|'BUGZILLA_ID'|'PATCH_SET'|'PRODUCT'|'PRODUCT_FAMILY'|'CLASSIFICATION'|'CVE_ID'|'EPOCH'|'MSRC_SEVERITY'|'NAME'|'PATCH_ID'|'SECTION'|'PRIORITY'|'REPOSITORY'|'RELEASE'|'SEVERITY'|'SECURITY'|'VERSION',
'Values': [
'string',
]
},
]
},
ApprovalRules={
'PatchRules': [
{
'PatchFilterGroup': {
'PatchFilters': [
{
'Key': 'ARCH'|'ADVISORY_ID'|'BUGZILLA_ID'|'PATCH_SET'|'PRODUCT'|'PRODUCT_FAMILY'|'CLASSIFICATION'|'CVE_ID'|'EPOCH'|'MSRC_SEVERITY'|'NAME'|'PATCH_ID'|'SECTION'|'PRIORITY'|'REPOSITORY'|'RELEASE'|'SEVERITY'|'SECURITY'|'VERSION',
'Values': [
'string',
]
},
]
},
'ComplianceLevel': 'CRITICAL'|'HIGH'|'MEDIUM'|'LOW'|'INFORMATIONAL'|'UNSPECIFIED',
'ApproveAfterDays': 123,
'ApproveUntilDate': 'string',
'EnableNonSecurity': True|False
},
]
},
ApprovedPatches=[
'string',
],
ApprovedPatchesComplianceLevel='CRITICAL'|'HIGH'|'MEDIUM'|'LOW'|'INFORMATIONAL'|'UNSPECIFIED',
ApprovedPatchesEnableNonSecurity=True|False,
RejectedPatches=[
'string',
],
RejectedPatchesAction='ALLOW_AS_DEPENDENCY'|'BLOCK',
Description='string',
Sources=[
{
'Name': 'string',
'Products': [
'string',
],
'Configuration': 'string'
},
],
ClientToken='string',
Tags=[
{
'Key': 'string',
'Value': 'string'
},
]
)
WINDOWS
.[REQUIRED]
The name of the patch baseline.
A set of global filters used to include patches in the baseline.
The set of patch filters that make up the group.
Defines which patches should be included in a patch baseline.
A patch filter consists of a key and a set of values. The filter key is a patch property. For example, the available filter keys for WINDOWS
are PATCH_SET
, PRODUCT
, PRODUCT_FAMILY
, CLASSIFICATION
, and MSRC_SEVERITY
.
The filter values define a matching criterion for the patch property indicated by the key. For example, if the filter key is PRODUCT
and the filter values are ["Office 2013", "Office 2016"]
, then the filter accepts all patches where product name is either "Office 2013" or "Office 2016". The filter values can be exact values for the patch property given as a key, or a wildcard (*), which matches all values.
You can view lists of valid values for the patch properties by running the DescribePatchProperties
command. For information about which patch properties can be used with each major operating system, see DescribePatchProperties.
The key for the filter.
Run the DescribePatchProperties command to view lists of valid keys for each operating system type.
The value for the filter key.
Run the DescribePatchProperties command to view lists of valid values for each key based on operating system type.
A set of rules used to include patches in the baseline.
The rules that make up the rule group.
Defines an approval rule for a patch baseline.
The patch filter group that defines the criteria for the rule.
The set of patch filters that make up the group.
Defines which patches should be included in a patch baseline.
A patch filter consists of a key and a set of values. The filter key is a patch property. For example, the available filter keys for WINDOWS
are PATCH_SET
, PRODUCT
, PRODUCT_FAMILY
, CLASSIFICATION
, and MSRC_SEVERITY
.
The filter values define a matching criterion for the patch property indicated by the key. For example, if the filter key is PRODUCT
and the filter values are ["Office 2013", "Office 2016"]
, then the filter accepts all patches where product name is either "Office 2013" or "Office 2016". The filter values can be exact values for the patch property given as a key, or a wildcard (*), which matches all values.
You can view lists of valid values for the patch properties by running the DescribePatchProperties
command. For information about which patch properties can be used with each major operating system, see DescribePatchProperties.
The key for the filter.
Run the DescribePatchProperties command to view lists of valid keys for each operating system type.
The value for the filter key.
Run the DescribePatchProperties command to view lists of valid values for each key based on operating system type.
A compliance severity level for all approved patches in a patch baseline.
The number of days after the release date of each patch matched by the rule that the patch is marked as approved in the patch baseline. For example, a value of 7
means that patches are approved seven days after they are released. Not supported on Debian Server or Ubuntu Server.
The cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically. Not supported on Debian Server or Ubuntu Server.
Enter dates in the format YYYY-MM-DD
. For example, 2021-12-31
.
For managed nodes identified by the approval rule filters, enables a patch baseline to apply non-security updates available in the specified repository. The default value is false
. Applies to Linux managed nodes only.
A list of explicitly approved patches for the baseline.
For information about accepted formats for lists of approved patches and rejected patches, see About package name formats for approved and rejected patch lists in the Amazon Web Services Systems Manager User Guide .
UNSPECIFIED
.false
. Applies to Linux managed nodes only.A list of explicitly rejected patches for the baseline.
For information about accepted formats for lists of approved patches and rejected patches, see About package name formats for approved and rejected patch lists in the Amazon Web Services Systems Manager User Guide .
The action for Patch Manager to take on patches included in the RejectedPackages
list.
ALLOW_AS_DEPENDENCY
: A package in the Rejected
patches list is installed only if it is a dependency of another package. It is considered compliant with the patch baseline, and its status is reported as InstalledOther
. This is the default action if no option is specified.BLOCK
: Packages in the RejectedPatches
list, and packages that include them as dependencies, aren't installed under any circumstances. If a package was installed before it was added to the Rejected patches list, it is considered non-compliant with the patch baseline, and its status is reported as InstalledRejected
.Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only.
Information about the patches to use to update the managed nodes, including target operating systems and source repository. Applies to Linux managed nodes only.
The name specified to identify the patch source.
The specific operating system versions a patch repository applies to, such as "Ubuntu16.04", "AmazonLinux2016.09", "RedhatEnterpriseLinux7.2" or "Suse12.7". For lists of supported product values, see PatchFilter.
The value of the yum repo configuration. For example:
[main]
name=MyCustomRepository
baseurl=https://my-custom-repository
enabled=1
Note
For information about other options available for your yum repository configuration, see dnf.conf(5).
User-provided idempotency token.
This field is autopopulated if not provided.
Optional metadata that you assign to a resource. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a patch baseline to identify the severity level of patches it specifies and the operating system family it applies to. In this case, you could specify the following key-value pairs:
Key=PatchSeverity,Value=Critical
Key=OS,Value=Windows
Note
To add tags to an existing patch baseline, use the AddTagsToResource operation.
Metadata that you assign to your Amazon Web Services resources. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. In Amazon Web Services Systems Manager, you can apply tags to Systems Manager documents (SSM documents), managed nodes, maintenance windows, parameters, patch baselines, OpsItems, and OpsMetadata.
The name of the tag.
The value of the tag.
dict
Response Syntax
{
'BaselineId': 'string'
}
Response Structure
(dict) --
BaselineId (string) --
The ID of the created patch baseline.
Exceptions
SSM.Client.exceptions.IdempotentParameterMismatch
SSM.Client.exceptions.ResourceLimitExceededException
SSM.Client.exceptions.InternalServerError
create_resource_data_sync
(**kwargs)¶A resource data sync helps you view data from multiple sources in a single location. Amazon Web Services Systems Manager offers two types of resource data sync: SyncToDestination
and SyncFromSource
.
You can configure Systems Manager Inventory to use the SyncToDestination
type to synchronize Inventory data from multiple Amazon Web Services Regions to a single Amazon Simple Storage Service (Amazon S3) bucket. For more information, see Configuring resource data sync for Inventory in the Amazon Web Services Systems Manager User Guide .
You can configure Systems Manager Explorer to use the SyncFromSource
type to synchronize operational work items (OpsItems) and operational data (OpsData) from multiple Amazon Web Services Regions to a single Amazon S3 bucket. This type can synchronize OpsItems and OpsData from multiple Amazon Web Services accounts and Amazon Web Services Regions or EntireOrganization
by using Organizations. For more information, see Setting up Systems Manager Explorer to display data from multiple accounts and Regions in the Amazon Web Services Systems Manager User Guide .
A resource data sync is an asynchronous operation that returns immediately. After a successful initial sync is completed, the system continuously syncs data. To check the status of a sync, use the ListResourceDataSync.
Note
By default, data isn't encrypted in Amazon S3. We strongly recommend that you enable encryption in Amazon S3 to ensure secure data storage. We also recommend that you secure access to the Amazon S3 bucket by creating a restrictive bucket policy.
See also: AWS API Documentation
Request Syntax
response = client.create_resource_data_sync(
SyncName='string',
S3Destination={
'BucketName': 'string',
'Prefix': 'string',
'SyncFormat': 'JsonSerDe',
'Region': 'string',
'AWSKMSKeyARN': 'string',
'DestinationDataSharing': {
'DestinationDataSharingType': 'string'
}
},
SyncType='string',
SyncSource={
'SourceType': 'string',
'AwsOrganizationsSource': {
'OrganizationSourceType': 'string',
'OrganizationalUnits': [
{
'OrganizationalUnitId': 'string'
},
]
},
'SourceRegions': [
'string',
],
'IncludeFutureRegions': True|False,
'EnableAllOpsDataSources': True|False
}
)
[REQUIRED]
A name for the configuration.
Amazon S3 configuration details for the sync. This parameter is required if the SyncType
value is SyncToDestination.
The name of the S3 bucket where the aggregated data is stored.
An Amazon S3 prefix for the bucket.
A supported sync format. The following format is currently supported: JsonSerDe
The Amazon Web Services Region with the S3 bucket targeted by the resource data sync.
The ARN of an encryption key for a destination in Amazon S3. Must belong to the same Region as the destination S3 bucket.
Enables destination data sharing. By default, this field is null
.
The sharing data type. Only Organization
is supported.
SyncToDestination
to create a resource data sync that synchronizes data to an S3 bucket for Inventory. If you specify SyncToDestination
, you must provide a value for S3Destination
. Specify SyncFromSource
to synchronize data from a single account and multiple Regions, or multiple Amazon Web Services accounts and Amazon Web Services Regions, as listed in Organizations for Explorer. If you specify SyncFromSource
, you must provide a value for SyncSource
. The default value is SyncToDestination
.Specify information about the data sources to synchronize. This parameter is required if the SyncType
value is SyncFromSource.
The type of data source for the resource data sync. SourceType
is either AwsOrganizations
(if an organization is present in Organizations) or SingleAccountMultiRegions
.
Information about the AwsOrganizationsSource
resource data sync source. A sync source of this type can synchronize data from Organizations.
If an Amazon Web Services organization is present, this is either OrganizationalUnits
or EntireOrganization
. For OrganizationalUnits
, the data is aggregated from a set of organization units. For EntireOrganization
, the data is aggregated from the entire Amazon Web Services organization.
The Organizations organization units included in the sync.
The Organizations organizational unit data source for the sync.
The Organizations unit ID data source for the sync.
The SyncSource
Amazon Web Services Regions included in the resource data sync.
Whether to automatically synchronize and aggregate data from new Amazon Web Services Regions when those Regions come online.
When you create a resource data sync, if you choose one of the Organizations options, then Systems Manager automatically enables all OpsData sources in the selected Amazon Web Services Regions for all Amazon Web Services accounts in your organization (or in the selected organization units). For more information, see About multiple account and Region resource data syncs in the Amazon Web Services Systems Manager User Guide .
dict
Response Syntax
{}
Response Structure
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.ResourceDataSyncCountExceededException
SSM.Client.exceptions.ResourceDataSyncAlreadyExistsException
SSM.Client.exceptions.ResourceDataSyncInvalidConfigurationException
delete_activation
(**kwargs)¶Deletes an activation. You aren't required to delete an activation. If you delete an activation, you can no longer use it to register additional managed nodes. Deleting an activation doesn't de-register managed nodes. You must manually de-register managed nodes.
See also: AWS API Documentation
Request Syntax
response = client.delete_activation(
ActivationId='string'
)
[REQUIRED]
The ID of the activation that you want to delete.
{}
Response Structure
Exceptions
SSM.Client.exceptions.InvalidActivationId
SSM.Client.exceptions.InvalidActivation
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.TooManyUpdates
delete_association
(**kwargs)¶Disassociates the specified Amazon Web Services Systems Manager document (SSM document) from the specified managed node. If you created the association by using the Targets
parameter, then you must delete the association by using the association ID.
When you disassociate a document from a managed node, it doesn't change the configuration of the node. To change the configuration state of a managed node after you disassociate a document, you must create a new document with the desired configuration and associate it with the node.
See also: AWS API Documentation
Request Syntax
response = client.delete_association(
Name='string',
InstanceId='string',
AssociationId='string'
)
The managed node ID.
Note
InstanceId
has been deprecated. To specify a managed node ID for an association, use the Targets
parameter. Requests that include the parameter InstanceID
with Systems Manager documents (SSM documents) that use schema version 2.0 or later will fail. In addition, if you use the parameter InstanceId
, you can't use the parameters AssociationName
, DocumentVersion
, MaxErrors
, MaxConcurrency
, OutputLocation
, or ScheduleExpression
. To use these parameters, you must use the Targets
parameter.
dict
Response Syntax
{}
Response Structure
Exceptions
SSM.Client.exceptions.AssociationDoesNotExist
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidDocument
SSM.Client.exceptions.InvalidInstanceId
SSM.Client.exceptions.TooManyUpdates
delete_document
(**kwargs)¶Deletes the Amazon Web Services Systems Manager document (SSM document) and all managed node associations to the document.
Before you delete the document, we recommend that you use DeleteAssociation to disassociate all managed nodes that are associated with the document.
See also: AWS API Documentation
Request Syntax
response = client.delete_document(
Name='string',
DocumentVersion='string',
VersionName='string',
Force=True|False
)
[REQUIRED]
The name of the document.
Force
flag before you can delete the document. For example, you must specify a Force
flag to delete a document of type ApplicationConfigurationSchema
. You can restrict access to the Force
flag in an Identity and Access Management (IAM) policy.dict
Response Syntax
{}
Response Structure
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidDocument
SSM.Client.exceptions.InvalidDocumentOperation
SSM.Client.exceptions.AssociatedInstances
delete_inventory
(**kwargs)¶Delete a custom inventory type or the data associated with a custom Inventory type. Deleting a custom inventory type is also referred to as deleting a custom inventory schema.
See also: AWS API Documentation
Request Syntax
response = client.delete_inventory(
TypeName='string',
SchemaDeleteOption='DisableSchema'|'DeleteSchema',
DryRun=True|False,
ClientToken='string'
)
[REQUIRED]
The name of the custom inventory type for which you want to delete either all previously collected data or the inventory type itself.
Use the SchemaDeleteOption
to delete a custom inventory type (schema). If you don't choose this option, the system only deletes existing inventory data associated with the custom inventory type. Choose one of the following options:
DisableSchema: If you choose this option, the system ignores all inventory data for the specified version, and any earlier versions. To enable this schema again, you must call the PutInventory
operation for a version greater than the disabled version.
DeleteSchema: This option deletes the specified custom type from the Inventory service. You can recreate the schema later, if you want.
DryRun
option.User-provided idempotency token.
This field is autopopulated if not provided.
dict
Response Syntax
{
'DeletionId': 'string',
'TypeName': 'string',
'DeletionSummary': {
'TotalCount': 123,
'RemainingCount': 123,
'SummaryItems': [
{
'Version': 'string',
'Count': 123,
'RemainingCount': 123
},
]
}
}
Response Structure
(dict) --
DeletionId (string) --
Every DeleteInventory
operation is assigned a unique ID. This option returns a unique ID. You can use this ID to query the status of a delete operation. This option is useful for ensuring that a delete operation has completed before you begin other operations.
TypeName (string) --
The name of the inventory data type specified in the request.
DeletionSummary (dict) --
A summary of the delete operation. For more information about this summary, see Deleting custom inventory in the Amazon Web Services Systems Manager User Guide .
TotalCount (integer) --
The total number of items to delete. This count doesn't change during the delete operation.
RemainingCount (integer) --
Remaining number of items to delete.
SummaryItems (list) --
A list of counts and versions for deleted items.
(dict) --
Either a count, remaining count, or a version number in a delete inventory summary.
Version (string) --
The inventory type version.
Count (integer) --
A count of the number of deleted items.
RemainingCount (integer) --
The remaining number of items to delete.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidTypeNameException
SSM.Client.exceptions.InvalidOptionException
SSM.Client.exceptions.InvalidDeleteInventoryParametersException
SSM.Client.exceptions.InvalidInventoryRequestException
delete_maintenance_window
(**kwargs)¶Deletes a maintenance window.
See also: AWS API Documentation
Request Syntax
response = client.delete_maintenance_window(
WindowId='string'
)
[REQUIRED]
The ID of the maintenance window to delete.
{
'WindowId': 'string'
}
Response Structure
The ID of the deleted maintenance window.
Exceptions
SSM.Client.exceptions.InternalServerError
delete_ops_metadata
(**kwargs)¶Delete OpsMetadata related to an application.
See also: AWS API Documentation
Request Syntax
response = client.delete_ops_metadata(
OpsMetadataArn='string'
)
[REQUIRED]
The Amazon Resource Name (ARN) of an OpsMetadata Object to delete.
{}
Response Structure
Exceptions
SSM.Client.exceptions.OpsMetadataNotFoundException
SSM.Client.exceptions.OpsMetadataInvalidArgumentException
SSM.Client.exceptions.InternalServerError
delete_parameter
(**kwargs)¶Delete a parameter from the system. After deleting a parameter, wait for at least 30 seconds to create a parameter with the same name.
See also: AWS API Documentation
Request Syntax
response = client.delete_parameter(
Name='string'
)
[REQUIRED]
The name of the parameter to delete.
{}
Response Structure
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.ParameterNotFound
delete_parameters
(**kwargs)¶Delete a list of parameters. After deleting a parameter, wait for at least 30 seconds to create a parameter with the same name.
See also: AWS API Documentation
Request Syntax
response = client.delete_parameters(
Names=[
'string',
]
)
[REQUIRED]
The names of the parameters to delete. After deleting a parameter, wait for at least 30 seconds to create a parameter with the same name.
{
'DeletedParameters': [
'string',
],
'InvalidParameters': [
'string',
]
}
Response Structure
The names of the deleted parameters.
The names of parameters that weren't deleted because the parameters aren't valid.
Exceptions
SSM.Client.exceptions.InternalServerError
delete_patch_baseline
(**kwargs)¶Deletes a patch baseline.
See also: AWS API Documentation
Request Syntax
response = client.delete_patch_baseline(
BaselineId='string'
)
[REQUIRED]
The ID of the patch baseline to delete.
{
'BaselineId': 'string'
}
Response Structure
The ID of the deleted patch baseline.
Exceptions
SSM.Client.exceptions.ResourceInUseException
SSM.Client.exceptions.InternalServerError
delete_resource_data_sync
(**kwargs)¶Deletes a resource data sync configuration. After the configuration is deleted, changes to data on managed nodes are no longer synced to or from the target. Deleting a sync configuration doesn't delete data.
See also: AWS API Documentation
Request Syntax
response = client.delete_resource_data_sync(
SyncName='string',
SyncType='string'
)
[REQUIRED]
The name of the configuration to delete.
dict
Response Syntax
{}
Response Structure
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.ResourceDataSyncNotFoundException
SSM.Client.exceptions.ResourceDataSyncInvalidConfigurationException
delete_resource_policy
(**kwargs)¶Deletes a Systems Manager resource policy. A resource policy helps you to define the IAM entity (for example, an Amazon Web Services account) that can manage your Systems Manager resources. Currently, OpsItemGroup
is the only resource that supports Systems Manager resource policies. The resource policy for OpsItemGroup
enables Amazon Web Services accounts to view and interact with OpsCenter operational work items (OpsItems).
See also: AWS API Documentation
Request Syntax
response = client.delete_resource_policy(
ResourceArn='string',
PolicyId='string',
PolicyHash='string'
)
[REQUIRED]
Amazon Resource Name (ARN) of the resource to which the policies are attached.
[REQUIRED]
The policy ID.
[REQUIRED]
ID of the current policy version. The hash helps to prevent multiple calls from attempting to overwrite a policy.
dict
Response Syntax
{}
Response Structure
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.ResourcePolicyInvalidParameterException
SSM.Client.exceptions.ResourcePolicyConflictException
deregister_managed_instance
(**kwargs)¶Removes the server or virtual machine from the list of registered servers. You can reregister the node again at any time. If you don't plan to use Run Command on the server, we suggest uninstalling SSM Agent first.
See also: AWS API Documentation
Request Syntax
response = client.deregister_managed_instance(
InstanceId='string'
)
[REQUIRED]
The ID assigned to the managed node when you registered it using the activation process.
{}
Response Structure
Exceptions
SSM.Client.exceptions.InvalidInstanceId
SSM.Client.exceptions.InternalServerError
deregister_patch_baseline_for_patch_group
(**kwargs)¶Removes a patch group from a patch baseline.
See also: AWS API Documentation
Request Syntax
response = client.deregister_patch_baseline_for_patch_group(
BaselineId='string',
PatchGroup='string'
)
[REQUIRED]
The ID of the patch baseline to deregister the patch group from.
[REQUIRED]
The name of the patch group that should be deregistered from the patch baseline.
dict
Response Syntax
{
'BaselineId': 'string',
'PatchGroup': 'string'
}
Response Structure
(dict) --
BaselineId (string) --
The ID of the patch baseline the patch group was deregistered from.
PatchGroup (string) --
The name of the patch group deregistered from the patch baseline.
Exceptions
SSM.Client.exceptions.InvalidResourceId
SSM.Client.exceptions.InternalServerError
deregister_target_from_maintenance_window
(**kwargs)¶Removes a target from a maintenance window.
See also: AWS API Documentation
Request Syntax
response = client.deregister_target_from_maintenance_window(
WindowId='string',
WindowTargetId='string',
Safe=True|False
)
[REQUIRED]
The ID of the maintenance window the target should be removed from.
[REQUIRED]
The ID of the target definition to remove.
dict
Response Syntax
{
'WindowId': 'string',
'WindowTargetId': 'string'
}
Response Structure
(dict) --
WindowId (string) --
The ID of the maintenance window the target was removed from.
WindowTargetId (string) --
The ID of the removed target definition.
Exceptions
SSM.Client.exceptions.DoesNotExistException
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.TargetInUseException
deregister_task_from_maintenance_window
(**kwargs)¶Removes a task from a maintenance window.
See also: AWS API Documentation
Request Syntax
response = client.deregister_task_from_maintenance_window(
WindowId='string',
WindowTaskId='string'
)
[REQUIRED]
The ID of the maintenance window the task should be removed from.
[REQUIRED]
The ID of the task to remove from the maintenance window.
dict
Response Syntax
{
'WindowId': 'string',
'WindowTaskId': 'string'
}
Response Structure
(dict) --
WindowId (string) --
The ID of the maintenance window the task was removed from.
WindowTaskId (string) --
The ID of the task removed from the maintenance window.
Exceptions
SSM.Client.exceptions.DoesNotExistException
SSM.Client.exceptions.InternalServerError
describe_activations
(**kwargs)¶Describes details about the activation, such as the date and time the activation was created, its expiration date, the Identity and Access Management (IAM) role assigned to the managed nodes in the activation, and the number of nodes registered by using this activation.
See also: AWS API Documentation
Request Syntax
response = client.describe_activations(
Filters=[
{
'FilterKey': 'ActivationIds'|'DefaultInstanceName'|'IamRole',
'FilterValues': [
'string',
]
},
],
MaxResults=123,
NextToken='string'
)
A filter to view information about your activations.
Filter for the DescribeActivation API.
The name of the filter.
The filter values.
dict
Response Syntax
{
'ActivationList': [
{
'ActivationId': 'string',
'Description': 'string',
'DefaultInstanceName': 'string',
'IamRole': 'string',
'RegistrationLimit': 123,
'RegistrationsCount': 123,
'ExpirationDate': datetime(2015, 1, 1),
'Expired': True|False,
'CreatedDate': datetime(2015, 1, 1),
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
ActivationList (list) --
A list of activations for your Amazon Web Services account.
(dict) --
An activation registers one or more on-premises servers or virtual machines (VMs) with Amazon Web Services so that you can configure those servers or VMs using Run Command. A server or VM that has been registered with Amazon Web Services Systems Manager is called a managed node.
ActivationId (string) --
The ID created by Systems Manager when you submitted the activation.
Description (string) --
A user defined description of the activation.
DefaultInstanceName (string) --
A name for the managed node when it is created.
IamRole (string) --
The Identity and Access Management (IAM) role to assign to the managed node.
RegistrationLimit (integer) --
The maximum number of managed nodes that can be registered using this activation.
RegistrationsCount (integer) --
The number of managed nodes already registered with this activation.
ExpirationDate (datetime) --
The date when this activation can no longer be used to register managed nodes.
Expired (boolean) --
Whether or not the activation is expired.
CreatedDate (datetime) --
The date the activation was created.
Tags (list) --
Tags assigned to the activation.
(dict) --
Metadata that you assign to your Amazon Web Services resources. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. In Amazon Web Services Systems Manager, you can apply tags to Systems Manager documents (SSM documents), managed nodes, maintenance windows, parameters, patch baselines, OpsItems, and OpsMetadata.
Key (string) --
The name of the tag.
Value (string) --
The value of the tag.
NextToken (string) --
The token for the next set of items to return. Use this token to get the next set of results.
Exceptions
SSM.Client.exceptions.InvalidFilter
SSM.Client.exceptions.InvalidNextToken
SSM.Client.exceptions.InternalServerError
describe_association
(**kwargs)¶Describes the association for the specified target or managed node. If you created the association by using the Targets
parameter, then you must retrieve the association by using the association ID.
See also: AWS API Documentation
Request Syntax
response = client.describe_association(
Name='string',
InstanceId='string',
AssociationId='string',
AssociationVersion='string'
)
$LATEST
for this parameter, or omit this parameter. To view a list of all associations for a managed node, use ListAssociations. To get a list of versions for a specific association, use ListAssociationVersions.dict
Response Syntax
{
'AssociationDescription': {
'Name': 'string',
'InstanceId': 'string',
'AssociationVersion': 'string',
'Date': datetime(2015, 1, 1),
'LastUpdateAssociationDate': datetime(2015, 1, 1),
'Status': {
'Date': datetime(2015, 1, 1),
'Name': 'Pending'|'Success'|'Failed',
'Message': 'string',
'AdditionalInfo': 'string'
},
'Overview': {
'Status': 'string',
'DetailedStatus': 'string',
'AssociationStatusAggregatedCount': {
'string': 123
}
},
'DocumentVersion': 'string',
'AutomationTargetParameterName': 'string',
'Parameters': {
'string': [
'string',
]
},
'AssociationId': 'string',
'Targets': [
{
'Key': 'string',
'Values': [
'string',
]
},
],
'ScheduleExpression': 'string',
'OutputLocation': {
'S3Location': {
'OutputS3Region': 'string',
'OutputS3BucketName': 'string',
'OutputS3KeyPrefix': 'string'
}
},
'LastExecutionDate': datetime(2015, 1, 1),
'LastSuccessfulExecutionDate': datetime(2015, 1, 1),
'AssociationName': 'string',
'MaxErrors': 'string',
'MaxConcurrency': 'string',
'ComplianceSeverity': 'CRITICAL'|'HIGH'|'MEDIUM'|'LOW'|'UNSPECIFIED',
'SyncCompliance': 'AUTO'|'MANUAL',
'ApplyOnlyAtCronInterval': True|False,
'CalendarNames': [
'string',
],
'TargetLocations': [
{
'Accounts': [
'string',
],
'Regions': [
'string',
],
'TargetLocationMaxConcurrency': 'string',
'TargetLocationMaxErrors': 'string',
'ExecutionRoleName': 'string',
'TargetLocationAlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
}
},
],
'ScheduleOffset': 123,
'TargetMaps': [
{
'string': [
'string',
]
},
],
'AlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
},
'TriggeredAlarms': [
{
'Name': 'string',
'State': 'UNKNOWN'|'ALARM'
},
]
}
}
Response Structure
(dict) --
AssociationDescription (dict) --
Information about the association.
Name (string) --
The name of the SSM document.
InstanceId (string) --
The managed node ID.
AssociationVersion (string) --
The association version.
Date (datetime) --
The date when the association was made.
LastUpdateAssociationDate (datetime) --
The date when the association was last updated.
Status (dict) --
The association status.
Date (datetime) --
The date when the status changed.
Name (string) --
The status.
Message (string) --
The reason for the status.
AdditionalInfo (string) --
A user-defined string.
Overview (dict) --
Information about the association.
Status (string) --
The status of the association. Status can be: Pending, Success, or Failed.
DetailedStatus (string) --
A detailed status of the association.
AssociationStatusAggregatedCount (dict) --
Returns the number of targets for the association status. For example, if you created an association with two managed nodes, and one of them was successful, this would return the count of managed nodes by status.
DocumentVersion (string) --
The document version.
AutomationTargetParameterName (string) --
Choose the parameter that will define how your automation will branch out. This target is required for associations that use an Automation runbook and target resources by using rate controls. Automation is a capability of Amazon Web Services Systems Manager.
Parameters (dict) --
A description of the parameters for a document.
AssociationId (string) --
The association ID.
Targets (list) --
The managed nodes targeted by the request.
(dict) --
An array of search criteria that targets managed nodes using a key-value pair that you specify.
Note
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide .
Supported formats include the following.
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>
Key=tag:<my-tag-key>,Values=<my-tag-value-1>,<my-tag-value-2>
Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>
Key=resource-groups:Name,Values=<resource-group-name>
Key=resource-groups:ResourceTypeFilters,Values=<resource-type-1>,<resource-type-2>
Key=ResourceGroup;Values=<resource-group-name>
For example:
Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
Key=tag:CostCenter,Values=CostCenter1,CostCenter2,CostCenter3
Key=tag-key,Values=Name,Instance-Type,CostCenter
Key=resource-groups:Name,Values=ProductionResourceGroup
This example demonstrates how to target all resources in the resource group ProductionResourceGroup in your maintenance window.Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
This example demonstrates how to target only Amazon Elastic Compute Cloud (Amazon EC2) instances and VPCs in your maintenance window.Key=ResourceGroup,Values=MyResourceGroup
Key=InstanceIds,Values=*
This example demonstrates how to target all managed instances in the Amazon Web Services Region where the association was created.For more information about how to send commands that target managed nodes using Key,Value
parameters, see Targeting multiple instances in the Amazon Web Services Systems Manager User Guide .
Key (string) --
User-defined criteria for sending commands that target managed nodes that meet the criteria.
Values (list) --
User-defined criteria that maps to Key
. For example, if you specified tag:ServerRole
, you could specify value:WebServer
to run a command on instances that include EC2 tags of ServerRole,WebServer
.
Depending on the type of target, the maximum number of values for a key might be lower than the global maximum of 50.
ScheduleExpression (string) --
A cron expression that specifies a schedule when the association runs.
OutputLocation (dict) --
An S3 bucket where you want to store the output details of the request.
S3Location (dict) --
An S3 bucket where you want to store the results of this request.
OutputS3Region (string) --
The Amazon Web Services Region of the S3 bucket.
OutputS3BucketName (string) --
The name of the S3 bucket.
OutputS3KeyPrefix (string) --
The S3 bucket subfolder.
LastExecutionDate (datetime) --
The date on which the association was last run.
LastSuccessfulExecutionDate (datetime) --
The last date on which the association was successfully run.
AssociationName (string) --
The association name.
MaxErrors (string) --
The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 managed nodes and set MaxError
to 10%, then the system stops sending the request when the sixth error is received.
Executions that are already running an association when MaxErrors
is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set MaxConcurrency
to 1 so that executions proceed one at a time.
MaxConcurrency (string) --
The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.
If a new managed node starts and attempts to run an association while Systems Manager is running MaxConcurrency
associations, the association is allowed to run. During the next association interval, the new managed node will process its association within the limit specified for MaxConcurrency
.
ComplianceSeverity (string) --
The severity level that is assigned to the association.
SyncCompliance (string) --
The mode for generating association compliance. You can specify AUTO
or MANUAL
. In AUTO
mode, the system uses the status of the association execution to determine the compliance status. If the association execution runs successfully, then the association is COMPLIANT
. If the association execution doesn't run successfully, the association is NON-COMPLIANT
.
In MANUAL
mode, you must specify the AssociationId
as a parameter for the PutComplianceItems API operation. In this case, compliance data isn't managed by State Manager, a capability of Amazon Web Services Systems Manager. It is managed by your direct call to the PutComplianceItems API operation.
By default, all associations use AUTO
mode.
ApplyOnlyAtCronInterval (boolean) --
By default, when you create a new associations, the system runs it immediately after it is created and then according to the schedule you specified. Specify this option if you don't want an association to run immediately after you create it. This parameter isn't supported for rate expressions.
CalendarNames (list) --
The names or Amazon Resource Names (ARNs) of the Change Calendar type documents your associations are gated under. The associations only run when that change calendar is open. For more information, see Amazon Web Services Systems Manager Change Calendar.
TargetLocations (list) --
The combination of Amazon Web Services Regions and Amazon Web Services accounts where you want to run the association.
(dict) --
The combination of Amazon Web Services Regions and Amazon Web Services accounts targeted by the current Automation execution.
Accounts (list) --
The Amazon Web Services accounts targeted by the current Automation execution.
Regions (list) --
The Amazon Web Services Regions targeted by the current Automation execution.
TargetLocationMaxConcurrency (string) --
The maximum number of Amazon Web Services Regions and Amazon Web Services accounts allowed to run the Automation concurrently.
TargetLocationMaxErrors (string) --
The maximum number of errors allowed before the system stops queueing additional Automation executions for the currently running Automation.
ExecutionRoleName (string) --
The Automation execution role used by the currently running Automation. If not specified, the default value is AWS-SystemsManager-AutomationExecutionRole
.
TargetLocationAlarmConfiguration (dict) --
The details for the CloudWatch alarm you want to apply to an automation or command.
IgnorePollAlarmFailure (boolean) --
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
Alarms (list) --
The name of the CloudWatch alarm specified in the configuration.
(dict) --
A CloudWatch alarm you apply to an automation or command.
Name (string) --
The name of your CloudWatch alarm.
ScheduleOffset (integer) --
Number of days to wait after the scheduled day to run an association.
TargetMaps (list) --
A key-value mapping of document parameters to target resources. Both Targets and TargetMaps can't be specified together.
AlarmConfiguration (dict) --
The details for the CloudWatch alarm you want to apply to an automation or command.
IgnorePollAlarmFailure (boolean) --
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
Alarms (list) --
The name of the CloudWatch alarm specified in the configuration.
(dict) --
A CloudWatch alarm you apply to an automation or command.
Name (string) --
The name of your CloudWatch alarm.
TriggeredAlarms (list) --
The CloudWatch alarm that was invoked during the association.
(dict) --
The details about the state of your CloudWatch alarm.
Name (string) --
The name of your CloudWatch alarm.
State (string) --
The state of your CloudWatch alarm.
Exceptions
SSM.Client.exceptions.AssociationDoesNotExist
SSM.Client.exceptions.InvalidAssociationVersion
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidDocument
SSM.Client.exceptions.InvalidInstanceId
describe_association_execution_targets
(**kwargs)¶Views information about a specific execution of a specific association.
See also: AWS API Documentation
Request Syntax
response = client.describe_association_execution_targets(
AssociationId='string',
ExecutionId='string',
Filters=[
{
'Key': 'Status'|'ResourceId'|'ResourceType',
'Value': 'string'
},
],
MaxResults=123,
NextToken='string'
)
[REQUIRED]
The association ID that includes the execution for which you want to view details.
[REQUIRED]
The execution ID for which you want to view details.
Filters for the request. You can specify the following filters and values.
Status (EQUAL)
ResourceId (EQUAL)
ResourceType (EQUAL)
Filters for the association execution.
The key value used in the request.
The value specified for the key.
dict
Response Syntax
{
'AssociationExecutionTargets': [
{
'AssociationId': 'string',
'AssociationVersion': 'string',
'ExecutionId': 'string',
'ResourceId': 'string',
'ResourceType': 'string',
'Status': 'string',
'DetailedStatus': 'string',
'LastExecutionDate': datetime(2015, 1, 1),
'OutputSource': {
'OutputSourceId': 'string',
'OutputSourceType': 'string'
}
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
AssociationExecutionTargets (list) --
Information about the execution.
(dict) --
Includes information about the specified association execution.
AssociationId (string) --
The association ID.
AssociationVersion (string) --
The association version.
ExecutionId (string) --
The execution ID.
ResourceId (string) --
The resource ID, for example, the managed node ID where the association ran.
ResourceType (string) --
The resource type, for example, EC2.
Status (string) --
The association execution status.
DetailedStatus (string) --
Detailed information about the execution status.
LastExecutionDate (datetime) --
The date of the last execution.
OutputSource (dict) --
The location where the association details are saved.
OutputSourceId (string) --
The ID of the output source, for example the URL of an S3 bucket.
OutputSourceType (string) --
The type of source where the association execution details are stored, for example, Amazon S3.
NextToken (string) --
The token for the next set of items to return. Use this token to get the next set of results.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.AssociationDoesNotExist
SSM.Client.exceptions.InvalidNextToken
SSM.Client.exceptions.AssociationExecutionDoesNotExist
describe_association_executions
(**kwargs)¶Views all executions for a specific association ID.
See also: AWS API Documentation
Request Syntax
response = client.describe_association_executions(
AssociationId='string',
Filters=[
{
'Key': 'ExecutionId'|'Status'|'CreatedTime',
'Value': 'string',
'Type': 'EQUAL'|'LESS_THAN'|'GREATER_THAN'
},
],
MaxResults=123,
NextToken='string'
)
[REQUIRED]
The association ID for which you want to view execution history details.
Filters for the request. You can specify the following filters and values.
ExecutionId (EQUAL)
Status (EQUAL)
CreatedTime (EQUAL, GREATER_THAN, LESS_THAN)
Filters used in the request.
The key value used in the request.
The value specified for the key.
The filter type specified in the request.
dict
Response Syntax
{
'AssociationExecutions': [
{
'AssociationId': 'string',
'AssociationVersion': 'string',
'ExecutionId': 'string',
'Status': 'string',
'DetailedStatus': 'string',
'CreatedTime': datetime(2015, 1, 1),
'LastExecutionDate': datetime(2015, 1, 1),
'ResourceCountByStatus': 'string',
'AlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
},
'TriggeredAlarms': [
{
'Name': 'string',
'State': 'UNKNOWN'|'ALARM'
},
]
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
AssociationExecutions (list) --
A list of the executions for the specified association ID.
(dict) --
Includes information about the specified association.
AssociationId (string) --
The association ID.
AssociationVersion (string) --
The association version.
ExecutionId (string) --
The execution ID for the association.
Status (string) --
The status of the association execution.
DetailedStatus (string) --
Detailed status information about the execution.
CreatedTime (datetime) --
The time the execution started.
LastExecutionDate (datetime) --
The date of the last execution.
ResourceCountByStatus (string) --
An aggregate status of the resources in the execution based on the status type.
AlarmConfiguration (dict) --
The details for the CloudWatch alarm you want to apply to an automation or command.
IgnorePollAlarmFailure (boolean) --
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
Alarms (list) --
The name of the CloudWatch alarm specified in the configuration.
(dict) --
A CloudWatch alarm you apply to an automation or command.
Name (string) --
The name of your CloudWatch alarm.
TriggeredAlarms (list) --
The CloudWatch alarms that were invoked by the association.
(dict) --
The details about the state of your CloudWatch alarm.
Name (string) --
The name of your CloudWatch alarm.
State (string) --
The state of your CloudWatch alarm.
NextToken (string) --
The token for the next set of items to return. Use this token to get the next set of results.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.AssociationDoesNotExist
SSM.Client.exceptions.InvalidNextToken
describe_automation_executions
(**kwargs)¶Provides details about all active and terminated Automation executions.
See also: AWS API Documentation
Request Syntax
response = client.describe_automation_executions(
Filters=[
{
'Key': 'DocumentNamePrefix'|'ExecutionStatus'|'ExecutionId'|'ParentExecutionId'|'CurrentAction'|'StartTimeBefore'|'StartTimeAfter'|'AutomationType'|'TagKey'|'TargetResourceGroup'|'AutomationSubtype'|'OpsItemId',
'Values': [
'string',
]
},
],
MaxResults=123,
NextToken='string'
)
Filters used to limit the scope of executions that are requested.
A filter used to match specific automation executions. This is used to limit the scope of Automation execution information returned.
One or more keys to limit the results.
The values used to limit the execution information associated with the filter's key.
dict
Response Syntax
{
'AutomationExecutionMetadataList': [
{
'AutomationExecutionId': 'string',
'DocumentName': 'string',
'DocumentVersion': 'string',
'AutomationExecutionStatus': 'Pending'|'InProgress'|'Waiting'|'Success'|'TimedOut'|'Cancelling'|'Cancelled'|'Failed'|'PendingApproval'|'Approved'|'Rejected'|'Scheduled'|'RunbookInProgress'|'PendingChangeCalendarOverride'|'ChangeCalendarOverrideApproved'|'ChangeCalendarOverrideRejected'|'CompletedWithSuccess'|'CompletedWithFailure',
'ExecutionStartTime': datetime(2015, 1, 1),
'ExecutionEndTime': datetime(2015, 1, 1),
'ExecutedBy': 'string',
'LogFile': 'string',
'Outputs': {
'string': [
'string',
]
},
'Mode': 'Auto'|'Interactive',
'ParentAutomationExecutionId': 'string',
'CurrentStepName': 'string',
'CurrentAction': 'string',
'FailureMessage': 'string',
'TargetParameterName': 'string',
'Targets': [
{
'Key': 'string',
'Values': [
'string',
]
},
],
'TargetMaps': [
{
'string': [
'string',
]
},
],
'ResolvedTargets': {
'ParameterValues': [
'string',
],
'Truncated': True|False
},
'MaxConcurrency': 'string',
'MaxErrors': 'string',
'Target': 'string',
'AutomationType': 'CrossAccount'|'Local',
'AlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
},
'TriggeredAlarms': [
{
'Name': 'string',
'State': 'UNKNOWN'|'ALARM'
},
],
'AutomationSubtype': 'ChangeRequest',
'ScheduledTime': datetime(2015, 1, 1),
'Runbooks': [
{
'DocumentName': 'string',
'DocumentVersion': 'string',
'Parameters': {
'string': [
'string',
]
},
'TargetParameterName': 'string',
'Targets': [
{
'Key': 'string',
'Values': [
'string',
]
},
],
'TargetMaps': [
{
'string': [
'string',
]
},
],
'MaxConcurrency': 'string',
'MaxErrors': 'string',
'TargetLocations': [
{
'Accounts': [
'string',
],
'Regions': [
'string',
],
'TargetLocationMaxConcurrency': 'string',
'TargetLocationMaxErrors': 'string',
'ExecutionRoleName': 'string',
'TargetLocationAlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
}
},
]
},
],
'OpsItemId': 'string',
'AssociationId': 'string',
'ChangeRequestName': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
AutomationExecutionMetadataList (list) --
The list of details about each automation execution which has occurred which matches the filter specification, if any.
(dict) --
Details about a specific Automation execution.
AutomationExecutionId (string) --
The execution ID.
DocumentName (string) --
The name of the Automation runbook used during execution.
DocumentVersion (string) --
The document version used during the execution.
AutomationExecutionStatus (string) --
The status of the execution.
ExecutionStartTime (datetime) --
The time the execution started.
ExecutionEndTime (datetime) --
The time the execution finished. This isn't populated if the execution is still in progress.
ExecutedBy (string) --
The IAM role ARN of the user who ran the automation.
LogFile (string) --
An S3 bucket where execution information is stored.
Outputs (dict) --
The list of execution outputs as defined in the Automation runbook.
Mode (string) --
The Automation execution mode.
ParentAutomationExecutionId (string) --
The execution ID of the parent automation.
CurrentStepName (string) --
The name of the step that is currently running.
CurrentAction (string) --
The action of the step that is currently running.
FailureMessage (string) --
The list of execution outputs as defined in the Automation runbook.
TargetParameterName (string) --
The list of execution outputs as defined in the Automation runbook.
Targets (list) --
The targets defined by the user when starting the automation.
(dict) --
An array of search criteria that targets managed nodes using a key-value pair that you specify.
Note
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide .
Supported formats include the following.
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>
Key=tag:<my-tag-key>,Values=<my-tag-value-1>,<my-tag-value-2>
Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>
Key=resource-groups:Name,Values=<resource-group-name>
Key=resource-groups:ResourceTypeFilters,Values=<resource-type-1>,<resource-type-2>
Key=ResourceGroup;Values=<resource-group-name>
For example:
Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
Key=tag:CostCenter,Values=CostCenter1,CostCenter2,CostCenter3
Key=tag-key,Values=Name,Instance-Type,CostCenter
Key=resource-groups:Name,Values=ProductionResourceGroup
This example demonstrates how to target all resources in the resource group ProductionResourceGroup in your maintenance window.Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
This example demonstrates how to target only Amazon Elastic Compute Cloud (Amazon EC2) instances and VPCs in your maintenance window.Key=ResourceGroup,Values=MyResourceGroup
Key=InstanceIds,Values=*
This example demonstrates how to target all managed instances in the Amazon Web Services Region where the association was created.For more information about how to send commands that target managed nodes using Key,Value
parameters, see Targeting multiple instances in the Amazon Web Services Systems Manager User Guide .
Key (string) --
User-defined criteria for sending commands that target managed nodes that meet the criteria.
Values (list) --
User-defined criteria that maps to Key
. For example, if you specified tag:ServerRole
, you could specify value:WebServer
to run a command on instances that include EC2 tags of ServerRole,WebServer
.
Depending on the type of target, the maximum number of values for a key might be lower than the global maximum of 50.
TargetMaps (list) --
The specified key-value mapping of document parameters to target resources.
ResolvedTargets (dict) --
A list of targets that resolved during the execution.
ParameterValues (list) --
A list of parameter values sent to targets that resolved during the Automation execution.
Truncated (boolean) --
A boolean value indicating whether the resolved target list is truncated.
MaxConcurrency (string) --
The MaxConcurrency
value specified by the user when starting the automation.
MaxErrors (string) --
The MaxErrors
value specified by the user when starting the automation.
Target (string) --
The list of execution outputs as defined in the Automation runbook.
AutomationType (string) --
Use this filter with DescribeAutomationExecutions. Specify either Local or CrossAccount. CrossAccount is an Automation that runs in multiple Amazon Web Services Regions and Amazon Web Services accounts. For more information, see Running Automation workflows in multiple Amazon Web Services Regions and accounts in the Amazon Web Services Systems Manager User Guide .
AlarmConfiguration (dict) --
The details for the CloudWatch alarm applied to your automation.
IgnorePollAlarmFailure (boolean) --
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
Alarms (list) --
The name of the CloudWatch alarm specified in the configuration.
(dict) --
A CloudWatch alarm you apply to an automation or command.
Name (string) --
The name of your CloudWatch alarm.
TriggeredAlarms (list) --
The CloudWatch alarm that was invoked by the automation.
(dict) --
The details about the state of your CloudWatch alarm.
Name (string) --
The name of your CloudWatch alarm.
State (string) --
The state of your CloudWatch alarm.
AutomationSubtype (string) --
The subtype of the Automation operation. Currently, the only supported value is ChangeRequest
.
ScheduledTime (datetime) --
The date and time the Automation operation is scheduled to start.
Runbooks (list) --
Information about the Automation runbooks that are run during a runbook workflow in Change Manager.
Note
The Automation runbooks specified for the runbook workflow can't run until all required approvals for the change request have been received.
(dict) --
Information about an Automation runbook used in a runbook workflow in Change Manager.
Note
The Automation runbooks specified for the runbook workflow can't run until all required approvals for the change request have been received.
DocumentName (string) --
The name of the Automation runbook used in a runbook workflow.
DocumentVersion (string) --
The version of the Automation runbook used in a runbook workflow.
Parameters (dict) --
The key-value map of execution parameters, which were supplied when calling StartChangeRequestExecution
.
TargetParameterName (string) --
The name of the parameter used as the target resource for the rate-controlled runbook workflow. Required if you specify Targets
.
Targets (list) --
A key-value mapping to target resources that the runbook operation performs tasks on. Required if you specify TargetParameterName
.
(dict) --
An array of search criteria that targets managed nodes using a key-value pair that you specify.
Note
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide .
Supported formats include the following.
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>
Key=tag:<my-tag-key>,Values=<my-tag-value-1>,<my-tag-value-2>
Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>
Key=resource-groups:Name,Values=<resource-group-name>
Key=resource-groups:ResourceTypeFilters,Values=<resource-type-1>,<resource-type-2>
Key=ResourceGroup;Values=<resource-group-name>
For example:
Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
Key=tag:CostCenter,Values=CostCenter1,CostCenter2,CostCenter3
Key=tag-key,Values=Name,Instance-Type,CostCenter
Key=resource-groups:Name,Values=ProductionResourceGroup
This example demonstrates how to target all resources in the resource group ProductionResourceGroup in your maintenance window.Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
This example demonstrates how to target only Amazon Elastic Compute Cloud (Amazon EC2) instances and VPCs in your maintenance window.Key=ResourceGroup,Values=MyResourceGroup
Key=InstanceIds,Values=*
This example demonstrates how to target all managed instances in the Amazon Web Services Region where the association was created.For more information about how to send commands that target managed nodes using Key,Value
parameters, see Targeting multiple instances in the Amazon Web Services Systems Manager User Guide .
Key (string) --
User-defined criteria for sending commands that target managed nodes that meet the criteria.
Values (list) --
User-defined criteria that maps to Key
. For example, if you specified tag:ServerRole
, you could specify value:WebServer
to run a command on instances that include EC2 tags of ServerRole,WebServer
.
Depending on the type of target, the maximum number of values for a key might be lower than the global maximum of 50.
TargetMaps (list) --
A key-value mapping of runbook parameters to target resources. Both Targets and TargetMaps can't be specified together.
MaxConcurrency (string) --
The MaxConcurrency
value specified by the user when the operation started, indicating the maximum number of resources that the runbook operation can run on at the same time.
MaxErrors (string) --
The MaxErrors
value specified by the user when the execution started, indicating the maximum number of errors that can occur during the operation before the updates are stopped or rolled back.
TargetLocations (list) --
Information about the Amazon Web Services Regions and Amazon Web Services accounts targeted by the current Runbook operation.
(dict) --
The combination of Amazon Web Services Regions and Amazon Web Services accounts targeted by the current Automation execution.
Accounts (list) --
The Amazon Web Services accounts targeted by the current Automation execution.
Regions (list) --
The Amazon Web Services Regions targeted by the current Automation execution.
TargetLocationMaxConcurrency (string) --
The maximum number of Amazon Web Services Regions and Amazon Web Services accounts allowed to run the Automation concurrently.
TargetLocationMaxErrors (string) --
The maximum number of errors allowed before the system stops queueing additional Automation executions for the currently running Automation.
ExecutionRoleName (string) --
The Automation execution role used by the currently running Automation. If not specified, the default value is AWS-SystemsManager-AutomationExecutionRole
.
TargetLocationAlarmConfiguration (dict) --
The details for the CloudWatch alarm you want to apply to an automation or command.
IgnorePollAlarmFailure (boolean) --
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
Alarms (list) --
The name of the CloudWatch alarm specified in the configuration.
(dict) --
A CloudWatch alarm you apply to an automation or command.
Name (string) --
The name of your CloudWatch alarm.
OpsItemId (string) --
The ID of an OpsItem that is created to represent a Change Manager change request.
AssociationId (string) --
The ID of a State Manager association used in the Automation operation.
ChangeRequestName (string) --
The name of the Change Manager change request.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Exceptions
SSM.Client.exceptions.InvalidFilterKey
SSM.Client.exceptions.InvalidFilterValue
SSM.Client.exceptions.InvalidNextToken
SSM.Client.exceptions.InternalServerError
describe_automation_step_executions
(**kwargs)¶Information about all active and terminated step executions in an Automation workflow.
See also: AWS API Documentation
Request Syntax
response = client.describe_automation_step_executions(
AutomationExecutionId='string',
Filters=[
{
'Key': 'StartTimeBefore'|'StartTimeAfter'|'StepExecutionStatus'|'StepExecutionId'|'StepName'|'Action',
'Values': [
'string',
]
},
],
NextToken='string',
MaxResults=123,
ReverseOrder=True|False
)
[REQUIRED]
The Automation execution ID for which you want step execution descriptions.
One or more filters to limit the number of step executions returned by the request.
A filter to limit the amount of step execution information returned by the call.
One or more keys to limit the results. Valid filter keys include the following: StepName, Action, StepExecutionId, StepExecutionStatus, StartTimeBefore, StartTimeAfter.
The values of the filter key.
dict
Response Syntax
{
'StepExecutions': [
{
'StepName': 'string',
'Action': 'string',
'TimeoutSeconds': 123,
'OnFailure': 'string',
'MaxAttempts': 123,
'ExecutionStartTime': datetime(2015, 1, 1),
'ExecutionEndTime': datetime(2015, 1, 1),
'StepStatus': 'Pending'|'InProgress'|'Waiting'|'Success'|'TimedOut'|'Cancelling'|'Cancelled'|'Failed'|'PendingApproval'|'Approved'|'Rejected'|'Scheduled'|'RunbookInProgress'|'PendingChangeCalendarOverride'|'ChangeCalendarOverrideApproved'|'ChangeCalendarOverrideRejected'|'CompletedWithSuccess'|'CompletedWithFailure',
'ResponseCode': 'string',
'Inputs': {
'string': 'string'
},
'Outputs': {
'string': [
'string',
]
},
'Response': 'string',
'FailureMessage': 'string',
'FailureDetails': {
'FailureStage': 'string',
'FailureType': 'string',
'Details': {
'string': [
'string',
]
}
},
'StepExecutionId': 'string',
'OverriddenParameters': {
'string': [
'string',
]
},
'IsEnd': True|False,
'NextStep': 'string',
'IsCritical': True|False,
'ValidNextSteps': [
'string',
],
'Targets': [
{
'Key': 'string',
'Values': [
'string',
]
},
],
'TargetLocation': {
'Accounts': [
'string',
],
'Regions': [
'string',
],
'TargetLocationMaxConcurrency': 'string',
'TargetLocationMaxErrors': 'string',
'ExecutionRoleName': 'string',
'TargetLocationAlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
}
},
'TriggeredAlarms': [
{
'Name': 'string',
'State': 'UNKNOWN'|'ALARM'
},
]
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
StepExecutions (list) --
A list of details about the current state of all steps that make up an execution.
(dict) --
Detailed information about an the execution state of an Automation step.
StepName (string) --
The name of this execution step.
Action (string) --
The action this step performs. The action determines the behavior of the step.
TimeoutSeconds (integer) --
The timeout seconds of the step.
OnFailure (string) --
The action to take if the step fails. The default value is Abort
.
MaxAttempts (integer) --
The maximum number of tries to run the action of the step. The default value is 1
.
ExecutionStartTime (datetime) --
If a step has begun execution, this contains the time the step started. If the step is in Pending status, this field isn't populated.
ExecutionEndTime (datetime) --
If a step has finished execution, this contains the time the execution ended. If the step hasn't yet concluded, this field isn't populated.
StepStatus (string) --
The execution status for this step.
ResponseCode (string) --
The response code returned by the execution of the step.
Inputs (dict) --
Fully-resolved values passed into the step before execution.
Outputs (dict) --
Returned values from the execution of the step.
Response (string) --
A message associated with the response code for an execution.
FailureMessage (string) --
If a step failed, this message explains why the execution failed.
FailureDetails (dict) --
Information about the Automation failure.
FailureStage (string) --
The stage of the Automation execution when the failure occurred. The stages include the following: InputValidation, PreVerification, Invocation, PostVerification.
FailureType (string) --
The type of Automation failure. Failure types include the following: Action, Permission, Throttling, Verification, Internal.
Details (dict) --
Detailed information about the Automation step failure.
StepExecutionId (string) --
The unique ID of a step execution.
OverriddenParameters (dict) --
A user-specified list of parameters to override when running a step.
IsEnd (boolean) --
The flag which can be used to end automation no matter whether the step succeeds or fails.
NextStep (string) --
The next step after the step succeeds.
IsCritical (boolean) --
The flag which can be used to help decide whether the failure of current step leads to the Automation failure.
ValidNextSteps (list) --
Strategies used when step fails, we support Continue and Abort. Abort will fail the automation when the step fails. Continue will ignore the failure of current step and allow automation to run the next step. With conditional branching, we add step:stepName to support the automation to go to another specific step.
Targets (list) --
The targets for the step execution.
(dict) --
An array of search criteria that targets managed nodes using a key-value pair that you specify.
Note
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide .
Supported formats include the following.
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>
Key=tag:<my-tag-key>,Values=<my-tag-value-1>,<my-tag-value-2>
Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>
Key=resource-groups:Name,Values=<resource-group-name>
Key=resource-groups:ResourceTypeFilters,Values=<resource-type-1>,<resource-type-2>
Key=ResourceGroup;Values=<resource-group-name>
For example:
Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
Key=tag:CostCenter,Values=CostCenter1,CostCenter2,CostCenter3
Key=tag-key,Values=Name,Instance-Type,CostCenter
Key=resource-groups:Name,Values=ProductionResourceGroup
This example demonstrates how to target all resources in the resource group ProductionResourceGroup in your maintenance window.Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
This example demonstrates how to target only Amazon Elastic Compute Cloud (Amazon EC2) instances and VPCs in your maintenance window.Key=ResourceGroup,Values=MyResourceGroup
Key=InstanceIds,Values=*
This example demonstrates how to target all managed instances in the Amazon Web Services Region where the association was created.For more information about how to send commands that target managed nodes using Key,Value
parameters, see Targeting multiple instances in the Amazon Web Services Systems Manager User Guide .
Key (string) --
User-defined criteria for sending commands that target managed nodes that meet the criteria.
Values (list) --
User-defined criteria that maps to Key
. For example, if you specified tag:ServerRole
, you could specify value:WebServer
to run a command on instances that include EC2 tags of ServerRole,WebServer
.
Depending on the type of target, the maximum number of values for a key might be lower than the global maximum of 50.
TargetLocation (dict) --
The combination of Amazon Web Services Regions and Amazon Web Services accounts targeted by the current Automation execution.
Accounts (list) --
The Amazon Web Services accounts targeted by the current Automation execution.
Regions (list) --
The Amazon Web Services Regions targeted by the current Automation execution.
TargetLocationMaxConcurrency (string) --
The maximum number of Amazon Web Services Regions and Amazon Web Services accounts allowed to run the Automation concurrently.
TargetLocationMaxErrors (string) --
The maximum number of errors allowed before the system stops queueing additional Automation executions for the currently running Automation.
ExecutionRoleName (string) --
The Automation execution role used by the currently running Automation. If not specified, the default value is AWS-SystemsManager-AutomationExecutionRole
.
TargetLocationAlarmConfiguration (dict) --
The details for the CloudWatch alarm you want to apply to an automation or command.
IgnorePollAlarmFailure (boolean) --
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
Alarms (list) --
The name of the CloudWatch alarm specified in the configuration.
(dict) --
A CloudWatch alarm you apply to an automation or command.
Name (string) --
The name of your CloudWatch alarm.
TriggeredAlarms (list) --
The CloudWatch alarms that were invoked by the automation.
(dict) --
The details about the state of your CloudWatch alarm.
Name (string) --
The name of your CloudWatch alarm.
State (string) --
The state of your CloudWatch alarm.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Exceptions
SSM.Client.exceptions.AutomationExecutionNotFoundException
SSM.Client.exceptions.InvalidNextToken
SSM.Client.exceptions.InvalidFilterKey
SSM.Client.exceptions.InvalidFilterValue
SSM.Client.exceptions.InternalServerError
describe_available_patches
(**kwargs)¶Lists all patches eligible to be included in a patch baseline.
See also: AWS API Documentation
Request Syntax
response = client.describe_available_patches(
Filters=[
{
'Key': 'string',
'Values': [
'string',
]
},
],
MaxResults=123,
NextToken='string'
)
Each element in the array is a structure containing a key-value pair.
Windows Server
Supported keys for Windows Server managed node patches include the following:
PATCH_SET
Sample values: OS
| APPLICATION
PRODUCT
Sample values: WindowsServer2012
| Office 2010
| MicrosoftDefenderAntivirus
PRODUCT_FAMILY
Sample values: Windows
| Office
MSRC_SEVERITY
Sample values: ServicePacks
| Important
| Moderate
CLASSIFICATION
Sample values: ServicePacks
| SecurityUpdates
| DefinitionUpdates
PATCH_ID
Sample values: KB123456
| KB4516046
Linux
Warning
When specifying filters for Linux patches, you must specify a key-pair for PRODUCT
. For example, using the Command Line Interface (CLI), the following command fails:
aws ssm describe-available-patches --filters Key=CVE_ID,Values=CVE-2018-3615
However, the following command succeeds:
aws ssm describe-available-patches --filters Key=PRODUCT,Values=AmazonLinux2018.03 Key=CVE_ID,Values=CVE-2018-3615
Supported keys for Linux managed node patches include the following:
PRODUCT
Sample values: AmazonLinux2018.03
| AmazonLinux2.0
NAME
Sample values: kernel-headers
| samba-python
| php
SEVERITY
Sample values: Critical
| Important
| Medium
| Low
EPOCH
Sample values: 0
| 1
VERSION
Sample values: 78.6.1
| 4.10.16
RELEASE
Sample values: 9.56.amzn1
| 1.amzn2
ARCH
Sample values: i686
| x86_64
REPOSITORY
Sample values: Core
| Updates
ADVISORY_ID
Sample values: ALAS-2018-1058
| ALAS2-2021-1594
CVE_ID
Sample values: CVE-2018-3615
| CVE-2020-1472
BUGZILLA_ID
Sample values: 1463241
Defines a filter used in Patch Manager APIs. Supported filter keys depend on the API operation that includes the filter. Patch Manager API operations that use PatchOrchestratorFilter
include the following:
The key for the filter.
The value for the filter.
dict
Response Syntax
{
'Patches': [
{
'Id': 'string',
'ReleaseDate': datetime(2015, 1, 1),
'Title': 'string',
'Description': 'string',
'ContentUrl': 'string',
'Vendor': 'string',
'ProductFamily': 'string',
'Product': 'string',
'Classification': 'string',
'MsrcSeverity': 'string',
'KbNumber': 'string',
'MsrcNumber': 'string',
'Language': 'string',
'AdvisoryIds': [
'string',
],
'BugzillaIds': [
'string',
],
'CVEIds': [
'string',
],
'Name': 'string',
'Epoch': 123,
'Version': 'string',
'Release': 'string',
'Arch': 'string',
'Severity': 'string',
'Repository': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Patches (list) --
An array of patches. Each entry in the array is a patch structure.
(dict) --
Represents metadata about a patch.
Id (string) --
The ID of the patch. Applies to Windows patches only.
Note
This ID isn't the same as the Microsoft Knowledge Base ID.
ReleaseDate (datetime) --
The date the patch was released.
Title (string) --
The title of the patch.
Description (string) --
The description of the patch.
ContentUrl (string) --
The URL where more information can be obtained about the patch.
Vendor (string) --
The name of the vendor providing the patch.
ProductFamily (string) --
The product family the patch is applicable for. For example, Windows
or Amazon Linux 2
.
Product (string) --
The specific product the patch is applicable for. For example, WindowsServer2016
or AmazonLinux2018.03
.
Classification (string) --
The classification of the patch. For example, SecurityUpdates
, Updates
, or CriticalUpdates
.
MsrcSeverity (string) --
The severity of the patch, such as Critical
, Important
, or Moderate
. Applies to Windows patches only.
KbNumber (string) --
The Microsoft Knowledge Base ID of the patch. Applies to Windows patches only.
MsrcNumber (string) --
The ID of the Microsoft Security Response Center (MSRC) bulletin the patch is related to. For example, MS14-045
. Applies to Windows patches only.
Language (string) --
The language of the patch if it's language-specific.
AdvisoryIds (list) --
The Advisory ID of the patch. For example, RHSA-2020:3779
. Applies to Linux-based managed nodes only.
BugzillaIds (list) --
The Bugzilla ID of the patch. For example, 1600646
. Applies to Linux-based managed nodes only.
CVEIds (list) --
The Common Vulnerabilities and Exposures (CVE) ID of the patch. For example, CVE-2011-3192
. Applies to Linux-based managed nodes only.
Name (string) --
The name of the patch. Applies to Linux-based managed nodes only.
Epoch (integer) --
The epoch of the patch. For example in pkg-example-EE-20180914-2.2.amzn1.noarch
, the epoch value is 20180914-2
. Applies to Linux-based managed nodes only.
Version (string) --
The version number of the patch. For example, in example-pkg-1.710.10-2.7.abcd.x86_64
, the version number is indicated by -1
. Applies to Linux-based managed nodes only.
Release (string) --
The particular release of a patch. For example, in pkg-example-EE-20180914-2.2.amzn1.noarch
, the release is 2.amaz1
. Applies to Linux-based managed nodes only.
Arch (string) --
The architecture of the patch. For example, in example-pkg-0.710.10-2.7.abcd.x86_64
, the architecture is indicated by x86_64
. Applies to Linux-based managed nodes only.
Severity (string) --
The severity level of the patch. For example, CRITICAL
or MODERATE
.
Repository (string) --
The source patch repository for the operating system and version, such as trusty-security
for Ubuntu Server 14.04 LTE and focal-security
for Ubuntu Server 20.04 LTE. Applies to Linux-based managed nodes only.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Exceptions
SSM.Client.exceptions.InternalServerError
describe_document
(**kwargs)¶Describes the specified Amazon Web Services Systems Manager document (SSM document).
See also: AWS API Documentation
Request Syntax
response = client.describe_document(
Name='string',
DocumentVersion='string',
VersionName='string'
)
[REQUIRED]
The name of the SSM document.
dict
Response Syntax
{
'Document': {
'Sha1': 'string',
'Hash': 'string',
'HashType': 'Sha256'|'Sha1',
'Name': 'string',
'DisplayName': 'string',
'VersionName': 'string',
'Owner': 'string',
'CreatedDate': datetime(2015, 1, 1),
'Status': 'Creating'|'Active'|'Updating'|'Deleting'|'Failed',
'StatusInformation': 'string',
'DocumentVersion': 'string',
'Description': 'string',
'Parameters': [
{
'Name': 'string',
'Type': 'String'|'StringList',
'Description': 'string',
'DefaultValue': 'string'
},
],
'PlatformTypes': [
'Windows'|'Linux'|'MacOS',
],
'DocumentType': 'Command'|'Policy'|'Automation'|'Session'|'Package'|'ApplicationConfiguration'|'ApplicationConfigurationSchema'|'DeploymentStrategy'|'ChangeCalendar'|'Automation.ChangeTemplate'|'ProblemAnalysis'|'ProblemAnalysisTemplate'|'CloudFormation'|'ConformancePackTemplate',
'SchemaVersion': 'string',
'LatestVersion': 'string',
'DefaultVersion': 'string',
'DocumentFormat': 'YAML'|'JSON'|'TEXT',
'TargetType': 'string',
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'AttachmentsInformation': [
{
'Name': 'string'
},
],
'Requires': [
{
'Name': 'string',
'Version': 'string'
},
],
'Author': 'string',
'ReviewInformation': [
{
'ReviewedTime': datetime(2015, 1, 1),
'Status': 'APPROVED'|'NOT_REVIEWED'|'PENDING'|'REJECTED',
'Reviewer': 'string'
},
],
'ApprovedVersion': 'string',
'PendingReviewVersion': 'string',
'ReviewStatus': 'APPROVED'|'NOT_REVIEWED'|'PENDING'|'REJECTED',
'Category': [
'string',
],
'CategoryEnum': [
'string',
]
}
}
Response Structure
(dict) --
Document (dict) --
Information about the SSM document.
Sha1 (string) --
The SHA1 hash of the document, which you can use for verification.
Hash (string) --
The Sha256 or Sha1 hash created by the system when the document was created.
Note
Sha1 hashes have been deprecated.
HashType (string) --
The hash type of the document. Valid values include Sha256
or Sha1
.
Note
Sha1 hashes have been deprecated.
Name (string) --
The name of the SSM document.
DisplayName (string) --
The friendly name of the SSM document. This value can differ for each version of the document. If you want to update this value, see UpdateDocument.
VersionName (string) --
The version of the artifact associated with the document.
Owner (string) --
The Amazon Web Services user account that created the document.
CreatedDate (datetime) --
The date when the document was created.
Status (string) --
The status of the SSM document.
StatusInformation (string) --
A message returned by Amazon Web Services Systems Manager that explains the Status
value. For example, a Failed
status might be explained by the StatusInformation
message, "The specified S3 bucket doesn't exist. Verify that the URL of the S3 bucket is correct."
DocumentVersion (string) --
The document version.
Description (string) --
A description of the document.
Parameters (list) --
A description of the parameters for a document.
(dict) --
Parameters specified in a System Manager document that run on the server when the command is run.
Name (string) --
The name of the parameter.
Type (string) --
The type of parameter. The type can be either String or StringList.
Description (string) --
A description of what the parameter does, how to use it, the default value, and whether or not the parameter is optional.
DefaultValue (string) --
If specified, the default values for the parameters. Parameters without a default value are required. Parameters with a default value are optional.
PlatformTypes (list) --
The list of operating system (OS) platforms compatible with this SSM document.
DocumentType (string) --
The type of document.
SchemaVersion (string) --
The schema version.
LatestVersion (string) --
The latest version of the document.
DefaultVersion (string) --
The default version.
DocumentFormat (string) --
The document format, either JSON or YAML.
TargetType (string) --
The target type which defines the kinds of resources the document can run on. For example, /AWS::EC2::Instance
. For a list of valid resource types, see Amazon Web Services resource and property types reference in the CloudFormation User Guide .
Tags (list) --
The tags, or metadata, that have been applied to the document.
(dict) --
Metadata that you assign to your Amazon Web Services resources. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. In Amazon Web Services Systems Manager, you can apply tags to Systems Manager documents (SSM documents), managed nodes, maintenance windows, parameters, patch baselines, OpsItems, and OpsMetadata.
Key (string) --
The name of the tag.
Value (string) --
The value of the tag.
AttachmentsInformation (list) --
Details about the document attachments, including names, locations, sizes, and so on.
(dict) --
An attribute of an attachment, such as the attachment name.
Name (string) --
The name of the attachment.
Requires (list) --
A list of SSM documents required by a document. For example, an ApplicationConfiguration
document requires an ApplicationConfigurationSchema
document.
(dict) --
An SSM document required by the current document.
Name (string) --
The name of the required SSM document. The name can be an Amazon Resource Name (ARN).
Version (string) --
The document version required by the current document.
Author (string) --
The user in your organization who created the document.
ReviewInformation (list) --
Details about the review of a document.
(dict) --
Information about the result of a document review request.
ReviewedTime (datetime) --
The time that the reviewer took action on the document review request.
Status (string) --
The current status of the document review request.
Reviewer (string) --
The reviewer assigned to take action on the document review request.
ApprovedVersion (string) --
The version of the document currently approved for use in the organization.
PendingReviewVersion (string) --
The version of the document that is currently under review.
ReviewStatus (string) --
The current status of the review.
Category (list) --
The classification of a document to help you identify and categorize its use.
CategoryEnum (list) --
The value that identifies a document's category.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidDocument
SSM.Client.exceptions.InvalidDocumentVersion
describe_document_permission
(**kwargs)¶Describes the permissions for a Amazon Web Services Systems Manager document (SSM document). If you created the document, you are the owner. If a document is shared, it can either be shared privately (by specifying a user's Amazon Web Services account ID) or publicly (All ).
See also: AWS API Documentation
Request Syntax
response = client.describe_document_permission(
Name='string',
PermissionType='Share',
MaxResults=123,
NextToken='string'
)
[REQUIRED]
The name of the document for which you are the owner.
[REQUIRED]
The permission type for the document. The permission type can be Share .
dict
Response Syntax
{
'AccountIds': [
'string',
],
'AccountSharingInfoList': [
{
'AccountId': 'string',
'SharedDocumentVersion': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
AccountIds (list) --
The account IDs that have permission to use this document. The ID can be either an Amazon Web Services account or All .
AccountSharingInfoList (list) --
A list of Amazon Web Services accounts where the current document is shared and the version shared with each account.
(dict) --
Information includes the Amazon Web Services account ID where the current document is shared and the version shared with that account.
AccountId (string) --
The Amazon Web Services account ID where the current document is shared.
SharedDocumentVersion (string) --
The version of the current document shared with the account.
NextToken (string) --
The token for the next set of items to return. Use this token to get the next set of results.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidDocument
SSM.Client.exceptions.InvalidNextToken
SSM.Client.exceptions.InvalidPermissionType
SSM.Client.exceptions.InvalidDocumentOperation
describe_effective_instance_associations
(**kwargs)¶All associations for the managed node(s).
See also: AWS API Documentation
Request Syntax
response = client.describe_effective_instance_associations(
InstanceId='string',
MaxResults=123,
NextToken='string'
)
[REQUIRED]
The managed node ID for which you want to view all associations.
dict
Response Syntax
{
'Associations': [
{
'AssociationId': 'string',
'InstanceId': 'string',
'Content': 'string',
'AssociationVersion': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Associations (list) --
The associations for the requested managed node.
(dict) --
One or more association documents on the managed node.
AssociationId (string) --
The association ID.
InstanceId (string) --
The managed node ID.
Content (string) --
The content of the association document for the managed node(s).
AssociationVersion (string) --
Version information for the association on the managed node.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidInstanceId
SSM.Client.exceptions.InvalidNextToken
describe_effective_patches_for_patch_baseline
(**kwargs)¶Retrieves the current effective patches (the patch and the approval state) for the specified patch baseline. Applies to patch baselines for Windows only.
See also: AWS API Documentation
Request Syntax
response = client.describe_effective_patches_for_patch_baseline(
BaselineId='string',
MaxResults=123,
NextToken='string'
)
[REQUIRED]
The ID of the patch baseline to retrieve the effective patches for.
dict
Response Syntax
{
'EffectivePatches': [
{
'Patch': {
'Id': 'string',
'ReleaseDate': datetime(2015, 1, 1),
'Title': 'string',
'Description': 'string',
'ContentUrl': 'string',
'Vendor': 'string',
'ProductFamily': 'string',
'Product': 'string',
'Classification': 'string',
'MsrcSeverity': 'string',
'KbNumber': 'string',
'MsrcNumber': 'string',
'Language': 'string',
'AdvisoryIds': [
'string',
],
'BugzillaIds': [
'string',
],
'CVEIds': [
'string',
],
'Name': 'string',
'Epoch': 123,
'Version': 'string',
'Release': 'string',
'Arch': 'string',
'Severity': 'string',
'Repository': 'string'
},
'PatchStatus': {
'DeploymentStatus': 'APPROVED'|'PENDING_APPROVAL'|'EXPLICIT_APPROVED'|'EXPLICIT_REJECTED',
'ComplianceLevel': 'CRITICAL'|'HIGH'|'MEDIUM'|'LOW'|'INFORMATIONAL'|'UNSPECIFIED',
'ApprovalDate': datetime(2015, 1, 1)
}
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
EffectivePatches (list) --
An array of patches and patch status.
(dict) --
The EffectivePatch
structure defines metadata about a patch along with the approval state of the patch in a particular patch baseline. The approval state includes information about whether the patch is currently approved, due to be approved by a rule, explicitly approved, or explicitly rejected and the date the patch was or will be approved.
Patch (dict) --
Provides metadata for a patch, including information such as the KB ID, severity, classification and a URL for where more information can be obtained about the patch.
Id (string) --
The ID of the patch. Applies to Windows patches only.
Note
This ID isn't the same as the Microsoft Knowledge Base ID.
ReleaseDate (datetime) --
The date the patch was released.
Title (string) --
The title of the patch.
Description (string) --
The description of the patch.
ContentUrl (string) --
The URL where more information can be obtained about the patch.
Vendor (string) --
The name of the vendor providing the patch.
ProductFamily (string) --
The product family the patch is applicable for. For example, Windows
or Amazon Linux 2
.
Product (string) --
The specific product the patch is applicable for. For example, WindowsServer2016
or AmazonLinux2018.03
.
Classification (string) --
The classification of the patch. For example, SecurityUpdates
, Updates
, or CriticalUpdates
.
MsrcSeverity (string) --
The severity of the patch, such as Critical
, Important
, or Moderate
. Applies to Windows patches only.
KbNumber (string) --
The Microsoft Knowledge Base ID of the patch. Applies to Windows patches only.
MsrcNumber (string) --
The ID of the Microsoft Security Response Center (MSRC) bulletin the patch is related to. For example, MS14-045
. Applies to Windows patches only.
Language (string) --
The language of the patch if it's language-specific.
AdvisoryIds (list) --
The Advisory ID of the patch. For example, RHSA-2020:3779
. Applies to Linux-based managed nodes only.
BugzillaIds (list) --
The Bugzilla ID of the patch. For example, 1600646
. Applies to Linux-based managed nodes only.
CVEIds (list) --
The Common Vulnerabilities and Exposures (CVE) ID of the patch. For example, CVE-2011-3192
. Applies to Linux-based managed nodes only.
Name (string) --
The name of the patch. Applies to Linux-based managed nodes only.
Epoch (integer) --
The epoch of the patch. For example in pkg-example-EE-20180914-2.2.amzn1.noarch
, the epoch value is 20180914-2
. Applies to Linux-based managed nodes only.
Version (string) --
The version number of the patch. For example, in example-pkg-1.710.10-2.7.abcd.x86_64
, the version number is indicated by -1
. Applies to Linux-based managed nodes only.
Release (string) --
The particular release of a patch. For example, in pkg-example-EE-20180914-2.2.amzn1.noarch
, the release is 2.amaz1
. Applies to Linux-based managed nodes only.
Arch (string) --
The architecture of the patch. For example, in example-pkg-0.710.10-2.7.abcd.x86_64
, the architecture is indicated by x86_64
. Applies to Linux-based managed nodes only.
Severity (string) --
The severity level of the patch. For example, CRITICAL
or MODERATE
.
Repository (string) --
The source patch repository for the operating system and version, such as trusty-security
for Ubuntu Server 14.04 LTE and focal-security
for Ubuntu Server 20.04 LTE. Applies to Linux-based managed nodes only.
PatchStatus (dict) --
The status of the patch in a patch baseline. This includes information about whether the patch is currently approved, due to be approved by a rule, explicitly approved, or explicitly rejected and the date the patch was or will be approved.
DeploymentStatus (string) --
The approval status of a patch.
ComplianceLevel (string) --
The compliance severity level for a patch.
ApprovalDate (datetime) --
The date the patch was approved (or will be approved if the status is PENDING_APPROVAL
).
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Exceptions
SSM.Client.exceptions.InvalidResourceId
SSM.Client.exceptions.DoesNotExistException
SSM.Client.exceptions.UnsupportedOperatingSystem
SSM.Client.exceptions.InternalServerError
describe_instance_associations_status
(**kwargs)¶The status of the associations for the managed node(s).
See also: AWS API Documentation
Request Syntax
response = client.describe_instance_associations_status(
InstanceId='string',
MaxResults=123,
NextToken='string'
)
[REQUIRED]
The managed node IDs for which you want association status information.
dict
Response Syntax
{
'InstanceAssociationStatusInfos': [
{
'AssociationId': 'string',
'Name': 'string',
'DocumentVersion': 'string',
'AssociationVersion': 'string',
'InstanceId': 'string',
'ExecutionDate': datetime(2015, 1, 1),
'Status': 'string',
'DetailedStatus': 'string',
'ExecutionSummary': 'string',
'ErrorCode': 'string',
'OutputUrl': {
'S3OutputUrl': {
'OutputUrl': 'string'
}
},
'AssociationName': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
InstanceAssociationStatusInfos (list) --
Status information about the association.
(dict) --
Status information about the association.
AssociationId (string) --
The association ID.
Name (string) --
The name of the association.
DocumentVersion (string) --
The association document versions.
AssociationVersion (string) --
The version of the association applied to the managed node.
InstanceId (string) --
The managed node ID where the association was created.
ExecutionDate (datetime) --
The date the association ran.
Status (string) --
Status information about the association.
DetailedStatus (string) --
Detailed status information about the association.
ExecutionSummary (string) --
Summary information about association execution.
ErrorCode (string) --
An error code returned by the request to create the association.
OutputUrl (dict) --
A URL for an S3 bucket where you want to store the results of this request.
S3OutputUrl (dict) --
The URL of S3 bucket where you want to store the results of this request.
OutputUrl (string) --
A URL for an S3 bucket where you want to store the results of this request.
AssociationName (string) --
The name of the association applied to the managed node.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidInstanceId
SSM.Client.exceptions.InvalidNextToken
describe_instance_information
(**kwargs)¶Describes one or more of your managed nodes, including information about the operating system platform, the version of SSM Agent installed on the managed node, node status, and so on.
If you specify one or more managed node IDs, it returns information for those managed nodes. If you don't specify node IDs, it returns information for all your managed nodes. If you specify a node ID that isn't valid or a node that you don't own, you receive an error.
Note
The IamRole
field for this API operation is the Identity and Access Management (IAM) role assigned to on-premises managed nodes. This call doesn't return the IAM role for EC2 instances.
See also: AWS API Documentation
Request Syntax
response = client.describe_instance_information(
InstanceInformationFilterList=[
{
'key': 'InstanceIds'|'AgentVersion'|'PingStatus'|'PlatformTypes'|'ActivationIds'|'IamRole'|'ResourceType'|'AssociationStatus',
'valueSet': [
'string',
]
},
],
Filters=[
{
'Key': 'string',
'Values': [
'string',
]
},
],
MaxResults=123,
NextToken='string'
)
This is a legacy method. We recommend that you don't use this method. Instead, use the Filters
data type. Filters
enables you to return node information by filtering based on tags applied to managed nodes.
Note
Attempting to use InstanceInformationFilterList
and Filters
leads to an exception error.
Describes a filter for a specific list of managed nodes. You can filter node information by using tags. You specify tags by using a key-value mapping.
Use this operation instead of the DescribeInstanceInformationRequest$InstanceInformationFilterList method. The InstanceInformationFilterList
method is a legacy method and doesn't support tags.
The name of the filter.
The filter values.
One or more filters. Use a filter to return a more specific list of managed nodes. You can filter based on tags applied to your managed nodes. Use this Filters
data type instead of InstanceInformationFilterList
, which is deprecated.
The filters to describe or get information about your managed nodes.
The filter key name to describe your managed nodes.
Valid filter key values: ActivationIds | AgentVersion | AssociationStatus | IamRole | InstanceIds | PingStatus | PlatformTypes | ResourceType | SourceIds | SourceTypes | "tag-key" | "tag: {keyname}
AssociationStatus
filter key: Success | Pending | FailedPingStatus
filter key: Online | ConnectionLost | Inactive (deprecated)PlatformType
filter key: Windows | Linux | MacOSResourceType
filter key: EC2Instance | ManagedInstanceSourceType
filter key: AWS::EC2::Instance | AWS::SSM::ManagedInstance | AWS::IoT::ThingKey=tag-key,Values=Purpose
| Key=tag:Purpose,Values=Test
.The filter values.
dict
Response Syntax
{
'InstanceInformationList': [
{
'InstanceId': 'string',
'PingStatus': 'Online'|'ConnectionLost'|'Inactive',
'LastPingDateTime': datetime(2015, 1, 1),
'AgentVersion': 'string',
'IsLatestVersion': True|False,
'PlatformType': 'Windows'|'Linux'|'MacOS',
'PlatformName': 'string',
'PlatformVersion': 'string',
'ActivationId': 'string',
'IamRole': 'string',
'RegistrationDate': datetime(2015, 1, 1),
'ResourceType': 'ManagedInstance'|'Document'|'EC2Instance',
'Name': 'string',
'IPAddress': 'string',
'ComputerName': 'string',
'AssociationStatus': 'string',
'LastAssociationExecutionDate': datetime(2015, 1, 1),
'LastSuccessfulAssociationExecutionDate': datetime(2015, 1, 1),
'AssociationOverview': {
'DetailedStatus': 'string',
'InstanceAssociationStatusAggregatedCount': {
'string': 123
}
},
'SourceId': 'string',
'SourceType': 'AWS::EC2::Instance'|'AWS::IoT::Thing'|'AWS::SSM::ManagedInstance'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
InstanceInformationList (list) --
The managed node information list.
(dict) --
Describes a filter for a specific list of managed nodes.
InstanceId (string) --
The managed node ID.
PingStatus (string) --
Connection status of SSM Agent.
Note
The status Inactive
has been deprecated and is no longer in use.
LastPingDateTime (datetime) --
The date and time when the agent last pinged the Systems Manager service.
AgentVersion (string) --
The version of SSM Agent running on your Linux managed node.
IsLatestVersion (boolean) --
Indicates whether the latest version of SSM Agent is running on your Linux managed node. This field doesn't indicate whether or not the latest version is installed on Windows managed nodes, because some older versions of Windows Server use the EC2Config service to process Systems Manager requests.
PlatformType (string) --
The operating system platform type.
PlatformName (string) --
The name of the operating system platform running on your managed node.
PlatformVersion (string) --
The version of the OS platform running on your managed node.
ActivationId (string) --
The activation ID created by Amazon Web Services Systems Manager when the server or virtual machine (VM) was registered.
IamRole (string) --
The Identity and Access Management (IAM) role assigned to the on-premises Systems Manager managed node. This call doesn't return the IAM role for Amazon Elastic Compute Cloud (Amazon EC2) instances. To retrieve the IAM role for an EC2 instance, use the Amazon EC2 DescribeInstances
operation. For information, see DescribeInstances in the Amazon EC2 API Reference or describe-instances in the Amazon Web Services CLI Command Reference .
RegistrationDate (datetime) --
The date the server or VM was registered with Amazon Web Services as a managed node.
ResourceType (string) --
The type of instance. Instances are either EC2 instances or managed instances.
Name (string) --
The name assigned to an on-premises server, edge device, or virtual machine (VM) when it is activated as a Systems Manager managed node. The name is specified as the DefaultInstanceName
property using the CreateActivation command. It is applied to the managed node by specifying the Activation Code and Activation ID when you install SSM Agent on the node, as explained in Install SSM Agent for a hybrid environment (Linux) and Install SSM Agent for a hybrid environment (Windows). To retrieve the Name
tag of an EC2 instance, use the Amazon EC2 DescribeInstances
operation. For information, see DescribeInstances in the Amazon EC2 API Reference or describe-instances in the Amazon Web Services CLI Command Reference .
IPAddress (string) --
The IP address of the managed node.
ComputerName (string) --
The fully qualified host name of the managed node.
AssociationStatus (string) --
The status of the association.
LastAssociationExecutionDate (datetime) --
The date the association was last run.
LastSuccessfulAssociationExecutionDate (datetime) --
The last date the association was successfully run.
AssociationOverview (dict) --
Information about the association.
DetailedStatus (string) --
Detailed status information about the aggregated associations.
InstanceAssociationStatusAggregatedCount (dict) --
The number of associations for the managed node(s).
SourceId (string) --
The ID of the source resource. For IoT Greengrass devices, SourceId
is the Thing name.
SourceType (string) --
The type of the source resource. For IoT Greengrass devices, SourceType
is AWS::IoT::Thing
.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidInstanceId
SSM.Client.exceptions.InvalidNextToken
SSM.Client.exceptions.InvalidInstanceInformationFilterValue
SSM.Client.exceptions.InvalidFilterKey
describe_instance_patch_states
(**kwargs)¶Retrieves the high-level patch state of one or more managed nodes.
See also: AWS API Documentation
Request Syntax
response = client.describe_instance_patch_states(
InstanceIds=[
'string',
],
NextToken='string',
MaxResults=123
)
[REQUIRED]
The ID of the managed node for which patch state information should be retrieved.
dict
Response Syntax
{
'InstancePatchStates': [
{
'InstanceId': 'string',
'PatchGroup': 'string',
'BaselineId': 'string',
'SnapshotId': 'string',
'InstallOverrideList': 'string',
'OwnerInformation': 'string',
'InstalledCount': 123,
'InstalledOtherCount': 123,
'InstalledPendingRebootCount': 123,
'InstalledRejectedCount': 123,
'MissingCount': 123,
'FailedCount': 123,
'UnreportedNotApplicableCount': 123,
'NotApplicableCount': 123,
'OperationStartTime': datetime(2015, 1, 1),
'OperationEndTime': datetime(2015, 1, 1),
'Operation': 'Scan'|'Install',
'LastNoRebootInstallOperationTime': datetime(2015, 1, 1),
'RebootOption': 'RebootIfNeeded'|'NoReboot',
'CriticalNonCompliantCount': 123,
'SecurityNonCompliantCount': 123,
'OtherNonCompliantCount': 123
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
InstancePatchStates (list) --
The high-level patch state for the requested managed nodes.
(dict) --
Defines the high-level patch compliance state for a managed node, providing information about the number of installed, missing, not applicable, and failed patches along with metadata about the operation when this information was gathered for the managed node.
InstanceId (string) --
The ID of the managed node the high-level patch compliance information was collected for.
PatchGroup (string) --
The name of the patch group the managed node belongs to.
BaselineId (string) --
The ID of the patch baseline used to patch the managed node.
SnapshotId (string) --
The ID of the patch baseline snapshot used during the patching operation when this compliance data was collected.
InstallOverrideList (string) --
An https URL or an Amazon Simple Storage Service (Amazon S3) path-style URL to a list of patches to be installed. This patch installation list, which you maintain in an S3 bucket in YAML format and specify in the SSM document AWS-RunPatchBaseline
, overrides the patches specified by the default patch baseline.
For more information about the InstallOverrideList
parameter, see About the AWS-RunPatchBaseline SSM document in the Amazon Web Services Systems Manager User Guide .
OwnerInformation (string) --
Placeholder information. This field will always be empty in the current release of the service.
InstalledCount (integer) --
The number of patches from the patch baseline that are installed on the managed node.
InstalledOtherCount (integer) --
The number of patches not specified in the patch baseline that are installed on the managed node.
InstalledPendingRebootCount (integer) --
The number of patches installed by Patch Manager since the last time the managed node was rebooted.
InstalledRejectedCount (integer) --
The number of patches installed on a managed node that are specified in a RejectedPatches
list. Patches with a status of InstalledRejected
were typically installed before they were added to a RejectedPatches
list.
Note
If ALLOW_AS_DEPENDENCY
is the specified option for RejectedPatchesAction
, the value of InstalledRejectedCount
will always be 0
(zero).
MissingCount (integer) --
The number of patches from the patch baseline that are applicable for the managed node but aren't currently installed.
FailedCount (integer) --
The number of patches from the patch baseline that were attempted to be installed during the last patching operation, but failed to install.
UnreportedNotApplicableCount (integer) --
The number of patches beyond the supported limit of NotApplicableCount
that aren't reported by name to Inventory. Inventory is a capability of Amazon Web Services Systems Manager.
NotApplicableCount (integer) --
The number of patches from the patch baseline that aren't applicable for the managed node and therefore aren't installed on the node. This number may be truncated if the list of patch names is very large. The number of patches beyond this limit are reported in UnreportedNotApplicableCount
.
OperationStartTime (datetime) --
The time the most recent patching operation was started on the managed node.
OperationEndTime (datetime) --
The time the most recent patching operation completed on the managed node.
Operation (string) --
The type of patching operation that was performed: or
SCAN
assesses the patch compliance state.INSTALL
installs missing patches.LastNoRebootInstallOperationTime (datetime) --
The time of the last attempt to patch the managed node with NoReboot
specified as the reboot option.
RebootOption (string) --
Indicates the reboot option specified in the patch baseline.
Note
Reboot options apply to Install
operations only. Reboots aren't attempted for Patch Manager Scan
operations.
RebootIfNeeded
: Patch Manager tries to reboot the managed node if it installed any patches, or if any patches are detected with a status of InstalledPendingReboot
.NoReboot
: Patch Manager attempts to install missing packages without trying to reboot the system. Patches installed with this option are assigned a status of InstalledPendingReboot
. These patches might not be in effect until a reboot is performed.CriticalNonCompliantCount (integer) --
The number of patches per node that are specified as Critical
for compliance reporting in the patch baseline aren't installed. These patches might be missing, have failed installation, were rejected, or were installed but awaiting a required managed node reboot. The status of these managed nodes is NON_COMPLIANT
.
SecurityNonCompliantCount (integer) --
The number of patches per node that are specified as Security
in a patch advisory aren't installed. These patches might be missing, have failed installation, were rejected, or were installed but awaiting a required managed node reboot. The status of these managed nodes is NON_COMPLIANT
.
OtherNonCompliantCount (integer) --
The number of patches per node that are specified as other than Critical
or Security
but aren't compliant with the patch baseline. The status of these managed nodes is NON_COMPLIANT
.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidNextToken
describe_instance_patch_states_for_patch_group
(**kwargs)¶Retrieves the high-level patch state for the managed nodes in the specified patch group.
See also: AWS API Documentation
Request Syntax
response = client.describe_instance_patch_states_for_patch_group(
PatchGroup='string',
Filters=[
{
'Key': 'string',
'Values': [
'string',
],
'Type': 'Equal'|'NotEqual'|'LessThan'|'GreaterThan'
},
],
NextToken='string',
MaxResults=123
)
[REQUIRED]
The name of the patch group for which the patch state information should be retrieved.
Each entry in the array is a structure containing:
Defines a filter used in DescribeInstancePatchStatesForPatchGroup to scope down the information returned by the API.
Example : To filter for all managed nodes in a patch group having more than three patches with aFailedCount
status, use the following for the filter:
Key
: FailedCount
Type
: GreaterThan
Values
: 3
The key for the filter. Supported values include the following:
InstalledCount
InstalledOtherCount
InstalledPendingRebootCount
InstalledRejectedCount
MissingCount
FailedCount
UnreportedNotApplicableCount
NotApplicableCount
The value for the filter. Must be an integer greater than or equal to 0.
The type of comparison that should be performed for the value.
dict
Response Syntax
{
'InstancePatchStates': [
{
'InstanceId': 'string',
'PatchGroup': 'string',
'BaselineId': 'string',
'SnapshotId': 'string',
'InstallOverrideList': 'string',
'OwnerInformation': 'string',
'InstalledCount': 123,
'InstalledOtherCount': 123,
'InstalledPendingRebootCount': 123,
'InstalledRejectedCount': 123,
'MissingCount': 123,
'FailedCount': 123,
'UnreportedNotApplicableCount': 123,
'NotApplicableCount': 123,
'OperationStartTime': datetime(2015, 1, 1),
'OperationEndTime': datetime(2015, 1, 1),
'Operation': 'Scan'|'Install',
'LastNoRebootInstallOperationTime': datetime(2015, 1, 1),
'RebootOption': 'RebootIfNeeded'|'NoReboot',
'CriticalNonCompliantCount': 123,
'SecurityNonCompliantCount': 123,
'OtherNonCompliantCount': 123
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
InstancePatchStates (list) --
The high-level patch state for the requested managed nodes.
(dict) --
Defines the high-level patch compliance state for a managed node, providing information about the number of installed, missing, not applicable, and failed patches along with metadata about the operation when this information was gathered for the managed node.
InstanceId (string) --
The ID of the managed node the high-level patch compliance information was collected for.
PatchGroup (string) --
The name of the patch group the managed node belongs to.
BaselineId (string) --
The ID of the patch baseline used to patch the managed node.
SnapshotId (string) --
The ID of the patch baseline snapshot used during the patching operation when this compliance data was collected.
InstallOverrideList (string) --
An https URL or an Amazon Simple Storage Service (Amazon S3) path-style URL to a list of patches to be installed. This patch installation list, which you maintain in an S3 bucket in YAML format and specify in the SSM document AWS-RunPatchBaseline
, overrides the patches specified by the default patch baseline.
For more information about the InstallOverrideList
parameter, see About the AWS-RunPatchBaseline SSM document in the Amazon Web Services Systems Manager User Guide .
OwnerInformation (string) --
Placeholder information. This field will always be empty in the current release of the service.
InstalledCount (integer) --
The number of patches from the patch baseline that are installed on the managed node.
InstalledOtherCount (integer) --
The number of patches not specified in the patch baseline that are installed on the managed node.
InstalledPendingRebootCount (integer) --
The number of patches installed by Patch Manager since the last time the managed node was rebooted.
InstalledRejectedCount (integer) --
The number of patches installed on a managed node that are specified in a RejectedPatches
list. Patches with a status of InstalledRejected
were typically installed before they were added to a RejectedPatches
list.
Note
If ALLOW_AS_DEPENDENCY
is the specified option for RejectedPatchesAction
, the value of InstalledRejectedCount
will always be 0
(zero).
MissingCount (integer) --
The number of patches from the patch baseline that are applicable for the managed node but aren't currently installed.
FailedCount (integer) --
The number of patches from the patch baseline that were attempted to be installed during the last patching operation, but failed to install.
UnreportedNotApplicableCount (integer) --
The number of patches beyond the supported limit of NotApplicableCount
that aren't reported by name to Inventory. Inventory is a capability of Amazon Web Services Systems Manager.
NotApplicableCount (integer) --
The number of patches from the patch baseline that aren't applicable for the managed node and therefore aren't installed on the node. This number may be truncated if the list of patch names is very large. The number of patches beyond this limit are reported in UnreportedNotApplicableCount
.
OperationStartTime (datetime) --
The time the most recent patching operation was started on the managed node.
OperationEndTime (datetime) --
The time the most recent patching operation completed on the managed node.
Operation (string) --
The type of patching operation that was performed: or
SCAN
assesses the patch compliance state.INSTALL
installs missing patches.LastNoRebootInstallOperationTime (datetime) --
The time of the last attempt to patch the managed node with NoReboot
specified as the reboot option.
RebootOption (string) --
Indicates the reboot option specified in the patch baseline.
Note
Reboot options apply to Install
operations only. Reboots aren't attempted for Patch Manager Scan
operations.
RebootIfNeeded
: Patch Manager tries to reboot the managed node if it installed any patches, or if any patches are detected with a status of InstalledPendingReboot
.NoReboot
: Patch Manager attempts to install missing packages without trying to reboot the system. Patches installed with this option are assigned a status of InstalledPendingReboot
. These patches might not be in effect until a reboot is performed.CriticalNonCompliantCount (integer) --
The number of patches per node that are specified as Critical
for compliance reporting in the patch baseline aren't installed. These patches might be missing, have failed installation, were rejected, or were installed but awaiting a required managed node reboot. The status of these managed nodes is NON_COMPLIANT
.
SecurityNonCompliantCount (integer) --
The number of patches per node that are specified as Security
in a patch advisory aren't installed. These patches might be missing, have failed installation, were rejected, or were installed but awaiting a required managed node reboot. The status of these managed nodes is NON_COMPLIANT
.
OtherNonCompliantCount (integer) --
The number of patches per node that are specified as other than Critical
or Security
but aren't compliant with the patch baseline. The status of these managed nodes is NON_COMPLIANT
.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidFilter
SSM.Client.exceptions.InvalidNextToken
describe_instance_patches
(**kwargs)¶Retrieves information about the patches on the specified managed node and their state relative to the patch baseline being used for the node.
See also: AWS API Documentation
Request Syntax
response = client.describe_instance_patches(
InstanceId='string',
Filters=[
{
'Key': 'string',
'Values': [
'string',
]
},
],
NextToken='string',
MaxResults=123
)
[REQUIRED]
The ID of the managed node whose patch state information should be retrieved.
Each element in the array is a structure containing a key-value pair.
Supported keys for DescribeInstancePatches
include the following:
Classification
Sample values: Security
| SecurityUpdates
KBId
Sample values: KB4480056
| java-1.7.0-openjdk.x86_64
Severity
Sample values: Important
| Medium
| Low
State
Sample values: Installed
| InstalledOther
| InstalledPendingReboot
Defines a filter used in Patch Manager APIs. Supported filter keys depend on the API operation that includes the filter. Patch Manager API operations that use PatchOrchestratorFilter
include the following:
The key for the filter.
The value for the filter.
dict
Response Syntax
{
'Patches': [
{
'Title': 'string',
'KBId': 'string',
'Classification': 'string',
'Severity': 'string',
'State': 'INSTALLED'|'INSTALLED_OTHER'|'INSTALLED_PENDING_REBOOT'|'INSTALLED_REJECTED'|'MISSING'|'NOT_APPLICABLE'|'FAILED',
'InstalledTime': datetime(2015, 1, 1),
'CVEIds': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Patches (list) --
Each entry in the array is a structure containing:
(dict) --
Information about the state of a patch on a particular managed node as it relates to the patch baseline used to patch the node.
Title (string) --
The title of the patch.
KBId (string) --
The operating system-specific ID of the patch.
Classification (string) --
The classification of the patch, such as SecurityUpdates
, Updates
, and CriticalUpdates
.
Severity (string) --
The severity of the patch such as Critical
, Important
, and Moderate
.
State (string) --
The state of the patch on the managed node, such as INSTALLED or FAILED.
For descriptions of each patch state, see About patch compliance in the Amazon Web Services Systems Manager User Guide .
InstalledTime (datetime) --
The date/time the patch was installed on the managed node. Not all operating systems provide this level of information.
CVEIds (string) --
The IDs of one or more Common Vulnerabilities and Exposure (CVE) issues that are resolved by the patch.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidInstanceId
SSM.Client.exceptions.InvalidFilter
SSM.Client.exceptions.InvalidNextToken
describe_inventory_deletions
(**kwargs)¶Describes a specific delete inventory operation.
See also: AWS API Documentation
Request Syntax
response = client.describe_inventory_deletions(
DeletionId='string',
NextToken='string',
MaxResults=123
)
DeleteInventory
operation.dict
Response Syntax
{
'InventoryDeletions': [
{
'DeletionId': 'string',
'TypeName': 'string',
'DeletionStartTime': datetime(2015, 1, 1),
'LastStatus': 'InProgress'|'Complete',
'LastStatusMessage': 'string',
'DeletionSummary': {
'TotalCount': 123,
'RemainingCount': 123,
'SummaryItems': [
{
'Version': 'string',
'Count': 123,
'RemainingCount': 123
},
]
},
'LastStatusUpdateTime': datetime(2015, 1, 1)
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
InventoryDeletions (list) --
A list of status items for deleted inventory.
(dict) --
Status information returned by the DeleteInventory
operation.
DeletionId (string) --
The deletion ID returned by the DeleteInventory
operation.
TypeName (string) --
The name of the inventory data type.
DeletionStartTime (datetime) --
The UTC timestamp when the delete operation started.
LastStatus (string) --
The status of the operation. Possible values are InProgress and Complete.
LastStatusMessage (string) --
Information about the status.
DeletionSummary (dict) --
Information about the delete operation. For more information about this summary, see Understanding the delete inventory summary in the Amazon Web Services Systems Manager User Guide .
TotalCount (integer) --
The total number of items to delete. This count doesn't change during the delete operation.
RemainingCount (integer) --
Remaining number of items to delete.
SummaryItems (list) --
A list of counts and versions for deleted items.
(dict) --
Either a count, remaining count, or a version number in a delete inventory summary.
Version (string) --
The inventory type version.
Count (integer) --
A count of the number of deleted items.
RemainingCount (integer) --
The remaining number of items to delete.
LastStatusUpdateTime (datetime) --
The UTC timestamp of when the last status report.
NextToken (string) --
The token for the next set of items to return. Use this token to get the next set of results.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidDeletionIdException
SSM.Client.exceptions.InvalidNextToken
describe_maintenance_window_execution_task_invocations
(**kwargs)¶Retrieves the individual task executions (one per target) for a particular task run as part of a maintenance window execution.
See also: AWS API Documentation
Request Syntax
response = client.describe_maintenance_window_execution_task_invocations(
WindowExecutionId='string',
TaskId='string',
Filters=[
{
'Key': 'string',
'Values': [
'string',
]
},
],
MaxResults=123,
NextToken='string'
)
[REQUIRED]
The ID of the maintenance window execution the task is part of.
[REQUIRED]
The ID of the specific task in the maintenance window task that should be retrieved.
Optional filters used to scope down the returned task invocations. The supported filter key is STATUS
with the corresponding values PENDING
, IN_PROGRESS
, SUCCESS
, FAILED
, TIMED_OUT
, CANCELLING
, and CANCELLED
.
Filter used in the request. Supported filter keys depend on the API operation that includes the filter. API operations that use MaintenanceWindowFilter>
include the following:
The name of the filter.
The filter values.
dict
Response Syntax
{
'WindowExecutionTaskInvocationIdentities': [
{
'WindowExecutionId': 'string',
'TaskExecutionId': 'string',
'InvocationId': 'string',
'ExecutionId': 'string',
'TaskType': 'RUN_COMMAND'|'AUTOMATION'|'STEP_FUNCTIONS'|'LAMBDA',
'Parameters': 'string',
'Status': 'PENDING'|'IN_PROGRESS'|'SUCCESS'|'FAILED'|'TIMED_OUT'|'CANCELLING'|'CANCELLED'|'SKIPPED_OVERLAPPING',
'StatusDetails': 'string',
'StartTime': datetime(2015, 1, 1),
'EndTime': datetime(2015, 1, 1),
'OwnerInformation': 'string',
'WindowTargetId': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
WindowExecutionTaskInvocationIdentities (list) --
Information about the task invocation results per invocation.
(dict) --
Describes the information about a task invocation for a particular target as part of a task execution performed as part of a maintenance window execution.
WindowExecutionId (string) --
The ID of the maintenance window execution that ran the task.
TaskExecutionId (string) --
The ID of the specific task execution in the maintenance window execution.
InvocationId (string) --
The ID of the task invocation.
ExecutionId (string) --
The ID of the action performed in the service that actually handled the task invocation. If the task type is RUN_COMMAND
, this value is the command ID.
TaskType (string) --
The task type.
Parameters (string) --
The parameters that were provided for the invocation when it was run.
Status (string) --
The status of the task invocation.
StatusDetails (string) --
The details explaining the status of the task invocation. Not available for all status values.
StartTime (datetime) --
The time the invocation started.
EndTime (datetime) --
The time the invocation finished.
OwnerInformation (string) --
User-provided value that was specified when the target was registered with the maintenance window. This was also included in any Amazon CloudWatch Events events raised during the task invocation.
WindowTargetId (string) --
The ID of the target definition in this maintenance window the invocation was performed for.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Exceptions
SSM.Client.exceptions.DoesNotExistException
SSM.Client.exceptions.InternalServerError
describe_maintenance_window_execution_tasks
(**kwargs)¶For a given maintenance window execution, lists the tasks that were run.
See also: AWS API Documentation
Request Syntax
response = client.describe_maintenance_window_execution_tasks(
WindowExecutionId='string',
Filters=[
{
'Key': 'string',
'Values': [
'string',
]
},
],
MaxResults=123,
NextToken='string'
)
[REQUIRED]
The ID of the maintenance window execution whose task executions should be retrieved.
Optional filters used to scope down the returned tasks. The supported filter key is STATUS
with the corresponding values PENDING
, IN_PROGRESS
, SUCCESS
, FAILED
, TIMED_OUT
, CANCELLING
, and CANCELLED
.
Filter used in the request. Supported filter keys depend on the API operation that includes the filter. API operations that use MaintenanceWindowFilter>
include the following:
The name of the filter.
The filter values.
dict
Response Syntax
{
'WindowExecutionTaskIdentities': [
{
'WindowExecutionId': 'string',
'TaskExecutionId': 'string',
'Status': 'PENDING'|'IN_PROGRESS'|'SUCCESS'|'FAILED'|'TIMED_OUT'|'CANCELLING'|'CANCELLED'|'SKIPPED_OVERLAPPING',
'StatusDetails': 'string',
'StartTime': datetime(2015, 1, 1),
'EndTime': datetime(2015, 1, 1),
'TaskArn': 'string',
'TaskType': 'RUN_COMMAND'|'AUTOMATION'|'STEP_FUNCTIONS'|'LAMBDA',
'AlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
},
'TriggeredAlarms': [
{
'Name': 'string',
'State': 'UNKNOWN'|'ALARM'
},
]
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
WindowExecutionTaskIdentities (list) --
Information about the task executions.
(dict) --
Information about a task execution performed as part of a maintenance window execution.
WindowExecutionId (string) --
The ID of the maintenance window execution that ran the task.
TaskExecutionId (string) --
The ID of the specific task execution in the maintenance window execution.
Status (string) --
The status of the task execution.
StatusDetails (string) --
The details explaining the status of the task execution. Not available for all status values.
StartTime (datetime) --
The time the task execution started.
EndTime (datetime) --
The time the task execution finished.
TaskArn (string) --
The Amazon Resource Name (ARN) of the task that ran.
TaskType (string) --
The type of task that ran.
AlarmConfiguration (dict) --
The details for the CloudWatch alarm applied to your maintenance window task.
IgnorePollAlarmFailure (boolean) --
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
Alarms (list) --
The name of the CloudWatch alarm specified in the configuration.
(dict) --
A CloudWatch alarm you apply to an automation or command.
Name (string) --
The name of your CloudWatch alarm.
TriggeredAlarms (list) --
The CloudWatch alarm that was invoked by the maintenance window task.
(dict) --
The details about the state of your CloudWatch alarm.
Name (string) --
The name of your CloudWatch alarm.
State (string) --
The state of your CloudWatch alarm.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Exceptions
SSM.Client.exceptions.DoesNotExistException
SSM.Client.exceptions.InternalServerError
describe_maintenance_window_executions
(**kwargs)¶Lists the executions of a maintenance window. This includes information about when the maintenance window was scheduled to be active, and information about tasks registered and run with the maintenance window.
See also: AWS API Documentation
Request Syntax
response = client.describe_maintenance_window_executions(
WindowId='string',
Filters=[
{
'Key': 'string',
'Values': [
'string',
]
},
],
MaxResults=123,
NextToken='string'
)
[REQUIRED]
The ID of the maintenance window whose executions should be retrieved.
Each entry in the array is a structure containing:
ExecutedBefore
and ExecutedAfter
.2021-11-04T05:00:00Z
.Filter used in the request. Supported filter keys depend on the API operation that includes the filter. API operations that use MaintenanceWindowFilter>
include the following:
The name of the filter.
The filter values.
dict
Response Syntax
{
'WindowExecutions': [
{
'WindowId': 'string',
'WindowExecutionId': 'string',
'Status': 'PENDING'|'IN_PROGRESS'|'SUCCESS'|'FAILED'|'TIMED_OUT'|'CANCELLING'|'CANCELLED'|'SKIPPED_OVERLAPPING',
'StatusDetails': 'string',
'StartTime': datetime(2015, 1, 1),
'EndTime': datetime(2015, 1, 1)
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
WindowExecutions (list) --
Information about the maintenance window executions.
(dict) --
Describes the information about an execution of a maintenance window.
WindowId (string) --
The ID of the maintenance window.
WindowExecutionId (string) --
The ID of the maintenance window execution.
Status (string) --
The status of the execution.
StatusDetails (string) --
The details explaining the status. Not available for all status values.
StartTime (datetime) --
The time the execution started.
EndTime (datetime) --
The time the execution finished.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Exceptions
SSM.Client.exceptions.InternalServerError
describe_maintenance_window_schedule
(**kwargs)¶Retrieves information about upcoming executions of a maintenance window.
See also: AWS API Documentation
Request Syntax
response = client.describe_maintenance_window_schedule(
WindowId='string',
Targets=[
{
'Key': 'string',
'Values': [
'string',
]
},
],
ResourceType='INSTANCE'|'RESOURCE_GROUP',
Filters=[
{
'Key': 'string',
'Values': [
'string',
]
},
],
MaxResults=123,
NextToken='string'
)
The managed node ID or key-value pair to retrieve information about.
An array of search criteria that targets managed nodes using a key-value pair that you specify.
Note
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide .
Supported formats include the following.
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>
Key=tag:<my-tag-key>,Values=<my-tag-value-1>,<my-tag-value-2>
Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>
Key=resource-groups:Name,Values=<resource-group-name>
Key=resource-groups:ResourceTypeFilters,Values=<resource-type-1>,<resource-type-2>
Key=ResourceGroup;Values=<resource-group-name>
For example:
Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
Key=tag:CostCenter,Values=CostCenter1,CostCenter2,CostCenter3
Key=tag-key,Values=Name,Instance-Type,CostCenter
Key=resource-groups:Name,Values=ProductionResourceGroup
This example demonstrates how to target all resources in the resource group ProductionResourceGroup in your maintenance window.Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
This example demonstrates how to target only Amazon Elastic Compute Cloud (Amazon EC2) instances and VPCs in your maintenance window.Key=ResourceGroup,Values=MyResourceGroup
Key=InstanceIds,Values=*
This example demonstrates how to target all managed instances in the Amazon Web Services Region where the association was created.For more information about how to send commands that target managed nodes using Key,Value
parameters, see Targeting multiple instances in the Amazon Web Services Systems Manager User Guide .
User-defined criteria for sending commands that target managed nodes that meet the criteria.
User-defined criteria that maps to Key
. For example, if you specified tag:ServerRole
, you could specify value:WebServer
to run a command on instances that include EC2 tags of ServerRole,WebServer
.
Depending on the type of target, the maximum number of values for a key might be lower than the global maximum of 50.
INSTANCE
.Filters used to limit the range of results. For example, you can limit maintenance window executions to only those scheduled before or after a certain date and time.
Defines a filter used in Patch Manager APIs. Supported filter keys depend on the API operation that includes the filter. Patch Manager API operations that use PatchOrchestratorFilter
include the following:
The key for the filter.
The value for the filter.
dict
Response Syntax
{
'ScheduledWindowExecutions': [
{
'WindowId': 'string',
'Name': 'string',
'ExecutionTime': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
ScheduledWindowExecutions (list) --
Information about maintenance window executions scheduled for the specified time range.
(dict) --
Information about a scheduled execution for a maintenance window.
WindowId (string) --
The ID of the maintenance window to be run.
Name (string) --
The name of the maintenance window to be run.
ExecutionTime (string) --
The time, in ISO-8601 Extended format, that the maintenance window is scheduled to be run.
NextToken (string) --
The token for the next set of items to return. (You use this token in the next call.)
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.DoesNotExistException
describe_maintenance_window_targets
(**kwargs)¶Lists the targets registered with the maintenance window.
See also: AWS API Documentation
Request Syntax
response = client.describe_maintenance_window_targets(
WindowId='string',
Filters=[
{
'Key': 'string',
'Values': [
'string',
]
},
],
MaxResults=123,
NextToken='string'
)
[REQUIRED]
The ID of the maintenance window whose targets should be retrieved.
Optional filters that can be used to narrow down the scope of the returned window targets. The supported filter keys are Type
, WindowTargetId
, and OwnerInformation
.
Filter used in the request. Supported filter keys depend on the API operation that includes the filter. API operations that use MaintenanceWindowFilter>
include the following:
The name of the filter.
The filter values.
dict
Response Syntax
{
'Targets': [
{
'WindowId': 'string',
'WindowTargetId': 'string',
'ResourceType': 'INSTANCE'|'RESOURCE_GROUP',
'Targets': [
{
'Key': 'string',
'Values': [
'string',
]
},
],
'OwnerInformation': 'string',
'Name': 'string',
'Description': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Targets (list) --
Information about the targets in the maintenance window.
(dict) --
The target registered with the maintenance window.
WindowId (string) --
The ID of the maintenance window to register the target with.
WindowTargetId (string) --
The ID of the target.
ResourceType (string) --
The type of target that is being registered with the maintenance window.
Targets (list) --
The targets, either managed nodes or tags.
Specify managed nodes using the following format:
Key=instanceids,Values=<instanceid1>,<instanceid2>
Tags are specified using the following format:
Key=<tag name>,Values=<tag value>
.
(dict) --
An array of search criteria that targets managed nodes using a key-value pair that you specify.
Note
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide .
Supported formats include the following.
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>
Key=tag:<my-tag-key>,Values=<my-tag-value-1>,<my-tag-value-2>
Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>
Key=resource-groups:Name,Values=<resource-group-name>
Key=resource-groups:ResourceTypeFilters,Values=<resource-type-1>,<resource-type-2>
Key=ResourceGroup;Values=<resource-group-name>
For example:
Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
Key=tag:CostCenter,Values=CostCenter1,CostCenter2,CostCenter3
Key=tag-key,Values=Name,Instance-Type,CostCenter
Key=resource-groups:Name,Values=ProductionResourceGroup
This example demonstrates how to target all resources in the resource group ProductionResourceGroup in your maintenance window.Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
This example demonstrates how to target only Amazon Elastic Compute Cloud (Amazon EC2) instances and VPCs in your maintenance window.Key=ResourceGroup,Values=MyResourceGroup
Key=InstanceIds,Values=*
This example demonstrates how to target all managed instances in the Amazon Web Services Region where the association was created.For more information about how to send commands that target managed nodes using Key,Value
parameters, see Targeting multiple instances in the Amazon Web Services Systems Manager User Guide .
Key (string) --
User-defined criteria for sending commands that target managed nodes that meet the criteria.
Values (list) --
User-defined criteria that maps to Key
. For example, if you specified tag:ServerRole
, you could specify value:WebServer
to run a command on instances that include EC2 tags of ServerRole,WebServer
.
Depending on the type of target, the maximum number of values for a key might be lower than the global maximum of 50.
OwnerInformation (string) --
A user-provided value that will be included in any Amazon CloudWatch Events events that are raised while running tasks for these targets in this maintenance window.
Name (string) --
The name for the maintenance window target.
Description (string) --
A description for the target.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Exceptions
SSM.Client.exceptions.DoesNotExistException
SSM.Client.exceptions.InternalServerError
describe_maintenance_window_tasks
(**kwargs)¶Lists the tasks in a maintenance window.
Note
For maintenance window tasks without a specified target, you can't supply values for --max-errors
and --max-concurrency
. Instead, the system inserts a placeholder value of 1
, which may be reported in the response to this command. These values don't affect the running of your task and can be ignored.
See also: AWS API Documentation
Request Syntax
response = client.describe_maintenance_window_tasks(
WindowId='string',
Filters=[
{
'Key': 'string',
'Values': [
'string',
]
},
],
MaxResults=123,
NextToken='string'
)
[REQUIRED]
The ID of the maintenance window whose tasks should be retrieved.
Optional filters used to narrow down the scope of the returned tasks. The supported filter keys are WindowTaskId
, TaskArn
, Priority
, and TaskType
.
Filter used in the request. Supported filter keys depend on the API operation that includes the filter. API operations that use MaintenanceWindowFilter>
include the following:
The name of the filter.
The filter values.
dict
Response Syntax
{
'Tasks': [
{
'WindowId': 'string',
'WindowTaskId': 'string',
'TaskArn': 'string',
'Type': 'RUN_COMMAND'|'AUTOMATION'|'STEP_FUNCTIONS'|'LAMBDA',
'Targets': [
{
'Key': 'string',
'Values': [
'string',
]
},
],
'TaskParameters': {
'string': {
'Values': [
'string',
]
}
},
'Priority': 123,
'LoggingInfo': {
'S3BucketName': 'string',
'S3KeyPrefix': 'string',
'S3Region': 'string'
},
'ServiceRoleArn': 'string',
'MaxConcurrency': 'string',
'MaxErrors': 'string',
'Name': 'string',
'Description': 'string',
'CutoffBehavior': 'CONTINUE_TASK'|'CANCEL_TASK',
'AlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
}
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Tasks (list) --
Information about the tasks in the maintenance window.
(dict) --
Information about a task defined for a maintenance window.
WindowId (string) --
The ID of the maintenance window where the task is registered.
WindowTaskId (string) --
The task ID.
TaskArn (string) --
The resource that the task uses during execution. For RUN_COMMAND
and AUTOMATION
task types, TaskArn
is the Amazon Web Services Systems Manager (SSM document) name or ARN. For LAMBDA
tasks, it's the function name or ARN. For STEP_FUNCTIONS
tasks, it's the state machine ARN.
Type (string) --
The type of task.
Targets (list) --
The targets (either managed nodes or tags). Managed nodes are specified using Key=instanceids,Values=<instanceid1>,<instanceid2>
. Tags are specified using Key=<tag name>,Values=<tag value>
.
(dict) --
An array of search criteria that targets managed nodes using a key-value pair that you specify.
Note
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide .
Supported formats include the following.
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>
Key=tag:<my-tag-key>,Values=<my-tag-value-1>,<my-tag-value-2>
Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>
Key=resource-groups:Name,Values=<resource-group-name>
Key=resource-groups:ResourceTypeFilters,Values=<resource-type-1>,<resource-type-2>
Key=ResourceGroup;Values=<resource-group-name>
For example:
Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
Key=tag:CostCenter,Values=CostCenter1,CostCenter2,CostCenter3
Key=tag-key,Values=Name,Instance-Type,CostCenter
Key=resource-groups:Name,Values=ProductionResourceGroup
This example demonstrates how to target all resources in the resource group ProductionResourceGroup in your maintenance window.Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
This example demonstrates how to target only Amazon Elastic Compute Cloud (Amazon EC2) instances and VPCs in your maintenance window.Key=ResourceGroup,Values=MyResourceGroup
Key=InstanceIds,Values=*
This example demonstrates how to target all managed instances in the Amazon Web Services Region where the association was created.For more information about how to send commands that target managed nodes using Key,Value
parameters, see Targeting multiple instances in the Amazon Web Services Systems Manager User Guide .
Key (string) --
User-defined criteria for sending commands that target managed nodes that meet the criteria.
Values (list) --
User-defined criteria that maps to Key
. For example, if you specified tag:ServerRole
, you could specify value:WebServer
to run a command on instances that include EC2 tags of ServerRole,WebServer
.
Depending on the type of target, the maximum number of values for a key might be lower than the global maximum of 50.
TaskParameters (dict) --
The parameters that should be passed to the task when it is run.
Note
TaskParameters
has been deprecated. To specify parameters to pass to a task when it runs, instead use the Parameters
option in the TaskInvocationParameters
structure. For information about how Systems Manager handles these options for the supported maintenance window task types, see MaintenanceWindowTaskInvocationParameters.
(string) --
(dict) --
Defines the values for a task parameter.
Values (list) --
This field contains an array of 0 or more strings, each 1 to 255 characters in length.
Priority (integer) --
The priority of the task in the maintenance window. The lower the number, the higher the priority. Tasks that have the same priority are scheduled in parallel.
LoggingInfo (dict) --
Information about an S3 bucket to write task-level logs to.
Note
LoggingInfo
has been deprecated. To specify an Amazon Simple Storage Service (Amazon S3) bucket to contain logs, instead use the OutputS3BucketName
and OutputS3KeyPrefix
options in the TaskInvocationParameters
structure. For information about how Amazon Web Services Systems Manager handles these options for the supported maintenance window task types, see MaintenanceWindowTaskInvocationParameters.
S3BucketName (string) --
The name of an S3 bucket where execution logs are stored.
S3KeyPrefix (string) --
(Optional) The S3 bucket subfolder.
S3Region (string) --
The Amazon Web Services Region where the S3 bucket is located.
ServiceRoleArn (string) --
The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) service role to use to publish Amazon Simple Notification Service (Amazon SNS) notifications for maintenance window Run Command tasks.
MaxConcurrency (string) --
The maximum number of targets this task can be run for, in parallel.
Note
Although this element is listed as "Required: No", a value can be omitted only when you are registering or updating a targetless task You must provide a value in all other cases.
For maintenance window tasks without a target specified, you can't supply a value for this option. Instead, the system inserts a placeholder value of 1
. This value doesn't affect the running of your task.
MaxErrors (string) --
The maximum number of errors allowed before this task stops being scheduled.
Note
Although this element is listed as "Required: No", a value can be omitted only when you are registering or updating a targetless task You must provide a value in all other cases.
For maintenance window tasks without a target specified, you can't supply a value for this option. Instead, the system inserts a placeholder value of 1
. This value doesn't affect the running of your task.
Name (string) --
The task name.
Description (string) --
A description of the task.
CutoffBehavior (string) --
The specification for whether tasks should continue to run after the cutoff time specified in the maintenance windows is reached.
AlarmConfiguration (dict) --
The details for the CloudWatch alarm applied to your maintenance window task.
IgnorePollAlarmFailure (boolean) --
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
Alarms (list) --
The name of the CloudWatch alarm specified in the configuration.
(dict) --
A CloudWatch alarm you apply to an automation or command.
Name (string) --
The name of your CloudWatch alarm.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Exceptions
SSM.Client.exceptions.DoesNotExistException
SSM.Client.exceptions.InternalServerError
describe_maintenance_windows
(**kwargs)¶Retrieves the maintenance windows in an Amazon Web Services account.
See also: AWS API Documentation
Request Syntax
response = client.describe_maintenance_windows(
Filters=[
{
'Key': 'string',
'Values': [
'string',
]
},
],
MaxResults=123,
NextToken='string'
)
Optional filters used to narrow down the scope of the returned maintenance windows. Supported filter keys are Name
and Enabled
. For example, Name=MyMaintenanceWindow
and Enabled=True
.
Filter used in the request. Supported filter keys depend on the API operation that includes the filter. API operations that use MaintenanceWindowFilter>
include the following:
The name of the filter.
The filter values.
dict
Response Syntax
{
'WindowIdentities': [
{
'WindowId': 'string',
'Name': 'string',
'Description': 'string',
'Enabled': True|False,
'Duration': 123,
'Cutoff': 123,
'Schedule': 'string',
'ScheduleTimezone': 'string',
'ScheduleOffset': 123,
'EndDate': 'string',
'StartDate': 'string',
'NextExecutionTime': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
WindowIdentities (list) --
Information about the maintenance windows.
(dict) --
Information about the maintenance window.
WindowId (string) --
The ID of the maintenance window.
Name (string) --
The name of the maintenance window.
Description (string) --
A description of the maintenance window.
Enabled (boolean) --
Indicates whether the maintenance window is enabled.
Duration (integer) --
The duration of the maintenance window in hours.
Cutoff (integer) --
The number of hours before the end of the maintenance window that Amazon Web Services Systems Manager stops scheduling new tasks for execution.
Schedule (string) --
The schedule of the maintenance window in the form of a cron or rate expression.
ScheduleTimezone (string) --
The time zone that the scheduled maintenance window executions are based on, in Internet Assigned Numbers Authority (IANA) format.
ScheduleOffset (integer) --
The number of days to wait to run a maintenance window after the scheduled cron expression date and time.
EndDate (string) --
The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become inactive.
StartDate (string) --
The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become active.
NextExecutionTime (string) --
The next time the maintenance window will actually run, taking into account any specified times for the maintenance window to become active or inactive.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Exceptions
SSM.Client.exceptions.InternalServerError
describe_maintenance_windows_for_target
(**kwargs)¶Retrieves information about the maintenance window targets or tasks that a managed node is associated with.
See also: AWS API Documentation
Request Syntax
response = client.describe_maintenance_windows_for_target(
Targets=[
{
'Key': 'string',
'Values': [
'string',
]
},
],
ResourceType='INSTANCE'|'RESOURCE_GROUP',
MaxResults=123,
NextToken='string'
)
[REQUIRED]
The managed node ID or key-value pair to retrieve information about.
An array of search criteria that targets managed nodes using a key-value pair that you specify.
Note
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide .
Supported formats include the following.
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>
Key=tag:<my-tag-key>,Values=<my-tag-value-1>,<my-tag-value-2>
Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>
Key=resource-groups:Name,Values=<resource-group-name>
Key=resource-groups:ResourceTypeFilters,Values=<resource-type-1>,<resource-type-2>
Key=ResourceGroup;Values=<resource-group-name>
For example:
Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
Key=tag:CostCenter,Values=CostCenter1,CostCenter2,CostCenter3
Key=tag-key,Values=Name,Instance-Type,CostCenter
Key=resource-groups:Name,Values=ProductionResourceGroup
This example demonstrates how to target all resources in the resource group ProductionResourceGroup in your maintenance window.Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
This example demonstrates how to target only Amazon Elastic Compute Cloud (Amazon EC2) instances and VPCs in your maintenance window.Key=ResourceGroup,Values=MyResourceGroup
Key=InstanceIds,Values=*
This example demonstrates how to target all managed instances in the Amazon Web Services Region where the association was created.For more information about how to send commands that target managed nodes using Key,Value
parameters, see Targeting multiple instances in the Amazon Web Services Systems Manager User Guide .
User-defined criteria for sending commands that target managed nodes that meet the criteria.
User-defined criteria that maps to Key
. For example, if you specified tag:ServerRole
, you could specify value:WebServer
to run a command on instances that include EC2 tags of ServerRole,WebServer
.
Depending on the type of target, the maximum number of values for a key might be lower than the global maximum of 50.
[REQUIRED]
The type of resource you want to retrieve information about. For example, INSTANCE
.
dict
Response Syntax
{
'WindowIdentities': [
{
'WindowId': 'string',
'Name': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
WindowIdentities (list) --
Information about the maintenance window targets and tasks a managed node is associated with.
(dict) --
The maintenance window to which the specified target belongs.
WindowId (string) --
The ID of the maintenance window.
Name (string) --
The name of the maintenance window.
NextToken (string) --
The token for the next set of items to return. (You use this token in the next call.)
Exceptions
SSM.Client.exceptions.InternalServerError
describe_ops_items
(**kwargs)¶Query a set of OpsItems. You must have permission in Identity and Access Management (IAM) to query a list of OpsItems. For more information, see Getting started with OpsCenter in the Amazon Web Services Systems Manager User Guide .
Operations engineers and IT professionals use Amazon Web Services Systems Manager OpsCenter to view, investigate, and remediate operational issues impacting the performance and health of their Amazon Web Services resources. For more information, see OpsCenter in the Amazon Web Services Systems Manager User Guide .
See also: AWS API Documentation
Request Syntax
response = client.describe_ops_items(
OpsItemFilters=[
{
'Key': 'Status'|'CreatedBy'|'Source'|'Priority'|'Title'|'OpsItemId'|'CreatedTime'|'LastModifiedTime'|'ActualStartTime'|'ActualEndTime'|'PlannedStartTime'|'PlannedEndTime'|'OperationalData'|'OperationalDataKey'|'OperationalDataValue'|'ResourceId'|'AutomationId'|'Category'|'Severity'|'OpsItemType'|'ChangeRequestByRequesterArn'|'ChangeRequestByRequesterName'|'ChangeRequestByApproverArn'|'ChangeRequestByApproverName'|'ChangeRequestByTemplate'|'ChangeRequestByTargetsResourceGroup'|'InsightByType'|'AccountId',
'Values': [
'string',
],
'Operator': 'Equal'|'Contains'|'GreaterThan'|'LessThan'
},
],
MaxResults=123,
NextToken='string'
)
One or more filters to limit the response.
*The Equals operator for Title matches the first 100 characters. If you specify more than 100 characters, they system returns an error that the filter value exceeds the length limit.
**If you filter the response by using the OperationalData operator, specify a key-value pair by using the following JSON format: {"key":"key_name","value":"a_value"}
Describes an OpsItem filter.
The name of the filter.
The filter value.
The operator used by the filter call.
dict
Response Syntax
{
'NextToken': 'string',
'OpsItemSummaries': [
{
'CreatedBy': 'string',
'CreatedTime': datetime(2015, 1, 1),
'LastModifiedBy': 'string',
'LastModifiedTime': datetime(2015, 1, 1),
'Priority': 123,
'Source': 'string',
'Status': 'Open'|'InProgress'|'Resolved'|'Pending'|'TimedOut'|'Cancelling'|'Cancelled'|'Failed'|'CompletedWithSuccess'|'CompletedWithFailure'|'Scheduled'|'RunbookInProgress'|'PendingChangeCalendarOverride'|'ChangeCalendarOverrideApproved'|'ChangeCalendarOverrideRejected'|'PendingApproval'|'Approved'|'Rejected'|'Closed',
'OpsItemId': 'string',
'Title': 'string',
'OperationalData': {
'string': {
'Value': 'string',
'Type': 'SearchableString'|'String'
}
},
'Category': 'string',
'Severity': 'string',
'OpsItemType': 'string',
'ActualStartTime': datetime(2015, 1, 1),
'ActualEndTime': datetime(2015, 1, 1),
'PlannedStartTime': datetime(2015, 1, 1),
'PlannedEndTime': datetime(2015, 1, 1)
},
]
}
Response Structure
(dict) --
NextToken (string) --
The token for the next set of items to return. Use this token to get the next set of results.
OpsItemSummaries (list) --
A list of OpsItems.
(dict) --
A count of OpsItems.
CreatedBy (string) --
The Amazon Resource Name (ARN) of the IAM entity that created the OpsItem.
CreatedTime (datetime) --
The date and time the OpsItem was created.
LastModifiedBy (string) --
The Amazon Resource Name (ARN) of the IAM entity that created the OpsItem.
LastModifiedTime (datetime) --
The date and time the OpsItem was last updated.
Priority (integer) --
The importance of this OpsItem in relation to other OpsItems in the system.
Source (string) --
The impacted Amazon Web Services resource.
Status (string) --
The OpsItem status. Status can be Open
, In Progress
, or Resolved
.
OpsItemId (string) --
The ID of the OpsItem.
Title (string) --
A short heading that describes the nature of the OpsItem and the impacted resource.
OperationalData (dict) --
Operational data is custom data that provides useful reference details about the OpsItem.
(string) --
(dict) --
An object that defines the value of the key and its type in the OperationalData map.
Value (string) --
The value of the OperationalData key.
Type (string) --
The type of key-value pair. Valid types include SearchableString
and String
.
Category (string) --
A list of OpsItems by category.
Severity (string) --
A list of OpsItems by severity.
OpsItemType (string) --
The type of OpsItem. Systems Manager supports the following types of OpsItems:
/aws/issue
This type of OpsItem is used for default OpsItems created by OpsCenter./aws/changerequest
This type of OpsItem is used by Change Manager for reviewing and approving or rejecting change requests./aws/insights
This type of OpsItem is used by OpsCenter for aggregating and reporting on duplicate OpsItems.ActualStartTime (datetime) --
The time a runbook workflow started. Currently reported only for the OpsItem type /aws/changerequest
.
ActualEndTime (datetime) --
The time a runbook workflow ended. Currently reported only for the OpsItem type /aws/changerequest
.
PlannedStartTime (datetime) --
The time specified in a change request for a runbook workflow to start. Currently supported only for the OpsItem type /aws/changerequest
.
PlannedEndTime (datetime) --
The time specified in a change request for a runbook workflow to end. Currently supported only for the OpsItem type /aws/changerequest
.
Exceptions
SSM.Client.exceptions.InternalServerError
describe_parameters
(**kwargs)¶Get information about a parameter.
Request results are returned on a best-effort basis. If you specify MaxResults
in the request, the response includes information up to the limit specified. The number of items returned, however, can be between zero and the value of MaxResults
. If the service reaches an internal limit while processing the results, it stops the operation and returns the matching values up to that point and a NextToken
. You can specify the NextToken
in a subsequent call to get the next set of results.
Warning
If you change the KMS key alias for the KMS key used to encrypt a parameter, then you must also update the key alias the parameter uses to reference KMS. Otherwise, DescribeParameters
retrieves whatever the original key alias was referencing.
See also: AWS API Documentation
Request Syntax
response = client.describe_parameters(
Filters=[
{
'Key': 'Name'|'Type'|'KeyId',
'Values': [
'string',
]
},
],
ParameterFilters=[
{
'Key': 'string',
'Option': 'string',
'Values': [
'string',
]
},
],
MaxResults=123,
NextToken='string'
)
This data type is deprecated. Instead, use ParameterFilters
.
This data type is deprecated. Instead, use ParameterStringFilter.
The name of the filter.
The filter values.
Filters to limit the request results.
One or more filters. Use a filter to return a more specific list of results.
The name of the filter.
The ParameterStringFilter
object is used by the DescribeParameters and GetParametersByPath API operations. However, not all of the pattern values listed for Key
can be used with both operations.
For DescribeParameters
, all of the listed patterns are valid except Label
.
For GetParametersByPath
, the following patterns listed for Key
aren't valid: tag
, DataType
, Name
, Path
, and Tier
.
For examples of Amazon Web Services CLI commands demonstrating valid parameter filter constructions, see Searching for Systems Manager parameters in the Amazon Web Services Systems Manager User Guide .
For all filters used with DescribeParameters, valid options include Equals
and BeginsWith
. The Name
filter additionally supports the Contains
option. (Exception: For filters using the key Path
, valid options include Recursive
and OneLevel
.)
For filters used with GetParametersByPath, valid options include Equals
and BeginsWith
. (Exception: For filters using Label
as the Key name, the only valid option is Equals
.)
The value you want to search for.
dict
Response Syntax
{
'Parameters': [
{
'Name': 'string',
'Type': 'String'|'StringList'|'SecureString',
'KeyId': 'string',
'LastModifiedDate': datetime(2015, 1, 1),
'LastModifiedUser': 'string',
'Description': 'string',
'AllowedPattern': 'string',
'Version': 123,
'Tier': 'Standard'|'Advanced'|'Intelligent-Tiering',
'Policies': [
{
'PolicyText': 'string',
'PolicyType': 'string',
'PolicyStatus': 'string'
},
],
'DataType': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Parameters (list) --
Parameters returned by the request.
(dict) --
Metadata includes information like the ARN of the last user and the date/time the parameter was last used.
Name (string) --
The parameter name.
Type (string) --
The type of parameter. Valid parameter types include the following: String
, StringList
, and SecureString
.
KeyId (string) --
The ID of the query key used for this parameter.
LastModifiedDate (datetime) --
Date the parameter was last changed or updated.
LastModifiedUser (string) --
Amazon Resource Name (ARN) of the Amazon Web Services user who last changed the parameter.
Description (string) --
Description of the parameter actions.
AllowedPattern (string) --
A parameter name can include only the following letters and symbols.
Version (integer) --
The parameter version.
Tier (string) --
The parameter tier.
Policies (list) --
A list of policies associated with a parameter.
(dict) --
One or more policies assigned to a parameter.
PolicyText (string) --
The JSON text of the policy.
PolicyType (string) --
The type of policy. Parameter Store, a capability of Amazon Web Services Systems Manager, supports the following policy types: Expiration, ExpirationNotification, and NoChangeNotification.
PolicyStatus (string) --
The status of the policy. Policies report the following statuses: Pending (the policy hasn't been enforced or applied yet), Finished (the policy was applied), Failed (the policy wasn't applied), or InProgress (the policy is being applied now).
DataType (string) --
The data type of the parameter, such as text
or aws:ec2:image
. The default is text
.
NextToken (string) --
The token to use when requesting the next set of items.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidFilterKey
SSM.Client.exceptions.InvalidFilterOption
SSM.Client.exceptions.InvalidFilterValue
SSM.Client.exceptions.InvalidNextToken
describe_patch_baselines
(**kwargs)¶Lists the patch baselines in your Amazon Web Services account.
See also: AWS API Documentation
Request Syntax
response = client.describe_patch_baselines(
Filters=[
{
'Key': 'string',
'Values': [
'string',
]
},
],
MaxResults=123,
NextToken='string'
)
Each element in the array is a structure containing a key-value pair.
Supported keys for DescribePatchBaselines
include the following:
NAME_PREFIX
Sample values: AWS-
| My-
OWNER
Sample values: AWS
| Self
OPERATING_SYSTEM
Sample values: AMAZON_LINUX
| SUSE
| WINDOWS
Defines a filter used in Patch Manager APIs. Supported filter keys depend on the API operation that includes the filter. Patch Manager API operations that use PatchOrchestratorFilter
include the following:
The key for the filter.
The value for the filter.
dict
Response Syntax
{
'BaselineIdentities': [
{
'BaselineId': 'string',
'BaselineName': 'string',
'OperatingSystem': 'WINDOWS'|'AMAZON_LINUX'|'AMAZON_LINUX_2'|'AMAZON_LINUX_2022'|'UBUNTU'|'REDHAT_ENTERPRISE_LINUX'|'SUSE'|'CENTOS'|'ORACLE_LINUX'|'DEBIAN'|'MACOS'|'RASPBIAN'|'ROCKY_LINUX',
'BaselineDescription': 'string',
'DefaultBaseline': True|False
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
BaselineIdentities (list) --
An array of PatchBaselineIdentity
elements.
(dict) --
Defines the basic information about a patch baseline.
BaselineId (string) --
The ID of the patch baseline.
BaselineName (string) --
The name of the patch baseline.
OperatingSystem (string) --
Defines the operating system the patch baseline applies to. The default value is WINDOWS
.
BaselineDescription (string) --
The description of the patch baseline.
DefaultBaseline (boolean) --
Whether this is the default baseline. Amazon Web Services Systems Manager supports creating multiple default patch baselines. For example, you can create a default patch baseline for each operating system.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Exceptions
SSM.Client.exceptions.InternalServerError
describe_patch_group_state
(**kwargs)¶Returns high-level aggregated patch compliance state information for a patch group.
See also: AWS API Documentation
Request Syntax
response = client.describe_patch_group_state(
PatchGroup='string'
)
[REQUIRED]
The name of the patch group whose patch snapshot should be retrieved.
{
'Instances': 123,
'InstancesWithInstalledPatches': 123,
'InstancesWithInstalledOtherPatches': 123,
'InstancesWithInstalledPendingRebootPatches': 123,
'InstancesWithInstalledRejectedPatches': 123,
'InstancesWithMissingPatches': 123,
'InstancesWithFailedPatches': 123,
'InstancesWithNotApplicablePatches': 123,
'InstancesWithUnreportedNotApplicablePatches': 123,
'InstancesWithCriticalNonCompliantPatches': 123,
'InstancesWithSecurityNonCompliantPatches': 123,
'InstancesWithOtherNonCompliantPatches': 123
}
Response Structure
The number of managed nodes in the patch group.
The number of managed nodes with installed patches.
The number of managed nodes with patches installed that aren't defined in the patch baseline.
The number of managed nodes with patches installed by Patch Manager that haven't been rebooted after the patch installation. The status of these managed nodes is NON_COMPLIANT
.
The number of managed nodes with patches installed that are specified in a RejectedPatches
list. Patches with a status of INSTALLED_REJECTED
were typically installed before they were added to a RejectedPatches
list.
Note
If ALLOW_AS_DEPENDENCY
is the specified option for RejectedPatchesAction
, the value of InstancesWithInstalledRejectedPatches
will always be 0
(zero).
The number of managed nodes with missing patches from the patch baseline.
The number of managed nodes with patches from the patch baseline that failed to install.
The number of managed nodes with patches that aren't applicable.
The number of managed nodes with NotApplicable
patches beyond the supported limit, which aren't reported by name to Inventory. Inventory is a capability of Amazon Web Services Systems Manager.
The number of managed nodes where patches that are specified as Critical
for compliance reporting in the patch baseline aren't installed. These patches might be missing, have failed installation, were rejected, or were installed but awaiting a required managed node reboot. The status of these managed nodes is NON_COMPLIANT
.
The number of managed nodes where patches that are specified as Security
in a patch advisory aren't installed. These patches might be missing, have failed installation, were rejected, or were installed but awaiting a required managed node reboot. The status of these managed nodes is NON_COMPLIANT
.
The number of managed nodes with patches installed that are specified as other than Critical
or Security
but aren't compliant with the patch baseline. The status of these managed nodes is NON_COMPLIANT
.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidNextToken
describe_patch_groups
(**kwargs)¶Lists all patch groups that have been registered with patch baselines.
See also: AWS API Documentation
Request Syntax
response = client.describe_patch_groups(
MaxResults=123,
Filters=[
{
'Key': 'string',
'Values': [
'string',
]
},
],
NextToken='string'
)
Each element in the array is a structure containing a key-value pair.
Supported keys for DescribePatchGroups
include the following:
NAME_PREFIX
Sample values: AWS-
| My-
.OPERATING_SYSTEM
Sample values: AMAZON_LINUX
| SUSE
| WINDOWS
Defines a filter used in Patch Manager APIs. Supported filter keys depend on the API operation that includes the filter. Patch Manager API operations that use PatchOrchestratorFilter
include the following:
The key for the filter.
The value for the filter.
dict
Response Syntax
{
'Mappings': [
{
'PatchGroup': 'string',
'BaselineIdentity': {
'BaselineId': 'string',
'BaselineName': 'string',
'OperatingSystem': 'WINDOWS'|'AMAZON_LINUX'|'AMAZON_LINUX_2'|'AMAZON_LINUX_2022'|'UBUNTU'|'REDHAT_ENTERPRISE_LINUX'|'SUSE'|'CENTOS'|'ORACLE_LINUX'|'DEBIAN'|'MACOS'|'RASPBIAN'|'ROCKY_LINUX',
'BaselineDescription': 'string',
'DefaultBaseline': True|False
}
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Mappings (list) --
Each entry in the array contains:
PatchGroup
: string (between 1 and 256 characters. Regex: ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$)
PatchBaselineIdentity
: A PatchBaselineIdentity
element.(dict) --
The mapping between a patch group and the patch baseline the patch group is registered with.
PatchGroup (string) --
The name of the patch group registered with the patch baseline.
BaselineIdentity (dict) --
The patch baseline the patch group is registered with.
BaselineId (string) --
The ID of the patch baseline.
BaselineName (string) --
The name of the patch baseline.
OperatingSystem (string) --
Defines the operating system the patch baseline applies to. The default value is WINDOWS
.
BaselineDescription (string) --
The description of the patch baseline.
DefaultBaseline (boolean) --
Whether this is the default baseline. Amazon Web Services Systems Manager supports creating multiple default patch baselines. For example, you can create a default patch baseline for each operating system.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Exceptions
SSM.Client.exceptions.InternalServerError
describe_patch_properties
(**kwargs)¶Lists the properties of available patches organized by product, product family, classification, severity, and other properties of available patches. You can use the reported properties in the filters you specify in requests for operations such as CreatePatchBaseline, UpdatePatchBaseline, DescribeAvailablePatches, and DescribePatchBaselines.
The following section lists the properties that can be used in filters for each major operating system type:
AMAZON_LINUX
Valid properties: PRODUCT
| CLASSIFICATION
| SEVERITY
AMAZON_LINUX_2
Valid properties: PRODUCT
| CLASSIFICATION
| SEVERITY
CENTOS
Valid properties: PRODUCT
| CLASSIFICATION
| SEVERITY
DEBIAN
Valid properties: PRODUCT
| PRIORITY
MACOS
Valid properties: PRODUCT
| CLASSIFICATION
ORACLE_LINUX
Valid properties: PRODUCT
| CLASSIFICATION
| SEVERITY
REDHAT_ENTERPRISE_LINUX
Valid properties: PRODUCT
| CLASSIFICATION
| SEVERITY
SUSE
Valid properties: PRODUCT
| CLASSIFICATION
| SEVERITY
UBUNTU
Valid properties: PRODUCT
| PRIORITY
WINDOWS
Valid properties: PRODUCT
| PRODUCT_FAMILY
| CLASSIFICATION
| MSRC_SEVERITY
See also: AWS API Documentation
Request Syntax
response = client.describe_patch_properties(
OperatingSystem='WINDOWS'|'AMAZON_LINUX'|'AMAZON_LINUX_2'|'AMAZON_LINUX_2022'|'UBUNTU'|'REDHAT_ENTERPRISE_LINUX'|'SUSE'|'CENTOS'|'ORACLE_LINUX'|'DEBIAN'|'MACOS'|'RASPBIAN'|'ROCKY_LINUX',
Property='PRODUCT'|'PRODUCT_FAMILY'|'CLASSIFICATION'|'MSRC_SEVERITY'|'PRIORITY'|'SEVERITY',
PatchSet='OS'|'APPLICATION',
MaxResults=123,
NextToken='string'
)
[REQUIRED]
The operating system type for which to list patches.
[REQUIRED]
The patch property for which you want to view patch details.
dict
Response Syntax
{
'Properties': [
{
'string': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Properties (list) --
A list of the properties for patches matching the filter request parameters.
NextToken (string) --
The token for the next set of items to return. (You use this token in the next call.)
Exceptions
SSM.Client.exceptions.InternalServerError
describe_sessions
(**kwargs)¶Retrieves a list of all active sessions (both connected and disconnected) or terminated sessions from the past 30 days.
See also: AWS API Documentation
Request Syntax
response = client.describe_sessions(
State='Active'|'History',
MaxResults=123,
NextToken='string',
Filters=[
{
'key': 'InvokedAfter'|'InvokedBefore'|'Target'|'Owner'|'Status'|'SessionId',
'value': 'string'
},
]
)
[REQUIRED]
The session status to retrieve a list of sessions for. For example, "Active".
One or more filters to limit the type of sessions returned by the request.
Describes a filter for Session Manager information.
The name of the filter.
The filter value. Valid values for each filter key are as follows:
dict
Response Syntax
{
'Sessions': [
{
'SessionId': 'string',
'Target': 'string',
'Status': 'Connected'|'Connecting'|'Disconnected'|'Terminated'|'Terminating'|'Failed',
'StartDate': datetime(2015, 1, 1),
'EndDate': datetime(2015, 1, 1),
'DocumentName': 'string',
'Owner': 'string',
'Reason': 'string',
'Details': 'string',
'OutputUrl': {
'S3OutputUrl': 'string',
'CloudWatchOutputUrl': 'string'
},
'MaxSessionDuration': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Sessions (list) --
A list of sessions meeting the request parameters.
(dict) --
Information about a Session Manager connection to a managed node.
SessionId (string) --
The ID of the session.
Target (string) --
The managed node that the Session Manager session connected to.
Status (string) --
The status of the session. For example, "Connected" or "Terminated".
StartDate (datetime) --
The date and time, in ISO-8601 Extended format, when the session began.
EndDate (datetime) --
The date and time, in ISO-8601 Extended format, when the session was terminated.
DocumentName (string) --
The name of the Session Manager SSM document used to define the parameters and plugin settings for the session. For example, SSM-SessionManagerRunShell
.
Owner (string) --
The ID of the Amazon Web Services user account that started the session.
Reason (string) --
The reason for connecting to the instance.
Details (string) --
Reserved for future use.
OutputUrl (dict) --
Reserved for future use.
S3OutputUrl (string) --
Reserved for future use.
CloudWatchOutputUrl (string) --
Reserved for future use.
MaxSessionDuration (string) --
The maximum duration of a session before it terminates.
NextToken (string) --
The token for the next set of items to return. (You received this token from a previous call.)
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidFilterKey
SSM.Client.exceptions.InvalidNextToken
Deletes the association between an OpsItem and a related item. For example, this API operation can delete an Incident Manager incident from an OpsItem. Incident Manager is a capability of Amazon Web Services Systems Manager.
See also: AWS API Documentation
Request Syntax
response = client.disassociate_ops_item_related_item(
OpsItemId='string',
AssociationId='string'
)
[REQUIRED]
The ID of the OpsItem for which you want to delete an association between the OpsItem and a related item.
[REQUIRED]
The ID of the association for which you want to delete an association between the OpsItem and a related item.
dict
Response Syntax
{}
Response Structure
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.OpsItemRelatedItemAssociationNotFoundException
SSM.Client.exceptions.OpsItemNotFoundException
SSM.Client.exceptions.OpsItemInvalidParameterException
get_automation_execution
(**kwargs)¶Get detailed information about a particular Automation execution.
See also: AWS API Documentation
Request Syntax
response = client.get_automation_execution(
AutomationExecutionId='string'
)
[REQUIRED]
The unique identifier for an existing automation execution to examine. The execution ID is returned by StartAutomationExecution when the execution of an Automation runbook is initiated.
{
'AutomationExecution': {
'AutomationExecutionId': 'string',
'DocumentName': 'string',
'DocumentVersion': 'string',
'ExecutionStartTime': datetime(2015, 1, 1),
'ExecutionEndTime': datetime(2015, 1, 1),
'AutomationExecutionStatus': 'Pending'|'InProgress'|'Waiting'|'Success'|'TimedOut'|'Cancelling'|'Cancelled'|'Failed'|'PendingApproval'|'Approved'|'Rejected'|'Scheduled'|'RunbookInProgress'|'PendingChangeCalendarOverride'|'ChangeCalendarOverrideApproved'|'ChangeCalendarOverrideRejected'|'CompletedWithSuccess'|'CompletedWithFailure',
'StepExecutions': [
{
'StepName': 'string',
'Action': 'string',
'TimeoutSeconds': 123,
'OnFailure': 'string',
'MaxAttempts': 123,
'ExecutionStartTime': datetime(2015, 1, 1),
'ExecutionEndTime': datetime(2015, 1, 1),
'StepStatus': 'Pending'|'InProgress'|'Waiting'|'Success'|'TimedOut'|'Cancelling'|'Cancelled'|'Failed'|'PendingApproval'|'Approved'|'Rejected'|'Scheduled'|'RunbookInProgress'|'PendingChangeCalendarOverride'|'ChangeCalendarOverrideApproved'|'ChangeCalendarOverrideRejected'|'CompletedWithSuccess'|'CompletedWithFailure',
'ResponseCode': 'string',
'Inputs': {
'string': 'string'
},
'Outputs': {
'string': [
'string',
]
},
'Response': 'string',
'FailureMessage': 'string',
'FailureDetails': {
'FailureStage': 'string',
'FailureType': 'string',
'Details': {
'string': [
'string',
]
}
},
'StepExecutionId': 'string',
'OverriddenParameters': {
'string': [
'string',
]
},
'IsEnd': True|False,
'NextStep': 'string',
'IsCritical': True|False,
'ValidNextSteps': [
'string',
],
'Targets': [
{
'Key': 'string',
'Values': [
'string',
]
},
],
'TargetLocation': {
'Accounts': [
'string',
],
'Regions': [
'string',
],
'TargetLocationMaxConcurrency': 'string',
'TargetLocationMaxErrors': 'string',
'ExecutionRoleName': 'string',
'TargetLocationAlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
}
},
'TriggeredAlarms': [
{
'Name': 'string',
'State': 'UNKNOWN'|'ALARM'
},
]
},
],
'StepExecutionsTruncated': True|False,
'Parameters': {
'string': [
'string',
]
},
'Outputs': {
'string': [
'string',
]
},
'FailureMessage': 'string',
'Mode': 'Auto'|'Interactive',
'ParentAutomationExecutionId': 'string',
'ExecutedBy': 'string',
'CurrentStepName': 'string',
'CurrentAction': 'string',
'TargetParameterName': 'string',
'Targets': [
{
'Key': 'string',
'Values': [
'string',
]
},
],
'TargetMaps': [
{
'string': [
'string',
]
},
],
'ResolvedTargets': {
'ParameterValues': [
'string',
],
'Truncated': True|False
},
'MaxConcurrency': 'string',
'MaxErrors': 'string',
'Target': 'string',
'TargetLocations': [
{
'Accounts': [
'string',
],
'Regions': [
'string',
],
'TargetLocationMaxConcurrency': 'string',
'TargetLocationMaxErrors': 'string',
'ExecutionRoleName': 'string',
'TargetLocationAlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
}
},
],
'ProgressCounters': {
'TotalSteps': 123,
'SuccessSteps': 123,
'FailedSteps': 123,
'CancelledSteps': 123,
'TimedOutSteps': 123
},
'AlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
},
'TriggeredAlarms': [
{
'Name': 'string',
'State': 'UNKNOWN'|'ALARM'
},
],
'AutomationSubtype': 'ChangeRequest',
'ScheduledTime': datetime(2015, 1, 1),
'Runbooks': [
{
'DocumentName': 'string',
'DocumentVersion': 'string',
'Parameters': {
'string': [
'string',
]
},
'TargetParameterName': 'string',
'Targets': [
{
'Key': 'string',
'Values': [
'string',
]
},
],
'TargetMaps': [
{
'string': [
'string',
]
},
],
'MaxConcurrency': 'string',
'MaxErrors': 'string',
'TargetLocations': [
{
'Accounts': [
'string',
],
'Regions': [
'string',
],
'TargetLocationMaxConcurrency': 'string',
'TargetLocationMaxErrors': 'string',
'ExecutionRoleName': 'string',
'TargetLocationAlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
}
},
]
},
],
'OpsItemId': 'string',
'AssociationId': 'string',
'ChangeRequestName': 'string'
}
}
Response Structure
Detailed information about the current state of an automation execution.
The execution ID.
The name of the Automation runbook used during the execution.
The version of the document to use during execution.
The time the execution started.
The time the execution finished.
The execution status of the Automation.
A list of details about the current state of all steps that comprise an execution. An Automation runbook contains a list of steps that are run in order.
Detailed information about an the execution state of an Automation step.
The name of this execution step.
The action this step performs. The action determines the behavior of the step.
The timeout seconds of the step.
The action to take if the step fails. The default value is Abort
.
The maximum number of tries to run the action of the step. The default value is 1
.
If a step has begun execution, this contains the time the step started. If the step is in Pending status, this field isn't populated.
If a step has finished execution, this contains the time the execution ended. If the step hasn't yet concluded, this field isn't populated.
The execution status for this step.
The response code returned by the execution of the step.
Fully-resolved values passed into the step before execution.
Returned values from the execution of the step.
A message associated with the response code for an execution.
If a step failed, this message explains why the execution failed.
Information about the Automation failure.
The stage of the Automation execution when the failure occurred. The stages include the following: InputValidation, PreVerification, Invocation, PostVerification.
The type of Automation failure. Failure types include the following: Action, Permission, Throttling, Verification, Internal.
Detailed information about the Automation step failure.
The unique ID of a step execution.
A user-specified list of parameters to override when running a step.
The flag which can be used to end automation no matter whether the step succeeds or fails.
The next step after the step succeeds.
The flag which can be used to help decide whether the failure of current step leads to the Automation failure.
Strategies used when step fails, we support Continue and Abort. Abort will fail the automation when the step fails. Continue will ignore the failure of current step and allow automation to run the next step. With conditional branching, we add step:stepName to support the automation to go to another specific step.
The targets for the step execution.
An array of search criteria that targets managed nodes using a key-value pair that you specify.
Note
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide .
Supported formats include the following.
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>
Key=tag:<my-tag-key>,Values=<my-tag-value-1>,<my-tag-value-2>
Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>
Key=resource-groups:Name,Values=<resource-group-name>
Key=resource-groups:ResourceTypeFilters,Values=<resource-type-1>,<resource-type-2>
Key=ResourceGroup;Values=<resource-group-name>
For example:
Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
Key=tag:CostCenter,Values=CostCenter1,CostCenter2,CostCenter3
Key=tag-key,Values=Name,Instance-Type,CostCenter
Key=resource-groups:Name,Values=ProductionResourceGroup
This example demonstrates how to target all resources in the resource group ProductionResourceGroup in your maintenance window.Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
This example demonstrates how to target only Amazon Elastic Compute Cloud (Amazon EC2) instances and VPCs in your maintenance window.Key=ResourceGroup,Values=MyResourceGroup
Key=InstanceIds,Values=*
This example demonstrates how to target all managed instances in the Amazon Web Services Region where the association was created.For more information about how to send commands that target managed nodes using Key,Value
parameters, see Targeting multiple instances in the Amazon Web Services Systems Manager User Guide .
User-defined criteria for sending commands that target managed nodes that meet the criteria.
User-defined criteria that maps to Key
. For example, if you specified tag:ServerRole
, you could specify value:WebServer
to run a command on instances that include EC2 tags of ServerRole,WebServer
.
Depending on the type of target, the maximum number of values for a key might be lower than the global maximum of 50.
The combination of Amazon Web Services Regions and Amazon Web Services accounts targeted by the current Automation execution.
The Amazon Web Services accounts targeted by the current Automation execution.
The Amazon Web Services Regions targeted by the current Automation execution.
The maximum number of Amazon Web Services Regions and Amazon Web Services accounts allowed to run the Automation concurrently.
The maximum number of errors allowed before the system stops queueing additional Automation executions for the currently running Automation.
The Automation execution role used by the currently running Automation. If not specified, the default value is AWS-SystemsManager-AutomationExecutionRole
.
The details for the CloudWatch alarm you want to apply to an automation or command.
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
The name of the CloudWatch alarm specified in the configuration.
A CloudWatch alarm you apply to an automation or command.
The name of your CloudWatch alarm.
The CloudWatch alarms that were invoked by the automation.
The details about the state of your CloudWatch alarm.
The name of your CloudWatch alarm.
The state of your CloudWatch alarm.
A boolean value that indicates if the response contains the full list of the Automation step executions. If true, use the DescribeAutomationStepExecutions API operation to get the full list of step executions.
The key-value map of execution parameters, which were supplied when calling StartAutomationExecution.
The list of execution outputs as defined in the Automation runbook.
A message describing why an execution has failed, if the status is set to Failed.
The automation execution mode.
The AutomationExecutionId of the parent automation.
The Amazon Resource Name (ARN) of the user who ran the automation.
The name of the step that is currently running.
The action of the step that is currently running.
The parameter name.
The specified targets.
An array of search criteria that targets managed nodes using a key-value pair that you specify.
Note
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide .
Supported formats include the following.
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>
Key=tag:<my-tag-key>,Values=<my-tag-value-1>,<my-tag-value-2>
Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>
Key=resource-groups:Name,Values=<resource-group-name>
Key=resource-groups:ResourceTypeFilters,Values=<resource-type-1>,<resource-type-2>
Key=ResourceGroup;Values=<resource-group-name>
For example:
Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
Key=tag:CostCenter,Values=CostCenter1,CostCenter2,CostCenter3
Key=tag-key,Values=Name,Instance-Type,CostCenter
Key=resource-groups:Name,Values=ProductionResourceGroup
This example demonstrates how to target all resources in the resource group ProductionResourceGroup in your maintenance window.Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
This example demonstrates how to target only Amazon Elastic Compute Cloud (Amazon EC2) instances and VPCs in your maintenance window.Key=ResourceGroup,Values=MyResourceGroup
Key=InstanceIds,Values=*
This example demonstrates how to target all managed instances in the Amazon Web Services Region where the association was created.For more information about how to send commands that target managed nodes using Key,Value
parameters, see Targeting multiple instances in the Amazon Web Services Systems Manager User Guide .
User-defined criteria for sending commands that target managed nodes that meet the criteria.
User-defined criteria that maps to Key
. For example, if you specified tag:ServerRole
, you could specify value:WebServer
to run a command on instances that include EC2 tags of ServerRole,WebServer
.
Depending on the type of target, the maximum number of values for a key might be lower than the global maximum of 50.
The specified key-value mapping of document parameters to target resources.
A list of resolved targets in the rate control execution.
A list of parameter values sent to targets that resolved during the Automation execution.
A boolean value indicating whether the resolved target list is truncated.
The MaxConcurrency
value specified by the user when the execution started.
The MaxErrors value specified by the user when the execution started.
The target of the execution.
The combination of Amazon Web Services Regions and/or Amazon Web Services accounts where you want to run the Automation.
The combination of Amazon Web Services Regions and Amazon Web Services accounts targeted by the current Automation execution.
The Amazon Web Services accounts targeted by the current Automation execution.
The Amazon Web Services Regions targeted by the current Automation execution.
The maximum number of Amazon Web Services Regions and Amazon Web Services accounts allowed to run the Automation concurrently.
The maximum number of errors allowed before the system stops queueing additional Automation executions for the currently running Automation.
The Automation execution role used by the currently running Automation. If not specified, the default value is AWS-SystemsManager-AutomationExecutionRole
.
The details for the CloudWatch alarm you want to apply to an automation or command.
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
The name of the CloudWatch alarm specified in the configuration.
A CloudWatch alarm you apply to an automation or command.
The name of your CloudWatch alarm.
An aggregate of step execution statuses displayed in the Amazon Web Services Systems Manager console for a multi-Region and multi-account Automation execution.
The total number of steps run in all specified Amazon Web Services Regions and Amazon Web Services accounts for the current Automation execution.
The total number of steps that successfully completed in all specified Amazon Web Services Regions and Amazon Web Services accounts for the current Automation execution.
The total number of steps that failed to run in all specified Amazon Web Services Regions and Amazon Web Services accounts for the current Automation execution.
The total number of steps that the system cancelled in all specified Amazon Web Services Regions and Amazon Web Services accounts for the current Automation execution.
The total number of steps that timed out in all specified Amazon Web Services Regions and Amazon Web Services accounts for the current Automation execution.
The details for the CloudWatch alarm applied to your automation.
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
The name of the CloudWatch alarm specified in the configuration.
A CloudWatch alarm you apply to an automation or command.
The name of your CloudWatch alarm.
The CloudWatch alarm that was invoked by the automation.
The details about the state of your CloudWatch alarm.
The name of your CloudWatch alarm.
The state of your CloudWatch alarm.
The subtype of the Automation operation. Currently, the only supported value is ChangeRequest
.
The date and time the Automation operation is scheduled to start.
Information about the Automation runbooks that are run as part of a runbook workflow.
Note
The Automation runbooks specified for the runbook workflow can't run until all required approvals for the change request have been received.
Information about an Automation runbook used in a runbook workflow in Change Manager.
Note
The Automation runbooks specified for the runbook workflow can't run until all required approvals for the change request have been received.
The name of the Automation runbook used in a runbook workflow.
The version of the Automation runbook used in a runbook workflow.
The key-value map of execution parameters, which were supplied when calling StartChangeRequestExecution
.
The name of the parameter used as the target resource for the rate-controlled runbook workflow. Required if you specify Targets
.
A key-value mapping to target resources that the runbook operation performs tasks on. Required if you specify TargetParameterName
.
An array of search criteria that targets managed nodes using a key-value pair that you specify.
Note
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide .
Supported formats include the following.
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>
Key=tag:<my-tag-key>,Values=<my-tag-value-1>,<my-tag-value-2>
Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>
Key=resource-groups:Name,Values=<resource-group-name>
Key=resource-groups:ResourceTypeFilters,Values=<resource-type-1>,<resource-type-2>
Key=ResourceGroup;Values=<resource-group-name>
For example:
Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
Key=tag:CostCenter,Values=CostCenter1,CostCenter2,CostCenter3
Key=tag-key,Values=Name,Instance-Type,CostCenter
Key=resource-groups:Name,Values=ProductionResourceGroup
This example demonstrates how to target all resources in the resource group ProductionResourceGroup in your maintenance window.Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
This example demonstrates how to target only Amazon Elastic Compute Cloud (Amazon EC2) instances and VPCs in your maintenance window.Key=ResourceGroup,Values=MyResourceGroup
Key=InstanceIds,Values=*
This example demonstrates how to target all managed instances in the Amazon Web Services Region where the association was created.For more information about how to send commands that target managed nodes using Key,Value
parameters, see Targeting multiple instances in the Amazon Web Services Systems Manager User Guide .
User-defined criteria for sending commands that target managed nodes that meet the criteria.
User-defined criteria that maps to Key
. For example, if you specified tag:ServerRole
, you could specify value:WebServer
to run a command on instances that include EC2 tags of ServerRole,WebServer
.
Depending on the type of target, the maximum number of values for a key might be lower than the global maximum of 50.
A key-value mapping of runbook parameters to target resources. Both Targets and TargetMaps can't be specified together.
The MaxConcurrency
value specified by the user when the operation started, indicating the maximum number of resources that the runbook operation can run on at the same time.
The MaxErrors
value specified by the user when the execution started, indicating the maximum number of errors that can occur during the operation before the updates are stopped or rolled back.
Information about the Amazon Web Services Regions and Amazon Web Services accounts targeted by the current Runbook operation.
The combination of Amazon Web Services Regions and Amazon Web Services accounts targeted by the current Automation execution.
The Amazon Web Services accounts targeted by the current Automation execution.
The Amazon Web Services Regions targeted by the current Automation execution.
The maximum number of Amazon Web Services Regions and Amazon Web Services accounts allowed to run the Automation concurrently.
The maximum number of errors allowed before the system stops queueing additional Automation executions for the currently running Automation.
The Automation execution role used by the currently running Automation. If not specified, the default value is AWS-SystemsManager-AutomationExecutionRole
.
The details for the CloudWatch alarm you want to apply to an automation or command.
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
The name of the CloudWatch alarm specified in the configuration.
A CloudWatch alarm you apply to an automation or command.
The name of your CloudWatch alarm.
The ID of an OpsItem that is created to represent a Change Manager change request.
The ID of a State Manager association used in the Automation operation.
The name of the Change Manager change request.
Exceptions
SSM.Client.exceptions.AutomationExecutionNotFoundException
SSM.Client.exceptions.InternalServerError
get_calendar_state
(**kwargs)¶Gets the state of a Amazon Web Services Systems Manager change calendar at the current time or a specified time. If you specify a time, GetCalendarState
returns the state of the calendar at that specific time, and returns the next time that the change calendar state will transition. If you don't specify a time, GetCalendarState
uses the current time. Change Calendar entries have two possible states: OPEN
or CLOSED
.
If you specify more than one calendar in a request, the command returns the status of OPEN
only if all calendars in the request are open. If one or more calendars in the request are closed, the status returned is CLOSED
.
For more information about Change Calendar, a capability of Amazon Web Services Systems Manager, see Amazon Web Services Systems Manager Change Calendar in the Amazon Web Services Systems Manager User Guide .
See also: AWS API Documentation
Request Syntax
response = client.get_calendar_state(
CalendarNames=[
'string',
],
AtTime='string'
)
[REQUIRED]
The names or Amazon Resource Names (ARNs) of the Systems Manager documents (SSM documents) that represent the calendar entries for which you want to get the state.
AtTime
, the current time is used.dict
Response Syntax
{
'State': 'OPEN'|'CLOSED',
'AtTime': 'string',
'NextTransitionTime': 'string'
}
Response Structure
(dict) --
State (string) --
The state of the calendar. An OPEN
calendar indicates that actions are allowed to proceed, and a CLOSED
calendar indicates that actions aren't allowed to proceed.
AtTime (string) --
The time, as an ISO 8601 string, that you specified in your command. If you don't specify a time, GetCalendarState
uses the current time.
NextTransitionTime (string) --
The time, as an ISO 8601 string, that the calendar state will change. If the current calendar state is OPEN
, NextTransitionTime
indicates when the calendar state changes to CLOSED
, and vice-versa.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidDocument
SSM.Client.exceptions.InvalidDocumentType
SSM.Client.exceptions.UnsupportedCalendarException
get_command_invocation
(**kwargs)¶Returns detailed information about command execution for an invocation or plugin.
GetCommandInvocation
only gives the execution status of a plugin in a document. To get the command execution status on a specific managed node, use ListCommandInvocations. To get the command execution status across managed nodes, use ListCommands.
See also: AWS API Documentation
Request Syntax
response = client.get_command_invocation(
CommandId='string',
InstanceId='string',
PluginName='string'
)
[REQUIRED]
(Required) The parent command ID of the invocation plugin.
[REQUIRED]
(Required) The ID of the managed node targeted by the command. A managed node can be an Amazon Elastic Compute Cloud (Amazon EC2) instance, edge device, and on-premises server or VM in your hybrid environment that is configured for Amazon Web Services Systems Manager.
The name of the step for which you want detailed results. If the document contains only one step, you can omit the name and details for that step. If the document contains more than one step, you must specify the name of the step for which you want to view details. Be sure to specify the name of the step, not the name of a plugin like aws:RunShellScript
.
To find the PluginName
, check the document content and find the name of the step you want details for. Alternatively, use ListCommandInvocations with the CommandId
and Details
parameters. The PluginName
is the Name
attribute of the CommandPlugin
object in the CommandPlugins
list.
dict
Response Syntax
{
'CommandId': 'string',
'InstanceId': 'string',
'Comment': 'string',
'DocumentName': 'string',
'DocumentVersion': 'string',
'PluginName': 'string',
'ResponseCode': 123,
'ExecutionStartDateTime': 'string',
'ExecutionElapsedTime': 'string',
'ExecutionEndDateTime': 'string',
'Status': 'Pending'|'InProgress'|'Delayed'|'Success'|'Cancelled'|'TimedOut'|'Failed'|'Cancelling',
'StatusDetails': 'string',
'StandardOutputContent': 'string',
'StandardOutputUrl': 'string',
'StandardErrorContent': 'string',
'StandardErrorUrl': 'string',
'CloudWatchOutputConfig': {
'CloudWatchLogGroupName': 'string',
'CloudWatchOutputEnabled': True|False
}
}
Response Structure
(dict) --
CommandId (string) --
The parent command ID of the invocation plugin.
InstanceId (string) --
The ID of the managed node targeted by the command. A managed node can be an Amazon Elastic Compute Cloud (Amazon EC2) instance, edge device, or on-premises server or VM in your hybrid environment that is configured for Amazon Web Services Systems Manager.
Comment (string) --
The comment text for the command.
DocumentName (string) --
The name of the document that was run. For example, AWS-RunShellScript
.
DocumentVersion (string) --
The Systems Manager document (SSM document) version used in the request.
PluginName (string) --
The name of the plugin, or step name , for which details are reported. For example, aws:RunShellScript
is a plugin.
ResponseCode (integer) --
The error level response code for the plugin script. If the response code is -1
, then the command hasn't started running on the managed node, or it wasn't received by the node.
ExecutionStartDateTime (string) --
The date and time the plugin started running. Date and time are written in ISO 8601 format. For example, June 7, 2017 is represented as 2017-06-7. The following sample Amazon Web Services CLI command uses the InvokedBefore
filter.
aws ssm list-commands --filters key=InvokedBefore,value=2017-06-07T00:00:00Z
If the plugin hasn't started to run, the string is empty.
ExecutionElapsedTime (string) --
Duration since ExecutionStartDateTime
.
ExecutionEndDateTime (string) --
The date and time the plugin finished running. Date and time are written in ISO 8601 format. For example, June 7, 2017 is represented as 2017-06-7. The following sample Amazon Web Services CLI command uses the InvokedAfter
filter.
aws ssm list-commands --filters key=InvokedAfter,value=2017-06-07T00:00:00Z
If the plugin hasn't started to run, the string is empty.
Status (string) --
The status of this invocation plugin. This status can be different than StatusDetails
.
StatusDetails (string) --
A detailed status of the command execution for an invocation. StatusDetails
includes more information than Status
because it includes states resulting from error and concurrency control parameters. StatusDetails
can show different results than Status
. For more information about these statuses, see Understanding command statuses in the Amazon Web Services Systems Manager User Guide . StatusDetails
can be one of the following values:
MaxErrors
limit, but they do contribute to whether the parent command status is Success or Incomplete. This is a terminal state.MaxErrors
limit of the parent command. This is a terminal state.MaxErrors
limit of the parent command. This is a terminal state.MaxErrors
limit and don't contribute to whether the parent command status is Success or Incomplete. This is a terminal state.MaxErrors
limit and subsequent command invocations were canceled by the system. This is a terminal state.StandardOutputContent (string) --
The first 24,000 characters written by the plugin to stdout
. If the command hasn't finished running, if ExecutionStatus
is neither Succeeded nor Failed, then this string is empty.
StandardOutputUrl (string) --
The URL for the complete text written by the plugin to stdout
in Amazon Simple Storage Service (Amazon S3). If an S3 bucket wasn't specified, then this string is empty.
StandardErrorContent (string) --
The first 8,000 characters written by the plugin to stderr
. If the command hasn't finished running, then this string is empty.
StandardErrorUrl (string) --
The URL for the complete text written by the plugin to stderr
. If the command hasn't finished running, then this string is empty.
CloudWatchOutputConfig (dict) --
Amazon CloudWatch Logs information where Systems Manager sent the command output.
CloudWatchLogGroupName (string) --
The name of the CloudWatch Logs log group where you want to send command output. If you don't specify a group name, Amazon Web Services Systems Manager automatically creates a log group for you. The log group uses the following naming format:
aws/ssm/SystemsManagerDocumentName
CloudWatchOutputEnabled (boolean) --
Enables Systems Manager to send command output to CloudWatch Logs.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidCommandId
SSM.Client.exceptions.InvalidInstanceId
SSM.Client.exceptions.InvalidPluginName
SSM.Client.exceptions.InvocationDoesNotExist
get_connection_status
(**kwargs)¶Retrieves the Session Manager connection status for a managed node to determine whether it is running and ready to receive Session Manager connections.
See also: AWS API Documentation
Request Syntax
response = client.get_connection_status(
Target='string'
)
[REQUIRED]
The managed node ID.
{
'Target': 'string',
'Status': 'Connected'|'NotConnected'
}
Response Structure
The ID of the managed node to check connection status.
The status of the connection to the managed node. For example, 'Connected' or 'Not Connected'.
Exceptions
SSM.Client.exceptions.InternalServerError
get_default_patch_baseline
(**kwargs)¶Retrieves the default patch baseline. Amazon Web Services Systems Manager supports creating multiple default patch baselines. For example, you can create a default patch baseline for each operating system.
If you don't specify an operating system value, the default patch baseline for Windows is returned.
See also: AWS API Documentation
Request Syntax
response = client.get_default_patch_baseline(
OperatingSystem='WINDOWS'|'AMAZON_LINUX'|'AMAZON_LINUX_2'|'AMAZON_LINUX_2022'|'UBUNTU'|'REDHAT_ENTERPRISE_LINUX'|'SUSE'|'CENTOS'|'ORACLE_LINUX'|'DEBIAN'|'MACOS'|'RASPBIAN'|'ROCKY_LINUX'
)
{
'BaselineId': 'string',
'OperatingSystem': 'WINDOWS'|'AMAZON_LINUX'|'AMAZON_LINUX_2'|'AMAZON_LINUX_2022'|'UBUNTU'|'REDHAT_ENTERPRISE_LINUX'|'SUSE'|'CENTOS'|'ORACLE_LINUX'|'DEBIAN'|'MACOS'|'RASPBIAN'|'ROCKY_LINUX'
}
Response Structure
The ID of the default patch baseline.
The operating system for the returned patch baseline.
Exceptions
SSM.Client.exceptions.InternalServerError
get_deployable_patch_snapshot_for_instance
(**kwargs)¶Retrieves the current snapshot for the patch baseline the managed node uses. This API is primarily used by the AWS-RunPatchBaseline
Systems Manager document (SSM document).
Note
If you run the command locally, such as with the Command Line Interface (CLI), the system attempts to use your local Amazon Web Services credentials and the operation fails. To avoid this, you can run the command in the Amazon Web Services Systems Manager console. Use Run Command, a capability of Amazon Web Services Systems Manager, with an SSM document that enables you to target a managed node with a script or command. For example, run the command using the AWS-RunShellScript
document or the AWS-RunPowerShellScript
document.
See also: AWS API Documentation
Request Syntax
response = client.get_deployable_patch_snapshot_for_instance(
InstanceId='string',
SnapshotId='string',
BaselineOverride={
'OperatingSystem': 'WINDOWS'|'AMAZON_LINUX'|'AMAZON_LINUX_2'|'AMAZON_LINUX_2022'|'UBUNTU'|'REDHAT_ENTERPRISE_LINUX'|'SUSE'|'CENTOS'|'ORACLE_LINUX'|'DEBIAN'|'MACOS'|'RASPBIAN'|'ROCKY_LINUX',
'GlobalFilters': {
'PatchFilters': [
{
'Key': 'ARCH'|'ADVISORY_ID'|'BUGZILLA_ID'|'PATCH_SET'|'PRODUCT'|'PRODUCT_FAMILY'|'CLASSIFICATION'|'CVE_ID'|'EPOCH'|'MSRC_SEVERITY'|'NAME'|'PATCH_ID'|'SECTION'|'PRIORITY'|'REPOSITORY'|'RELEASE'|'SEVERITY'|'SECURITY'|'VERSION',
'Values': [
'string',
]
},
]
},
'ApprovalRules': {
'PatchRules': [
{
'PatchFilterGroup': {
'PatchFilters': [
{
'Key': 'ARCH'|'ADVISORY_ID'|'BUGZILLA_ID'|'PATCH_SET'|'PRODUCT'|'PRODUCT_FAMILY'|'CLASSIFICATION'|'CVE_ID'|'EPOCH'|'MSRC_SEVERITY'|'NAME'|'PATCH_ID'|'SECTION'|'PRIORITY'|'REPOSITORY'|'RELEASE'|'SEVERITY'|'SECURITY'|'VERSION',
'Values': [
'string',
]
},
]
},
'ComplianceLevel': 'CRITICAL'|'HIGH'|'MEDIUM'|'LOW'|'INFORMATIONAL'|'UNSPECIFIED',
'ApproveAfterDays': 123,
'ApproveUntilDate': 'string',
'EnableNonSecurity': True|False
},
]
},
'ApprovedPatches': [
'string',
],
'ApprovedPatchesComplianceLevel': 'CRITICAL'|'HIGH'|'MEDIUM'|'LOW'|'INFORMATIONAL'|'UNSPECIFIED',
'RejectedPatches': [
'string',
],
'RejectedPatchesAction': 'ALLOW_AS_DEPENDENCY'|'BLOCK',
'ApprovedPatchesEnableNonSecurity': True|False,
'Sources': [
{
'Name': 'string',
'Products': [
'string',
],
'Configuration': 'string'
},
]
}
)
[REQUIRED]
The ID of the managed node for which the appropriate patch snapshot should be retrieved.
[REQUIRED]
The snapshot ID provided by the user when running AWS-RunPatchBaseline
.
Defines the basic information about a patch baseline override.
The operating system rule used by the patch baseline override.
A set of patch filters, typically used for approval rules.
The set of patch filters that make up the group.
Defines which patches should be included in a patch baseline.
A patch filter consists of a key and a set of values. The filter key is a patch property. For example, the available filter keys for WINDOWS
are PATCH_SET
, PRODUCT
, PRODUCT_FAMILY
, CLASSIFICATION
, and MSRC_SEVERITY
.
The filter values define a matching criterion for the patch property indicated by the key. For example, if the filter key is PRODUCT
and the filter values are ["Office 2013", "Office 2016"]
, then the filter accepts all patches where product name is either "Office 2013" or "Office 2016". The filter values can be exact values for the patch property given as a key, or a wildcard (*), which matches all values.
You can view lists of valid values for the patch properties by running the DescribePatchProperties
command. For information about which patch properties can be used with each major operating system, see DescribePatchProperties.
The key for the filter.
Run the DescribePatchProperties command to view lists of valid keys for each operating system type.
The value for the filter key.
Run the DescribePatchProperties command to view lists of valid values for each key based on operating system type.
A set of rules defining the approval rules for a patch baseline.
The rules that make up the rule group.
Defines an approval rule for a patch baseline.
The patch filter group that defines the criteria for the rule.
The set of patch filters that make up the group.
Defines which patches should be included in a patch baseline.
A patch filter consists of a key and a set of values. The filter key is a patch property. For example, the available filter keys for WINDOWS
are PATCH_SET
, PRODUCT
, PRODUCT_FAMILY
, CLASSIFICATION
, and MSRC_SEVERITY
.
The filter values define a matching criterion for the patch property indicated by the key. For example, if the filter key is PRODUCT
and the filter values are ["Office 2013", "Office 2016"]
, then the filter accepts all patches where product name is either "Office 2013" or "Office 2016". The filter values can be exact values for the patch property given as a key, or a wildcard (*), which matches all values.
You can view lists of valid values for the patch properties by running the DescribePatchProperties
command. For information about which patch properties can be used with each major operating system, see DescribePatchProperties.
The key for the filter.
Run the DescribePatchProperties command to view lists of valid keys for each operating system type.
The value for the filter key.
Run the DescribePatchProperties command to view lists of valid values for each key based on operating system type.
A compliance severity level for all approved patches in a patch baseline.
The number of days after the release date of each patch matched by the rule that the patch is marked as approved in the patch baseline. For example, a value of 7
means that patches are approved seven days after they are released. Not supported on Debian Server or Ubuntu Server.
The cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically. Not supported on Debian Server or Ubuntu Server.
Enter dates in the format YYYY-MM-DD
. For example, 2021-12-31
.
For managed nodes identified by the approval rule filters, enables a patch baseline to apply non-security updates available in the specified repository. The default value is false
. Applies to Linux managed nodes only.
A list of explicitly approved patches for the baseline.
For information about accepted formats for lists of approved patches and rejected patches, see About package name formats for approved and rejected patch lists in the Amazon Web Services Systems Manager User Guide .
Defines the compliance level for approved patches. When an approved patch is reported as missing, this value describes the severity of the compliance violation.
A list of explicitly rejected patches for the baseline.
For information about accepted formats for lists of approved patches and rejected patches, see About package name formats for approved and rejected patch lists in the Amazon Web Services Systems Manager User Guide .
The action for Patch Manager to take on patches included in the RejectedPackages
list. A patch can be allowed only if it is a dependency of another package, or blocked entirely along with packages that include it as a dependency.
Indicates whether the list of approved patches includes non-security updates that should be applied to the managed nodes. The default value is false
. Applies to Linux managed nodes only.
Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only.
Information about the patches to use to update the managed nodes, including target operating systems and source repository. Applies to Linux managed nodes only.
The name specified to identify the patch source.
The specific operating system versions a patch repository applies to, such as "Ubuntu16.04", "AmazonLinux2016.09", "RedhatEnterpriseLinux7.2" or "Suse12.7". For lists of supported product values, see PatchFilter.
The value of the yum repo configuration. For example:
[main]
name=MyCustomRepository
baseurl=https://my-custom-repository
enabled=1
Note
For information about other options available for your yum repository configuration, see dnf.conf(5).
dict
Response Syntax
{
'InstanceId': 'string',
'SnapshotId': 'string',
'SnapshotDownloadUrl': 'string',
'Product': 'string'
}
Response Structure
(dict) --
InstanceId (string) --
The managed node ID.
SnapshotId (string) --
The user-defined snapshot ID.
SnapshotDownloadUrl (string) --
A pre-signed Amazon Simple Storage Service (Amazon S3) URL that can be used to download the patch snapshot.
Product (string) --
Returns the specific operating system (for example Windows Server 2012 or Amazon Linux 2015.09) on the managed node for the specified patch snapshot.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.UnsupportedOperatingSystem
SSM.Client.exceptions.UnsupportedFeatureRequiredException
get_document
(**kwargs)¶Gets the contents of the specified Amazon Web Services Systems Manager document (SSM document).
See also: AWS API Documentation
Request Syntax
response = client.get_document(
Name='string',
VersionName='string',
DocumentVersion='string',
DocumentFormat='YAML'|'JSON'|'TEXT'
)
[REQUIRED]
The name of the SSM document.
dict
Response Syntax
{
'Name': 'string',
'CreatedDate': datetime(2015, 1, 1),
'DisplayName': 'string',
'VersionName': 'string',
'DocumentVersion': 'string',
'Status': 'Creating'|'Active'|'Updating'|'Deleting'|'Failed',
'StatusInformation': 'string',
'Content': 'string',
'DocumentType': 'Command'|'Policy'|'Automation'|'Session'|'Package'|'ApplicationConfiguration'|'ApplicationConfigurationSchema'|'DeploymentStrategy'|'ChangeCalendar'|'Automation.ChangeTemplate'|'ProblemAnalysis'|'ProblemAnalysisTemplate'|'CloudFormation'|'ConformancePackTemplate',
'DocumentFormat': 'YAML'|'JSON'|'TEXT',
'Requires': [
{
'Name': 'string',
'Version': 'string'
},
],
'AttachmentsContent': [
{
'Name': 'string',
'Size': 123,
'Hash': 'string',
'HashType': 'Sha256',
'Url': 'string'
},
],
'ReviewStatus': 'APPROVED'|'NOT_REVIEWED'|'PENDING'|'REJECTED'
}
Response Structure
(dict) --
Name (string) --
The name of the SSM document.
CreatedDate (datetime) --
The date the SSM document was created.
DisplayName (string) --
The friendly name of the SSM document. This value can differ for each version of the document. If you want to update this value, see UpdateDocument.
VersionName (string) --
The version of the artifact associated with the document. For example, "Release 12, Update 6". This value is unique across all versions of a document, and can't be changed.
DocumentVersion (string) --
The document version.
Status (string) --
The status of the SSM document, such as Creating
, Active
, Updating
, Failed
, and Deleting
.
StatusInformation (string) --
A message returned by Amazon Web Services Systems Manager that explains the Status
value. For example, a Failed
status might be explained by the StatusInformation
message, "The specified S3 bucket doesn't exist. Verify that the URL of the S3 bucket is correct."
Content (string) --
The contents of the SSM document.
DocumentType (string) --
The document type.
DocumentFormat (string) --
The document format, either JSON or YAML.
Requires (list) --
A list of SSM documents required by a document. For example, an ApplicationConfiguration
document requires an ApplicationConfigurationSchema
document.
(dict) --
An SSM document required by the current document.
Name (string) --
The name of the required SSM document. The name can be an Amazon Resource Name (ARN).
Version (string) --
The document version required by the current document.
AttachmentsContent (list) --
A description of the document attachments, including names, locations, sizes, and so on.
(dict) --
A structure that includes attributes that describe a document attachment.
Name (string) --
The name of an attachment.
Size (integer) --
The size of an attachment in bytes.
Hash (string) --
The cryptographic hash value of the document content.
HashType (string) --
The hash algorithm used to calculate the hash value.
Url (string) --
The URL location of the attachment content.
ReviewStatus (string) --
The current review status of a new custom Systems Manager document (SSM document) created by a member of your organization, or of the latest version of an existing SSM document.
Only one version of an SSM document can be in the APPROVED state at a time. When a new version is approved, the status of the previous version changes to REJECTED.
Only one version of an SSM document can be in review, or PENDING, at a time.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidDocument
SSM.Client.exceptions.InvalidDocumentVersion
get_inventory
(**kwargs)¶Query inventory information. This includes managed node status, such as Stopped
or Terminated
.
See also: AWS API Documentation
Request Syntax
response = client.get_inventory(
Filters=[
{
'Key': 'string',
'Values': [
'string',
],
'Type': 'Equal'|'NotEqual'|'BeginWith'|'LessThan'|'GreaterThan'|'Exists'
},
],
Aggregators=[
{
'Expression': 'string',
'Aggregators': {'... recursive ...'},
'Groups': [
{
'Name': 'string',
'Filters': [
{
'Key': 'string',
'Values': [
'string',
],
'Type': 'Equal'|'NotEqual'|'BeginWith'|'LessThan'|'GreaterThan'|'Exists'
},
]
},
]
},
],
ResultAttributes=[
{
'TypeName': 'string'
},
],
NextToken='string',
MaxResults=123
)
One or more filters. Use a filter to return a more specific list of results.
One or more filters. Use a filter to return a more specific list of results.
The name of the filter key.
Inventory filter values. Example: inventory filter where managed node IDs are specified as values Key=AWS:InstanceInformation.InstanceId,Values= i-a12b3c4d5e6g, i-1a2b3c4d5e6,Type=Equal
.
The type of filter.
Note
The Exists
filter must be used with aggregators. For more information, see Aggregating inventory data in the Amazon Web Services Systems Manager User Guide .
Returns counts of inventory types based on one or more expressions. For example, if you aggregate by using an expression that uses the AWS:InstanceInformation.PlatformType
type, you can see a count of how many Windows and Linux managed nodes exist in your inventoried fleet.
Specifies the inventory type and attribute for the aggregation execution.
The inventory type and attribute name for aggregation.
Nested aggregators to further refine aggregation for an inventory type.
A user-defined set of one or more filters on which to aggregate inventory data. Groups return a count of resources that match and don't match the specified criteria.
A user-defined set of one or more filters on which to aggregate inventory data. Groups return a count of resources that match and don't match the specified criteria.
The name of the group.
Filters define the criteria for the group. The matchingCount
field displays the number of resources that match the criteria. The notMatchingCount
field displays the number of resources that don't match the criteria.
One or more filters. Use a filter to return a more specific list of results.
The name of the filter key.
Inventory filter values. Example: inventory filter where managed node IDs are specified as values Key=AWS:InstanceInformation.InstanceId,Values= i-a12b3c4d5e6g, i-1a2b3c4d5e6,Type=Equal
.
The type of filter.
Note
The Exists
filter must be used with aggregators. For more information, see Aggregating inventory data in the Amazon Web Services Systems Manager User Guide .
The list of inventory item types to return.
The inventory item result attribute.
Name of the inventory item type. Valid value: AWS:InstanceInformation
. Default Value: AWS:InstanceInformation
.
dict
Response Syntax
{
'Entities': [
{
'Id': 'string',
'Data': {
'string': {
'TypeName': 'string',
'SchemaVersion': 'string',
'CaptureTime': 'string',
'ContentHash': 'string',
'Content': [
{
'string': 'string'
},
]
}
}
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Entities (list) --
Collection of inventory entities such as a collection of managed node inventory.
(dict) --
Inventory query results.
Id (string) --
ID of the inventory result entity. For example, for managed node inventory the result will be the managed node ID. For EC2 instance inventory, the result will be the instance ID.
Data (dict) --
The data section in the inventory result entity JSON.
(string) --
(dict) --
The inventory result item.
TypeName (string) --
The name of the inventory result item type.
SchemaVersion (string) --
The schema version for the inventory result item/
CaptureTime (string) --
The time inventory item data was captured.
ContentHash (string) --
MD5 hash of the inventory item type contents. The content hash is used to determine whether to update inventory information. The PutInventory API doesn't update the inventory item type contents if the MD5 hash hasn't changed since last update.
Content (list) --
Contains all the inventory data of the item type. Results include attribute names and values.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidFilter
SSM.Client.exceptions.InvalidInventoryGroupException
SSM.Client.exceptions.InvalidNextToken
SSM.Client.exceptions.InvalidTypeNameException
SSM.Client.exceptions.InvalidAggregatorException
SSM.Client.exceptions.InvalidResultAttributeException
get_inventory_schema
(**kwargs)¶Return a list of inventory type names for the account, or return a list of attribute names for a specific Inventory item type.
See also: AWS API Documentation
Request Syntax
response = client.get_inventory_schema(
TypeName='string',
NextToken='string',
MaxResults=123,
Aggregator=True|False,
SubType=True|False
)
AWS:InstanceInformation
type, because it supports aggregation based on the PlatformName
, PlatformType
, and PlatformVersion
attributes.dict
Response Syntax
{
'Schemas': [
{
'TypeName': 'string',
'Version': 'string',
'Attributes': [
{
'Name': 'string',
'DataType': 'string'|'number'
},
],
'DisplayName': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Schemas (list) --
Inventory schemas returned by the request.
(dict) --
The inventory item schema definition. Users can use this to compose inventory query filters.
TypeName (string) --
The name of the inventory type. Default inventory item type names start with Amazon Web Services. Custom inventory type names will start with Custom. Default inventory item types include the following: AWS:AWSComponent
, AWS:Application
, AWS:InstanceInformation
, AWS:Network
, and AWS:WindowsUpdate
.
Version (string) --
The schema version for the inventory item.
Attributes (list) --
The schema attributes for inventory. This contains data type and attribute name.
(dict) --
Attributes are the entries within the inventory item content. It contains name and value.
Name (string) --
Name of the inventory item attribute.
DataType (string) --
The data type of the inventory item attribute.
DisplayName (string) --
The alias name of the inventory type. The alias name is used for display purposes.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Exceptions
SSM.Client.exceptions.InternalServerError
SSM.Client.exceptions.InvalidTypeNameException
SSM.Client.exceptions.InvalidNextToken
get_maintenance_window
(**kwargs)¶Retrieves a maintenance window.
See also: AWS API Documentation
Request Syntax
response = client.get_maintenance_window(
WindowId='string'
)
[REQUIRED]
The ID of the maintenance window for which you want to retrieve information.
{
'WindowId': 'string',
'Name': 'string',
'Description': 'string',
'StartDate': 'string',
'EndDate': 'string',
'Schedule': 'string',
'ScheduleTimezone': 'string',
'ScheduleOffset': 123,
'NextExecutionTime': 'string',
'Duration': 123,
'Cutoff': 123,
'AllowUnassociatedTargets': True|False,
'Enabled': True|False,
'CreatedDate': datetime(2015, 1, 1),
'ModifiedDate': datetime(2015, 1, 1)
}
Response Structure
The ID of the created maintenance window.
The name of the maintenance window.
The description of the maintenance window.
The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become active. The maintenance window won't run before this specified time.
The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become inactive. The maintenance window won't run after this specified time.
The schedule of the maintenance window in the form of a cron or rate expression.
The time zone that the scheduled maintenance window executions are based on, in Internet Assigned Numbers Authority (IANA) format. For example: "America/Los_Angeles", "UTC", or "Asia/Seoul". For more information, see the Time Zone Database on the IANA website.
The number of days to wait to run a maintenance window after the scheduled cron expression date and time.
The next time the maintenance window will actually run, taking into account any specified times for the maintenance window to become active or inactive.
The duration of the maintenance window in hours.
The number of hours before the end of the maintenance window that Amazon Web Services Systems Manager stops scheduling new tasks for execution.
Whether targets must be registered with the maintenance window before tasks can be defined for those targets.
Indicates whether the maintenance window is enabled.
The date the maintenance window was created.
The date the maintenance window was last modified.
Exceptions
SSM.Client.exceptions.DoesNotExistException
SSM.Client.exceptions.InternalServerError
get_maintenance_window_execution
(**kwargs)¶Retrieves details about a specific a maintenance window execution.
See also: AWS API Documentation
Request Syntax
response = client.get_maintenance_window_execution(
WindowExecutionId='string'
)
[REQUIRED]
The ID of the maintenance window execution that includes the task.
{
'WindowExecutionId': 'string',
'TaskIds': [
'string',
],
'Status': 'PENDING'|'IN_PROGRESS'|'SUCCESS'|'FAILED'|'TIMED_OUT'|'CANCELLING'|'CANCELLED'|'SKIPPED_OVERLAPPING',
'StatusDetails': 'string',
'StartTime': datetime(2015, 1, 1),
'EndTime': datetime(2015, 1, 1)
}
Response Structure
The ID of the maintenance window execution.
The ID of the task executions from the maintenance window execution.
The status of the maintenance window execution.
The details explaining the status. Not available for all status values.
The time the maintenance window started running.
The time the maintenance window finished running.
Exceptions
SSM.Client.exceptions.DoesNotExistException
SSM.Client.exceptions.InternalServerError
get_maintenance_window_execution_task
(**kwargs)¶Retrieves the details about a specific task run as part of a maintenance window execution.
See also: AWS API Documentation
Request Syntax
response = client.get_maintenance_window_execution_task(
WindowExecutionId='string',
TaskId='string'
)
[REQUIRED]
The ID of the maintenance window execution that includes the task.
[REQUIRED]
The ID of the specific task execution in the maintenance window task that should be retrieved.
dict
Response Syntax
{
'WindowExecutionId': 'string',
'TaskExecutionId': 'string',
'TaskArn': 'string',
'ServiceRole': 'string',
'Type': 'RUN_COMMAND'|'AUTOMATION'|'STEP_FUNCTIONS'|'LAMBDA',
'TaskParameters': [
{
'string': {
'Values': [
'string',
]
}
},
],
'Priority': 123,
'MaxConcurrency': 'string',
'MaxErrors': 'string',
'Status': 'PENDING'|'IN_PROGRESS'|'SUCCESS'|'FAILED'|'TIMED_OUT'|'CANCELLING'|'CANCELLED'|'SKIPPED_OVERLAPPING',
'StatusDetails': 'string',
'StartTime': datetime(2015, 1, 1),
'EndTime': datetime(2015, 1, 1),
'AlarmConfiguration': {
'IgnorePollAlarmFailure': True|False,
'Alarms': [
{
'Name': 'string'
},
]
},
'TriggeredAlarms': [
{
'Name': 'string',
'State': 'UNKNOWN'|'ALARM'
},
]
}
Response Structure
(dict) --
WindowExecutionId (string) --
The ID of the maintenance window execution that includes the task.
TaskExecutionId (string) --
The ID of the specific task execution in the maintenance window task that was retrieved.
TaskArn (string) --
The Amazon Resource Name (ARN) of the task that ran.
ServiceRole (string) --
The role that was assumed when running the task.
Type (string) --
The type of task that was run.
TaskParameters (list) --
The parameters passed to the task when it was run.
Note
TaskParameters
has been deprecated. To specify parameters to pass to a task when it runs, instead use the Parameters
option in the TaskInvocationParameters
structure. For information about how Systems Manager handles these options for the supported maintenance window task types, see MaintenanceWindowTaskInvocationParameters.
The map has the following format:
Key
: string, between 1 and 255 charactersValue
: an array of strings, each between 1 and 255 characters(dict) --
(string) --
(dict) --
Defines the values for a task parameter.
Values (list) --
This field contains an array of 0 or more strings, each 1 to 255 characters in length.
Priority (integer) --
The priority of the task.
MaxConcurrency (string) --
The defined maximum number of task executions that could be run in parallel.
MaxErrors (string) --
The defined maximum number of task execution errors allowed before scheduling of the task execution would have been stopped.
Status (string) --
The status of the task.
StatusDetails (string) --
The details explaining the status. Not available for all status values.
StartTime (datetime) --
The time the task execution started.
EndTime (datetime) --
The time the task execution completed.
AlarmConfiguration (dict) --
The details for the CloudWatch alarm you applied to your maintenance window task.
IgnorePollAlarmFailure (boolean) --
If you specify true
for this value, your automation or command continue to run even if we can't gather information about the state of your CloudWatch alarm. The default value is false
.
Alarms (list) --
The name of the CloudWatch alarm specified in the configuration.
(dict) --
A CloudWatch alarm you apply to an automation or command.
Name (string) --
The name of your CloudWatch alarm.
TriggeredAlarms (list) --
The CloudWatch alarms that were invoked by the maintenance window task.
(dict) --
The details about the state of your CloudWatch alarm.
Name (string) --
The name of your CloudWatch alarm.
State (string) --
The state of your CloudWatch alarm.
Exceptions
SSM.Client.exceptions.DoesNotExistException
SSM.Client.exceptions.InternalServerError
get_maintenance_window_execution_task_invocation
(**kwargs)¶Retrieves information about a specific task running on a specific target.
See also: AWS API Documentation
Request Syntax
response = client.get_maintenance_window_execution_task_invocation(
WindowExecutionId='string',
TaskId='string',
InvocationId='string'
)
[REQUIRED]
The ID of the maintenance window execution for which the task is a part.
[REQUIRED]
The ID of the specific task in the maintenance window task that should be retrieved.
[REQUIRED]
The invocation ID to retrieve.
dict
Response Syntax
{
'WindowExecutionId': 'string',
'TaskExecutionId': 'string',
'InvocationId': 'string',
'ExecutionId': 'string',
'TaskType': 'RUN_COMMAND'|'AUTOMATION'|'STEP_FUNCTIONS'|'LAMBDA',
'Parameters': 'string',
'Status': 'PENDING'|'IN_PROGRESS'|'SUCCESS'|'FAILED'|'TIMED_OUT'|'CANCELLING'|'CANCELLED'|'SKIPPED_OVERLAPPING',
'StatusDetails': 'string',
'StartTime': datetime(2015, 1, 1),
'EndTime': datetime(2015, 1, 1),
'OwnerInformation': 'string',
'WindowTargetId': 'string'
}
Response Structure
(dict) --
WindowExecutionId (string) --
The maintenance window execution ID.
TaskExecutionId (string) --
The task execution ID.
InvocationId (string) --
The invocation ID.
ExecutionId (string) --
The execution ID.
TaskType (string) --
Retrieves the task type for a maintenance window.
Parameters (string) --
The parameters used at the time that the task ran.
Status (string) --
The task status for an invocation.
StatusDetails (string) --
The details explaining the status. Details are only available for certain status values.
StartTime (datetime) --
The time that the task started running on the target.
EndTime (datetime) --
The time that the task finished running on the target.
OwnerInformation (string) --
User-provided value to be included in any Amazon CloudWatch Events or Amazon EventBridge events raised while running tasks for these targets in this maintenance window.
WindowTargetId (string) --
The maintenance window target ID.
Exceptions
SSM.Client.exceptions.DoesNotExistException
SSM.Client.exceptions.InternalServerError
get_maintenance_window_task
(**kwargs)¶Retrieves the details of a maintenance window task.
Note
For maintenance window tasks without a specified target, you can't supply values for --max-errors
and --max-concurrency
. Instead, the system inserts a placeholder value of 1
, which may be reported in the response to this command. These values don't affect the running of your task and can be ignored.
To retrieve a list of tasks in a maintenance window, instead use the DescribeMaintenanceWindowTasks command.
See also: AWS API Documentation
Request Syntax
response = client.get_maintenance_window_task(
WindowId='string',
WindowTaskId='string'
)
[REQUIRED]
The maintenance window ID that includes the task to retrieve.
[REQUIRED]
The maintenance window task ID to retrieve.
dict
Response Syntax
{
'WindowId': 'string',
'WindowTaskId': 'string',
'Targets': [
{
'Key': 'string',
'Values': [
'string',
]
},
],
'TaskArn': 'string',
'ServiceRoleArn': 'string',
'TaskType': 'RUN_COMMAND'|'AUTOMATION'|'STEP_FUNCTIONS'|'LAMBDA',
'TaskParameters': {
'string': {
'Values': [
'string',
]
}
},
'TaskInvocationParameters': {
'RunCommand': {
'Comment': 'string',
'CloudWatchOutputConfig': {
'CloudWatchLogGroupName': 'string',
'CloudWatchOutputEnabled': True|False
},
'DocumentHash': 'string',
'DocumentHashType': 'Sha256'|'Sha1',
'DocumentVersion': 'string',
'NotificationConfig': {
'NotificationArn': 'string',
'NotificationEvents': [
'All'|'InProgress'|'Success'|'TimedOut'|'Cancelled'|'Failed',
],
'NotificationType': 'Command'|'Invocation'
},
'OutputS3BucketName': 'string',
'OutputS3KeyPrefix': 'string',
'Parameters': {
'string': [
'string',
]
},
'ServiceRoleArn': 'string',
'TimeoutSeconds': 123
},
'Automation': {
'DocumentVersion': 'string',
'Parameters': {