preview
We're still working on this feature, but we'd love for you to try it out!
This feature is currently provided as part of a preview program pursuant to our pre-release policies.
This page provides a comprehensive reference for AWS Systems Manager actions available in the workflow automation actions catalog. These actions enable you to perform Systems Manager automation and document operations.
Prerequisites
Before using AWS actions in workflow automation, ensure you have:
- An AWS account with appropriate permissions.
- AWS credentials configured (IAM user credentials, IAM role ARN, or session credentials).
- The necessary IAM permissions for the specific AWS services you plan to use.
See Set up AWS credentials for information on how to create IAM users and IAM roles, and set up static and session AWS credentials for integration with workflow automation AWS actions.
Write an SSM document to the AWS account based on the AWS credentials passed in the action input. See AWS Systems Manager Documentation.
| Input Field | Optionality | Type | Example |
|---|---|---|---|
| awsRoleArn | Optional | String | |
| awsAccessKeyId | Optional | String | |
| awsSecretAccessKey | Optional | String | |
| awsSessionToken | Optional | String | |
| region | Required | String | |
| documentName | Required | String | |
| documentType | Optional | String | Check valid values from here. |
| documentFormat | Optional | String | Check valid values from here. |
| documentContent | Required | String | Check example |
| override | Optional | Boolean | When When |
| selectors | Optional | List | |

| Output Field | Type | Description and example |
|---|---|---|
| documentName | String | |
| documentVersion | String | |
| documentType | String | |
| documentStatus | String | The value will be one of the statuses from here. |
| success | Boolean | |
| errorMessage | String | |
Important
- In the action input, only `awsAccessKeyId` and `awsSecretAccessKey` can be provided, but they should be static credentials of an IAM user.
- If session credentials are to be used, `awsAccessKeyId`, `awsSecretAccessKey` and `awsSessionToken` must be passed to the action input.
- Use selectors to get only the specified parameters as output.
- Refer to AWS credentials for instructions.
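
The credential rules above can be checked before a workflow definition is started. The following is an added example, not New Relic code: a lint over a definition held as a Python dict that flags incomplete credential sets and credential inputs whose value does not trace back to a `${{ :secrets:... }}` reference. The secret-reference check, the acceptance of `awsRoleArn` on its own, and the helper and sample names are assumptions of this example.

```python
import re

CRED_INPUTS = ("awsAccessKeyId", "awsSecretAccessKey", "awsSessionToken")
# ${{ :secrets:NAME }} and ${{ .workflowInputs.name }}, the two reference forms used on this page
SECRET_REF = re.compile(r"^\$\{\{\s*:secrets:[^}\s]+\s*\}\}$")
INPUT_REF = re.compile(r"^\$\{\{\s*\.workflowInputs\.(\w+)\s*\}\}$")

def resolve(value, workflow_inputs):
    """Follow a ${{ .workflowInputs.x }} reference to that input's defaultValue."""
    match = INPUT_REF.match(str(value).strip())
    if match:
        return workflow_inputs.get(match.group(1), {}).get("defaultValue")
    return value

def lint_definition(definition):
    """Return (step name, finding) tuples for every aws.* action step."""
    findings = []
    workflow_inputs = definition.get("workflowInputs", {})
    for step in definition.get("steps", []):
        if not str(step.get("action", "")).startswith("aws."):
            continue
        inputs = step.get("inputs", {})
        present = [k for k in CRED_INPUTS if inputs.get(k)]
        has_pair = "awsAccessKeyId" in present and "awsSecretAccessKey" in present
        if present and not has_pair:
            findings.append((step["name"], "access key and secret must be passed together"))
        # Assumption: a step that passes only awsRoleArn is accepted as role-based access.
        if not present and not inputs.get("awsRoleArn"):
            findings.append((step["name"], "no credential inputs"))
        for key in present:
            resolved = resolve(inputs[key], workflow_inputs)
            if not SECRET_REF.match(str(resolved).strip()):
                findings.append((step["name"], f"{key} does not resolve to a secret reference"))
    return findings

def creds(key, secret=None, token=None):
    """Build a step's credential inputs from workflow input names (sample helper)."""
    names = dict(zip(CRED_INPUTS, (key, secret, token)))
    return {k: "${{ .workflowInputs.%s }}" % v for k, v in names.items() if v}

# Constructed sample: step and action names follow the page; secret names and values are made up.
SAMPLE = {
    "workflowInputs": {
        "key": {"type": "String", "defaultValue": "${{ :secrets:EXAMPLE_AWS_ACCESS_KEY_ID }}"},
        "access": {"type": "String", "defaultValue": "${{ :secrets:EXAMPLE_AWS_SECRET_ACCESS_KEY }}"},
        "token": {"type": "String", "defaultValue": "${{ :secrets:EXAMPLE_AWS_SESSION_TOKEN }}"},
        "pasted": {"type": "String", "defaultValue": "CONSTRUCTED-LITERAL-VALUE"},
    },
    "steps": [
        {"name": "createSsmDocument", "action": "aws.systemsManager.writeDocument",
         "inputs": creds("key", "access", "token")},   # complete session set
        {"name": "start1", "action": "aws.systemsManager.startAutomation",
         "inputs": creds("key", token="token")},       # secret access key missing
        {"name": "cleanupSsmDocument", "action": "aws.systemsManager.deleteDocument",
         "inputs": creds("pasted", "access")},         # key default is a literal
        {"name": "generateIdempotencyToken", "action": "utils.uuid.generate"},
    ],
}

if __name__ == "__main__":
    print("\n".join(f"{name}: {finding}" for name, finding in lint_definition(SAMPLE)))
```

The lint reads `defaultValue` only; values passed when a run is started are outside its view.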
Example 1: A simple SSM document to list all Lambda functions

```yaml
schemaVersion: '0.3'
description: List all Lambda function names.
mainSteps:
  - name: ExecuteAwsApi
    action: aws:executeAwsApi
    isEnd: true
    inputs:
      Service: lambda
      Api: ListFunctions
    outputs:
      - Name: resultFunctionName
        Selector: $..FunctionName
        Type: StringList
outputs:
  - ExecuteAwsApi.resultFunctionName
```

Complete autoflows definition with SSM listing Lambda functions

```yaml
name: aws-api

workflowInputs:
  key:
    type: String
    defaultValue: "${{ :secrets:11933347:USERNAME_AWS_ACCESS_KEY_ID }}"
  access:
    type: String
    defaultValue: "${{ :secrets:11933347:USERNAME_AWS_SECRET_ACCESS_KEY }}"
  token:
    type: String
    defaultValue: "${{ :secrets:11933347:USERNAME_AWS_SESSION_TOKEN }}"
  region:
    type: String
    defaultValue: us-east-2

steps:
  - name: createSsmDocument
    type: action
    action: aws.systemsManager.writeDocument
    version: 1
    inputs:
      awsAccessKeyId: ${{ .workflowInputs.key }}
      awsSecretAccessKey: ${{ .workflowInputs.access }}
      awsSessionToken: ${{ .workflowInputs.token }}
      region: ${{ .workflowInputs.region }}
      selectors:
        - name: documentName
          expression: '.documentName'
        - name: documentType
          expression: '.documentType'
        - name: documentStatus
          expression: '.documentStatus'
        - name: success
          expression: '.success'
      documentName: "LambdaListFunctionNames"
      documentContent: |
        schemaVersion: '0.3'
        description: List all Lambda function names.
        mainSteps:
          - name: ExecuteAwsApi
            action: aws:executeAwsApi
            isEnd: true
            inputs:
              Service: lambda
              Api: ListFunctions
            outputs:
              - Name: resultFunctionName
                Selector: $..FunctionName
                Type: StringList
        outputs:
          - ExecuteAwsApi.resultFunctionName

  - name: generateIdempotencyToken
    type: action
    action: utils.uuid.generate
    version: 1

  - name: start1
    type: action
    action: aws.systemsManager.startAutomation
    version: 1
    inputs:
      awsAccessKeyId: ${{ .workflowInputs.key }}
      awsSecretAccessKey: ${{ .workflowInputs.access }}
      awsSessionToken: ${{ .workflowInputs.token }}
      region: ${{ .workflowInputs.region }}
      documentName: "${{ .steps.createSsmDocument.outputs.documentName }}"
      idempotencyToken: ${{ .steps.generateIdempotencyToken.outputs.uuid }}

  - name: waitForCompletion
    type: action
    action: aws.systemsManager.waitForAutomationStatus
    version: 1
    inputs:
      awsAccessKeyId: ${{ .workflowInputs.key }}
      awsSecretAccessKey: ${{ .workflowInputs.access }}
      awsSessionToken: ${{ .workflowInputs.token }}
      region: ${{ .workflowInputs.region }}
      automationExecutionId: ${{ .steps.start1.outputs.automationExecutionId }}
      # Optional, default is Success and Failed
      automationExecutionStatuses:
        - "Success"
        - "Failed"
      timeout: 60

  - name: hasCompleted
    type: switch
    switch:
      - condition: ${{ .steps.waitForCompletion.outputs.automationExecutionStatus == "Failed" }}
        next: displayError
      - condition: ${{ .steps.waitForCompletion.outputs.automationExecutionStatus == "Success" }}
        next: displaySuccess
    next: displayUnexpected

  - name: displayUnexpected
    type: action
    action: newrelic.instrumentation.log
    version: 1
    inputs:
      message: "Unexpected status ${{ .steps.waitForCompletion.outputs.automationExecutionStatus | tojson }}"
    next: cleanupSsmDocument

  - name: displaySuccess
    type: action
    action: newrelic.instrumentation.log
    version: 1
    inputs:
      message: "This is all the lambda function names on the region ${{ .workflowInputs.region }}:${{ .steps.waitForCompletion.outputs.automationExecutionOutputs.ExecuteAwsApi.resultFunctionName | join(\",\") }}"
    next: cleanupSsmDocument

  - name: displayError
    type: action
    action: newrelic.instrumentation.log
    version: 1
    inputs:
      message: "Error while executing document ${{ .steps.createSsmDocument.outputs.documentName }}, detail: ${{ .steps.waitForCompletion.outputs.errorMessage }}"
    next: cleanupSsmDocument

  - name: cleanupSsmDocument
    type: action
    action: aws.systemsManager.deleteDocument
    version: 1
    inputs:
      awsAccessKeyId: ${{ .workflowInputs.key }}
      awsSecretAccessKey: ${{ .workflowInputs.access }}
      awsSessionToken: ${{ .workflowInputs.token }}
      region: ${{ .workflowInputs.region }}
      documentName: ${{ .steps.createSsmDocument.outputs.documentName }}
```

Example 2: Execute a Python script
Using the AWS Systems Manager automation and document actions, we can write a workflow definition that executes a Python script.
Here is a short example using a simple Hello World application.

```yaml
schemaVersion: '0.3'
description: "Run a Python script that says 'Hello' to the username passed as input and capture the output."
parameters:
  Username:
    type: String
    description: "The username to greet."
    default: "User"
mainSteps:
  - action: aws:executeScript
    name: pythonStep
    inputs:
      Runtime: python3.8
      Handler: script_handler
      Script: |
        def script_handler(event, context):
            username = event['username']
            return f'Hello {username}'
      InputPayload:
        username: "{{ Username }}"
    outputs:
      - Name: scriptOutput
        Type: String
        Selector: $.Payload
outputs:
  - pythonStep.scriptOutput
```

This can then be used in the workflow below:

```yaml
name: aws-python-script

workflowInputs:
  key:
    type: String
    defaultValue: "${{ :secrets:11933347:USERNAME_AWS_ACCESS_KEY_ID }}"
  access:
    type: String
    defaultValue: "${{ :secrets:11933347:USERNAME_AWS_SECRET_ACCESS_KEY }}"
  token:
    type: String
    defaultValue: "${{ :secrets:11933347:USERNAME_AWS_SESSION_TOKEN }}"
  region:
    type: String
    defaultValue: us-west-2
  name:
    type: String
    defaultValue: ExecuteHelloPythonScript
  username:
    type: String
    defaultValue: World!

steps:
  - name: generateIdempotencyToken
    type: action
    action: utils.uuid.generate
    version: 1

  - name: createSsmDocument
    type: action
    action: aws.systemsManager.writeDocument
    version: 1
    inputs:
      awsAccessKeyId: ${{ .workflowInputs.key }}
      awsSecretAccessKey: ${{ .workflowInputs.access }}
      awsSessionToken: ${{ .workflowInputs.token }}
      region: ${{ .workflowInputs.region }}
      documentName: ${{ .workflowInputs.name }}
      documentContent: |
        schemaVersion: '0.3'
        description: "Run a Python script that says 'Hello' to the username passed as input and capture the output."
        parameters:
          Username:
            type: String
            description: "The username to greet."
            default: "User"
        mainSteps:
          - action: aws:executeScript
            name: pythonStep
            inputs:
              Runtime: python3.8
              Handler: script_handler
              Script: |
                def script_handler(event, context):
                    username = event['username']
                    return f'Hello {username}'
              InputPayload:
                username: "{{ Username }}"
            outputs:
              - Name: scriptOutput
                Type: String
                Selector: $.Payload
        outputs:
          - pythonStep.scriptOutput

  - name: start1
    type: action
    action: aws.systemsManager.startAutomation
    version: 1
    inputs:
      awsAccessKeyId: ${{ .workflowInputs.key }}
      awsSecretAccessKey: ${{ .workflowInputs.access }}
      awsSessionToken: ${{ .workflowInputs.token }}
      region: ${{ .workflowInputs.region }}
      documentName: "${{ .steps.createSsmDocument.outputs.documentName }}"
      idempotencyToken: ${{ .steps.generateIdempotencyToken.outputs.uuid }}
      parameters:
        Username: ${{ .workflowInputs.username }}

  - name: waitForCompletion
    type: action
    action: aws.systemsManager.waitForAutomationStatus
    version: 1
    inputs:
      awsAccessKeyId: ${{ .workflowInputs.key }}
      awsSecretAccessKey: ${{ .workflowInputs.access }}
      awsSessionToken: ${{ .workflowInputs.token }}
      region: ${{ .workflowInputs.region }}
      automationExecutionId: ${{ .steps.start1.outputs.automationExecutionId }}
      # Optional, default is Success and Failed
      automationExecutionStatuses:
        - "Success"
        - "Failed"
      timeout: 300

  - name: hasCompleted
    type: switch
    switch:
      - condition: ${{ .steps.waitForCompletion.outputs.automationExecutionStatus == "Failed" }}
        next: displayError
      - condition: ${{ .steps.waitForCompletion.outputs.automationExecutionStatus == "Success" }}
        next: displaySuccess
    next: displayUnexpected

  - name: displayUnexpected
    type: action
    action: newrelic.instrumentation.log
    version: 1
    inputs:
      message: "Unexpected status ${{ .steps.waitForCompletion.outputs.automationExecutionStatus | tojson }}"
    next: cleanupSsmDocument

  - name: displaySuccess
    type: action
    action: newrelic.instrumentation.log
    version: 1
    inputs:
      message: "This is the results of the automation that was run on the region ${{ .workflowInputs.region }}:${{ .steps.waitForCompletion.outputs.automationExecutionOutputs.pythonStep.scriptOutput | tojson }}"
    next: cleanupSsmDocument

  - name: displayError
    type: action
    action: newrelic.instrumentation.log
    version: 1
    inputs:
      message: "Error while executing document ${{ .steps.createSsmDocument.outputs.documentName }}, detail: ${{ .steps.waitForCompletion.outputs | tojson }}"
    next: cleanupSsmDocument

  - name: cleanupSsmDocument
    type: action
    action: aws.systemsManager.deleteDocument
    version: 1
    inputs:
      awsAccessKeyId: ${{ .workflowInputs.key }}
      awsSecretAccessKey: ${{ .workflowInputs.access }}
      awsSessionToken: ${{ .workflowInputs.token }}
      region: ${{ .workflowInputs.region }}
      documentName: ${{ .steps.createSsmDocument.outputs.documentName }}
```

This can be started with the following NerdGraph mutation, assuming the AWS temporary secrets have been previously stored with the secretsManagementCreateSecret NerdGraph mutations.

```graphql
mutation {
  autoflowsStartWorkflowRun(accountId: 11933347, definition: {
    name: "aws-python-script",
  }, workflowInputs: [
    {key: "key" value: "${{ :secrets:testUser123_AWS_ACCESS_KEY_ID }}"}
    {key: "access" value: "${{ :secrets:testUser123_AWS_SECRET_ACCESS_KEY }}"}
    {key: "token" value: "${{ :secrets:testUser123_AWS_SESSION_TOKEN }}"}
    {key: "region" value:"us-west-2"}
    {key: "username" value: "Julien"}
  ]) {
    runId
  }
}
```

Executing the mutation above returns a runId, for example 207e8c23-2c89-4af2-a74f-3c9ea2ffd543. This runId can then be used to query the logs and see the following output:

Example 3: A more complex SSM document
- Get the list of API gateway rest APIs. Filter my api (Test API) and get the rest API id.
- Get the list of all resources inside my api (Test API). Filter my specific resource based on `pathPart` (/test) and get the resourceID.
- Get the list of versions for my lambda function (ApiGwTestFn). Filter the specific version that I want to rollback to (version: 1) and get the functionArn of that version.
- Update the API gateway integration with the lambda functionArn acquired in the above step.
- Create a new deployment for my rest API (Test API).

```yaml
schemaVersion: '0.3'
description: Test SSM for API gateway rollback
mainSteps:
  - name: ExecuteAwsApi
    action: aws:executeAwsApi
    nextStep: ExecuteGetApiResources
    inputs:
      Service: apigateway
      Api: GetRestApis
    outputs:
      - Name: resultApiId
        Selector: $.items[?(@.name=='Test API')].id
        Type: String
  - name: ExecuteGetApiResources
    action: aws:executeAwsApi
    nextStep: ExecuteListVersionsByFunction
    inputs:
      Service: apigateway
      Api: GetResources
      restApiId: '{{ ExecuteAwsApi.resultApiId }}'
    outputs:
      - Name: resultResourceId
        Selector: $.items[?(@.pathPart=='test')].id
        Type: String
  - name: ExecuteListVersionsByFunction
    action: aws:executeAwsApi
    nextStep: ExecuteApiGwUpdateIntg
    inputs:
      Service: lambda
      Api: ListVersionsByFunction
      FunctionName: ApiGwTestFn
    outputs:
      - Name: resultLambdaVersionArn
        Selector: $.Versions[?(@.Version=='1')].FunctionArn
        Type: String
  - name: ExecuteApiGwUpdateIntg
    action: aws:executeAwsApi
    nextStep: ExecuteApiGwCreateDeployment
    inputs:
      Service: apigateway
      Api: UpdateIntegration
      restApiId: '{{ ExecuteAwsApi.resultApiId }}'
      resourceId: '{{ ExecuteGetApiResources.resultResourceId }}'
      httpMethod: GET
      patchOperations:
        - op: replace
          path: /uri
          value: arn:aws:apigateway:us-east-2:lambda:path/2015-03-31/functions/{{ ExecuteListVersionsByFunction.resultLambdaVersionArn }}/invocations
  - name: ExecuteApiGwCreateDeployment
    action: aws:executeAwsApi
    inputs:
      Service: apigateway
      Api: CreateDeployment
      restApiId: '{{ ExecuteAwsApi.resultApiId }}'
outputs:
  - ExecuteGetApiResources.resultResourceId
  - ExecuteListVersionsByFunction.resultLambdaVersionArn
```

The sample SSM outputs `ExecuteGetApiResources.resultResourceId` and `ExecuteListVersionsByFunction.resultLambdaVersionArn`. These outputs can be used in further steps in the workflow definition.
This action deletes an AWS SSM document in the AWS account based on the credentials passed in the action input. See AWS Systems Manager Documentation.
| Input Field | Optionality | Type | Example |
|---|---|---|---|
| awsRoleArn | Optional | String | |
| awsAccessKeyId | Required | String | |
| awsSecretAccessKey | Required | String | |
| awsSessionToken | Optional | String | |
| region | Required | String | |
| documentName | Required | String | |
| selectors | Optional | List | |

| Output Field | Type | Example |
|---|---|---|
| documentName | String | |
| success | Boolean | |
| errorMessage | String | |
Important
- In the action input, only `awsAccessKeyId` and `awsSecretAccessKey` can be provided, but they should be static credentials of an IAM user.
- If session credentials are to be used, `awsAccessKeyId`, `awsSecretAccessKey` and `awsSessionToken` must be passed to the action input.
- Use selectors to get only the specified parameters as output.
A simple SSM document to list all Lambda functions

```yaml
schemaVersion: '0.3'
description: List all Lambda function names.
mainSteps:
  - name: ExecuteAwsApi
    action: aws:executeAwsApi
    isEnd: true
    inputs:
      Service: lambda
      Api: ListFunctions
    outputs:
      - Name: resultFunctionName
        Selector: $..FunctionName
        Type: StringList
outputs:
  - ExecuteAwsApi.resultFunctionName
```

The complete workflow definition with SSM:

```yaml
name: aws-api

workflowInputs:
  key:
    type: String
    defaultValue: "${{ :secrets:11933347:USERNAME_AWS_ACCESS_KEY_ID }}"
  access:
    type: String
    defaultValue: "${{ :secrets:11933347:USERNAME_AWS_SECRET_ACCESS_KEY }}"
  token:
    type: String
    defaultValue: "${{ :secrets:11933347:USERNAME_AWS_SESSION_TOKEN }}"
  region:
    type: String
    defaultValue: us-east-2

steps:
  - name: createSsmDocument
    type: action
    action: aws.systemsManager.writeDocument
    version: 1
    inputs:
      awsAccessKeyId: ${{ .workflowInputs.key }}
      awsSecretAccessKey: ${{ .workflowInputs.access }}
      awsSessionToken: ${{ .workflowInputs.token }}
      region: ${{ .workflowInputs.region }}
      selectors:
        - name: documentName
          expression: '.documentName'
        - name: documentType
          expression: '.documentType'
        - name: documentStatus
          expression: '.documentStatus'
        - name: success
          expression: '.success'
      documentName: "LambdaListFunctionNames"
      documentContent: |
        schemaVersion: '0.3'
        description: List all Lambda function names.
        mainSteps:
          - name: ExecuteAwsApi
            action: aws:executeAwsApi
            isEnd: true
            inputs:
              Service: lambda
              Api: ListFunctions
            outputs:
              - Name: resultFunctionName
                Selector: $..FunctionName
                Type: StringList
        outputs:
          - ExecuteAwsApi.resultFunctionName

  - name: generateIdempotencyToken
    type: action
    action: utils.uuid.generate
    version: 1

  - name: start1
    type: action
    action: aws.systemsManager.startAutomation
    version: 1
    inputs:
      awsAccessKeyId: ${{ .workflowInputs.key }}
      awsSecretAccessKey: ${{ .workflowInputs.access }}
      awsSessionToken: ${{ .workflowInputs.token }}
      region: ${{ .workflowInputs.region }}
      documentName: "${{ .steps.createSsmDocument.outputs.documentName }}"
      idempotencyToken: ${{ .steps.generateIdempotencyToken.outputs.uuid }}

  - name: waitForCompletion
    type: action
    action: aws.systemsManager.waitForAutomationStatus
    version: 1
    inputs:
      awsAccessKeyId: ${{ .workflowInputs.key }}
      awsSecretAccessKey: ${{ .workflowInputs.access }}
      awsSessionToken: ${{ .workflowInputs.token }}
      region: ${{ .workflowInputs.region }}
      automationExecutionId: ${{ .steps.start1.outputs.automationExecutionId }}
      # Optional, default is Success and Failed
      automationExecutionStatuses:
        - "Success"
        - "Failed"
      timeout: 60

  - name: hasCompleted
    type: switch
    switch:
      - condition: ${{ .steps.waitForCompletion.outputs.automationExecutionStatus == "Failed" }}
        next: displayError
      - condition: ${{ .steps.waitForCompletion.outputs.automationExecutionStatus == "Success" }}
        next: displaySuccess
    next: displayUnexpected

  - name: displayUnexpected
    type: action
    action: newrelic.instrumentation.log
    version: 1
    inputs:
      message: "Unexpected status ${{ .steps.waitForCompletion.outputs.automationExecutionStatus | tojson }}"
    next: cleanupSsmDocument

  - name: displaySuccess
    type: action
    action: newrelic.instrumentation.log
    version: 1
    inputs:
      message: "This is all the lambda function names on the region ${{ .workflowInputs.region }}:${{ .steps.waitForCompletion.outputs.automationExecutionOutputs.ExecuteAwsApi.resultFunctionName | join(\",\") }}"
    next: cleanupSsmDocument

  - name: displayError
    type: action
    action: newrelic.instrumentation.log
    version: 1
    inputs:
      message: "Error while executing document ${{ .steps.createSsmDocument.outputs.documentName }}, detail: ${{ .steps.waitForCompletion.outputs.errorMessage }}"
    next: cleanupSsmDocument

  - name: cleanupSsmDocument
    type: action
    action: aws.systemsManager.deleteDocument
    version: 1
    inputs:
      awsAccessKeyId: ${{ .workflowInputs.key }}
      awsSecretAccessKey: ${{ .workflowInputs.access }}
      awsSessionToken: ${{ .workflowInputs.token }}
      region: ${{ .workflowInputs.region }}
      documentName: ${{ .steps.createSsmDocument.outputs.documentName }}
```

Starts an automation using an AWS SSM document. See AWS Systems Manager Documentation.
| Input Field | Optionality | Type | Example |
|---|---|---|---|
| awsRoleArn | Optional | String | |
| awsAccessKeyId | Optional | String | |
| awsSecretAccessKey | Optional | String | |
| awsSessionToken | Optional | String | |
| region | Required | String | |
| documentName | Required | String | |
| parameters | Optional | Map | |
| idempotencyToken | Optional | UUID | This will be passed as client token for idempotency to start aws ssm automation. |
| selectors | Optional | List | |

| Output Field | Type | Example |
|---|---|---|
| automationExecutionId | String | |
| success | Boolean | |
| errorMessage | String | |
Important
- In the action input, if `awsAccessKeyId` and `awsSecretAccessKey` are to be provided, make sure they are static credentials of an IAM user.
- If session credentials are to be used, `awsAccessKeyId`, `awsSecretAccessKey` and `awsSessionToken` must be passed to the action input.
- Refer to AWS credentials for instructions.
- Use selectors to get only the specified parameters as output.
Waits for an automation using an AWS document. See AWS Systems Manager Documentation for more information.
| Input Field | Optionality | Type | Example |
|---|---|---|---|
| awsRoleArn | Optional | String | |
| awsAccessKeyId | Optional | String | |
| awsSecretAccessKey | Optional | String | |
| awsSessionToken | Optional | String | |
| region | Required | String | |
| automationExecutionId | Required | String | |
| automationExecutionStatuses | Optional | List | List of automation execution statuses from AutomationExecution that can stop the waiting. Default: |
| timeout | Optional | int | The duration in seconds we can wait for automation status to be one of the expected If timeout occurred, the output contains |
| selectors | Optional | List | |

| Output Field | Type | Example |
|---|---|---|
| automationExecutionId | String | |
| automationExecutionStatus | String | If action is successful, It will either of the values passed in Else, this will be null. |
| automationExecutionOutputs | Map | The output will be a map of output values from the document. Any output in the document can be collected using this output field and can be used in subsequent steps of the workflow automation definition. |
| success | Boolean | |
| errorMessage | String | |
Important
- In the action input, only `awsAccessKeyId` and `awsSecretAccessKey` can be provided, but they should be static credentials of an IAM user.
- If session credentials are to be used, `awsAccessKeyId`, `awsSecretAccessKey` and `awsSessionToken` must be passed to the action input.
- Refer to the instructions to set up AWS credentials.
- Use selectors to get only the specified parameters as output.