Can't run SSM RunCommand – Access Denied even with correct IAM role and policies

Cloud AWS
#1

Hi everyone,
I’m trying to use AWS Systems Manager RunCommand to execute commands on my EC2 instances.

Here’s the situation:

  • I can successfully connect to my instances via SSM Session Manager, so the SSM agent is working and the instance is managed.
  • The instance has an IAM role with the following policies:
    • AmazonSSMManagedInstanceCore
    • AmazonSSMFullAccess
    • CloudWatchAgentServerPolicy
  • Despite that, every time I try to run a command from SSM → RunCommand, it fails with AccessDenied.
  • I also created an IAM role for myself with those same permissions and switched to it, but the issue remains.

:white_check_mark: SSM agent logs show successful registration
:x: RunCommand status: Failed → Detailed Status: “Access Denied”
:x: I’m unable to view my own user’s permissions due to iam:ListAttachedUserPolicies being denied

What could be the problem? Is there anything else I’m missing – trust policy, instance profile refresh, or session permissions?

Thanks in advance!

#2

Hi @Nikola97,

I think we need the ssm:SendCommand permission in this case. Are you working in a lab environment or just practicing in the KodeKloud playground? If it’s a lab or KKE task, please share the lab link or the course level and task name. I’ll take a closer look.

#3

Hello @raymond.baoly ,

I am just practicing a KodeKloud playground.
I am able to use the session manager function of SSM, but not able to use run command function.
I suppose there is a permission missing on kk_user acc, but not able to check.

#4

Hi @Nikola97,

I’m also having this problem with Playground. I’ll look into it more to find the root cause and keep you updated.

Screenshot 2025-05-13 at 18.16.33
Screenshot 2025-05-13 at 18.16.331913×771 87.4 KB

#5

"I can test it on my personal account where it seems to work fine. The issue might be that the playground account doesn’t have enough permissions. I’ll look into it further and share my findings with the team to see if we can update it.

Screenshot 2025-05-19 at 17.52.23
Screenshot 2025-05-19 at 17.52.231896×688 101 KB

1 Like
#6

Hi @Nikola97,

I think the root cause is that the playground user is missing the ssm:SendCommand permission. I’ve passed this on to the team to look into it.

#7

Hello @raymond.baoly

Do you have an update on this? Did you add this permission to playground user?

Thank you in advance!

#8

Hi @Nikola97,

Just a reminder to the team, there’s no new update yet

#9

Hello @raymond.baoly do you have an update on this? Thank you!

#10

Hello @raymond.baoly do you have an update on this? Thank you!

#11

Hi @Nikola97,

The team is working on fixing the issue. I’ll let you know as soon as the playground is updated.