From efe4c5623165db850d2b52e4a6a0e2f591294891 Mon Sep 17 00:00:00 2001 From: Jesus Osuna Date: Thu, 18 Dec 2025 00:26:50 -0300 Subject: [PATCH 1/3] improve docs about aws ssm timeout --- docs/learning/howto/cross-account-aws-ssm.md | 9 +++ .../manual/projects/node-execution/aws-ssm.md | 58 ++++++++++++++++--- 2 files changed, 60 insertions(+), 7 deletions(-) diff --git a/docs/learning/howto/cross-account-aws-ssm.md b/docs/learning/howto/cross-account-aws-ssm.md index 3025ada70..ab2594aaf 100644 --- a/docs/learning/howto/cross-account-aws-ssm.md +++ b/docs/learning/howto/cross-account-aws-ssm.md @@ -298,6 +298,15 @@ The SSM Node Executor can be set as the **Default Node Executor** - thereby maki * If you have more than one remote account, you can leave this blank. 6. See below for using **CloudWatch Logs** for larger log-output. 7. Optionally modify the **Log Filter Delay** property to be the number of seconds to wait before retrieving logs. + +:::tip Extended Execution Time +SSM executions support extended timeout configurations: +- With Assume Role: up to 12 hours +- Without Assume Role: up to 48 hours +- Inline Scripts: maximum 8 hours + +See the [Execution Timeout Configuration](/manual/projects/node-execution/aws-ssm.md#execution-timeout-configuration) section for complete details and configuration methods. +:::
The SSM File Copier can also be set as the **Default File Copier** for the whole project: diff --git a/docs/manual/projects/node-execution/aws-ssm.md b/docs/manual/projects/node-execution/aws-ssm.md index 99f69d50a..27a52a141 100644 --- a/docs/manual/projects/node-execution/aws-ssm.md +++ b/docs/manual/projects/node-execution/aws-ssm.md @@ -199,17 +199,61 @@ Similarly, scripts that are executed using the **Inline Script** Job step will t ### Execution Timeout Configuration AWS SSM has a default execution timeout of 1 hour (3600 seconds). You can configure a custom timeout value using the **`ssm-execution-timeout`** property to allow longer-running commands and scripts. -To set the execution timeout for all SSM executions in a project: +#### Maximum Timeout Limits + +The maximum execution timeout depends on your authentication method and execution type: + +- **With Assume Role**: Up to **12 hours (43200 seconds)** + - Applies when using cross-account access with IAM role assumption + - Limited by AWS IAM temporary credentials duration + +- **Without Assume Role**: Up to **48 hours (172800 seconds)** + - Applies when using direct IAM role attachment or access keys + - Suitable for very long-running operations + +- **Inline Scripts (RBA and RBA-SH)**: Maximum **8 hours (28800 seconds)** + - This limit applies specifically to inline script steps in both Runbook Automation (RBA) and Runbook Automation Self-Hosted (RBA-SH) + - Applies regardless of assume role usage + +:::warning Important +Ensure your IAM policies and AWS service limits support your configured timeout duration. For assume role configurations, verify the maximum session duration is set appropriately in the IAM role settings. +::: + +:::tip Best Practice: Timeout Configuration +Configure your `ssm-execution-timeout` to be **longer than your expected job duration**, with a safety margin of a few minutes. For example, if your job typically runs for 2 hours, set the timeout to 2 hours and 5-10 minutes (7500-7800 seconds) to ensure the job completes successfully without timing out. This buffer accounts for variable execution times and system delays. +::: + +#### Configuration Methods + +**1. Project-wide Configuration (Default Node Executor)** 1. Navigate to **Project Settings** -> **Edit Configuration** -> **Default Node Executor**. -2. In the **AWS / SSM / Node Executor** configuration, add the **Execution Timeout** value in seconds. +2. Select **AWS / SSM / Node Executor** +3. Set the **Execution Timeout** value in seconds (e.g., 7200 for 2 hours) -To set the execution timeout on project config file: -**`project.ssm-execution-timeout=3600`** +**2. Node Source Level (EC2 Node Source)** -To set the execution timeout at node level, add the following node-attribute to the nodes by using the [Attribute Match](/manual/node-enhancers.md#attribute-match) -**`ssm-execution-timeout=3600`** +Using the **Mapping Params** field: +``` +ssm-execution-timeout.default=7200 +``` +(Example: 2 hours = 7200 seconds) + +**3. Project Configuration File** + +Add to your project configuration file: +``` +project.ssm-execution-timeout=7200 +``` + +**4. Node Level (Individual Nodes)** + +Using the [Attribute Match](/manual/node-enhancers.md#attribute-match) node enhancer, add as a node-attribute: +``` +ssm-execution-timeout=7200 +``` -**Default Value**: If not specified, the execution timeout defaults to **3600 seconds (1 hour)**. +#### Default Value +If not specified, the execution timeout defaults to **3600 seconds (1 hour)**. ## Using CloudWatch Logs (Optional) The example policies in the prior sections enable Runbook Automation to retrieve logs directly from SSM. From ad10772ddb90ca551adff5a3501f0cf642a9a769 Mon Sep 17 00:00:00 2001 From: Forrest Evans Date: Wed, 17 Dec 2025 21:10:09 -0800 Subject: [PATCH 2/3] Update docs/manual/projects/node-execution/aws-ssm.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- docs/manual/projects/node-execution/aws-ssm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/manual/projects/node-execution/aws-ssm.md b/docs/manual/projects/node-execution/aws-ssm.md index 27a52a141..63f1ca867 100644 --- a/docs/manual/projects/node-execution/aws-ssm.md +++ b/docs/manual/projects/node-execution/aws-ssm.md @@ -211,7 +211,7 @@ The maximum execution timeout depends on your authentication method and executio - Applies when using direct IAM role attachment or access keys - Suitable for very long-running operations -- **Inline Scripts (RBA and RBA-SH)**: Maximum **8 hours (28800 seconds)** +- **Inline Scripts (Runbook Automation/RBA and Runbook Automation Self-Hosted/RBA-SH)**: Maximum **8 hours (28800 seconds)** - This limit applies specifically to inline script steps in both Runbook Automation (RBA) and Runbook Automation Self-Hosted (RBA-SH) - Applies regardless of assume role usage From 537e16c2435175efa96330a6ed8b869131ff1f91 Mon Sep 17 00:00:00 2001 From: Jesus Osuna <87494173+Jesus-Osuna-M@users.noreply.github.com> Date: Thu, 18 Dec 2025 10:30:20 -0300 Subject: [PATCH 3/3] Update docs/learning/howto/cross-account-aws-ssm.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- docs/learning/howto/cross-account-aws-ssm.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/learning/howto/cross-account-aws-ssm.md b/docs/learning/howto/cross-account-aws-ssm.md index ab2594aaf..6c34090a8 100644 --- a/docs/learning/howto/cross-account-aws-ssm.md +++ b/docs/learning/howto/cross-account-aws-ssm.md @@ -301,9 +301,9 @@ The SSM Node Executor can be set as the **Default Node Executor** - thereby maki :::tip Extended Execution Time SSM executions support extended timeout configurations: -- With Assume Role: up to 12 hours -- Without Assume Role: up to 48 hours -- Inline Scripts: maximum 8 hours +- With Assume Role: up to **12 hours (43200 seconds)** +- Without Assume Role: up to **48 hours (172800 seconds)** +- Inline Scripts: maximum **8 hours (28800 seconds)** See the [Execution Timeout Configuration](/manual/projects/node-execution/aws-ssm.md#execution-timeout-configuration) section for complete details and configuration methods. :::