SSM Patch Manager patch policy issue


The requirement is to patch existing EC2 instances, so we decided to work with AWS Patch Manager under Systems Manager.

Issue: we have added the AmazonSSMManagedInstanceCore policy role to all instances. Whenever we try on-demand patching (Patch Now), it works without error.

But when we need automatically scheduled patching, which can be done with a "Patch Policy", it gives an error in the installation part of State Manager. Currently we have EC2 instances running Amazon Linux 2 and Ubuntu 16.04. When we tried creating a new Amazon Linux 2 instance in a personal account, it gave the same error.

We even tried with the SSMFullAccess policy.

Sometimes we see this error:

No IMDS credentials were found on the instance.failed to run commands: exit status 156

We expect the patch policy to run without failing.

1

1 answer

1
Antonio Coppola

I was facing the same issue, I guess: my patch policy was set up using Quick Setup, so the manual scan & patch ran fine, whereas the Quick Setup association was failing. The catch is that I'm using a custom role on the EC2 instances, and I solved it by adding a missing tag on the EC2 role, as suggested on this page: https://docs.aws.amazon.com/systems-manager/latest/userguide/quick-setup-patch-manager.html#patch-policy-instance-profile-service-role

It wasn't obvious at all, hope it helps!
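To make the check in the answer above repeatable, here is an added example (not code from the question, the answer, or AWS) that compares a custom instance role's tags against the tag a Quick Setup patch policy expects, adds it when asked to, and separately probes IMDSv2 from the instance so the "No IMDS credentials were found" symptom can be told apart from the missing-tag one. The tag key/value shape (key QSConfigId-<configuration id>, value <configuration id>) is taken from the linked Quick Setup docs page and is an assumption here; the sample role tags and the configuration ID are constructed for illustration, and the role name is a placeholder.

```python
"""Check (and optionally add) the Quick Setup patch-policy tag on an EC2 instance role,
and probe IMDSv2 for role credentials from the instance itself.

Added example, not the original poster's or AWS's code. Assumptions:
  - a Quick Setup patch policy expects the instance role to carry the tag
    Key = "QSConfigId-<configuration id>", Value = "<configuration id>" (per the linked docs)
  - the configuration ID is the one shown for the patch policy in the Quick Setup console
"""
import json
import sys
import urllib.request

IMDS = "http://169.254.169.254/latest"


def required_tag(config_id: str) -> dict:
    """Tag a custom instance role must carry for the Quick Setup association (assumed shape)."""
    return {"Key": f"QSConfigId-{config_id}", "Value": config_id}


def missing_quick_setup_tag(tags, config_id: str):
    """Return the tag that has to be added, or None if the role already carries it.

    `tags` is the list of {"Key": ..., "Value": ...} dicts that IAM returns for a role.
    A key that is present with the wrong value is treated as missing, since tag_role
    overwrites an existing key.
    """
    want = required_tag(config_id)
    for tag in tags:
        if tag.get("Key") == want["Key"]:
            return None if tag.get("Value") == want["Value"] else want
    return want


def imds_role_credentials(timeout: float = 2.0):
    """Run on the instance: (role name or None, True if IMDSv2 serves usable credentials).

    Uses the IMDSv2 token flow so it also works when IMDSv1 is disabled.
    Never called at import time; it only makes sense on an EC2 instance.
    """
    try:
        req = urllib.request.Request(
            f"{IMDS}/api/token", method="PUT",
            headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
        token = urllib.request.urlopen(req, timeout=timeout).read().decode()
        hdr = {"X-aws-ec2-metadata-token": token}
        req = urllib.request.Request(f"{IMDS}/meta-data/iam/security-credentials/", headers=hdr)
        role = urllib.request.urlopen(req, timeout=timeout).read().decode().strip()
        if not role:  # no instance profile attached: exactly the "No IMDS credentials" case
            return None, False
        req = urllib.request.Request(f"{IMDS}/meta-data/iam/security-credentials/{role}", headers=hdr)
        creds = json.loads(urllib.request.urlopen(req, timeout=timeout).read())
        return role, creds.get("Code") == "Success"
    except Exception:
        return None, False


def ensure_role_tag(role_name: str, config_id: str, apply: bool = False):
    """Live check against IAM (needs boto3 and credentials). Returns the tag added/needed or None."""
    import boto3  # imported here so the pure helpers above work without it
    iam = boto3.client("iam")
    tags = iam.list_role_tags(RoleName=role_name)["Tags"]
    tag = missing_quick_setup_tag(tags, config_id)
    if tag and apply:
        iam.tag_role(RoleName=role_name, Tags=[tag])
    return tag


if __name__ == "__main__":
    # Constructed sample: a custom role that only has a Name tag, which is enough for
    # "Patch Now" but not for the Quick Setup association.
    sample_tags = [{"Key": "Name", "Value": "ec2-patching-role"}]
    sample_config_id = "0123456789abcdef"  # placeholder configuration ID
    print("needs tag:", missing_quick_setup_tag(sample_tags, sample_config_id))

    # Live use: python check_qs_tag.py <role-name> <configuration-id> [--apply]
    if len(sys.argv) >= 3:
        result = ensure_role_tag(sys.argv[1], sys.argv[2], apply="--apply" in sys.argv)
        print("tag was missing, added" if result and "--apply" in sys.argv
              else "tag missing, rerun with --apply" if result else "tag already present")
        sys.exit(0)
    role, ok = imds_role_credentials()
    print(f"IMDS role: {role!r}, credentials served: {ok}")
```

Run the IMDS probe on the failing instance first: if it reports no role, the fix is attaching an instance profile, not a tag; if it reports a role with credentials but the Quick Setup association still fails while Patch Now works, run the tag check against that role with the patch policy's configuration ID and apply the tag.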