Help with encryption. Debian working but Ubuntu failing


Salva

Feb 5, 2018, 8:03:07 AM
to Packer
Hi,

I'm experiencing some problems while trying to encrypt an Ubuntu AMI.
I tried different Ubuntu AMIs but none of them works and the process fails with "Error modify AMI attributes: UnsupportedOperation: The requested operation is not supported. Images associated with encrypted Snapshots can not be shared"

The thing is that it works with Debian.

I'm following this procedure:
 1.- Copy Ubuntu / Debian AMI to our private AMIs
 2.- Encrypt the recent AMI (from our private AMIs). This step works with "Debian" but not with "Ubuntu"


DEBIAN PACKER CODE
"builders" : [
  {
    "type" : "amazon-ebs",
    "region" : "eu-west-1",
    "vpc_id" : "MY_VPC",
    "subnet_id" : "MY_SUBNET",
    "instance_type" : "t2.micro",
    "source_ami" : "MY_DEBIAN_AMI",
    "ami_name" : "Debian-Encrypted",
    "ami_description" : "Debian-Encrypted",
    "ami_virtualization_type" : "hvm",
    "associate_public_ip_address" : "true",
    "ssh_username" : "admin",
    "ssh_timeout" : "5m",
    "ami_users" : ["MY_ACCOUNT"],
    "snapshot_users" : ["MY_ACCOUNT"],
    "ami_block_device_mappings": [
    {
      "device_name": "/dev/sda1",
      "volume_type": "gp2",
      "volume_size": 8,
      "encrypted": true,
      "delete_on_termination": true
    }]
  }
]

UBUNTU PACKER CODE
"builders" : [
  {
    "type" : "amazon-ebs",
    "region" : "eu-west-1",
    "vpc_id" : "MY_VPC",
    "subnet_id" : "MY_SUBNET",
    "instance_type" : "t2.micro",
    "source_ami": "{{user `source_ami`}}",
    "ami_name" : "Ubuntu14.04LTS-Encrypted",
    "ami_description" : "Ubuntu14.04LTS-Encrypted",
    "ami_virtualization_type" : "hvm",
    "ami_users" : ["MY_ACCOUNT"],
    "associate_public_ip_address" : true,
    "ssh_username" : "ubuntu",
    "ssh_timeout" : "5m",
    "snapshot_users" : ["MY_ACCOUNT"],
    "ami_block_device_mappings": [
    {
      "device_name": "/dev/sda1",
      "volume_type": "gp2",
      "volume_size": 8,
      "encrypted": true,
      "delete_on_termination": true
    }]
  }
]


What I also tried is to manually encrypt (using the copy option) our Ubuntu AMI (which works) and after that use Packer to create another AMI for script provisioning.
And of course I get the same message.

Many thanks in advance!

Rickard von Essen

Feb 5, 2018, 10:03:51 AM
to packe...@googlegroups.com
You did something wrong when you tested with Debian. It's not possible to share an AMI backed by an encrypted snapshot since the other user (account) can't access your default EBS KMS key.



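A pre-build check for the conflict described in the reply above, as an added example that is not part of the original thread or of Packer itself: it scans a template for amazon-ebs builders that both encrypt the AMI's snapshots and set sharing options. The `encrypt_boot`, `ami_groups` and `snapshot_groups` options do not appear in the thread, and the sample template and function names are constructed for illustration.

```python
import json

# Constructed sample: the thread's Ubuntu builder wrapped in a complete template,
# plus a second builder that encrypts without sharing.
SAMPLE_TEMPLATE = """
{"builders": [
  {"type": "amazon-ebs", "ami_name": "Ubuntu14.04LTS-Encrypted",
   "ami_users": ["MY_ACCOUNT"], "snapshot_users": ["MY_ACCOUNT"],
   "ami_block_device_mappings": [
     {"device_name": "/dev/sda1", "volume_type": "gp2", "encrypted": true}]},
  {"type": "amazon-ebs", "ami_name": "Private-Encrypted", "encrypt_boot": true}
]}
"""

# Options that make Packer modify AMI or snapshot sharing attributes after the build.
SHARE_KEYS = ("ami_users", "snapshot_users", "ami_groups", "snapshot_groups")

def is_true(value):
    # Treat the string "true" as set too; the thread's Debian template writes one boolean that way.
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")

def encrypted_sources(builder):
    """Return the settings in one builder that produce encrypted snapshots."""
    found = []
    if is_true(builder.get("encrypt_boot")):
        found.append("encrypt_boot")
    for mapping in builder.get("ami_block_device_mappings", []):
        if is_true(mapping.get("encrypted")):
            found.append("ami_block_device_mappings[%s]" % mapping.get("device_name", "?"))
    return found

def find_share_conflicts(template_text):
    """List amazon-ebs builders that encrypt snapshots and also try to share them."""
    findings = []
    for builder in json.loads(template_text).get("builders", []):
        if builder.get("type") != "amazon-ebs":
            continue
        enc = encrypted_sources(builder)
        shared = [key for key in SHARE_KEYS if builder.get(key)]
        if enc and shared:
            findings.append({"ami_name": builder.get("ami_name"),
                             "encrypted_by": enc, "shared_via": shared})
    return findings

if __name__ == "__main__":
    for f in find_share_conflicts(SAMPLE_TEMPLATE):
        print("%(ami_name)s: %(encrypted_by)s conflicts with %(shared_via)s" % f)
```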