Create AMI in target AWS account using shared encrypted snapshot


Sumit Joshi

May 31, 2018, 10:35:07 AM
to Packer
I have created an encrypted AMI (backed by EBS) using Packer and am sharing the encrypted EBS snapshots with other AWS accounts (using the "snapshot_users" parameter). I have also given the other AWS accounts access to the KMS keys.

Now, in the target AWS account, I want to create an AMI using the shared encrypted snapshot. I know the manual steps that need to be done in the target AWS account:
- Copy the snapshots to the target region and re-encrypt them using the target account's KMS encryption keys in the target region.
- Have the target account create an AMI using the encrypted EBS snapshots in the target region.


But how do I do this using Packer? With the Packer config below, once the encrypted AMI is generated and shared, how do I perform the above manual steps using Packer?

My JSON config:
...
  "builders": [
    {
      "type": "amazon-ebs",
      "access_key": "{{user `aws_access_key_id`}}",
      "secret_key": "{{user `aws_secret_access_key`}}",
      "token": "{{user `aws_session_token`}}",
      "region": "us-east-1",
      "source_ami": "ami-f2368c8d",
      "ami_regions": ["us-west-1", "us-west-2", "eu-west-1"],
      "instance_type": "t2.large",
      "ssh_username": "cloud-user",
      "ssh_pty": true,
      "ami_name": "centos7_aws_packer_{{timestamp}}_{{user `build_tag`}}",
      "vpc_id": "{{user `aws_vpc_id`}}",
      "subnet_id": "{{user `aws_subnet_id`}}",
      "encrypt_boot": true,
      "kms_key_id": "ddddaaaww-ccv-wwwa-ddsds-fddd",
      "region_kms_key_ids": {
        "us-west-1": "arn:aws:kms:us-west-1:11111211:key/xxxxxxxxxx-xxxxx-xxxxxx-1111-xxxxx",
        "us-west-2": "arn:aws:kms:us-west-2:11111211:key/xxxxxx-7xxxx26f-xxxx-xxxx-xxxxxxxx",
        "eu-west-1": "arn:aws:kms:eu-west-1:11111211:key/xxxx-xxxxxxxxxxx-xxxxxxx-xxxxx-xxx"
      },
      "snapshot_users": ["88682111111", "9951111111", "4801111111", "111114799942", "86411113717", "2271111124", "482111111127"]
    }
  ]


Any help/pointer is appreciated.
Thanks!

Rickard von Essen

May 31, 2018, 2:19:59 PM
to packe...@googlegroups.com
Why don't you just use ami_users to authorize the other accounts to launch instances from the AMI?

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/mitchellh/packer/issues
IRC: #packer-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Packer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to packer-tool...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/packer-tool/d2f5cc92-f081-4c67-83e4-77b9fe92a29c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Sumit Joshi

Jun 1, 2018, 2:39:39 AM
to Packer
Thank you for the reply, Rickard!

But we can't share the encrypted AMI with the other AWS accounts, right?

I have used "ami_users" in the JSON config and I got the error below:
Error modify AMI attributes: UnsupportedOperation: 
The requested operation is not supported. Images associated with encrypted Snapshots can not be shared

That is why I have used only "snapshot_users", which shares the encrypted snapshot with the other AWS accounts.

Mainly, what I am trying to do is this: in the source AWS account I have created an encrypted AMI, and the target AWS account has access to the encrypted snapshot. In the target account I need to create an AMI from the copied snapshot (copied from the shared encrypted snapshot).

Any pointers on this? 


Thanks,
Sumit 

Sumit Joshi

Jun 1, 2018, 3:17:32 AM
to Packer
Hey Rickard, 

After using ami_users, the actual error is:
1 error(s) occurred:
* Cannot share AMI with encrypted boot volume

Thanks,
Sumit

Rickard von Essen

Jun 1, 2018, 3:32:37 AM
to packe...@googlegroups.com
Yeah, sorry about that, I forgot about that limitation. You should use register-image *).

Rickard



Sumit Joshi

Jun 1, 2018, 5:28:03 AM
to Packer
Thank you again for replying, Rickard.

I have to create the AMI in 7 different AWS accounts using the encrypted snapshots:
ami_users = ["88682111111", "9951111111", "4801111111", "111114799942", "86411113717", "2271111124", "482111111127"]

I have a query regarding this:
Now that each AWS account has access to the encrypted snapshot, I need to perform the following for each AWS account:
- Copy the snapshot in the target account
- Specify the region and master key
- Create an image (AMI) using that snapshot in at least one region


My question is:
How do I do this as part of the Packer JSON file? (Do I need to use a post-processor?)
Or should I write a Python script that uses the AWS CLI and loops over the 7 AWS accounts, performing the above steps, or use Terraform after the packer build command?

Can you suggest the better way to do this?

Rickard von Essen

Jun 1, 2018, 5:53:26 AM
to packe...@googlegroups.com
Since this is more image lifecycle management, it is out of scope for Packer. (Packer would need to access multiple AWS accounts, etc.)

I would write a simple Python + Boto3 script, since you seem to have a fairly complex setup. Or a bash script if you want to be quick and dirty.

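The two target-account steps listed in the question (copy the shared snapshot under the target account's own KMS key, then register an AMI from the copy), written as the kind of boto3 script suggested in the reply above. This is an added example, not code from the thread or from Packer; it assumes the source account has already shared the snapshot via snapshot_users and granted the target account use of the source key, and the placeholder snapshot ID and KMS key ARN in the `__main__` block must be replaced with the target account's own values.

```python
import time


def reencrypt_snapshot(ec2, shared_snapshot_id, target_kms_key_arn, region, poll_seconds=15):
    """Step 1: copy the snapshot shared via snapshot_users into the target account,
    re-encrypting it with the target account's own CMK, and wait for completion.
    `ec2` is a boto3 EC2 client authenticated as the TARGET account in `region`."""
    resp = ec2.copy_snapshot(
        SourceRegion=region,
        SourceSnapshotId=shared_snapshot_id,
        Encrypted=True,              # the copy is owned and encrypted by the target account
        KmsKeyId=target_kms_key_arn,
    )
    copy_id = resp["SnapshotId"]
    while True:                      # encrypted copies can take many minutes
        snap = ec2.describe_snapshots(SnapshotIds=[copy_id])["Snapshots"][0]
        if snap["State"] == "error":
            raise RuntimeError(f"snapshot copy {copy_id} failed")
        if snap["State"] == "completed":
            break
        time.sleep(poll_seconds)
    # Check the copy really sits under the target key before baking an AMI from it;
    # a copy still on the source account's key keeps us dependent on their KMS grant.
    if not snap.get("Encrypted") or snap.get("KmsKeyId") != target_kms_key_arn:
        raise RuntimeError(f"{copy_id} is not encrypted with {target_kms_key_arn}")
    return copy_id


def register_ami(ec2, snapshot_id, ami_name, root_device="/dev/sda1"):
    """Step 2: register an HVM AMI whose root volume is the re-encrypted snapshot."""
    resp = ec2.register_image(
        Name=ami_name,
        Architecture="x86_64",
        VirtualizationType="hvm",
        EnaSupport=True,
        RootDeviceName=root_device,
        BlockDeviceMappings=[{
            "DeviceName": root_device,
            "Ebs": {"SnapshotId": snapshot_id, "VolumeType": "gp2", "DeleteOnTermination": True},
        }],
    )
    return resp["ImageId"]


if __name__ == "__main__":
    import boto3  # only needed for a real run; TARGET-account credentials must be in the environment
    client = boto3.client("ec2", region_name="us-west-2")
    snap = reencrypt_snapshot(client, "snap-SHARED-PLACEHOLDER",
                              "arn:aws:kms:us-west-2:TARGETACCT-PLACEHOLDER:key/PLACEHOLDER", "us-west-2")
    print(register_ami(client, snap, "centos7_encrypted_import"))
```

Looping this over the 7 accounts is a matter of building one client per account (for example via an assumed role) and calling the two functions with that account's key ARN.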

Andrew Thompson

Jul 13, 2018, 2:53:00 PM
to Packer
I have a very similar setup. I'm using Packer to create and share an unencrypted AMI with multiple accounts, then in those accounts I run Packer again to encrypt the source AMI (no provisioners). I'm wondering if it's possible to skip launching the instance and just do the encryption/sharing steps? I was doing this myself previously, but I think Packer handles this much better than I can.

Rickard von Essen

Jul 13, 2018, 3:08:18 PM
to packe...@googlegroups.com
> I'm wondering if it's possible to skip launching the instance and just do the encryption/sharing steps?

No, if that is all you are doing you are probably better off with just the aws cli/boto etc.



CONFIDENTIALITY NOTICE: The information contained in this message may be privileged and/or confidential. It is the property of CrowdStrike.  If you are not the intended recipient, or responsible for delivering this message to the intended recipient, any review, forwarding, dissemination, distribution or copying of this communication or any attachment(s) is strictly prohibited. If you have received this message in error, please notify the sender immediately, and delete it and all attachments from your computer and network.


John Roh

Oct 4, 2019, 8:29:48 PM
to Packer
Hi Rickard,
I am trying to use ami_users to copy AMIs to multiple accounts and got the error below. I am currently using an assumed role; am I missing an IAM permission to modify a volume or something?

Build 'xxx-ecs-xxx' errored: Error modify AMI attributes: InvalidAMIAttributeItemValue: Invalid attribute item value " 437677xxxxxxxx " for userId item type.
	status code: 400, request id: dsafdsa-2577-419a-b2ba-ba97c517d045

Thanks,

John.

Shashank

Oct 5, 2019, 7:31:51 AM
to Packer
ami_users is not meant for copying the image. It is used for sharing the image, or in other words giving other AWS accounts access to it.

When you give other AWS accounts access to an AMI, tags are not shared. The other user will not be able to see the tags. That is the original behavior of AWS; it has nothing to do with Packer.

Shashank

Oct 5, 2019, 7:35:33 AM
to Packer
I read earlier this year that AWS simplified the process of sharing encrypted AMIs. Refer to this article: https://aws.amazon.com/blogs/security/how-to-share-encrypted-amis-across-accounts-to-launch-encrypted-ec2-instances/

Harish Panwar

Oct 6, 2019, 1:22:02 PM
to packe...@googlegroups.com
We did it a little differently. We create an unencrypted AMI using Packer and then copy it to all the other accounts using a small Python boto3 script; while copying, we enable the encryption flag in the API to create the encrypted AMI. I think this is simpler than what you have.

Regards,
Harish Panwar



