You did something wrong when you tested with Debian. It's not possible to share an AMI backed by an encrypted snapshot since the other user (account) can't access your default EBS KMS key.
See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html On 5 February 2018 at 14:03, Salva <[email protected]> wrote: > Hi, > > I'm experiencing some problems while trying to encrypt an Ubuntu AMI. > I tried different Ubuntu AMIs but none of them works and the process fails > with "Error modify AMI attributes: UnsupportedOperation: The requested > operation is not supported. Images associated with encrypted Snapshots can > not be shared" > > The thing is that it works with Debian. > > I'm following this procedure: > 1.- Copy ubuntu / Debian AMI to our private AMIs > 2.- Encrypt the recent AMI (from our private AMIs). This step works with > "Debian" but not with "Ubuntu" > > > DEBIAN PACKER CODE > "builders" : [ > { > "type" : "amazon-ebs", > "region" : "eu-west-1", > "vpc_id" : "MY_VPC", > "subnet_id" : "MY_SUBNET", > "instance_type" : "t2.micro", > "source_ami" : "MY_DEBIAN_AMI", > "ami_name" : "Debian-Encrypted", > "ami_description" : "Debian-Encrypted", > "ami_virtualization_type" : "hvm", > "associate_public_ip_address" : "true", > "ssh_username" : "admin", > "ssh_timeout" : "5m", > "ami_users" : ["MY_ACCOUNT"], > "snapshot_users" : ["MY_ACCOUNT"], > "ami_block_device_mappings": [ > { > "device_name": "/dev/sda1", > "volume_type": "gp2", > "volume_size": 8, > "encrypted": true, > "delete_on_termination": true > }] > > UBUNTU PACKER CODE > "builders" : [ > { > "type" : "amazon-ebs", > "region" : "eu-west-1", > "vpc_id" : "MY_VPC", > "subnet_id" : "MY_SUBNET", > "instance_type" : "t2.micro", > "source_ami": "{{user `source_ami`}}", > "ami_name" : "Ubuntu14.04LTS-Encrypted", > "ami_description" : "Ubuntu14.04LTS-Encrypted", > "ami_virtualization_type" : "hvm", > "ami_users" : ["MY_ACCOUNT"], > "associate_public_ip_address" : true, > "ssh_username" : "ubuntu", > "ssh_timeout" : "5m", > "snapshot_users" : ["MY_ACCOUNT"], > "ami_block_device_mappings": [ > { > "device_name": "/dev/sda1", > "volume_type": "gp2", > "volume_size": 8, > "encrypted": true, > "delete_on_termination": true > }] > } > > > What I also tried is to manually encrypt (using the copy option) our > Ubuntu AMI (which works) and after that try to use packer to create another > AMI for script provisioning. > And of course I get the same message. > > Many thanks in advance! > > -- > This mailing list is governed under the HashiCorp Community Guidelines - > https://www.hashicorp.com/community-guidelines.html. Behavior in > violation of those guidelines may result in your removal from this mailing > list. > > GitHub Issues: https://github.com/mitchellh/packer/issues > IRC: #packer-tool on Freenode > --- > You received this message because you are subscribed to the Google Groups > "Packer" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit https://groups.google.com/d/ > msgid/packer-tool/e811e262-883b-407d-992a-8f3555db7ff3%40googlegroups.com > <https://groups.google.com/d/msgid/packer-tool/e811e262-883b-407d-992a-8f3555db7ff3%40googlegroups.com?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/d/optout. > -- This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list. GitHub Issues: https://github.com/mitchellh/packer/issues IRC: #packer-tool on Freenode --- You received this message because you are subscribed to the Google Groups "Packer" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/packer-tool/CALz9Rt-AZ0UTTra715NHqRkSdoky46rDSsNTW79tXaqW1%2B_5sQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
