Hi Rickard, I am trying to use ami_users to copy AMIs to multiple accounts and got the error below. I am currently using the Assume role and am I missing an IAM permission to modify a volume or something?
*Build 'xxx-ecs-xxx' errored: Error modify AMI attributes: InvalidAMIAttributeItemValue: Invalid attribute item value " 437677xxxxxxxx " for userId item type. ** status code: 400, request id: dsafdsa-2577-419a-b2ba-ba97c517d045*

Thanks,
John.

On Friday, July 13, 2018 at 12:08:18 PM UTC-7, Rickard von Essen wrote:
>
>> I'm wondering if it's possible to skip launching the instance and just do
>> the encryption/sharing steps?
>
> No, if that is all you are doing you are probably better off with just aws
> cli/boto etc.
>
> On Fri, 13 Jul 2018 at 20:53, 'Andrew Thompson' via Packer <[email protected]> wrote:
>
>> I have a very similar setup. I'm using Packer to create and share an
>> unencrypted AMI with multiple accounts, then in those accounts I run Packer
>> again to encrypt the source ami (no provisioners). I'm wondering if it's
>> possible to skip launching the instance and just do the encryption/sharing
>> steps? I was doing this myself previously, but I think Packer handles this
>> much better than I can.
>>
>> On Friday, June 1, 2018 at 5:53:26 AM UTC-4, Rickard von Essen wrote:
>>>
>>> Since this is more of image life cycle management this is out of scope
>>> for Packer. (Packer would need to access multiple AWS accounts, etc).
>>>
>>> I would write a simple Python + Boto3 script since you seem to have a
>>> fairly complex setup. Or a bash script if you want to be quick and dirty.
>>>
>>> On 1 June 2018 at 11:28, Sumit Joshi <[email protected]> wrote:
>>>
>>>> Thank you again for replying Rickard.
>>>>
>>>> I have to create AMI in 7 different AWS accounts using encrypted
>>>> snapshots
>>>> ami_users = ["88682111111", "9951111111", "4801111111", "111114799942",
>>>> "86411113717", "2271111124", "482111111127"]
>>>>
>>>> I have a query regarding this:
>>>> Now, Each AWS account has encrypted snapshot access, I need to perform
>>>> the following for each AWS account
>>>> - Copy snapshot in target account
>>>> - specify Region and Master Key
>>>> - Create Image (AMI) using that snapshot in at least one region
>>>>
>>>> *My Question is:*
>>>> As a part of packer JSON file how to do this ? (Need to use Post
>>>> processor ?)
>>>> Or If I am writing one python script, which uses aws cli and loops over
>>>> 7 AWS accounts and perform the above steps or Use terraform after packer
>>>> build command ?
>>>>
>>>> Can you suggest the better way to do this?
>>>>
>>>> On Friday, June 1, 2018 at 1:02:37 PM UTC+5:30, Rickard von Essen wrote:
>>>>>
>>>>> Yeah sorry about that, forgot about that limitation. You should use
>>>>> register-image *).
>>>>>
>>>>> Rickard
>>>>>
>>>>> *) https://docs.aws.amazon.com/cli/latest/reference/ec2/register-image.html
>>>>>
>>>>> On 1 June 2018 at 08:39, Sumit Joshi <[email protected]> wrote:
>>>>>
>>>>>> Thank you for the reply, Rickard!
>>>>>>
>>>>>> But we can't share the encrypted AMI with the other AWS accounts,
>>>>>> right?
>>>>>>
>>>>>> I have used "ami_users" in the JSON config and I got below error:
>>>>>> *Error modify AMI attributes: UnsupportedOperation: *
>>>>>> *The requested operation is not supported. Images associated with
>>>>>> encrypted Snapshots can not be shared*
>>>>>>
>>>>>> due to which I have used only "snapshot_users" which shares the
>>>>>> encrypted snapshot with other AWS account.
>>>>>>
>>>>>> Mainly I am trying, In the source AWS account I have created
>>>>>> encrypted AMI and in the target AWS Account has access for encrypted
>>>>>> snapshot. In the target I need to create AMI from copied snapshot (from
>>>>>> shared encrypted snapshot).
>>>>>>
>>>>>> Any pointers on this?
>>>>>>
>>>>>> Thanks,
>>>>>> Sumit
>>>>>>
>>>>>> On Thursday, May 31, 2018 at 11:49:59 PM UTC+5:30, Rickard von Essen wrote:
>>>>>>>
>>>>>>> Why don't you just use ami_users to authorize the other accounts to
>>>>>>> launch instances from the AMI?
>>>>>>>
>>>>>>> https://www.packer.io/docs/builders/amazon-ebs.html#ami_users
>>>>>>>
>>>>>>> On Thu, May 31, 2018, 16:35 Sumit Joshi <[email protected]> wrote:
>>>>>>>
>>>>>>>> I have created encrypted AMI (backed by EBS) using packer and
>>>>>>>> sharing the encrypted EBS snapshots with other AWS accounts (Using
>>>>>>>> "snapshot_users" parameter). Also, given access to other AWS accounts
>>>>>>>> for KMS keys.
>>>>>>>>
>>>>>>>> Now in the target AWS account, I want to create AMI using the
>>>>>>>> shared encrypted snapshot. I know the manual steps that need to be
>>>>>>>> done in target AWS account:
>>>>>>>> - Copy the snapshots to the target region and reencrypt them using
>>>>>>>> the target account’s KMS encryption keys in the target region.
>>>>>>>> - Have the target account create an AMI using the encrypted EBS
>>>>>>>> snapshots in the target region.
>>>>>>>>
>>>>>>>> But, How to do this using Packer ? with below packer config, Once
>>>>>>>> encrypted AMI is generated & shared, how to perform above manual step
>>>>>>>> using packer.
>>>>>>>>
>>>>>>>> My JSON config:
>>>>>>>> ...
>>>>>>>> "builders": [
>>>>>>>>   {
>>>>>>>>     "type": "amazon-ebs",
>>>>>>>>     "access_key": "{{user `aws_access_key_id`}}",
>>>>>>>>     "secret_key": "{{user `aws_secret_access_key`}}",
>>>>>>>>     "token": "{{user `aws_session_token`}}",
>>>>>>>>     "region": "us-east-1",
>>>>>>>>     "source_ami": "ami-f2368c8d",
>>>>>>>>     "ami_regions": ["us-west-1","us-west-2","eu-west-1"],
>>>>>>>>     "instance_type": "t2.large",
>>>>>>>>     "ssh_username": "cloud-user",
>>>>>>>>     "ssh_pty": true,
>>>>>>>>     "ami_name": "centos7_aws_packer_{{timestamp}}_{{user `build_tag`}}",
>>>>>>>>     "vpc_id": "{{user `aws_vpc_id`}}",
>>>>>>>>     "subnet_id": "{{user `aws_subnet_id`}}",
>>>>>>>>     "encrypt_boot": true,
>>>>>>>>     "kms_key_id": "ddddaaaww-ccv-wwwa-ddsds-fddd",
>>>>>>>>     "region_kms_key_ids": {
>>>>>>>>       "us-west-1": "arn:aws:kms:us-west-1:11111211:key/xxxxxxxxxx-xxxxx-xxxxxx-1111-xxxxx",
>>>>>>>>       "us-west-2": "arn:aws:kms:us-west-2:11111211:key/xxxxxx-7xxxx26f-xxxx-xxxx-xxxxxxxx",
>>>>>>>>       "eu-west-1": "arn:aws:kms:eu-west-1:11111211:key/xxxx-xxxxxxxxxxx-xxxxxxx-xxxxx-xxx"
>>>>>>>>     },
>>>>>>>>     "snapshot_users": ["88682111111", "9951111111", "4801111111",
>>>>>>>>       "111114799942", "86411113717", "2271111124", "482111111127"]
>>>>>>>>   }
>>>>>>>> ]
>>>>>>>>
>>>>>>>> Any help/pointer is appreciated.
>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>> --
>>>>>>>> This mailing list is governed under the HashiCorp Community
>>>>>>>> Guidelines - https://www.hashicorp.com/community-guidelines.html.
>>>>>>>> Behavior in violation of those guidelines may result in your removal
>>>>>>>> from this mailing list.
>>>>>>>>
>>>>>>>> GitHub Issues: https://github.com/mitchellh/packer/issues
>>>>>>>> IRC: #packer-tool on Freenode
>>>>>>>> ---
>>>>>>>> You received this message because you are subscribed to the Google
>>>>>>>> Groups "Packer" group.
>>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>>> send an email to [email protected].
>>>>>>>> To view this discussion on the web visit
>>>>>>>> https://groups.google.com/d/msgid/packer-tool/d2f5cc92-f081-4c67-83e4-77b9fe92a29c%40googlegroups.com.
>>>>>>>> For more options, visit https://groups.google.com/d/optout.
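
The target-account steps listed in the thread (copy the shared snapshot, re-encrypt it with the target account's KMS key, register an AMI), written with Boto3 as an added example that is not code from any poster or from Packer. The role name, root device name, architecture and virtualization type are assumptions; the account-ID check relies on AWS account IDs being exactly 12 digits and strips padding like that visible in the quoted `userId` error.

```python
import re

ACCOUNT_ID = re.compile(r"[0-9]{12}")  # AWS account IDs are exactly 12 digits


def clean_account_ids(raw_ids):
    """Strip padding; return (usable IDs, rejected raw values)."""
    valid, rejected = [], []
    for raw in raw_ids:
        candidate = str(raw).strip()
        if ACCOUNT_ID.fullmatch(candidate):
            valid.append(candidate)
        else:
            rejected.append(raw)
    return valid, rejected


def target_ec2_client(account_id, region, role_name="ami-copier"):
    """EC2 client in the target account; role_name is a hypothetical role."""
    import boto3  # lazy import: the other functions need no AWS SDK
    creds = boto3.client("sts").assume_role(
        RoleArn="arn:aws:iam::%s:role/%s" % (account_id, role_name),
        RoleSessionName="ami-copy")["Credentials"]
    return boto3.client(
        "ec2", region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"])


def copy_and_register(ec2, snapshot_id, source_region, kms_key_id, ami_name,
                      root_device="/dev/sda1"):
    """In the target account: re-encrypt the shared snapshot, register an AMI."""
    copied = ec2.copy_snapshot(
        SourceSnapshotId=snapshot_id, SourceRegion=source_region,
        Encrypted=True, KmsKeyId=kms_key_id,  # key owned by the target account
        Description="re-encrypted copy of " + snapshot_id)["SnapshotId"]
    # register_image needs a completed snapshot, so block until the copy is done
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[copied])
    image = ec2.register_image(
        Name=ami_name,
        Architecture="x86_64",        # assumption about the source image
        VirtualizationType="hvm",     # assumption about the source image
        RootDeviceName=root_device,   # assumption; must match the source AMI
        BlockDeviceMappings=[{"DeviceName": root_device,
                              "Ebs": {"SnapshotId": copied}}])
    return copied, image["ImageId"]
```

Call `target_ec2_client` once per account returned by `clean_account_ids` and pass the client to `copy_and_register`; the snapshot share and the KMS key grant discussed in the thread must already be in place.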
