
How to use AWS roles with Packer to create AMIs

I'm currently building AMIs via Packer without a problem, but I am baking the AWS credentials into my scripts which is not what I want. Reading the Packer documentation they specify that if no credentials are found it can use an AWS role.

I have created the policy and the role, but it's unclear to me how to tell Packer to use this role. Do I have to pass the ARN in as a variable?

Any thoughts?

Roles only apply to instances running on AWS, and roles can only be applied when you create an instance (though you can change the permissions assigned to that role later).

So in this case, if you want to use roles for AMI creation, you will need to...

  1. Create a role with permissions (i.e. the ones detailed in the link Kush provided) to create AMIs
  2. Create an instance with that role
  3. Install Packer on that instance

Using that instance, you can then create AMIs without specifying any credentials.

If you'd like to set the IAM role that Packer uses during AMI creation from the command line (e.g. from Jenkins), then you can use variables to do so, e.g. using the following in your Packer script:

"variables": {
  "packer_profile": "packer",
  ...
},
"builders": [
  {
    "type": "amazon-ebs",
    ...
    "iam_instance_profile": "{{user `packer_profile`}}",
    ...
  }
],
"provisioners": [
  ...
]

So we provide a default "packer" value for our packer_profile variable. Then, when invoking Packer from the command-line in Jenkins, you override that default variable value using:

$ /path/to/packer -var packer_profile="MyNewProfileHere" ...

Hope this helps!

Been scouring the web for a good answer to this and have yet to find one, so piggybacking off of this question to answer in full after struggling through it.

The first thing you need to get roles working without "manual" temporary or permanent creds is a policy on your CodeBuild (or Jenkins) service role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AttachVolume",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CopyImage",
                "ec2:CreateImage",
                "ec2:CreateKeypair",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSnapshot",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:DeleteKeyPair",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteSnapshot",
                "ec2:DeleteVolume",
                "ec2:DeregisterImage",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeRegions",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DetachVolume",
                "ec2:GetPasswordData",
                "ec2:ModifyImageAttribute",
                "ec2:ModifyInstanceAttribute",
                "ec2:ModifySnapshotAttribute",
                "ec2:RegisterImage",
                "ec2:RunInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "iam:PassRole",
                "iam:GetInstanceProfile"
            ],
            "Resource": "*"
        }
    ]
}

When you run your Packer.json you'll want to have the instance profile NAME, *not* the ARN, in there like so:
{
    "variables": {
        "aws_region": "{{env `AWS_REGION`}}",
        "ami_name": "redacted-{{isotime \"02-Jan-06 03_04_05\"}}"
    },
    "builders": [
        {
            "name": "AWS AMI Builder",
            "type": "amazon-ebs",
            "region": "{{user `aws_region`}}",
            "source_ami": "ami-redacted",
            "instance_type": "t3.medium",
            "ssh_username": "ec2-user",
            "ami_name": "{{user `ami_name`}}",
            "tags": {
                "Name": "{{user `ami_name`}}"
            },
            "iam_instance_profile": "your_profile_name_here",
            "ami_description": "test"
        }
    ]
}

I hope this helps someone down the line!

EDIT: I should mention that this needs absolutely no setup on the command-line side... unlike most of the answers I've seen.
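Both answers above come down to the same three pieces: a role (with an instance profile) for the build instance, a policy on the Jenkins/CodeBuild role that runs Packer, and the `iam_instance_profile` field set to the profile name. The Python below is an added example written for this page, not code from either answer or from Packer, and it goes one step beyond them: the second answer's policy grants `iam:PassRole` on `"*"`, which lets the pipeline role launch an instance carrying any role in the account that trusts EC2, so the tightened `builder_policy` pins PassRole to the one build role and to EC2 as the receiving service, and `unscoped_passrole` flags the wide form. `resolve_user_vars` mimics what `packer build -var packer_profile=...` does to the template from the first answer. The account ID, role and profile names, AMI ID and region are made-up values, the `metadata_options` block is an assumption about the amazon-ebs builder, and the action list is copied from the policy above.

```python
"""Added example: the IAM pieces behind both answers, plus one audit check."""
import json
import re

# EC2 actions from the second answer's policy (constructed list, copied from it).
PACKER_EC2_ACTIONS = [
    "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", "ec2:CopyImage",
    "ec2:CreateImage", "ec2:CreateKeypair", "ec2:CreateSecurityGroup", "ec2:CreateSnapshot",
    "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteKeyPair", "ec2:DeleteSecurityGroup",
    "ec2:DeleteSnapshot", "ec2:DeleteVolume", "ec2:DeregisterImage", "ec2:DescribeImageAttribute",
    "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeRegions",
    "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeTags",
    "ec2:DescribeVolumes", "ec2:DetachVolume", "ec2:GetPasswordData", "ec2:ModifyImageAttribute",
    "ec2:ModifyInstanceAttribute", "ec2:ModifySnapshotAttribute", "ec2:RegisterImage",
    "ec2:RunInstances", "ec2:StopInstances", "ec2:TerminateInstances",
]

# Constructed copy of that answer's policy shape: one statement, iam:PassRole on "*".
ANSWER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": PACKER_EC2_ACTIONS + ["iam:PassRole", "iam:GetInstanceProfile"]}]}


def trust_policy(service="ec2.amazonaws.com"):
    """Trust policy for the role that goes into the build instance's profile (step 1)."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Service": service}, "Action": "sts:AssumeRole"}]}


def builder_policy(build_role_arn):
    """Permissions for the Jenkins/CodeBuild role that runs Packer.

    Same EC2 actions as the answer, but iam:PassRole is limited to the one role the
    build instance may receive, and only when passed to EC2, so the pipeline cannot
    hand an administrative role to an instance it launches."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": PACKER_EC2_ACTIONS, "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:GetInstanceProfile", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": build_role_arn,
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def unscoped_passrole(policy):
    """Indexes of Allow statements granting iam:PassRole on every role with no
    iam:PassedToService condition. Run it over any policy before deploying it."""
    hits = []
    for i, st in enumerate(policy["Statement"]):
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if st.get("Effect") != "Allow" or not ({"iam:passrole", "iam:*", "*"} & actions):
            continue
        scoped = any("iam:PassedToService" in c for c in st.get("Condition", {}).values())
        if "*" in _as_list(st.get("Resource", [])) and not scoped:
            hits.append(i)
    return hits


def packer_template(profile_name, region, source_ami, ami_name):
    """amazon-ebs template; iam_instance_profile takes the profile NAME, never the ARN."""
    if profile_name.startswith("arn:"):
        raise ValueError("iam_instance_profile wants the instance profile name, not an ARN")
    return {
        "variables": {"packer_profile": profile_name},
        "builders": [{
            "type": "amazon-ebs", "region": region, "source_ami": source_ami,
            "instance_type": "t3.medium", "ssh_username": "ec2-user", "ami_name": ami_name,
            "iam_instance_profile": "{{user `packer_profile`}}",
            # Assumption: the builder's metadata_options block. Requiring IMDSv2 keeps the
            # profile's credentials out of reach of a plain SSRF against the build instance.
            "metadata_options": {"http_endpoint": "enabled", "http_tokens": "required"},
        }],
    }


_USER_VAR = re.compile(r"\{\{user `([^`]+)`\}\}")


def resolve_user_vars(template, overrides=None):
    """Mimic 'packer build -var name=value': overrides beat the template defaults."""
    values = {**template.get("variables", {}), **(overrides or {})}

    def walk(node):
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        if isinstance(node, str):
            return _USER_VAR.sub(lambda m: values[m.group(1)], node)
        return node

    return walk(template)


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/packer-build"  # hypothetical account and role
    print("answer's policy, unscoped PassRole statements:", unscoped_passrole(ANSWER_POLICY))
    print("tightened policy, unscoped PassRole statements:", unscoped_passrole(builder_policy(role)))
    tpl = packer_template("packer-build", "us-east-1", "ami-0123456789abcdef0", "base-image")
    print(json.dumps(resolve_user_vars(tpl, {"packer_profile": "MyNewProfileHere"}), indent=2))
```

The two policies are for two different principals: `builder_policy` goes on the role of the host running Packer (the Jenkins or CodeBuild role), while the role named in `build_role_arn` is the one wrapped in the instance profile that `iam_instance_profile` names, and it should carry only what the provisioners on the build instance need (often nothing).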

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.