github.com/kikitux/packer@v0.10.1-0.20160322154024-6237df566f9f/website/source/docs/builders/amazon.html.md (about) 1 --- 2 description: | 3 Packer is able to create Amazon AMIs. To achieve this, Packer comes with 4 multiple builders depending on the strategy you want to use to build the AMI. 5 layout: docs 6 page_title: Amazon AMI Builder 7 ... 8 9 # Amazon AMI Builder 10 11 Packer is able to create Amazon AMIs. To achieve this, Packer comes with 12 multiple builders depending on the strategy you want to use to build the AMI. 13 Packer supports the following builders at the moment: 14 15 - [amazon-ebs](/docs/builders/amazon-ebs.html) - Create EBS-backed AMIs by 16 launching a source AMI and re-packaging it into a new AMI 17 after provisioning. If in doubt, use this builder, which is the easiest to 18 get started with. 19 20 - [amazon-instance](/docs/builders/amazon-instance.html) - Create 21 instance-store AMIs by launching and provisioning a source instance, then 22 rebundling it and uploading it to S3. 23 24 - [amazon-chroot](/docs/builders/amazon-chroot.html) - Create EBS-backed AMIs 25 from an existing EC2 instance by mounting the root device and using a 26 [Chroot](https://en.wikipedia.org/wiki/Chroot) environment to provision 27 that device. This is an **advanced builder and should not be used by 28 newcomers**. However, it is also the fastest way to build an EBS-backed AMI 29 since no new EC2 instance needs to be launched. 30 31 -> **Don't know which builder to use?** If in doubt, use the [amazon-ebs 32 builder](/docs/builders/amazon-ebs.html). It is much easier to use and Amazon 33 generally recommends EBS-backed images nowadays. 34 35 <span id="specifying-amazon-credentials"></span> 36 37 ## Specifying Amazon Credentials 38 39 When you use any of the amazon builders, you must provide credentials to the API 40 in the form of an access key id and secret. These look like: 41 42 access key id: AKIAIOSFODNN7EXAMPLE 43 secret access key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY 44 45 If you use other AWS tools you may already have these configured. If so, packer 46 will try to use them, *unless* they are specified in your packer template. 47 Credentials are resolved in the following order: 48 49 1. Values hard-coded in the packer template are always authoritative. 50 2. *Variables* in the packer template may be resolved from command-line flags 51 or from environment variables. Please read about [User 52 Variables](https://www.packer.io/docs/templates/user-variables.html) 53 for details. 54 3. If no credentials are found, packer falls back to automatic lookup. 55 56 ### Automatic Lookup 57 58 If no AWS credentials are found in a packer template, we proceed on to the 59 following steps: 60 61 1. Lookup via environment variables. 62 - First `AWS_ACCESS_KEY_ID`, then `AWS_ACCESS_KEY` 63 - First `AWS_SECRET_ACCESS_KEY`, then `AWS_SECRET_KEY` 64 65 2. Look for [local AWS configuration 66 files](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) 67 - First `~/.aws/credentials` 68 - Next based on `AWS_PROFILE` 69 70 3. Lookup an IAM role for the current EC2 instance (if you're running in EC2) 71 72 \~> **Subtle details of automatic lookup may change over time.** The most 73 reliable way to specify your configuration is by setting them in template 74 variables (directly or indirectly), or by using the `AWS_ACCESS_KEY_ID` and 75 `AWS_SECRET_ACCESS_KEY` environment variables. 76 77 Environment variables provide the best portability, allowing you to run your 78 packer build on your workstation, in Atlas, or on another build server. 79 80 ## Using an IAM Instance Profile 81 82 If AWS keys are not specified in the template, a 83 [credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) 84 file or through environment variables Packer will use credentials provided by 85 the instance's IAM profile, if it has one. 86 87 The following policy document provides the minimal set permissions necessary for 88 Packer to work: 89 90 ``` {.javascript} 91 { 92 "Statement": [{ 93 "Effect": "Allow", 94 "Action" : [ 95 "ec2:AttachVolume", 96 "ec2:CreateVolume", 97 "ec2:DeleteVolume", 98 "ec2:CreateKeypair", 99 "ec2:DeleteKeypair", 100 "ec2:DescribeSubnets", 101 "ec2:CreateSecurityGroup", 102 "ec2:DeleteSecurityGroup", 103 "ec2:AuthorizeSecurityGroupIngress", 104 "ec2:CreateImage", 105 "ec2:CopyImage", 106 "ec2:RunInstances", 107 "ec2:TerminateInstances", 108 "ec2:StopInstances", 109 "ec2:DescribeVolumes", 110 "ec2:DetachVolume", 111 "ec2:DescribeInstances", 112 "ec2:CreateSnapshot", 113 "ec2:DeleteSnapshot", 114 "ec2:DescribeSnapshots", 115 "ec2:DescribeImages", 116 "ec2:RegisterImage", 117 "ec2:CreateTags", 118 "ec2:ModifyImageAttribute" 119 ], 120 "Resource" : "*" 121 }] 122 } 123 ``` 124 125 ## Troubleshooting 126 127 ### Attaching IAM Policies to Roles 128 129 IAM policies can be associated with user or roles. If you use packer with IAM 130 roles, you may encounter an error like this one: 131 132 ==> amazon-ebs: Error launching source instance: You are not authorized to perform this operation. 133 134 You can read more about why this happens on the [Amazon Security 135 Blog](https://blogs.aws.amazon.com/security/post/Tx3M0IFB5XBOCQX/Granting-Permission-to-Launch-EC2-Instances-with-IAM-Roles-PassRole-Permission). 136 The example policy below may help packer work with IAM roles. Note that this 137 example provides more than the minimal set of permissions needed for packer to 138 work, but specifics will depend on your use-case. 139 140 ``` {.json} 141 { 142 "Sid": "PackerIAMPassRole", 143 "Effect": "Allow", 144 "Action": "iam:PassRole", 145 "Resource": [ 146 "*" 147 ] 148 } 149 ```