github.com/raghuse92/packer@v1.3.2/website/source/docs/builders/amazon.html.md (about) 1 --- 2 description: | 3 Packer is able to create Amazon AMIs. To achieve this, Packer comes with 4 multiple builders depending on the strategy you want to use to build the AMI. 5 layout: docs 6 page_title: 'Amazon AMI - Builders' 7 sidebar_current: 'docs-builders-amazon' 8 --- 9 10 # Amazon AMI Builder 11 12 Packer is able to create Amazon AMIs. To achieve this, Packer comes with 13 multiple builders depending on the strategy you want to use to build the AMI. 14 Packer supports the following builders at the moment: 15 16 - [amazon-ebs](/docs/builders/amazon-ebs.html) - Create EBS-backed AMIs by 17 launching a source AMI and re-packaging it into a new AMI 18 after provisioning. If in doubt, use this builder, which is the easiest to 19 get started with. 20 21 - [amazon-instance](/docs/builders/amazon-instance.html) - Create 22 instance-store AMIs by launching and provisioning a source instance, then 23 rebundling it and uploading it to S3. 24 25 - [amazon-chroot](/docs/builders/amazon-chroot.html) - Create EBS-backed AMIs 26 from an existing EC2 instance by mounting the root device and using a 27 [Chroot](https://en.wikipedia.org/wiki/Chroot) environment to provision 28 that device. This is an **advanced builder and should not be used by 29 newcomers**. However, it is also the fastest way to build an EBS-backed AMI 30 since no new EC2 instance needs to be launched. 31 32 - [amazon-ebssurrogate](/docs/builders/amazon-ebssurrogate.html) - Create EBS 33 -backed AMIs from scratch. Works similarly to the `chroot` builder but does 34 not require running in AWS. This is an **advanced builder and should not be 35 used by newcomers**. 36 37 -> **Don't know which builder to use?** If in doubt, use the [amazon-ebs 38 builder](/docs/builders/amazon-ebs.html). It is much easier to use and Amazon 39 generally recommends EBS-backed images nowadays. 40 41 # Amazon EBS Volume Builder 42 43 Packer is able to create Amazon EBS Volumes which are preinitialized with a 44 filesystem and data. 45 46 - [amazon-ebsvolume](/docs/builders/amazon-ebsvolume.html) - Create EBS volumes 47 by launching a source AMI with block devices mapped. Provision the instance, 48 then destroy it, retaining the EBS volumes. 49 50 <span id="specifying-amazon-credentials"></span> 51 52 ## Authentication 53 54 The AWS provider offers a flexible means of providing credentials for 55 authentication. The following methods are supported, in this order, and 56 explained below: 57 58 - Static credentials 59 - Environment variables 60 - Shared credentials file 61 - EC2 Role 62 63 ### Static Credentials 64 65 Static credentials can be provided in the form of an access key id and secret. 66 These look like: 67 68 ```json 69 { 70 "access_key": "AKIAIOSFODNN7EXAMPLE", 71 "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", 72 "region": "us-east-1", 73 "type": "amazon-ebs" 74 } 75 ``` 76 77 ### Environment variables 78 79 You can provide your credentials via the `AWS_ACCESS_KEY_ID` and 80 `AWS_SECRET_ACCESS_KEY`, environment variables, representing your AWS Access 81 Key and AWS Secret Key, respectively. Note that setting your AWS credentials 82 using either these environment variables will override the use of 83 `AWS_SHARED_CREDENTIALS_FILE` and `AWS_PROFILE`. The `AWS_DEFAULT_REGION` and 84 `AWS_SESSION_TOKEN` environment variables are also used, if applicable: 85 86 87 Usage: 88 89 ``` 90 $ export AWS_ACCESS_KEY_ID="anaccesskey" 91 $ export AWS_SECRET_ACCESS_KEY="asecretkey" 92 $ export AWS_DEFAULT_REGION="us-west-2" 93 $ packer build packer.json 94 ``` 95 96 ### Shared Credentials file 97 98 You can use an AWS credentials file to specify your credentials. The default 99 location is $HOME/.aws/credentials on Linux and OS X, or 100 "%USERPROFILE%.aws\credentials" for Windows users. If we fail to detect 101 credentials inline, or in the environment, Packer will check this location. You 102 can optionally specify a different location in the configuration by setting the 103 environment with the `AWS_SHARED_CREDENTIALS_FILE` variable. 104 105 The format for the credentials file is like so 106 107 ``` 108 [default] 109 aws_access_key_id=<your access key id> 110 aws_secret_access_key=<your secret access key> 111 ``` 112 113 You may also configure the profile to use by setting the `profile` 114 configuration option, or setting the `AWS_PROFILE` environment variable: 115 116 ```json 117 { 118 "profile": "customprofile", 119 "region": "us-east-1", 120 "type": "amazon-ebs" 121 } 122 ``` 123 124 125 ### IAM Task or Instance Role 126 127 Finally, Packer will use credentials provided by the task's or instance's IAM 128 role, if it has one. 129 130 This is a preferred approach over any other when running in EC2 as you can 131 avoid hard coding credentials. Instead these are leased on-the-fly by Packer, 132 which reduces the chance of leakage. 133 134 The following policy document provides the minimal set permissions necessary 135 for Packer to work: 136 137 ``` json 138 { 139 "Version": "2012-10-17", 140 "Statement": [{ 141 "Effect": "Allow", 142 "Action" : [ 143 "ec2:AttachVolume", 144 "ec2:AuthorizeSecurityGroupIngress", 145 "ec2:CopyImage", 146 "ec2:CreateImage", 147 "ec2:CreateKeypair", 148 "ec2:CreateSecurityGroup", 149 "ec2:CreateSnapshot", 150 "ec2:CreateTags", 151 "ec2:CreateVolume", 152 "ec2:DeleteKeyPair", 153 "ec2:DeleteSecurityGroup", 154 "ec2:DeleteSnapshot", 155 "ec2:DeleteVolume", 156 "ec2:DeregisterImage", 157 "ec2:DescribeImageAttribute", 158 "ec2:DescribeImages", 159 "ec2:DescribeInstances", 160 "ec2:DescribeRegions", 161 "ec2:DescribeSecurityGroups", 162 "ec2:DescribeSnapshots", 163 "ec2:DescribeSubnets", 164 "ec2:DescribeTags", 165 "ec2:DescribeVolumes", 166 "ec2:DetachVolume", 167 "ec2:GetPasswordData", 168 "ec2:ModifyImageAttribute", 169 "ec2:ModifyInstanceAttribute", 170 "ec2:ModifySnapshotAttribute", 171 "ec2:RegisterImage", 172 "ec2:RunInstances", 173 "ec2:StopInstances", 174 "ec2:TerminateInstances" 175 ], 176 "Resource" : "*" 177 }] 178 } 179 ``` 180 181 Note that if you'd like to create a spot instance, you must also add: 182 183 ``` 184 ec2:RequestSpotInstances, 185 ec2:CancelSpotInstanceRequests, 186 ec2:DescribeSpotInstanceRequests 187 ``` 188 189 If you have the `spot_price` parameter set to `auto`, you must also add: 190 191 ``` 192 ec2:DescribeSpotPriceHistory 193 ``` 194 195 ## Troubleshooting 196 197 ### Attaching IAM Policies to Roles 198 199 IAM policies can be associated with users or roles. If you use packer with IAM 200 roles, you may encounter an error like this one: 201 202 ==> amazon-ebs: Error launching source instance: You are not authorized to perform this operation. 203 204 You can read more about why this happens on the [Amazon Security 205 Blog](https://blogs.aws.amazon.com/security/post/Tx3M0IFB5XBOCQX/Granting-Permission-to-Launch-EC2-Instances-with-IAM-Roles-PassRole-Permission). 206 The example policy below may help packer work with IAM roles. Note that this 207 example provides more than the minimal set of permissions needed for packer to 208 work, but specifics will depend on your use-case. 209 210 ``` json 211 { 212 "Sid": "PackerIAMPassRole", 213 "Effect": "Allow", 214 "Action": "iam:PassRole", 215 "Resource": [ 216 "*" 217 ] 218 } 219 ``` 220 221 ### Checking that system time is current 222 223 Amazon uses the current time as part of the [request signing 224 process](http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html). If 225 your system clock is too skewed from the current time, your requests might 226 fail. If that's the case, you might see an error like this: 227 228 ==> amazon-ebs: Error querying AMI: AuthFailure: AWS was not able to validate the provided access credentials 229 230 If you suspect your system's date is wrong, you can compare it against 231 <http://www.time.gov/>. On Linux/OS X, you can run the `date` command to get the 232 current time. If you're on Linux, you can try setting the time with ntp by 233 running `sudo ntpd -q`. 234 235 ### `exceeded wait attempts` while waiting for tasks to complete 236 We use the AWS SDK's built-in waiters to wait for longer-running tasks to 237 complete. These waiters have default delays between queries and maximum number 238 of queries that don't always work for our users. 239 240 If you find that you are being rate-limited or have exceeded your max wait 241 attempts, you can override the defaults by setting the following packer 242 environment variables (note that these will apply to all aws tasks that we have 243 to wait for): 244 245 `AWS_MAX_ATTEMPTS` - This is how many times to re-send a status update request. 246 Excepting tasks that we know can take an extremely long time, this defaults to 247 40tries. 248 249 `AWS_POLL_DELAY_SECONDS` - How many seconds to wait in between status update 250 requests. Generally defaults to 2 or 5 seconds, depending on the task.