I have created the image in dev (acct-id 1111111) and need to use the same image on prod (22222222) (same region), but I'm getting the following error. The image is built in the Dev workspace and then used in the PROD workspace. Dev is working without any issue; I have AWS::ImageBuilder::DistributionConfiguration configured with a launch permission for those two workspaces.
WEBAutoScalingGroup - AWS::AutoScaling::AutoScalingGroup - CREATE_FAILED - API: autoscaling:CreateAutoScalingGroup Not authorized for images: [ami-02adsdsw4d8216f7b0a]
My Image Builder permissions are as follows.
---
AWSTemplateFormatVersion: '2010-09-09'
Description: image builder policy
Parameters:
  Dev:
    Default: 11111111111
    Type: String
  Prod:
    Default: 22222222222
    Type: String
Resources:
  ImageBuilderpolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Extra permission for Image builder role
      Roles:
        - EC2InstanceProfileForImageBuilder
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # s3 get object permission for image builder
          - Effect: Allow
            Action:
              - s3:Get*
              - s3:List*
            Resource:
              - "arn:aws:s3:::dev-imagebuilder-cicd/*"
              - "arn:aws:s3:::dev-imagebuilder-cicd"
  # Imagebuilder policy to cicd role
  IAMPolicyEC2ImageBuilder:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Roles:
        - CICDRole
      Description: Policy to access AWS EC2 Image Builder Service
      ManagedPolicyName: 'EC2ImageBuilderIAMPolicy'
      Path: '/ImageBuilder-Management/'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'imagebuilder:CreateComponent'
              - 'imagebuilder:CreateDistributionConfiguration'
              - 'imagebuilder:CreateImage'
              - 'imagebuilder:CreateImagePipeline'
              - 'imagebuilder:CreateImageRecipe'
            Resource: '*'
          - Effect: Allow
            Action:
              - 'imagebuilder:CreateInfrastructureConfiguration'
            Resource: '*'
          - Effect: Allow
            Action:
              - 'imagebuilder:CancelImageCreation'
              - 'imagebuilder:Get*'
              - 'imagebuilder:DeleteComponent'
              - 'imagebuilder:DeleteDistributionConfiguration'
              - 'imagebuilder:DeleteImage'
              - 'imagebuilder:DeleteImagePipeline'
              - 'imagebuilder:DeleteImageRecipe'
              - 'imagebuilder:DeleteInfrastructureConfiguration'
              - 'imagebuilder:ImportComponent'
              - 'imagebuilder:StartImagePipelineExecution'
              - 'imagebuilder:TagResource'
              - 'imagebuilder:UntagResource'
              - 'imagebuilder:UpdateDistributionConfiguration'
              - 'imagebuilder:UpdateImagePipeline'
              - 'imagebuilder:UpdateInfrastructureConfiguration'
            Resource: '*'
          - Effect: Allow
            Action:
              - 'sns:Publish'
            Resource: !Sub 'arn:aws:sns:${AWS::Region}:${AWS::AccountId}:*imagebuilder*'
          - Effect: Allow
            Action: iam:PassRole
            Resource:
              - !Sub arn:aws:iam::${AWS::AccountId}:instance-profile/EC2InstanceProfileForImageBuilder
              - !Sub arn:aws:iam::${AWS::AccountId}:role/EC2InstanceProfileForImageBuilder
            Condition:
              StringEquals:
                iam:PassedToService: ec2.amazonaws.com
          - Effect: Allow
            Action: iam:CreateServiceLinkedRole
            Resource: arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder
            Condition:
              StringLike:
                iam:AWSServiceName: imagebuilder.amazonaws.com
          - Effect: Deny
            Action:
              - ec2:RunInstances
              - ec2:AssociateIamInstanceProfile
            Resource: "*"
            Condition:
              StringEquals:
                ec2:InstanceProfile: !Sub arn:aws:iam::${AWS::AccountId}:instance-profile/EC2InstanceProfileForImageBuilder
  Ec2ImageBuilderCrossAccountDistributionAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Roles:
        - CICDRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: "ec2:CreateTags"
            Resource: "arn:aws:ec2:*::image/*"
          - Effect: Allow
            Action:
              - "ec2:DescribeImages"
              - "ec2:CopyImage"
              - "ec2:ModifyImageAttribute"
            Resource: "*"
  EC2ImageBuilderDistributionCrossAccountRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: EC2ImageBuilderDistributionCrossAccountRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action:
              - "sts:AssumeRole"
          - Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${Dev}:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder
                - !Sub arn:aws:iam::${Prod}:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: EC2ImageBuilderKMSInlinePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - 'kms:Encrypt'
                  - 'kms:Decrypt'
                  - 'kms:ReEncrypt*'
                  - 'kms:GenerateDataKey*'
                  - 'kms:DescribeKey'
                  - 'kms:CreateGrant'
                  - 'kms:ListGrants'
                  - 'kms:RevokeGrant'
                  - 'ec2:CreateLaunchTemplateVersion'
                  - 'ec2:ModifyLaunchTemplate'
                  - 'ec2:DescribeLaunchTemplates'
                  - 'ec2:CreateTags'
                Resource: '*'
              - Effect: Allow
                Action:
                  - ec2:CreateLaunchTemplateVersion
                  - ec2:ModifyLaunchTemplate
                Resource: "*"
              - Effect: Allow
                Action:
                  - ec2:DescribeLaunchTemplates
                Resource: "*"
              - Effect: Allow
                Action:
                  - ec2:CreateTags
                Resource: arn:aws:ec2:*:*:launch-template/*
      ManagedPolicyArns:
        - !Ref Ec2ImageBuilderCrossAccountDistributionAccessPolicy
Not sure why it's failing with the "Not authorized for images" error.
I am not sure if Image Builder is relevant to solving the problem that you are having. When you create an AMI, you need to share it with account 222222. If you are building the AMI with an Image Builder pipeline, just add the
aws ec2 modify-image-attribute
command to the pipeline.
For testing, before using the AMI in the autoscaling group, try to launch an instance from it in the prod account. If you can't, solve this problem first.
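The share-then-verify step described in the answer, as an added example that is not part of the original thread: it grants the prod account launch permission on the AMI with modify-image-attribute and then reads the attribute back, so the check runs in CI before any prod stack references the image. AMI_ID and PROD_ACCOUNT are placeholders, and the aws CLI calls only run when the script is invoked with the argument run.

```shell
#!/bin/sh
# Added example (not from the original post). Shares a Dev-built AMI with the
# Prod account and verifies the launch permission before Prod uses the AMI.
set -eu

AMI_ID="${AMI_ID:-ami-0123456789abcdef0}"      # placeholder AMI id
PROD_ACCOUNT="${PROD_ACCOUNT:-222222222222}"   # placeholder Prod account id

# Build the --launch-permission argument for modify-image-attribute.
launch_permission_json() {
  printf '{"Add":[{"UserId":"%s"}]}' "$1"
}

# Read describe-image-attribute JSON on stdin; return 0 if the given account
# appears under LaunchPermissions, 1 otherwise (grep-based, no jq needed).
has_launch_permission() {
  grep -q "\"UserId\": *\"$1\""
}

# Grant the account launch permission on the AMI (the Dev account must own it).
# If the AMI's snapshots use a customer-managed KMS key, the key policy must
# also allow the Prod account, or launches in Prod still fail.
share_ami() {
  aws ec2 modify-image-attribute --image-id "$1" \
    --launch-permission "$(launch_permission_json "$2")"
}

# Fail loudly if the permission is not visible on the image attribute.
verify_share() {
  if aws ec2 describe-image-attribute --image-id "$1" \
       --attribute launchPermission | has_launch_permission "$2"; then
    echo "ok: $1 is launchable from account $2"
  else
    echo "error: $1 is not shared with account $2" >&2
    return 1
  fi
}

if [ "${1:-}" = "run" ]; then
  share_ami "$AMI_ID" "$PROD_ACCOUNT"
  verify_share "$AMI_ID" "$PROD_ACCOUNT"
fi
```

Run it as the CICDRole in the Dev account with `AMI_ID=<image> ./share-ami.sh run`; a non-zero exit means the Prod AutoScaling group would hit the same "Not authorized for images" error.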