Is it possible to share Amazon AMI images to other users programmatically using AWS SDK


Is it possible to share an AMI using AWS SDK? I know I can share AMI images using AWS console or CLI as described in http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html . I searched through the AWS documentation but I have not been able to find any documentation/examples that let you share AMIs using AWS SDK. Is it possible at all?

EDIT: Also, is it possible to share AMI images to other IAM users?


Absolutely. For example, look at the boto.ec2.image class (the Python SDK).

http://boto.readthedocs.org/en/latest/ref/ec2.html#module-boto.ec2.image

I'm sure the Ruby, JS and Java SDKs can do it too, as they all use the AWS API.

As a matter of fact, the CLI also uses the API.

Also, here's, for example, the EC2 API reference on how to create an image.

http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ApiReference-query-CreateImage.html

And yes, you can share AMIs with other users depending on the IAM policies on the users.


That's right, to modify an attribute on an AMI (or Amazon Image) you want to follow the link that you provided. (http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ApiReference-query-ModifyImageAttribute.html)

The AMI section of EC2 only allows you to create minimal permissions. One is the permission given to an AWS account ID, which is usually something like 123456789012. Keep in mind that an account ID is associated with the main or primary user of the AWS account (for example your email address). The other type of permission it allows is group permissions, but it looks like Amazon hasn't gotten around to implementing it yet, since the only value allowed for Group is all.

IAM provides you more granular permission access for users that are below the main account ID (or the main email address) in the hierarchy.

Now, to use IAM to give permissions on Amazon Images (AMIs), you need to attach an IAM policy to a user or group that has AMI permissions. For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1388772918000",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateImage",
        "ec2:DeregisterImage"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:123456789012:instance/*",
        "arn:aws:ec2:us-east-1:123456789012:image/*"
      ]
    }
  ]
}

This policy gives permissions to create and deregister an image on all the instances and images under us-east-1 for account ID 123456789012.

You can do all of the above programmatically too.

[Edit]

This is the list of possible EC2 ARN values from http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-ec2 :

arn:aws:ec2:region:account:instance/instance-id
arn:aws:iam::account:instance-profile/instance-profile-name
arn:aws:ec2:region:account:placement-group/placement-group-name
arn:aws:ec2:region::snapshot/snapshot-id
arn:aws:ec2:region:account:volume/volume-id
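Both answers above point at the same operation: sharing an AMI is a ModifyImageAttribute call that adds a launchPermission for another account ID (or the group "all" to make the AMI public). The following is an added example, not code from either answer or from AWS, using the current Python SDK (boto3) rather than the legacy boto module the first answer links to. It builds and validates the request, issues it, and reads back DescribeImageAttribute so you can confirm what the AMI is actually shared with. The image ID ami-0123456789abcdef0 and the account 210987654321 are made up for the illustration; 123456789012 is the placeholder account from the answer above. Note that, as the second answer says, launch permissions are granted per AWS account, never per IAM user; an IAM user in the target account can then launch the AMI only if that account's IAM policies allow ec2:RunInstances.

```python
"""Share an AMI with other AWS accounts via EC2 ModifyImageAttribute (boto3).

Added example; names and IDs are constructed, not from the original thread.
"""
import re

try:
    import boto3
    from botocore.stub import Stubber
except ImportError:  # the request builder and response parser still work without boto3
    boto3 = None
    Stubber = None

# AWS account IDs are exactly 12 decimal digits; anything else is rejected up front
# so a typo cannot silently share the image with nobody (or the wrong account).
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_launch_permission_request(image_id, add_accounts=(), remove_accounts=(), make_public=False):
    """Return the kwargs for EC2.Client.modify_image_attribute that grant/revoke launch permission.

    add_accounts / remove_accounts are 12-digit account IDs. make_public=True adds
    {"Group": "all"}, the only group value EC2 supports, which makes the AMI public.
    """
    if not image_id.startswith("ami-"):
        raise ValueError("not an AMI id: %r" % image_id)
    add_accounts, remove_accounts = list(add_accounts), list(remove_accounts)
    for acct in add_accounts + remove_accounts:
        if not ACCOUNT_ID_RE.match(acct):
            raise ValueError("invalid AWS account id: %r" % acct)
    overlap = set(add_accounts) & set(remove_accounts)
    if overlap:
        raise ValueError("account(s) both added and removed: %s" % sorted(overlap))

    add = [{"UserId": acct} for acct in add_accounts]
    if make_public:
        add.append({"Group": "all"})
    remove = [{"UserId": acct} for acct in remove_accounts]

    launch_permission = {}
    if add:
        launch_permission["Add"] = add
    if remove:
        launch_permission["Remove"] = remove
    if not launch_permission:
        raise ValueError("no launch permission change requested")

    return {
        "ImageId": image_id,
        "Attribute": "launchPermission",
        "LaunchPermission": launch_permission,
    }


def share_ami(ec2_client, image_id, account_ids, make_public=False):
    """Grant launch permission on image_id to account_ids; returns the request that was sent."""
    params = build_launch_permission_request(image_id, add_accounts=account_ids, make_public=make_public)
    ec2_client.modify_image_attribute(**params)
    return params


def launch_permission_accounts(describe_response):
    """Parse a DescribeImageAttribute(launchPermission) response into (sorted account ids, is_public)."""
    perms = describe_response.get("LaunchPermissions", [])
    accounts = sorted(p["UserId"] for p in perms if "UserId" in p)
    is_public = any(p.get("Group") == "all" for p in perms)
    return accounts, is_public


if __name__ == "__main__":
    if boto3 is None:
        raise SystemExit("install boto3 to run the demo: pip install boto3")
    # Offline demo: botocore's Stubber stands in for the EC2 endpoint and checks that
    # the parameters we send are exactly the ones a real ModifyImageAttribute expects.
    image_id, target = "ami-0123456789abcdef0", "210987654321"   # constructed values
    ec2 = boto3.client("ec2", region_name="us-east-1",
                       aws_access_key_id="stub", aws_secret_access_key="stub")
    with Stubber(ec2) as stub:
        stub.add_response("modify_image_attribute", {},
                          build_launch_permission_request(image_id, add_accounts=[target]))
        stub.add_response("describe_image_attribute",
                          {"ImageId": image_id, "LaunchPermissions": [{"UserId": target}]},
                          {"ImageId": image_id, "Attribute": "launchPermission"})
        share_ami(ec2, image_id, [target])
        resp = ec2.describe_image_attribute(ImageId=image_id, Attribute="launchPermission")
        stub.assert_no_pending_responses()
    print("shared with:", launch_permission_accounts(resp))
```

Two practical caveats the thread does not spell out: run DescribeImageAttribute after the change rather than trusting the empty ModifyImageAttribute response, since that is the only place the effective permission list is visible; and if the AMI's EBS snapshots are encrypted with a KMS key, the target account also needs access to that key before it can launch the image, because the launch permission alone does not cover it.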