Packer: Can Packer share encrypted AMIs with other AWS accounts?

Created on 6 Apr 2017 · 8 comments · Source: hashicorp/packer

I use packer to build encrypted Ubuntu AMI in us-east-1 and copy to other regions.

FOR FEATURES:

Would it be possible to share the same encrypted AMI with other AWS accounts and then copy to
their regions?

Labels: builder/amazon, duplicate, waiting-reply

All 8 comments

If I understand this correctly, this is a duplicate of #4249?

The first part is not a duplicate, but the second has already been resolved, though not in the context of #1.

  1. Share with other accounts
  2. Copy to other region of other accounts.

Strictly speaking you can't copy an encrypted AMI from another account. You can only copy the underlying snapshot _if_ that has been shared with the other account _and_ you have access to the KMS key.

The second thing is that you can only copy AMI _from_ another account not _to_ an account. Thus if Packer is building in one account and then want to copy an AMI into another account it needs to switch to that account and that would require separate credentials. That complexity is IMHO out of scope.

I suggest that if you want to build in one account and then copy into another account, you do that in a pipeline where the first step is Packer building and sharing with the second account. In the second step a script copies the AMI from the first account into the appropriate regions.

I would recommend against sharing an encrypted AMI with another account. Technically it is possible, but it's very bad practice - because then one encryption key is being used in multiple accounts. The entire point of multiple accounts is for separation - if one account were to be compromised, if you're sharing encrypted AMIs, then the other account's data can also be compromised.

What I would recommend to you is what I do: I run multiple packer builds in parallel on several accounts, all producing an encrypted AMI, using the same packer json file, same scripts, etc. For all intents and purposes, the resultant AMIs are identical, however encrypted using each account's keys and not shared among accounts.
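As an added example (not from this thread and not Packer's own code), the per-account approach in the comment above written as a shell script: one amazon-ebs template whose `kms_key_id` and `source_ami` are template variables, run once per AWS profile in parallel, so every account ends up with an identical AMI encrypted under its own key and nothing is shared. `encrypt_boot` and `kms_key_id` are real amazon-ebs builder options; the profile names, key alias, AMI id, file names and the accounts-file layout are assumptions.

```shell
#!/bin/sh
# Build one Packer template in several AWS accounts at the same time. Each build
# encrypts its AMI with that account's own KMS key; no AMI, snapshot or key is
# shared between accounts. Assumed (not from the issue): one CLI profile per
# account, a KMS key alias present in each account, and packer on PATH.
set -eu

PACKER="${PACKER:-packer}"          # PACKER=echo gives a dry run of the invocations
TEMPLATE="${TEMPLATE:-golden.json}"
LOG_DIR="${LOG_DIR:-.}"

# Minimal amazon-ebs template: the key id and source AMI are user variables so
# the same file is used unchanged in every account.
write_template() {
  cat > "$1" <<'EOF'
{
  "variables": {
    "region": "us-east-1",
    "source_ami": "",
    "kms_key_id": ""
  },
  "builders": [{
    "type": "amazon-ebs",
    "region": "{{user `region`}}",
    "source_ami": "{{user `source_ami`}}",
    "instance_type": "t2.micro",
    "ssh_username": "ubuntu",
    "ami_name": "golden-ubuntu-{{timestamp}}",
    "encrypt_boot": true,
    "kms_key_id": "{{user `kms_key_id`}}"
  }]
}
EOF
}

# One build, run under the named profile with that account's key.
build_in_account() {
  profile=$1; kms_key=$2; source_ami=$3
  AWS_PROFILE="$profile" "$PACKER" build \
    -var "kms_key_id=$kms_key" -var "source_ami=$source_ami" "$TEMPLATE"
}

# Run every account listed in a file ("profile kms_key_alias source_ami" per
# line) in parallel, then fail if any single build failed.
build_all() {
  pids=""
  while read -r profile kms_key source_ami; do
    [ -n "$profile" ] || continue
    build_in_account "$profile" "$kms_key" "$source_ami" \
      > "$LOG_DIR/build-$profile.log" 2>&1 < /dev/null &
    pids="$pids $!"
  done < "$1"
  status=0
  for pid in $pids; do
    wait "$pid" || status=1
  done
  return "$status"
}

# Typical use (constructed accounts file, one line per account):
#   printf 'prod alias/golden-ami ami-0123456789abcdef0\n' > accounts.txt
#   write_template golden.json && build_all accounts.txt
```

Each account's build log lands in its own file, and `build_all` only succeeds when every account's build did, so a pipeline step fails as a whole rather than leaving one account behind on an older image.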

Resolved in #4023 and #4948

I want to copy my golden ami with has 2 encrypted volumes attached to a different AWS account. Is it possible?

You can't share an AMI with encrypted snapshots, but you can share the snapshots; this requires that they are encrypted with a CMK and that that key is also shared with the other account.
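The snapshot-sharing route in this reply, combined with the two-step pipeline suggested earlier in the thread, as an added example (not the issue author's or Packer's code). Step 1 runs with the build account's credentials and shares the snapshot; step 2 runs with the destination account's credentials, copies the snapshot while re-encrypting it under that account's own key, registers an AMI from the copy and fans it out to other regions. Re-encrypting on copy is what limits the exposure the thread warns about: the source account's key is needed only during the copy, after which its cross-account policy entry can be removed. Account ids, snapshot ids, key aliases and image names are placeholders; the key alias is assumed to exist in every destination region, since KMS keys and aliases are regional.

```shell
#!/bin/sh
# Two-step pipeline for moving an encrypted image between accounts without
# sharing the AMI itself. Step 1 runs with account A's (the Packer build
# account's) credentials, step 2 with account B's. Assumed: the snapshot is
# encrypted with a customer-managed CMK in account A, and all ids are placeholders.
set -eu

AWS_CLI="${AWS_CLI:-aws}"   # AWS_CLI=echo prints the calls instead of running them

# Key policy statement for account A's CMK: only the actions the snapshot copy
# needs, granted to account B (B's own IAM policies must allow the same actions).
cross_account_key_policy_statement() {
  dest_account=$1
  cat <<EOF
{
  "Sid": "AllowSnapshotCopyFromAccount$dest_account",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::$dest_account:root"},
  "Action": ["kms:DescribeKey", "kms:Decrypt", "kms:ReEncrypt*", "kms:CreateGrant"],
  "Resource": "*"
}
EOF
}

# Step 1 (account A): let account B read the snapshot. EC2 refuses to share an
# AMI backed by encrypted snapshots, so the snapshot itself is shared (Packer's
# snapshot_users option does the same thing at build time).
share_snapshot() {
  snapshot=$1; dest_account=$2
  "$AWS_CLI" ec2 modify-snapshot-attribute --snapshot-id "$snapshot" \
    --attribute createVolumePermission --operation-type add --user-ids "$dest_account"
}

# Step 2a (account B): copy the shared snapshot and re-encrypt it under B's own
# CMK. Reading the source needs A's key; the copy no longer depends on it.
copy_shared_snapshot() {
  src_region=$1; src_snapshot=$2; dest_kms_key=$3
  "$AWS_CLI" ec2 copy-snapshot --source-region "$src_region" \
    --source-snapshot-id "$src_snapshot" --encrypted --kms-key-id "$dest_kms_key" \
    --description "copy of $src_snapshot re-encrypted with $dest_kms_key" \
    --query SnapshotId --output text
}

# Step 2b (account B): register an AMI from the local, locally encrypted copy.
register_from_snapshot() {
  snapshot=$1; name=$2
  "$AWS_CLI" ec2 register-image --name "$name" --architecture x86_64 \
    --virtualization-type hvm --ena-support --root-device-name /dev/sda1 \
    --block-device-mappings "DeviceName=/dev/sda1,Ebs={SnapshotId=$snapshot,VolumeType=gp2,DeleteOnTermination=true}" \
    --query ImageId --output text
}

# Step 2c (account B): copy the AMI to another region, encrypted with the key the
# alias resolves to in that region.
copy_image_to_region() {
  src_region=$1; image=$2; dest_region=$3; dest_kms_key=$4; name=$5
  "$AWS_CLI" ec2 copy-image --region "$dest_region" --source-region "$src_region" \
    --source-image-id "$image" --name "$name" --encrypted --kms-key-id "$dest_kms_key" \
    --query ImageId --output text
}

# All of step 2: prints "region image-id" for the home region and each copy.
import_shared_ami() {
  src_region=$1; src_snapshot=$2; kms_key=$3; name=$4; shift 4
  snap=$(copy_shared_snapshot "$src_region" "$src_snapshot" "$kms_key")
  "$AWS_CLI" ec2 wait snapshot-completed --snapshot-ids "$snap"
  image=$(register_from_snapshot "$snap" "$name")
  echo "$src_region $image"
  for dest_region in "$@"; do
    copy=$(copy_image_to_region "$src_region" "$image" "$dest_region" "$kms_key" "$name")
    echo "$dest_region $copy"
  done
}

# Typical use (placeholder ids), run from account B after A has run share_snapshot:
#   import_shared_ami us-east-1 snap-0123456789abcdef0 alias/golden-ami golden-2017 us-west-2 eu-west-1
```

Once the copy in account B has completed, the statement that `cross_account_key_policy_statement` emits can be removed from account A's key policy again; B's AMI and its regional copies are encrypted only with B's keys, so a later compromise of either account's key does not expose the other's volumes.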

Please only use _GitHub Issues_ for reporting bugs and feature requests. Do not ask for general help here. Use _IRC #packer-tool on Freenode_ or the mailing list for that.

See https://www.packer.io/community/

_If you are describing a bug or a feature request please reopen and try to add some more details to make it clearer._
