Packer: [amazon-import] post-processor fails with Rename-AMI / Copy-AMI Error

Created on 15 May 2018  ·  9 Comments  ·  Source: hashicorp/packer

Followed the instructions for amazon-import but seems like the output of the packer build is a little misleading. I followed the instructions for the vmimport role but seems like there might be another permission that is needed.

vmware-iso (amazon-import): Import task import-xxxyyzz complete
vmware-iso (amazon-import): Import task import-xxxyyzz complete
2018/05/15 12:29:03 ui: vmware-iso (amazon-import): Starting rename of AMI (ami-xyz)
vmware-iso (amazon-import): Starting rename of AMI (ami-xyz)
2018/05/15 12:29:03 [INFO] (telemetry) ending amazon-import
2018/05/15 12:29:03 ui error: Build 'vmware-iso' errored: 1 error(s) occurred:

  • Post-processor failed: Error Copying AMI (ami-xyz): UnauthorizedOperation: You are not authorized to perform this operation.
    status code: 403, request id: 48abf81d-b056-4346-9046-71b9c0a5327c
    2018/05/15 12:29:03 Builds completed. Waiting on interrupt barrier...
    2018/05/15 12:29:03 machine readable: error-count []string{"1"}
    2018/05/15 12:29:03 ui error:
    ==> Some builds didn't complete successfully and had errors:
    2018/05/15 12:29:03 machine readable: vmware-iso,error []string{"1 error(s) occurred:\n\n* Post-processor failed: Error Copying AMI (ami-fab52385): UnauthorizedOperation: You are not authorized to perform this operation.\n\tstatus code: 403, request id: 48abf81d-b056-4346-9046-71b9c0a5327c"}
    Build 'vmware-iso' errored: 1 error(s) occurred:

2018/05/15 12:29:03 ui error: --> vmware-iso: 1 error(s) occurred:

  • Post-processor failed: Error Copying AMI (ami-fab52385): UnauthorizedOperation: You are not authorized to perform this operation.
    status code: 403, request id: 48abf81d-b056-4346-9046-71b9c0a5327c
    2018/05/15 12:29:03 ui:
    ==> Builds finished but no artifacts were created.
    2018/05/15 12:29:03 [INFO] (telemetry) Finalizing.
  • Post-processor failed: Error Copying AMI (ami-xyz): UnauthorizedOperation: You are not authorized to perform this operation.
    status code: 403, request id: 48abf81d-b056-4346-9046-71b9c0a5327c

==> Some builds didn't complete successfully and had errors:
--> vmware-iso: 1 error(s) occurred:

  • Post-processor failed: Error Copying AMI (ami-fab52385): UnauthorizedOperation: You are not authorized to perform this operation.
    status code: 403, request id: 48abf81d-b056-4346-9046-71b9c0a5327c

All 9 comments

@lmayorga1980 When I worked through this I made myself some detailed notes that I've posted HERE for you to take a look at.

I can't make any guarantees that the instructions will still work as I did this a while back.

Hopefully they'll still be OK and of some use to you.

@DanHam Thank you for your notes but I think the issue was related to permissions related to.

Definitely not Packer's fault since it relies on the results of the API requests but wondering if something in the documentation can be expanded to explain a little better. Of course, there is the other issue of documenting some external product behavior that can be easily outdated.

Describe*
ModifyImageAttribute

We definitely want to try to make the experience as seamless as possible, so if you've found permissions that we need to add to our docs I'd love to add them -- either make a PR or share some copy you'd like to see added and I'll do it for the next release :)

@SwampDragons will be glad to send a PR for it.

Thank you for your notes but I think the issue was related to permissions related to.

@lmayorga1980 @SwampDragons So steps 1 & 2 of those notes basically fulfilled the pre-requisites for using the Amazon Import/Export service outlined in the AWS docs HERE.

However, those docs assume that you will then manually import the VM uploaded to the S3 bucket using the AWS CLI tools. This won't be the case if you are using the Amazon Import Post Processor as this automates these steps for you.

To allow Packer to automate these steps, among other things, the AWS user you are using will also need permissions to:

  • Import the uploaded VM into EC2
  • Convert the imported VM into an AMI
  • Copy the AMI to create a new AMI (This is essentially what a rename of the AMI does)

Some (or perhaps most?) of the permissions there will be granted to a standard EC2 user. However, the last permission there is the one that I think your user is missing. Step 3 of those notes covers creating a user and group with these required additional S3 and EC2 permissions - these aren't mentioned at all in the Packer docs.

I agree 100% that the set up is far from trivial and that the Packer documentation could help out a bit more here. The fact that you need to set up those extra permissions was (at least for me!) far from obvious to begin with.

With regard to updating the docs - perhaps we could first point users to the Amazon S3 Bucket and VM Import Service Role sections from the AWS documentation. This would cover bucket creation along with the upload and vmimport role and permissions.
We could then add a section to the docs to make the user aware they need the additional permissions outlined in step 3 of those notes...

I've had a lot of trouble getting amazon-import to work in my environment. There's incomplete information in both Amazon's documentation and Hashicorp's. I finally have a more restrictive IAM policy that will give the user only what they need for Packer's side of the amazon-import post-processor to work. I have some example Terraform code that will set up everything that is needed here: https://github.com/andrewfraley/packer_vmimport_example/blob/master/vmimport.tf

Below are just the IAM permissions needed for the user.

    {
      "Effect": "Allow",
      "Action": [
        "ec2:CancelConversionTask",
        "ec2:CancelImportTask",
        "ec2:CopyImage",
        "ec2:CreateImage",
        "ec2:CreateTags",
        "ec2:DeregisterImage",
        "ec2:DescribeConversionTasks",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeImportImageTasks",
        "ec2:DescribeImportSnapshotTasks",
        "ec2:DescribeTags",
        "ec2:ImportImage",
        "ec2:ImportSnapshot",
        "ec2:ImportVolume",
        "ec2:ModifyImageAttribute",
        "ec2:RegisterImage"
      ],
      "Resource": "*"
    }
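
An added example (not part of the original thread and not Packer code): an offline check that reports which of the EC2 actions from the policy above are not granted by an IAM identity policy document, so a gap such as the missing copy permission shows up before a build. The sample policy is constructed, and only `Effect` and `Action` are evaluated (`Resource`, `Condition` and `NotAction` are assumed out of scope).

```python
import re

# Actions listed in the policy posted in this thread.
REQUIRED_ACTIONS = [
    "ec2:CancelConversionTask", "ec2:CancelImportTask", "ec2:CopyImage",
    "ec2:CreateImage", "ec2:CreateTags", "ec2:DeregisterImage",
    "ec2:DescribeConversionTasks", "ec2:DescribeImageAttribute",
    "ec2:DescribeImportImageTasks", "ec2:DescribeImportSnapshotTasks",
    "ec2:DescribeTags", "ec2:ImportImage", "ec2:ImportSnapshot",
    "ec2:ImportVolume", "ec2:ModifyImageAttribute", "ec2:RegisterImage",
]

# Constructed sample: a policy that can import an image but not copy it.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "ec2:ImportImage", "ec2:ModifyImageAttribute"],
        "Resource": "*",
    }],
}

def _as_list(value):
    """IAM accepts a single string or object where a list is expected."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' and '?'."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions that no Allow grants or that a Deny blocks."""
    allow, deny = [], []
    for stmt in _as_list(policy.get("Statement")):
        bucket = allow if stmt.get("Effect") == "Allow" else deny
        bucket.extend(_as_list(stmt.get("Action")))

    def granted(action):
        if any(_matches(p, action) for p in deny):
            return False  # an explicit Deny always wins
        return any(_matches(p, action) for p in allow)

    return [a for a in required if not granted(a)]

if __name__ == "__main__":
    for action in missing_actions(SAMPLE_POLICY):
        print("missing:", action)
```

For a check against live credentials rather than a policy file, `aws iam simulate-principal-policy` answers the same question on the AWS side.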

I'll add these permissions to the docs.

@SwampDragons 👍

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
