- 최신
- 최다 투표
- 가장 많은 댓글
Hello,
The common reasons for cross-account distribution failures are as follows:
- The destination account doesn't have the
EC2ImageBuilderDistributionCrossAccountRoleIAM role. EC2ImageBuilderDistributionCrossAccountRolerole in destination account doesn't have permissions to use the KMS key specified in the distribution configuration and/or recipe's storage configuration.- The Image Builder service role
AWSServiceRoleForImageBuilderin the source account doesn't have permissions to use the KMS key specified in the distribution configuration.
For more details of cross-account AMI distribution with Image Builder, refer to following documentation.
https://docs.aws.amazon.com/imagebuilder/latest/userguide/cross-account-dist.html
Systems Manager Automation is not used for distributing the AMI. It is only used during build and test phases of an AMI build. To check the distribution failures, review the CloudTrail events in both source and destination account sand look for any failed (AccessDenied) KMS API events around the time of failure.
Jesse, Were you able to figure this out? I am facing the same issue, trying to Terraform the distribution configuration for image builder. It isn't clear from the documentation what key needs to be supplied in the ami_distribution_configuration{kms_key_id}. Is it the source account key or the destination account key? I also receive the exact same error message regarding ami copy failures.
관련 콘텐츠
AWS 공식업데이트됨 2년 전
I think I found the issue. In the distribution settings, I see in the 2nd region I am pushing to, the encryption key arn states its for the source region. I am using Terraform to create the key and the distribution settings. I am not sure how to make the key for the destination region. I tried creating a replica key and using that arn, but that fails as well. If I manually add the key from the console, all goes well.