Hi,
I have a problem with sharing an encrypted AMI with other accounts. I get this error:
AMI Copy Reported Failure For 'ami-some_ami' when distributing the image from the source account (ID: 111) to the destination account (ID: 111) in Region eu-south-1.'
What I have:
- Account 111 is in AWS Organizations and has this KMS key and permissions:
    {
        "Action": [
            "kms:Decrypt",
            "kms:DescribeKey",
            "kms:Encrypt",
            "kms:ReEncrypt*",
            "kms:GetKeyPolicy"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "aws:PrincipalOrgID": "o-000"
            }
        }
    },
- Account 222 is in the Organization, so this account should be able to access the key.
- I read that:
If you want to copy an image created with Image Builder to another account, you must create the EC2ImageBuilderDistributionCrossAccountRole role in all of the target accounts, and attach the Ec2ImageBuilderCrossAccountDistributionAccess policy managed policy to the role. For more information, see Share EC2 Image Builder resources.
So, I created this role in Account 222. The role looks like this:
Trusted entities:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::222:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
Policies:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws:ec2:*::image/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeImages",
                "ec2:CopyImage",
                "ec2:ModifyImageAttribute"
            ],
            "Resource": "*"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKeyWithoutPlaintext",
                "kms:DescribeKey",
                "kms:CreateGrant",
                "kms:ReEncryptFrom",
                "kms:ReEncryptTo"
            ],
            "Resource": "*"
        }
    ]
}
Maybe someone has had a similar issue; thanks for the help.
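The following is an added example, not code from the original post or from AWS: a small offline checker over the policy documents pasted in this thread (the key policy statement and the two role policies from the question, plus the revised trust policy from the follow-up reply below). It rests on two IAM rules: a cross-account KMS call must be allowed by both the key policy in the key-owning account and the caller's IAM policy, and Action strings match case-insensitively with `*` and `?` wildcards (so `kms:ReEncrypt*` covers `kms:ReEncryptFrom`). Assumptions: the posted key policy fragment starts at `Action`, so its `Effect` and `Principal` are filled in here and labelled as such; `Condition` (the `aws:PrincipalOrgID` check) and `Resource` are not evaluated, so this is a text-level comparison, not an IAM policy simulation.

```python
# Added example (not the original post's code): static checks over the policy
# documents posted in this thread. Conditions and Resource are not evaluated.
import fnmatch

# Key policy statement as posted. The fragment began at "Action"; Effect and
# Principal are assumed here, not taken from the post.
KEY_POLICY_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
               "kms:ReEncrypt*", "kms:GetKeyPolicy"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-000"}},
}
# KMS policy attached to EC2ImageBuilderDistributionCrossAccountRole in 222.
ROLE_KMS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKeyWithoutPlaintext",
               "kms:DescribeKey", "kms:CreateGrant", "kms:ReEncryptFrom",
               "kms:ReEncryptTo"],
    "Resource": "*"}]}
# Trust policies: first from the question, second from the follow-up reply.
TRUST_POLICY_AS_POSTED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::222:root"}}]}
TRUST_POLICY_REVISED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "imagebuilder.amazonaws.com",
                  "AWS": "arn:aws:iam::111:root"}}]}


def as_list(value):
    """Most IAM elements may be a string or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def statements(doc):
    """Accept either a whole policy document or a single statement."""
    return as_list(doc["Statement"]) if "Statement" in doc else [doc]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed(doc, wanted):
    """Subset of `wanted` that at least one Allow statement in `doc` matches."""
    out = set()
    for stmt in statements(doc):
        if stmt.get("Effect") == "Allow":
            patterns = as_list(stmt.get("Action"))
            out |= {a for a in wanted if any(action_matches(p, a) for p in patterns)}
    return out


def kms_gap(key_policy, caller_policy):
    """kms:* actions the caller's IAM policy grants but the key policy does not.
    Cross-account, KMS requires both documents to allow, so these are denied."""
    requested = set()
    for stmt in statements(caller_policy):
        if stmt.get("Effect") == "Allow":
            requested |= {a for a in as_list(stmt.get("Action"))
                          if a.lower().startswith("kms:")}
    return requested - allowed(key_policy, requested)


def principals(stmt):
    """Flatten Principal ('*', or a dict of AWS/Service/... entries) to a set."""
    p = stmt.get("Principal", {})
    return {p} if isinstance(p, str) else {v for vs in p.values() for v in as_list(vs)}


def can_assume(trust_policy, principal):
    """True if an Allow statement grants sts:AssumeRole to exactly `principal`."""
    for stmt in statements(trust_policy):
        if stmt.get("Effect") != "Allow" or principal not in principals(stmt):
            continue
        if any(action_matches(p, "sts:AssumeRole") for p in as_list(stmt.get("Action"))):
            return True
    return False


if __name__ == "__main__":
    print("KMS actions the role requests that the key policy never grants:",
          sorted(kms_gap(KEY_POLICY_STATEMENT, ROLE_KMS_POLICY)))
    for label, doc in (("as posted", TRUST_POLICY_AS_POSTED), ("revised", TRUST_POLICY_REVISED)):
        print(f"trust policy {label}: arn:aws:iam::111:root can assume ->",
              can_assume(doc, "arn:aws:iam::111:root"))
```

Run as-is, it reports that the role's own KMS policy asks for `kms:CreateGrant` and `kms:GenerateDataKeyWithoutPlaintext` while the key policy statement as posted grants neither, and that the trust policy in the question names only `arn:aws:iam::222:root`, so nothing in account 111 can assume the role until the revised trust policy is in place. Those two comparisons are cheap to make before reaching for a multi-region key; the checker deliberately stops short of evaluating conditions, so a passing result here still says nothing about whether `aws:PrincipalOrgID` matches at request time.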
Yes, I tried, but I still get the same error. I used these steps for account 222:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "imagebuilder.amazonaws.com",
                "AWS": "arn:aws:iam::111:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
Did you attach the policy?
Yes, the policy is attached. I think the problem could be that I need a multi-region KMS key, as the second account is in a different region.
I don’t think you can have a service and AWS principal in the same statement.