Hello,
The common reasons for cross-account distribution failures are as follows:
- The destination account doesn't have the EC2ImageBuilderDistributionCrossAccountRole IAM role.
- The EC2ImageBuilderDistributionCrossAccountRole role in the destination account doesn't have permissions to use the KMS key specified in the distribution configuration and/or the recipe's storage configuration.
- The Image Builder service role AWSServiceRoleForImageBuilder in the source account doesn't have permissions to use the KMS key specified in the distribution configuration.
For more details on cross-account AMI distribution with Image Builder, refer to the following documentation:
https://docs.aws.amazon.com/imagebuilder/latest/userguide/cross-account-dist.html
Systems Manager Automation is not used for distributing the AMI. It is only used during the build and test phases of an AMI build. To check the distribution failures, review the CloudTrail events in both the source and destination accounts and look for any failed (AccessDenied) KMS API events around the time of failure.
Jesse, were you able to figure this out? I am facing the same issue, trying to Terraform the distribution configuration for Image Builder. It isn't clear from the documentation what key needs to be supplied in the ami_distribution_configuration{kms_key_id}. Is it the source account key or the destination account key? I also receive the exact same error message regarding AMI copy failures.
For those trying to distribute an AMI with an encrypted EBS volume across multiple accounts, and who are facing the error:
Distribution failed with JobId 'job123', status = 'Failed' for ARN 'arn:aws:imagebuilder:ap-southeast-1:222222222222:image/image-123/1.0.0/5'. Error:'Not all distribution jobs are completed. 1) AMI Copy Reported Failure For 'ami-09c028d3c2b238cf4' when distributing the image from the source account (ID: 222222222222) to the destination account (ID: 333333333333) in Region ap-southeast-1.'
After creating the IAM role EC2ImageBuilderDistributionCrossAccountRole in the target account 333333333333 with a trust policy that allows your source account 222222222222 to assume the role, you need to attach a custom IAM policy that allows this role to use the KMS key in your source account. The official documentation has this covered here.
To address the distribution error, what worked for me was to ensure the target account IDs, KMS Key and launch permission are configured (correctly). Furthermore, the EBS would also need to be encrypted with your CMK. If you are using Terraform, note that the KMS key ID should actually be the KMS key ARN.
Distribution snippet

```hcl
resource "aws_imagebuilder_distribution_configuration" "windows_image" {
  name = "my-windows-image"
  distribution {
    ami_distribution_configuration {
      ami_tags = {
        platform = "windows"
      }
      name               = "my-windows-image-{{ imagebuilder:buildDate }}"
      target_account_ids = toset(["333333333333"])
      kms_key_id         = "arn:aws:kms:ap-southeast-1:222222222222:key/bb34264d-b264-4c82-84a9-2a83ebac5215"
      launch_permission {
        user_ids = ["333333333333"]
      }
    }
    region = "ap-southeast-1"
  }
}
```
Image Recipe snippet

```hcl
resource "aws_imagebuilder_image_recipe" "windows_image" {
  block_device_mapping {
    device_name = "/dev/sda1"
    ebs {
      encrypted             = true
      kms_key_id            = "arn:aws:kms:ap-southeast-1:222222222222:key/bb34264d-b264-4c82-84a9-2a83ebac5215"
      delete_on_termination = true
      volume_size           = 50
      volume_type           = "gp2"
    }
  }
  component {
    component_arn = "arn:aws:imagebuilder:ap-southeast-1:aws:component/aws-cli-version-2-windows/1.0.0"
  }
  component {
    component_arn = "arn:aws:imagebuilder:ap-southeast-1:aws:component/update-windows/1.0.1"
  }
  name         = var.image_name
  parent_image = "ami-005a195cd6b0d96zz"
  version      = "1.0.0"
}
```
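The source-account key that both the first answer's failure causes and the snippets above hinge on, as an added example that is not code from this thread or from AWS: its key policy admits the Image Builder service-linked role in the source account and the cross-account role in the destination account. Account IDs, region and role names are the ones given in the thread; the Terraform resource and local names are assumptions.

```hcl
locals {
  source_account      = "222222222222"
  destination_account = "333333333333"
  # Both principals that the first answer says must be able to use the key.
  image_builder_principals = [
    "arn:aws:iam::${local.source_account}:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder",
    "arn:aws:iam::${local.destination_account}:role/EC2ImageBuilderDistributionCrossAccountRole",
  ]
}
data "aws_iam_policy_document" "image_key" {
  # Keep the source account able to administer the key; dropping this statement locks the key.
  statement {
    sid       = "EnableSourceAccountAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.source_account}:root"]
    }
  }
  # Cryptographic use of the key by both Image Builder principals.
  statement {
    sid       = "AllowImageBuilderUseOfTheKey"
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = local.image_builder_principals
    }
  }
  # EC2 binds the key to the copied encrypted snapshot through a grant; permit grants only on behalf of AWS resources.
  statement {
    sid       = "AllowGrantsForAwsResources"
    actions   = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = local.image_builder_principals
    }
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}
resource "aws_kms_key" "image" {
  description = "Image Builder AMI encryption key (source account)"
  policy      = data.aws_iam_policy_document.image_key.json
}
```

Reference aws_kms_key.image.arn as kms_key_id in both the distribution configuration and the recipe's block device mapping, since the thread notes the value must be the key ARN. The key policy alone is not enough for the destination role: it still needs the identity policy from the answer above granting the same KMS actions on this key ARN.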

I think I found the issue. In the distribution settings, I see that in the 2nd region I am pushing to, the encryption key ARN states it's for the source region. I am using Terraform to create the key and the distribution settings. I am not sure how to make the key for the destination region. I tried creating a replica key and using that ARN, but that fails as well. If I manually add the key from the console, all goes well.