imagebuilder cross account distribution error

0

I am getting an error distributing to another region / account with ec2 imagebuilder. The error is a bit vague and I am unable to locate any further detail of what is erroring. The "Reason for failure" states: "Not all distribution jobs are completed. 1)ami copy reported failure for ami... when distributing the image from the source account (IDxxx to the destination account IDxxx in Region us-east-2)" I guess the first step of my question is, is there further logging somewhere? I have looked under System Manager/Automation, but everything looks good there. I have looked under cloudwatch, but that just seems to be the ami build itself and that is successful. The distribution part of it to the other region / account is the failure.

Jesse
asked 2 years ago · 1099 views
2 Answers
0

Hello,

The common reasons for cross-account distribution failures are as follows:

  1. The destination account doesn't have the EC2ImageBuilderDistributionCrossAccountRole IAM role.
  2. EC2ImageBuilderDistributionCrossAccountRole role in destination account doesn't have permissions to use the KMS key specified in the distribution configuration and/or recipe's storage configuration.
  3. The Image Builder service role AWSServiceRoleForImageBuilder in the source account doesn't have permissions to use the KMS key specified in the distribution configuration.

For more details of cross-account AMI distribution with Image Builder, refer to following documentation.

https://docs.aws.amazon.com/imagebuilder/latest/userguide/cross-account-dist.html

Systems Manager Automation is not used for distributing the AMI. It is only used during build and test phases of an AMI build. To check the distribution failures, review the CloudTrail events in both source and destination accounts and look for any failed (AccessDenied) KMS API events around the time of failure.

AWS
answered 2 years ago
  • I think I found the issue. In the distribution settings, I see in the 2nd region I am pushing to, the encryption key arn states it's for the source region. I am using Terraform to create the key and the distribution settings. I am not sure how to make the key for the destination region. I tried creating a replica key and using that arn, but that fails as well. If I manually add the key from the console, all goes well.
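As an added illustration of the CloudTrail check suggested in the AWS answer above (example code written for this page, not code from AWS or from anyone in the thread): it reads the `Records` array of a CloudTrail log file, keeps the KMS API calls that returned an error within a window around the reported failure time, and labels each one with the cause from the answer's list that the calling principal points at. The log records, the account IDs 111111111111 / 222222222222, the key ID and the timestamps are constructed placeholders; the two role names are the ones named in the answer.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Role names taken from the answer above; everything else in this file is constructed.
DEST_ROLE = "EC2ImageBuilderDistributionCrossAccountRole"
SOURCE_ROLE = "AWSServiceRoleForImageBuilder"

REASON_DEST_ROLE_KMS = "destination role lacks permission on the KMS key (reason 2)"
REASON_SOURCE_ROLE_KMS = "source Image Builder service role lacks permission on the KMS key (reason 3)"
REASON_OTHER = "KMS failure by another principal; check separately"

# Constructed CloudTrail log in the shape of a log file's "Records" array.
# Account IDs, the key ID and the timestamps are placeholders, not real values.
SAMPLE_CLOUDTRAIL_LOG = json.dumps({"Records": [
    {   # destination account: cross-account role denied a grant on the key -> reason 2
        "eventTime": "2023-01-10T14:02:11Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "CreateGrant",
        "awsRegion": "us-east-2",
        "recipientAccountId": "222222222222",
        "userIdentity": {"arn": "arn:aws:sts::222222222222:assumed-role/"
                                "EC2ImageBuilderDistributionCrossAccountRole/imagebuilder"},
        "errorCode": "AccessDenied",
        "errorMessage": "not authorized to perform: kms:CreateGrant on resource: "
                        "arn:aws:kms:us-east-2:222222222222:key/PLACEHOLDER-KEY-ID",
    },
    {   # source account: a successful KMS call (no errorCode), must be ignored
        "eventTime": "2023-01-10T14:02:15Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "awsRegion": "us-east-1",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/"
                                "AWSServiceRoleForImageBuilder/imagebuilder"},
    },
    {   # a KMS failure hours earlier, outside the search window, must be ignored
        "eventTime": "2023-01-10T09:00:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "ReEncryptTo",
        "awsRegion": "us-east-1",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/someone-else"},
        "errorCode": "AccessDenied",
    },
    {   # the EC2 CopyImage call itself; not a KMS event, so not reported
        "eventTime": "2023-01-10T14:02:09Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CopyImage",
        "awsRegion": "us-east-2",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/"
                                "AWSServiceRoleForImageBuilder/imagebuilder"},
    },
]})


def _parse_time(stamp: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_hit(hit: Dict[str, str]) -> str:
    """Map a failed KMS call to the likely cause from the list in the answer."""
    principal = hit.get("principal") or ""
    if DEST_ROLE in principal:
        return REASON_DEST_ROLE_KMS
    if SOURCE_ROLE in principal:
        return REASON_SOURCE_ROLE_KMS
    return REASON_OTHER


def find_failed_kms_calls(log_json: str, failure_time: str,
                          window_minutes: int = 15) -> List[Dict[str, str]]:
    """Return KMS API calls that reported an error within +/- window_minutes of failure_time.
    Works on the JSON of one CloudTrail log file; run it over the files of both accounts."""
    centre = _parse_time(failure_time)
    start = centre - timedelta(minutes=window_minutes)
    end = centre + timedelta(minutes=window_minutes)
    hits = []
    for rec in json.loads(log_json).get("Records", []):
        # Only KMS calls that carry an errorCode are of interest here.
        if rec.get("eventSource") != "kms.amazonaws.com" or "errorCode" not in rec:
            continue
        if not start <= _parse_time(rec["eventTime"]) <= end:
            continue
        hit = {
            "time": rec["eventTime"],
            "region": rec.get("awsRegion", ""),
            "account": rec.get("recipientAccountId", ""),
            "api": rec["eventName"],
            "error": rec["errorCode"],
            "principal": rec.get("userIdentity", {}).get("arn", ""),
            "message": rec.get("errorMessage", ""),
        }
        hit["likely_cause"] = classify_hit(hit)
        hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in find_failed_kms_calls(SAMPLE_CLOUDTRAIL_LOG, "2023-01-10T14:05:00Z"):
        print(f"{h['time']} {h['account']} {h['region']} {h['api']} {h['error']}: {h['likely_cause']}")
```

Point the script at the log files CloudTrail delivered for the failure window in each account; a hit whose principal is the cross-account role in the destination account points at that role's key permissions, a hit whose principal is the Image Builder service role in the source account points at the key policy in the distribution configuration.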

0

Jesse, Were you able to figure this out? I am facing the same issue, trying to Terraform the distribution configuration for image builder. It isn't clear from the documentation what key needs to be supplied in the ami_distribution_configuration{kms_key_id}. Is it the source account key or the destination account key? I also receive the exact same error message regarding ami copy failures.

answered 2 years ago
