AWS EC2 Image Builder share the encrypted AMI with other accounts
Hi,
I have a problem with sharing the encrypted AMI with other accounts. I have this error:
AMI Copy Reported Failure For 'ami-some_ami' when distributing the image from the source account (ID: 111) to the destination account (ID: 111) in Region eu-south-1.'
What I have:
- Account 111 is in AWS Organizations and have this KMS key and permissions:
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GetKeyPolicy"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-000"
}
}
},
-
Account 222 is in Organization so this account should be able to access the key.
-
I read that
If you want to copy an image created with Image Builder to another account, you must create the EC2ImageBuilderDistributionCrossAccountRole role in all of the target accounts, and attach the Ec2ImageBuilderCrossAccountDistributionAccess policy managed policy to the role. For more information, see Share EC2 Image Builder resources.
So, I created this role in Account 222. Role looks this way:
Trusted ent:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::222:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
Policies:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "arn:aws:ec2:*::image/*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeImages",
"ec2:CopyImage",
"ec2:ModifyImageAttribute"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:DescribeKey",
"kms:CreateGrant",
"kms:ReEncryptFrom",
"kms:ReEncryptTo"
],
"Resource": "*"
}
]
}
Maybe someone had a similar issue, thanks for the help.
- Newest
- Most votes
- Most comments
Fixed it by creating another KMS key in another region. Then by using Launch Configuration use this KMS key. Role is not needed.
So your source account is 111 and target 222
The Assume Role in Target 222 does not not look in correct. You need to allow 111 in the trust not 222 because your allowing account 111 to assume this role, so we "Trust" that account.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
Also the role in account 222 needs to have the policy Ec2ImageBuilderCrossAccountDistributionAccess attached to the role.
Relevant content
- asked 2 years ago
- asked 3 months ago
- asked a year ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 10 months ago
Yes, I tried, but still I got the same error. I used those steps for account 222:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "imagebuilder.amazonaws.com", "AWS": "arn:aws:iam::111:root" }, "Action": "sts:AssumeRole", "Condition": {} } ] }
Did you attach the policy?
Yes, policy is attached. I think that the problem could be that I need multi region KMS key, as this second account is in different region.
I don’t think you can have a service and AWS principal in the same statement.