The difference between "Region settings-Target accounts" and "AMI sharing-AWS accounts" in EC2 Image Builder lies in how the AMI is distributed and accessed:
- Region settings-Target accounts: This option creates a copy of the AMI in the specified target accounts. The AMI is actually replicated to these accounts, and they become the owners of the new AMI copy. This is useful when you want the target accounts to have full control over the AMI.
- AMI sharing-AWS accounts: This option grants launch permissions to the specified AWS accounts without creating a copy. The original account retains ownership of the AMI, and the shared accounts can only use it to launch instances.

In your case, since you're trying to distribute the AMI to another account (222222222222), you should use the "Region settings-Target accounts" option. This will create a copy of the AMI in the target account.
The error message you're seeing suggests that there might be an issue with the permissions or the role setup in the destination account. Here are some steps to troubleshoot:
- Ensure that you've created the correct IAM role in the destination account (222222222222) as described in the cross-account distribution documentation.
- Verify that the role in the destination account has the necessary permissions to create and manage AMIs.
- Check that the source account (111111111111) has permission to assume the role in the destination account.
- If you're using KMS encryption, make sure the key policies are set up correctly to allow cross-account access.
- Double-check that you're not hitting any service limits in either account.

If you're not using encryption and have set up the roles correctly, you might need to contact AWS support for further assistance, as there could be an underlying issue with the Image Builder service or account configurations.
Remember, when using the "Region settings-Target accounts" option, you don't need to also use the "AMI sharing-AWS accounts" option for the same account, as the AMI will be copied to the target account rather than shared.
Sources
Set up cross-account AMI distribution with Image Builder - EC2 Image Builder
Share an AMI with specific AWS accounts - Amazon Elastic Compute Cloud
Resolve tags that aren't visible in EC2 Image Builder for Linux | AWS re:Post
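
The troubleshooting step about the source account (111111111111) being able to assume the role in the destination account (222222222222) can be checked offline against the role's trust policy. The Python below is an added example, not part of the original answer or AWS's own code; `check_trust` and the sample policy are constructed for illustration, and the check reads only `Principal`/`Action` statements (it does not evaluate `NotPrincipal`, `NotAction`, or the contents of a `Condition`).

```python
import re

ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}

def as_list(value):
    """IAM JSON allows a scalar or a list in most positions."""
    return [] if value is None else value if isinstance(value, list) else [value]

def principal_account(principal):
    """Account ID named by an AWS principal (bare ID or IAM ARN), else None."""
    m = re.fullmatch(r"(\d{12})|arn:aws[a-z-]*:iam::(\d{12}):.+", principal)
    return (m.group(1) or m.group(2)) if m else None

def check_trust(policy, source_account):
    """Return (allowed, notes) for source_account calling sts:AssumeRole."""
    allowed, denied, notes = False, False, []
    for stmt in as_list(policy.get("Statement")):
        actions = {a.lower() for a in as_list(stmt.get("Action"))}
        if not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        aws = as_list(principal.get("AWS")) if isinstance(principal, dict) else as_list(principal)
        matches = [p for p in aws
                   if p == "*" or principal_account(p) == source_account]
        if not matches:
            continue
        if stmt.get("Effect") == "Deny":
            denied = True
            notes.append("explicit Deny matches the source account")
        elif stmt.get("Effect") == "Allow":
            allowed = True
            if "*" in matches and "Condition" not in stmt:
                notes.append("wildcard principal without Condition: any account can assume")
            elif "Condition" in stmt:
                notes.append("Condition present: verify it matches the caller")
    if not allowed:
        notes.append("no Allow statement names the source account")
    return allowed and not denied, notes

# Constructed sample: trust policy on the role in destination account 222222222222.
SAMPLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}],
}

if __name__ == "__main__":
    print(check_trust(SAMPLE_TRUST, "111111111111"))
```

To use it on a real role, pass in the `AssumeRolePolicyDocument` returned by `aws iam get-role` for the role in the destination account.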