AWS EC2 Image Builder: share the encrypted AMI with other accounts


Hi,

I have a problem with sharing the encrypted AMI with other accounts. I have this error:

 AMI Copy Reported Failure For 'ami-some_ami' when distributing the image from the source account (ID: 111) to the destination account (ID: 111) in Region eu-south-1.'

What I have:

  1. Account 111 is in AWS Organizations and has this KMS key and permissions (key policy statement fragment as posted):

            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:ReEncrypt*",
                "kms:GetKeyPolicy"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "o-000"
                }
            }
        },

  2. Account 222 is in the Organization, so this account should be able to access the key.

  3. I read that

If you want to copy an image created with Image Builder to another account, you must create the EC2ImageBuilderDistributionCrossAccountRole role in all of the target accounts, and attach the Ec2ImageBuilderCrossAccountDistributionAccess policy managed policy to the role. For more information, see Share EC2 Image Builder resources.

So, I created this role in Account 222. Role looks this way:

Trusted entity:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::222:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

Policies:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws:ec2:*::image/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeImages",
                "ec2:CopyImage",
                "ec2:ModifyImageAttribute"
            ],
            "Resource": "*"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKeyWithoutPlaintext",
                "kms:DescribeKey",
                "kms:CreateGrant",
                "kms:ReEncryptFrom",
                "kms:ReEncryptTo"
            ],
            "Resource": "*"
        }
    ]
}

Maybe someone had a similar issue, thanks for the help.

2 answers

Accepted answer

Fixed it by creating another KMS key in another region. Then, using the launch configuration, use this KMS key. The role is not needed.

Answered 7 months ago

So your source account is 111 and the target is 222.

The assume-role trust policy in target 222 does not look correct. You need to allow 111 in the trust, not 222, because you are allowing account 111 to assume this role, so we "trust" that account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

Also the role in account 222 needs to have the policy Ec2ImageBuilderCrossAccountDistributionAccess attached to the role.

Answered 7 months ago
  • Yes, I tried, but I still got the same error. I used those steps for account 222:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "imagebuilder.amazonaws.com",
                    "AWS": "arn:aws:iam::111:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {}
            }
        ]
    }

  • Did you attach the policy?

  • Yes, the policy is attached. I think the problem could be that I need a multi-region KMS key, as this second account is in a different region.

  • I don’t think you can have a service and AWS principal in the same statement.
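An added offline checker (not from this thread or from AWS) for the two points raised in the answer above: the target-account role's trust policy must let the source account (111) call sts:AssumeRole, and the Ec2ImageBuilderCrossAccountDistributionAccess managed policy must be attached. Policy documents are plain dicts so it runs without AWS access; the account IDs and policy name come from the thread, and the sample trust policies are constructed to match what was posted and what the answer corrected.

```python
MANAGED_POLICY = "Ec2ImageBuilderCrossAccountDistributionAccess"


def _as_list(value):
    # IAM accepts either a string or a list in Principal and Action fields.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_allows_source(trust_doc, source_account):
    """True if an Allow statement lets the source account assume the role."""
    root_arn = f"arn:aws:iam::{source_account}:root"
    for st in trust_doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = st.get("Principal", {})
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        # IAM normalises a bare account ID principal to the account root ARN.
        if root_arn in aws or source_account in aws:
            return True
    return False


def check_role(trust_doc, attached_policy_names, source_account):
    """Return findings for the target-account role; an empty list means it looks correct."""
    findings = []
    if not trust_allows_source(trust_doc, source_account):
        findings.append(f"trust policy does not let arn:aws:iam::{source_account}:root call sts:AssumeRole")
    if MANAGED_POLICY not in attached_policy_names:
        findings.append(f"managed policy {MANAGED_POLICY} is not attached")
    return findings


def _trust(principal_arn):
    # Constructed sample trust policy in the shape posted in the thread.
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"AWS": principal_arn}, "Action": "sts:AssumeRole"}]}


# Trust policy as posted in the question (trusts 222, the target itself)
# and as corrected in the answer (trusts 111, the source account).
TRUST_AS_POSTED = _trust("arn:aws:iam::222:root")
TRUST_AS_CORRECTED = _trust("arn:aws:iam::111:root")

if __name__ == "__main__":
    for label, doc in (("as posted", TRUST_AS_POSTED), ("corrected", TRUST_AS_CORRECTED)):
        print(label, check_role(doc, [MANAGED_POLICY], "111") or "OK")
```

To check a live role, pass the AssumeRolePolicyDocument returned by IAM GetRole and the policy names from ListAttachedRolePolicies.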
