How to use AWS roles with Packer to create AMIs

Posted 2019-07-07 01:13

I'm currently building AMIs via Packer without a problem, but I am baking the AWS credentials into my scripts which is not what I want. Reading the Packer documentation they specify that if no credentials are found it can use an AWS role.

I have created the policy and the role, but it's unclear to me how to tell Packer to use this role. Do I have to pass the ARN in as a variable?

Any thoughts?

2 answers
做自己的国王
#2 · 2019-07-07 01:35

If you'd like to set the IAM role that Packer uses during AMI creation from the command-line (e.g. from Jenkins), then you can use variables for doing so, e.g. using the following in your Packer script:

"variables": {
  "packer_profile": "packer",
  ...
},
"builders": [
  {
    "type": "amazon-ebs",
    ...
    "iam_instance_profile": "{{user `packer_profile`}}",
    ...
  }
],
"provisioners": [
  ...
]

So we provide a default "packer" value for our packer_profile variable. Then, when invoking Packer from the command-line in Jenkins, you override that default variable value using:

$ /path/to/packer -var packer_profile="MyNewProfileHere" ...

Hope this helps!

虎瘦雄心在
#3 · 2019-07-07 01:36

Roles only apply to instances running on AWS, and roles can only be applied when you create an instance (though you can change the permissions assigned to that role later).

So in this case, if you want to use roles for AMI creation, you will need to...

  1. Create a role with permissions (i.e. the ones detailed in the link Kush provided) to create AMIs
  2. Create an instance with that role
  3. Install Packer on that instance

Using that instance, you can then create AMIs without specifying any credentials.
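
A pre-build check that fits the setup described in the answers, as an added example that is not part of the original thread: it scans a Packer JSON template for stored AWS credentials, since static keys in the template take precedence over the instance's role. The sample templates and the function name `audit_template` are constructed for illustration; `access_key`, `secret_key` and `token` are the amazon-ebs builder's credential options.

```python
import json
import re

# Constructed sample templates (not from the original page).
BAKED = """{
  "variables": {"aws_secret": "constructed-not-a-real-secret"},
  "builders": [{
    "type": "amazon-ebs",
    "access_key": "AKIAIOSFODNN7EXAMPLE",
    "secret_key": "{{user `aws_secret`}}",
    "iam_instance_profile": "packer"
  }]
}"""
ROLE_BASED = """{
  "variables": {"packer_profile": "packer"},
  "builders": [{
    "type": "amazon-ebs",
    "iam_instance_profile": "{{user `packer_profile`}}"
  }]
}"""

STATIC_KEYS = ("access_key", "secret_key", "token")  # amazon-* builder credential keys
USER_VAR = re.compile(r"\{\{\s*user\s+`([^`]+)`\s*\}\}")
KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # long-term access key ID format


def audit_template(text):
    """Return findings for AWS credentials stored in a Packer JSON template."""
    tpl = json.loads(text)
    variables = tpl.get("variables", {})
    findings = []
    for i, builder in enumerate(tpl.get("builders", [])):
        if not str(builder.get("type", "")).startswith("amazon-"):
            continue
        for key in STATIC_KEYS:
            value = str(builder.get(key) or "").strip()
            if not value:
                continue  # unset: Packer falls back to its other credential sources
            ref = USER_VAR.fullmatch(value)
            default = str(variables.get(ref.group(1)) or "") if ref else value
            if ref is None:
                findings.append(f"builders[{i}].{key}: literal value in template")
            elif default and not default.startswith("{{env"):
                # env-sourced defaults are resolved at build time, not stored
                findings.append(f"variables.{ref.group(1)}: default feeds {key}")
    if KEY_ID.search(text):
        findings.append("access key ID pattern found in template text")
    return findings
```

An empty list means the template stores no credentials, so on an instance launched with the role Packer obtains them from the instance itself.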
