Undocumented IAM permissions required by Packer EBS builder
Packer’s Amazon EBS builder documentation lists the IAM permissions it requires to operate correctly in AWS. However, at the time of this writing, there are a few additional permissions that may be required depending on your use case but are not documented.
You use Packer’s EBS builder for building your AMIs. Your environment is configured with AWS credentials that contain all IAM permissions listed by the builder.
You’re building a new AMI. To achieve this, Packer creates an EC2 instance for provisioning. This instance needs to access another AWS service. For example, it needs to pull some cached packages from S3. Understandably, the machine needs to be configured with IAM permissions to do so.
The recommended way to do this is to assign this instance an Instance Profile. The EBS builder allows you to assign a profile to the instance by using the iam_instance_profile option. So you use this option.
Now, you trigger your Packer build, and boom!
==> amazon-ebs: Launching a source AWS instance...
==> amazon-ebs: Adding tags to source instance
    amazon-ebs: Adding tag: "Name": "Packer Builder"
==> amazon-ebs: Error launching source instance: UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: otX5J2DYKoU8w8_jW1NK4tkpflhmZV7RPr4b0849Q1xZXb2aStSd810GBZ30UE-80pgrzIXsf6VYU5L30-bmGFSQOsm8CwyM-Ixka6l0y80suznZoRghP3m5inNwZ3pWOqzivgcqh32D27u_EorICB3Eql3RwzjFtJ7nu1wsDK6n3f-vw5bsRQblTd7QeIBp-u_0jWTyUHacROWtsgZXEiGPzoe-a2yA0lpZw187smnW5y8_yiDjlTS7AgSU6fFfawNHh_7a11_5DxbBlTNTLD5A1rT7caf44kSsoBxAhMtehWrqCZyOn4Ma5ZlSq7g7o-M0pp793NlxcKWUSVNp8zBX9UFwxv_6EIg2fhMsszjMsDcXk_wlHxrOKrhWiy9McaNfrgnT4J96qo2aILA3516_xBBfpzVSIMkeLblYpc7y8Cm6nCz81mnVf2ocPhmHIbJrJFmV0mlW00hLNXHp2xbGybd6Y10Jg-lBk7bYfybBSSgrv0Dxj_UMh7sY9LN0Q9d3b9sw2Qc_WdpDCCWJok2EsMZ0bd2Kf4RLfbpnfh76
==> amazon-ebs: status code: 403, request id: xxxxx-xxxxx-xxxxx
If you’d like to, try decoding the encoded authorization failure message using STS:
aws sts decode-authorization-message --encoded-message <ENCODED MESSAGE HERE>
An error occurred (InvalidAuthorizationMessageException) when calling the DecodeAuthorizationMessage operation: Not authorized to decode message
Packer was not able to launch the EC2 instance with the instance profile attached. The reason is that the role behind the instance profile may hold permissions that Packer’s own credentials do not.
AWS intends it to be this way because the alternative would be an easy attack vector — Packer could be used to create machines that are assigned sensitive permissions and hence to escalate privileges indirectly.
To allow Packer to assign the profile to the instance, you must give it 3 additional permissions:
See IAM roles for EC2, under the title Granting an IAM User Permission to Pass an IAM Role to an Instance.
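As an added example that is not part of the original post, here is a small Python check over a Packer IAM policy document: it tests whether the policy grants iam:PassRole for the role behind the instance profile named in iam_instance_profile (scoped to that one role rather than "*"), and whether it grants sts:DecodeAuthorizationMessage, which the decode command above needs. The role ARN, account id and policy document are constructed for the example; the evaluator is deliberately simplified (Allow statements only, no Deny, no Condition), so a pass here is necessary but not sufficient for the real API call to succeed.

```python
import fnmatch
import json

# Constructed sample: the role behind the instance profile passed via iam_instance_profile.
# The account id is a placeholder.
PACKER_BUILD_ROLE_ARN = "arn:aws:iam::123456789012:role/packer-build-role"

# Constructed Packer policy: EC2 permissions plus a PassRole scoped to the one role it may pass.
# It does not grant sts:DecodeAuthorizationMessage, so the decode check below reports it.
PACKER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": PACKER_BUILD_ROLE_ARN},
    ],
})


def _as_list(value):
    # IAM allows Action/Resource/Statement to be a single string or a list.
    return value if isinstance(value, list) else [value]


def policy_allows(policy_json, action, resource="*"):
    """True if some Allow statement matches the action (case-insensitive, IAM-style '*'
    wildcards) and the resource. Simplified: Deny statements and Conditions are ignored."""
    doc = json.loads(policy_json)
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if any(fnmatch.fnmatchcase(action.lower(), a) for a in actions) and \
           any(fnmatch.fnmatchcase(resource, r) for r in resources):
            return True
    return False


def missing_for_packer(policy_json, role_arn):
    """Return the checks the policy fails: PassRole on the instance profile's role
    (needed once iam_instance_profile is set) and the STS decode call."""
    checks = {
        "iam:PassRole on " + role_arn: policy_allows(policy_json, "iam:PassRole", role_arn),
        "sts:DecodeAuthorizationMessage": policy_allows(policy_json, "sts:DecodeAuthorizationMessage"),
    }
    return [name for name, ok in checks.items() if not ok]


if __name__ == "__main__":
    for gap in missing_for_packer(PACKER_POLICY, PACKER_BUILD_ROLE_ARN):
        print("missing:", gap)
```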
It took me some time to figure this out myself, because I didn’t think it could be a permissions problem, since I had given Packer every permission listed in the documentation.
I’m hoping this short post will save someone a lot of time.