Undocumented IAM permissions required by Packer EBS builder

Raghav Dua
Feb 3 · 2 min read

Packer’s Amazon EBS builder exhaustively lists the IAM permissions it requires to operate correctly in AWS. However, at the time of this writing, there are a few additional permissions that may be required depending on your use case, but are not documented.

Scenario

You use Packer’s EBS builder for building your AMIs. Your environment is configured with AWS credentials that contain all IAM permissions listed by the builder.

You’re building a new AMI. To achieve this, Packer creates an EC2 instance for provisioning. This instance needs to access another AWS service. For example, it needs to pull some cached packages from S3. Understandably, the machine needs to be configured with IAM permissions to do so.

The recommended way to do this is to assign this instance an Instance Profile. The EBS builder allows you to assign a profile to the instance by using the iam_instance_profile option. So you use this option.

Now, you trigger your Packer build, and boom!

==> amazon-ebs: Launching a source AWS instance...
==> amazon-ebs: Adding tags to source instance
    amazon-ebs: Adding tag: "Name": "Packer Builder"
==> amazon-ebs: Error launching source instance: UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: otX5J2DYKoU8w8_jW1NK4tkpflhmZV7RPr4b0849Q1xZXb2aStSd810GBZ30UE-80pgrzIXsf6VYU5L30-bmGFSQOsm8CwyM-Ixka6l0y80suznZoRghP3m5inNwZ3pWOqzivgcqh32D27u_EorICB3Eql3RwzjFtJ7nu1wsDK6n3f-vw5bsRQblTd7QeIBp-u_0jWTyUHacROWtsgZXEiGPzoe-a2yA0lpZw187smnW5y8_yiDjlTS7AgSU6fFfawNHh_7a11_5DxbBlTNTLD5A1rT7caf44kSsoBxAhMtehWrqCZyOn4Ma5ZlSq7g7o-M0pp793NlxcKWUSVNp8zBX9UFwxv_6EIg2fhMsszjMsDcXk_wlHxrOKrhWiy9McaNfrgnT4J96qo2aILA3516_xBBfpzVSIMkeLblYpc7y8Cm6nCz81mnVf2ocPhmHIbJrJFmV0mlW00hLNXHp2xbGybd6Y10Jg-lBk7bYfybBSSgrv0Dxj_UMh7sY9LN0Q9d3b9sw2Qc_WdpDCCWJok2EsMZ0bd2Kf4RLfbpnfh76
==> amazon-ebs:  status code: 403, request id: xxxxx-xxxxx-xxxxx

If you’d like to, you can decode the encoded authorization failure message using STS:

aws sts decode-authorization-message --encoded-message <ENCODED MESSAGE HERE>

Output

An error occurred (InvalidAuthorizationMessageException) when calling the DecodeAuthorizationMessage operation: Not authorized to decode message

The problem

Packer wasn’t able to assign an instance profile to the EC2 instance it launches for provisioning. AWS requires a separate, explicit permission for this because the instance profile can carry permissions that Packer’s own credentials do not have.

AWS intends it to be this way because the alternative could easily become an attack vector: Packer could be used to create machines that are assigned sensitive permissions and hence escalate privileges indirectly.

To allow Packer to assign the profile to the instance, you must give it three additional permissions:

iam:PassRole
ec2:AssociateIamInstanceProfile
ec2:ReplaceIamInstanceProfileAssociation

See IAM roles for EC2, under the title Granting an IAM User Permission to Pass an IAM Role to an Instance.
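As an added example (not part of the original post), the following Python audit reports which of these permissions an existing Packer policy document still lacks, and builds least-privilege statements for them. It assumes the role ARN is supplied by the caller; the sts:DecodeAuthorizationMessage entry (which the "Not authorized to decode message" output above shows is also missing) and the iam:PassedToService condition go beyond the post's list.

```python
"""Audit a Packer IAM policy for the instance-profile permissions the post lists."""
import fnmatch
import re

# The three permissions from the post, plus sts:DecodeAuthorizationMessage,
# which the "Not authorized to decode message" output above shows is missing too.
REQUIRED_ACTIONS = (
    "iam:PassRole",
    "ec2:AssociateIamInstanceProfile",
    "ec2:ReplaceIamInstanceProfileAssociation",
    "sts:DecodeAuthorizationMessage",
)
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def missing_actions(policy: dict) -> set:
    """Required actions that no Allow pattern (e.g. 'ec2:*') in `policy` covers."""
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action", [])))
    # IAM action names are case-insensitive, so compare lower-cased
    return {a for a in REQUIRED_ACTIONS
            if not any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in granted)}


def pass_role_policy(role_arn: str) -> dict:
    """Least-privilege statements granting the missing permissions.

    iam:PassRole is scoped to a single role ARN (never '*') and to EC2, so the
    Packer credential cannot hand an unrelated, more privileged role to an
    instance. role_arn is caller-supplied (a placeholder account id in tests).
    """
    if not ROLE_ARN.match(role_arn):
        raise ValueError(f"expected one IAM role ARN, got {role_arn!r}")
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "PassOnlyTheBuildInstanceRoleToEC2", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": role_arn,
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
        {"Sid": "AttachInstanceProfileToSourceInstance", "Effect": "Allow",
         "Action": ["ec2:AssociateIamInstanceProfile",
                    "ec2:ReplaceIamInstanceProfileAssociation"],
         "Resource": "*"},
        {"Sid": "DecodeAuthorizationFailures", "Effect": "Allow",
         "Action": "sts:DecodeAuthorizationMessage", "Resource": "*"},
    ]}
```

Run missing_actions() over the policy document attached to your Packer credentials; an empty set means all four actions are already covered.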

It took me some time to figure this out myself, because I didn’t think it could be a permissions problem, since I had given Packer every permission listed in the documentation.

I’m hoping this short post will save someone a lot of time.

Written by Raghav Dua
SRE @shuttl | www.ethlint.com
