Undocumented IAM permissions required by Packer EBS builder

Packer’s Amazon EBS builder documents the list of IAM permissions it requires to operate in AWS. However, at the time of this writing, a few additional permissions may be required depending on your use case, and these are not documented.


Scenario

You use Packer’s EBS builder for building your AMIs. Your environment is configured with AWS credentials that contain all IAM permissions listed by the builder.

You’re building a new AMI. To achieve this, Packer creates an EC2 instance for provisioning. This instance needs to access another AWS service. For example, it needs to pull some cached packages from S3. Understandably, the machine needs to be configured with IAM permissions to do so.

The recommended way to do this is to assign this instance an Instance Profile. The EBS builder allows you to assign a profile to the instance by using the iam_instance_profile option. So you use this option.

Now, you trigger your Packer build, and boom!

==> amazon-ebs: Launching a source AWS instance...

If you’d like to, try decoding the encoded authorization failure message using STS:

aws sts decode-authorization-message --encoded-message <ENCODED MESSAGE HERE>

Output

An error occurred (InvalidAuthorizationMessageException) when calling the DecodeAuthorizationMessage operation: Not authorized to decode message

The problem

Packer wasn’t able to assign an instance profile to the EC2 instance it provisions. This is because the role behind the instance profile can carry permissions that Packer’s own credentials do not have.

AWS intends it to be this way because this could easily become an attack vector: an identity that can launch instances with an arbitrary instance profile could assign itself sensitive permissions and hence escalate privileges indirectly.

To allow Packer to assign the profile to the instance, you must give it three additional permissions:

iam:PassRole
ec2:AssociateIamInstanceProfile
ec2:ReplaceIamInstanceProfileAssociation

See IAM roles for EC2, under the title Granting an IAM User Permission to Pass an IAM Role to an Instance.
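As an added example (not from the original post), here is a least-privilege policy for those three permissions, with iam:PassRole restricted to the one role behind the Packer instance profile and to EC2 as the receiving service, plus a small check that flags the weak form (PassRole on Resource "*"). The account ID and role name are placeholders.

```python
import json

# Constructed placeholder: the role attached to the instance profile named in
# Packer's iam_instance_profile option. Replace account ID and role name.
PACKER_BUILD_ROLE_ARN = "arn:aws:iam::123456789012:role/packer-build-role"


def packer_extra_permissions_policy(build_role_arn: str) -> dict:
    """Policy granting only the three undocumented permissions.

    iam:PassRole is scoped to a single role ARN and conditioned on
    iam:PassedToService so it can only be passed to EC2, not to other
    services that also accept roles.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PassOnlyThePackerBuildRoleToEC2",
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": build_role_arn,
                "Condition": {
                    "StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}
                },
            },
            {
                "Sid": "AttachProfileToBuildInstances",
                "Effect": "Allow",
                "Action": [
                    "ec2:AssociateIamInstanceProfile",
                    "ec2:ReplaceIamInstanceProfileAssociation",
                ],
                "Resource": "*",
            },
        ],
    }


def passrole_is_wildcard(policy: dict) -> bool:
    """True if any Allow statement grants iam:PassRole on every role.

    This is the weak form to avoid: with PassRole on "*", Packer's
    credentials could hand any role in the account to an instance.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        passes_roles = any(a.lower() in ("iam:passrole", "iam:*", "*") for a in actions)
        if passes_roles and "*" in resources:
            return True
    return False


if __name__ == "__main__":
    policy = packer_extra_permissions_policy(PACKER_BUILD_ROLE_ARN)
    print(json.dumps(policy, indent=2))
    print("PassRole is wildcard:", passrole_is_wildcard(policy))
```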

It took me some time to figure this out myself, because I didn’t think it could be a permissions problem, since I had given Packer every permission listed in the documentation.

I’m hoping this short post will save someone a lot of time.

Written by

Site Reliability Engineer at shuttl.com | github.com/duaraghav8
