Reputation: 7567
I have a private AMI created using my own account. This AMI I want other people to use (using a CloudFormation script that I have written) to stand up their own EC2 instances. But I cannot make the AMI public; it should only be available to 100 designated people.
This can be done manually by giving access to each AWS account number as mentioned in this link here, but for 100 people it's too fiddly.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html
My question is, is there a way to provide my AWS account's aws_access_key_id and aws_secret_access_key in the CloudFormation script to make it able to use the private AMI?
Upvotes: 1
Views: 943
Reputation: 2105
If your question is asking if you could give your access keys to the 100 people and they somehow use these keys to access your AMI, no, this is not possible. When the other people run the CloudFormation template in their account, it is being run in the context of the user associated with their account. If they used your credentials to do this, it would attempt to create the CloudFormation stack in your account.
It seems your best option is what Max suggested, write a simple script to share the AMI with the 100 accounts you have. Here is a simple example using the AWS CLI, assuming you have a file with each account number on a separate line.
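```bash
#!/bin/bash
# Share one AMI with every AWS account ID listed in accounts.txt (one ID per line).
ami="ami-11235813"
file="accounts.txt"
while read -r line
do
  account="${line}"
  # Add a launch permission for this account ID (UserId is the account, not the AMI)
  aws ec2 modify-image-attribute --image-id "${ami}" --launch-permission "{\"Add\":[{\"UserId\":\"${account}\"}]}"
done < "${file}"
```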
Upvotes: 2
Reputation: 8836
You said adding the accounts one at a time is "too fiddly" but what about writing a simple script using the CLI or your favorite SDK to add the accounts? To me that seems the simplest approach.
Upvotes: 2
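An added example, not part of any post above: a variant of the scripted sharing approach that validates the allowlist before granting anything and, going one step beyond the answers, audits the AMI's current launch permissions against that allowlist. The function names and the allowlist file layout are assumptions; `ami-11235813` is the placeholder ID from the answer.

```bash
#!/bin/bash
# Added example; function names and the allowlist layout are assumptions.

# True only for a well-formed AWS account ID (exactly 12 digits).
valid_account_id() {
  case "$1" in ""|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -eq 12 ]
}

# Turn an allowlist file (one account ID per line; blank lines and
# "#" comments allowed) into a single --launch-permission JSON document.
# Any malformed entry aborts the run so nothing is shared by accident.
build_launch_permission() (
  entries="" seen=" "
  while IFS= read -r line || [ -n "$line" ]; do
    id=$(printf '%s' "$line" | tr -d '[:space:]')   # also strips CR
    case "$id" in ""|\#*) continue ;; esac
    if ! valid_account_id "$id"; then
      echo "malformed account id: '$id'" >&2
      exit 1
    fi
    case "$seen" in *" $id "*) continue ;; esac      # skip duplicates
    seen="$seen$id "
    entries="${entries:+$entries,}{\"UserId\":\"$id\"}"
  done < "$1"
  [ -n "$entries" ] || { echo "no account ids in $1" >&2; exit 1; }
  printf '{"Add":[%s]}\n' "$entries"
)

# Grant launch permission to the whole allowlist (needs AWS credentials).
# Usage: share_ami ami-11235813 accounts.txt
share_ami() (
  perms=$(build_launch_permission "$2") || exit 1
  aws ec2 modify-image-attribute --image-id "$1" --launch-permission "$perms"
)

# Audit: read currently granted account IDs on stdin (one per line) and
# print every ID that is not on the allowlist file $1. Feed it from:
#   aws ec2 describe-image-attribute --image-id <ami> \
#     --attribute launchPermission \
#     --query 'LaunchPermissions[].UserId' --output text | tr '\t' '\n'
unexpected_grants() (
  allowed=" $(tr -s '[:space:]' ' ' < "$1") "
  while IFS= read -r id; do
    [ -n "$id" ] || continue
    case "$allowed" in *" $id "*) ;; *) echo "$id" ;; esac
  done
)
```

The audit query lists only per-account grants; a public grant appears in the same attribute as a `Group` entry rather than a `UserId`.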