Reputation: 23781
I did some R&D but didn't find any answer or hint on this topic. Can anyone give a hint or answer if it is possible to copy an AMI from one AWS account to another using boto?
Upvotes: 5
Views: 5135
Reputation: 1398
You cannot directly copy the AMI from one account to another, but you can share the AMI with the other account and then copy the image locally in the second account. Here is how:
```python
import boto3

# Copying image from src_account to dest_account
SRC_ACCOUNT_ID = '111111'
DEST_ACCOUNT_ID = '222222'
IMAGE_ID = '333333'
SRC_REGION = 'us-west-1'
DEST_REGION = 'us-east-1'

# Create a CrossAccountRole role in src_account which will give permission to operations in the account
sts = boto3.client('sts')
credentials = sts.assume_role(
    RoleArn='arn:aws:iam::' + SRC_ACCOUNT_ID + ':role/CrossAccountRole',
    RoleSessionName="RoleSession1"
)['Credentials']
ec2 = boto3.resource('ec2', region_name=SRC_REGION,
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken']
)

# Access the image that needs to be copied
image = ec2.Image(IMAGE_ID)

# Share the image with the destination account
image.modify_attribute(
    ImageId=image.id,
    Attribute='launchPermission',
    OperationType='add',
    LaunchPermission={
        'Add': [{'UserId': DEST_ACCOUNT_ID}]
    }
)

# We have to now share the snapshots associated with the AMI so it can be copied
devices = image.block_device_mappings
for device in devices:
    if 'Ebs' in device:
        snapshot_id = device["Ebs"]["SnapshotId"]
        snapshot = ec2.Snapshot(snapshot_id)
        snapshot.modify_attribute(
            Attribute='createVolumePermission',
            CreateVolumePermission={
                'Add': [{'UserId': DEST_ACCOUNT_ID}]
            },
            OperationType='add',
        )

# Access destination account so we can now copy the image
credentials = sts.assume_role(
    RoleArn='arn:aws:iam::' + DEST_ACCOUNT_ID + ':role/CrossAccountRole',
    RoleSessionName="RoleSession1"
)['Credentials']

# Copy image to failover regions
ec2fra = boto3.client('ec2', DEST_REGION,
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken']
)

# Copy the shared AMI to dest region
ec2fra.copy_image(
    Name='MY_COPIED_IMAGE_FROM_OTHER_ACCOUNT',
    SourceImageId=image.id,
    SourceRegion=SRC_REGION
)
```
There it is, simple :)
Read about commands here
Upvotes: 10
Reputation: 485
It's not possible to copy the AMI, but you can share it as @byumark said. Sharing is pretty easy with boto3. I wouldn't use the client like he did, I would use the resource.
Now, if dealing with encrypted AMIs, it's a bit trickier. You need to allow access to the CMK used for the encryption and share the snapshot itself, not the AMI. Then copy the snapshot, and when copying, set encryption again to make sure it's encrypted with the target account's default KMS key.
Upvotes: 0
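The encrypted-snapshot steps described in the answer above, sketched as an added example that is not part of the original answers. It assumes CMK access is given through a KMS grant to the destination account's `CrossAccountRole` (a key policy statement is the other option) and that `COPY_OPS` is the operation set an EBS copy needs; the `Recorder` stub and all IDs are constructed so the flow runs offline.

```python
# Added example. In real use pass boto3.client('kms') / boto3.client('ec2') objects.
COPY_OPS = ['Decrypt', 'DescribeKey', 'CreateGrant',  # assumed set for an EBS copy
            'GenerateDataKeyWithoutPlaintext', 'ReEncryptFrom', 'ReEncryptTo']

def share_encrypted_snapshot(kms_src, ec2_src, snapshot_id, dest_account, grantee_arn):
    """Source-account side: expose one snapshot and the key that encrypts it."""
    snap = ec2_src.describe_snapshots(SnapshotIds=[snapshot_id])['Snapshots'][0]
    if not snap.get('Encrypted'):
        raise ValueError('snapshot is not encrypted; plain sharing is enough')
    key = kms_src.describe_key(KeyId=snap['KmsKeyId'])['KeyMetadata']
    # Snapshots encrypted with the AWS managed default key cannot be shared.
    if key['KeyManager'] != 'CUSTOMER':
        raise ValueError('AWS managed key: re-encrypt under a customer managed key')
    kms_src.create_grant(KeyId=key['Arn'], GranteePrincipal=grantee_arn,
                         Operations=COPY_OPS)
    ec2_src.modify_snapshot_attribute(
        SnapshotId=snapshot_id, Attribute='createVolumePermission',
        OperationType='add', UserIds=[dest_account])
    return key['Arn']

def copy_shared_snapshot(ec2_dest, snapshot_id, src_region):
    """Destination side: Encrypted=True without KmsKeyId uses the default EBS key."""
    resp = ec2_dest.copy_snapshot(SourceSnapshotId=snapshot_id,
                                  SourceRegion=src_region, Encrypted=True)
    return resp['SnapshotId']

class Recorder:
    """Constructed stand-in for a boto3 client: logs calls, returns canned data."""
    def __init__(self, canned):
        self.canned, self.calls = canned, []
    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return self.canned.get(name, {})
        return call

def demo(key_manager='CUSTOMER'):
    arn = 'arn:aws:kms:us-west-1:111111:key/EXAMPLE'  # constructed placeholder
    ec2_src = Recorder({'describe_snapshots':
                        {'Snapshots': [{'Encrypted': True, 'KmsKeyId': arn}]}})
    kms = Recorder({'describe_key':
                    {'KeyMetadata': {'Arn': arn, 'KeyManager': key_manager}}})
    ec2_dest = Recorder({'copy_snapshot': {'SnapshotId': 'snap-copy'}})
    share_encrypted_snapshot(kms, ec2_src, 'snap-src', '222222',
                             'arn:aws:iam::222222:role/CrossAccountRole')
    new_id = copy_shared_snapshot(ec2_dest, 'snap-src', 'us-west-1')
    return kms.calls, ec2_src.calls, ec2_dest.calls, new_id

if __name__ == '__main__':
    print(demo()[3])
```

The grant names a single role instead of the whole destination account, so only the principal that performs the copy can use the key.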
Reputation: 298
You could share the AMI from one account to another. Try this:
Sharing an AMI with Specific AWS Accounts
Does that do what you want it to do?
Here it is in boto3.
After sharing the image, perhaps then you can copy it with boto3.
Upvotes: 2