Reputation: 377
I'm new with Packer and I'm trying to create an image using a private network of the VPC and I'm continually having the error *amazon-ebs: Timeout waiting for SSH.*
The version of Packer in use is 1.3.4, and the private subnet has access to a NAT Gateway through a public subnet and a route table. But as the problem could be not being able to reach the instance, I also tried other parameters, like `ssh_interface` with the value of `private_dns` and `associate_public_ip_address`. But even with the changes I get the same error.
The template I'm using has the following content:
```json
"builders": [
  {
    "type": "amazon-ebs",
    "access_key": "{{user `aws_access_key`}}",
    "secret_key": "{{user `aws_secret_key`}}",
    "region": "{{user `region`}}",
    "source_ami": "{{user `source_ami`}}",
    "instance_type": "{{user `instance_type`}}",
    "iam_instance_profile": "{{user `role`}}",
    "ssh_username": "{{user `ssh_username`}}",
    "ssh_timeout": "15m",
    "vpc_id": "{{user `vpc_id`}}",
    "subnet_id": "{{user `subnet_id`}}",
    "associate_public_ip_address": true,
    "ami_name": "{{user `name`}}.{{isotime \"2006-01-02T150405Z\"}}",
    "ami_description": "based on {{user `source_ami`}}",
    "tags": {
      "Name": "{{user `name`}}"
    }
  }
]
```
In the template I'm not defining the Security Group, but in the Packer logs I can see that it's able to create a temporary security group, so access to port 22 should also be available:
```
==> amazon-ebs: Pausing after run of step 'StepKeyPair'. Press enter to continue.
==> amazon-ebs: Creating temporary security group for this instance: packer_5c6b3667-c41f-92bc-aa89-efc5f3a2d8a8
==> amazon-ebs: Authorizing access to port 22 from 0.0.0.0/0 in the temporary security group...
==> amazon-ebs: Pausing after run of step 'StepSecurityGroup'. Press enter to continue.
==> amazon-ebs: Pausing after run of step 'StepCleanupVolumes'. Press enter to continue.
==> amazon-ebs: Launching a source AWS instance...
```
But the problem persists. Is there something that I'm missing in the template? Or something that I should do differently to generate the AMI?
Upvotes: 4
Views: 18488
Reputation: 11
This might help if you don't have a bastion host:
`associate_public_ip_address = true`
Upvotes: 0
Reputation: 2103
I had a Security Group (firewall) setting in place that prevented connection from the mobile network. It worked fine when I connected from the trusted (allowed) network.
Note the following step:
2022/07/31 05:58:15 packer-builder-amazon-ebs plugin: Using specified security groups: [sg-0123456789abcd sg-0123456789abce]
Upvotes: 0
Reputation: 3946
I had the same issue and what caused it for me was using an AMI that was encrypted, while I specifically stated "false".
```
"builders": [
  {
    "launch_block_device_mappings": [
      {
        "device_name": "/dev/sda1",
        "volume_type": "gp2",
        "encrypted": true  <-- I was setting it to 'false' while only 'true' works
      }
    ],
    ...
  }
],
```
Upvotes: 2
Reputation: 1306
I was facing the same issue. The problem I had found was that all my instances were being launched in the Default VPC. Even though I had set up the SG and route table to allow ingress SSH traffic from 0.0.0.0/0, I was still unable to access it, even from the console. So I had to create a custom VPC with a proper internet gateway, security group and route table, and my final builders was something like this.
```json
"builders": [{
  "type": "amazon-ebs",
  "access_key": "{{user `aws_access_key`}}",
  "secret_key": "{{user `aws_secret_key`}}",
  "region": "us-******",
  "source_ami": "ami-*********",
  "instance_type": "t2.micro",
  "ssh_username": "ubuntu",
  "ami_name": "packer-example {{timestamp}}",
  "vpc_id": "{VPC id i had created}",
  "subnet_id": "{Subnet i had created}",
  "security_group_id": "sg with proper ingress port 22 rule enabled from 0.0.0.0"
}],
```
Hope that solved your issue and pardon my vocabulary :)
Upvotes: 1
Reputation: 1
There is one more possibility: Packer is not able to locate the key to log in to the bastion host and is waiting for other methods to log in.
Collected logs with `export PACKER_LOG=1`, as below.
```
==> amazon-ebs: Waiting for SSH to become available...
2020/07/30 12:19:22 packer: 2020/07/30 12:19:22 [DEBUG] TCP connection to SSH ip/port failed: Error connecting to bastion: ssh: handshake failed: ssh: unable to authenticate, attempted methods [publickey none], no supported methods remain
2020/07/30 12:19:27 packer: 2020/07/30 12:19:27 [DEBUG] TCP connection to SSH ip/port failed: Error connecting to bastion: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
2020/07/30 12:19:32 packer: 2020/07/30 12:19:32 [DEBUG] TCP connection to SSH ip/port failed: Error connecting to bastion: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
2020/07/30 12:19:37 packer: 2020/07/30 12:19:37 [DEBUG] TCP connection to SSH ip/port failed: Error connecting to bastion: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
2020/07/30 12:19:43 packer: 2020/07/30 12:19:43 [DEBUG] TCP connection to SSH ip/port failed: Error connecting to bastion: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
2020/07/30 12:19:48 packer: 2020/07/30 12:19:48 [DEBUG] TCP connection to SSH ip/port failed: Error connecting to bastion: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
```
Also, to verify: `ssh-add -l` should not list the keys, and then we know that Packer is not able to find the key to log in.
In this case we just need to add the SSH key using `ssh-add <path to your ssh keys>` and it should fix the issue.
Upvotes: 0
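Added example (not part of the answer above): a small parser for `PACKER_LOG=1` output that separates an authentication failure at the bastion, as in the log above, from a plain network timeout. The first two sample lines are copied from the answer; the third is constructed, and the function names are illustrative.

```python
import re
from collections import Counter

# Lines 1-2 are copied from the answer above; line 3 is constructed (placeholder
# address) to show what a pure network timeout looks like by comparison.
SAMPLE_LOG = """\
2020/07/30 12:19:22 packer: 2020/07/30 12:19:22 [DEBUG] TCP connection to SSH ip/port failed: Error connecting to bastion: ssh: handshake failed: ssh: unable to authenticate, attempted methods [publickey none], no supported methods remain
2020/07/30 12:19:27 packer: 2020/07/30 12:19:27 [DEBUG] TCP connection to SSH ip/port failed: Error connecting to bastion: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
2020/07/30 12:19:32 packer: 2020/07/30 12:19:32 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 192.0.2.10:22: i/o timeout
"""

FAILED = re.compile(r"TCP connection to SSH ip/port failed: (?P<err>.*)$")
METHODS = re.compile(r"attempted methods \[(?P<m>[^\]]*)\]")
CAUSES = [("unable to authenticate", "auth"), ("i/o timeout", "timeout")]


def classify(line):
    """Return (hop, cause, methods) for one failed-connection line, else None."""
    match = FAILED.search(line)
    if not match:
        return None
    err = match.group("err")
    hop = "bastion" if "Error connecting to bastion" in err else "target"
    cause = next((label for text, label in CAUSES if text in err), "other")
    methods = METHODS.search(err)
    return hop, cause, frozenset(methods.group("m").split()) if methods else frozenset()


def summarize(log_text):
    """Count failures per (hop, cause) and collect the auth methods that were tried."""
    counts, tried = Counter(), set()
    for result in filter(None, map(classify, log_text.splitlines())):
        hop, cause, methods = result
        counts[(hop, cause)] += 1
        tried |= methods
    return counts, tried


def advice(counts):
    """Map the most frequent failure to the layer worth checking first."""
    if not counts:
        return "no SSH connection failures logged"
    (hop, cause), _ = counts.most_common(1)[0]
    if cause == "auth":
        return f"{hop}: reachable, but no offered key was accepted; check the key or ssh-agent"
    if cause == "timeout":
        return f"{hop}: packets are not arriving; check routes, security groups and NACLs"
    return f"{hop}: unclassified error; read the raw line"
```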
Reputation: 546
You cannot access an EC2 instance through a NAT Gateway. NAT Gateways in AWS are used to give Internet access from a VPC, not to a VPC.
You have several options:
Regards
Upvotes: 7
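Added example (not from any of the posts): the NAT Gateway point above can be checked before a build by looking at the subnet's default route. The route-table data is constructed in the shape of `aws ec2 describe-route-tables` output, all IDs and function names are illustrative, and the lint assumes Packer runs outside the VPC with no VPN.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` output;
# all IDs are placeholders, not values from the question.
ROUTE_TABLES = json.loads("""
{"RouteTables": [
  {"Associations": [{"SubnetId": "subnet-private-example"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
  {"Associations": [{"SubnetId": "subnet-public-example"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]}
]}
""")


def default_route(route_tables, subnet_id):
    """Return 'igw', 'nat' or 'none' for the subnet's 0.0.0.0/0 route."""
    explicit = main = None
    for table in route_tables["RouteTables"]:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                explicit = table
            elif assoc.get("Main"):
                main = table
    table = explicit or main  # unassociated subnets fall back to the main table
    for route in (table or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            if route.get("NatGatewayId"):
                return "nat"
            if route.get("GatewayId", "").startswith("igw-"):
                return "igw"
    return "none"


def lint_builder(builder, route_tables):
    """Findings for an amazon-ebs builder when Packer runs outside the VPC."""
    findings = []
    target = default_route(route_tables, builder.get("subnet_id", ""))
    if target != "igw" and "ssh_bastion_host" not in builder:
        findings.append("no internet gateway route and no bastion: SSH from outside will time out")
        if builder.get("associate_public_ip_address"):
            findings.append("public IP is unusable here: the subnet's default route is not an IGW")
    if target == "igw" and not any(k in builder for k in ("security_group_id", "security_group_ids")):
        findings.append("temporary security group opens port 22 to 0.0.0.0/0; restrict the source")
    return findings
```

Run against a builder shaped like the one in the question (private subnet, `associate_public_ip_address` set), it reports both the missing inbound path and the unusable public IP.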