Reputation: 361
I have a script that creates this JSON EC2 Image Builder recipe:
{
  "name": "MyRecipe",
  "description": "Create image recipe.",
  "semanticVersion": "1.1.0",
  "components": [
    {
      "componentArn": "arn:aws:imagebuilder:us-east-1:MyAccountID:component/MyComponent"
    }
  ],
  "parentImage": "ami-05d47d29a4c2d19e1"
}
then runs this command to deploy it:
aws imagebuilder create-image-recipe --cli-input-json file:///tmp/tmpuvshobis/create-recipe.json
The parentImage is supposed to point to an Ubuntu 22.04 LTS arm64 AMI.
Deployment succeeds using an account with these permission policies:
AmazonEC2FullAccess
AmazonS3FullAccess
AWSImageBuilderFullAccess
But it fails when using a role with limited permissions:
Stderr:
An error occurred (InvalidParameterValueException) when calling the CreateImageRecipe operation: The value supplied for parameter 'parentImage' is not valid. You are not authorized to use the provided image.
The role has these permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ecr:UntagResource",
        "ecr:CompleteLayerUpload",
        "ecr:TagResource",
        "ec2:ModifyLaunchTemplate",
        "ecr:UploadLayerPart",
        "ecr:InitiateLayerUpload",
        "ec2:CreateLaunchTemplateVersion",
        "ecr:PutImage",
        "sts:AssumeRoleWithWebIdentity",
        "imagebuilder:CreateComponent",
        "imagebuilder:UpdateImagePipeline",
        "imagebuilder:CreateImageRecipe",
        "imagebuilder:StartImagePipelineExecution",
        "imagebuilder:CreateImagePipeline",
        "imagebuilder:TagResource",
        "imagebuilder:UntagResource",
        "imagebuilder:GetComponent",
        "ec2:DescribeImages",
        "ec2:DescribeImageAttribute",
        "imagebuilder:ListImages",
        "imagebuilder:GetImage"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:MyAccountID:launch-template/lt-MyLaunchTemplate",
        "arn:aws:ecr:us-east-1:MyAccountID:repository/MyRepo",
        "arn:aws:imagebuilder:us-east-1:MyAccountID:image/*",
        "arn:aws:imagebuilder:us-east-1:MyAccountID:image-recipe/*/*",
        "arn:aws:imagebuilder:us-east-1:MyAccountID:image-pipeline/*",
        "arn:aws:imagebuilder:us-east-1:MyAccountID:component/*/*/*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}
Which permissions is the role missing? It's not clear from the error message.
Upvotes: 0
Views: 197
Reputation: 143
You are adding the ec2 actions for the AMI, but then limiting them to resources that only contain an ec2 launch template.
Upvotes: 1
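The mismatch the answer describes (an ec2 action granted in a statement whose only ec2 resource is a launch template) is easy to miss by eye, so here is a small static check that finds it. This is an added example, not code from the question or the answer. It embeds the role policy copied from the question, and everything else is my own: the function names, the action-to-resource-type table (which reflects my reading of the IAM service authorization reference, in particular that ec2:DescribeImages supports no resource-level permissions and only takes effect on Resource "*", while ec2:DescribeImageAttribute is evaluated against an image resource), and the AMI ARN form arn:aws:ec2:region::image/ami-id used in the corrected policy.

```python
"""Flag Allow actions that can never match the Resource list of their own
statement. Added example, not code from the question or the answer; the
sample policy is copied from the question, the table below is an assumption."""
import json

# Resource types each action is evaluated against, per my reading of the IAM
# service authorization reference (an assumption of this example). None means
# the action supports no resource-level permissions and only works on "*".
REQUIRED_TYPES = {
    "ec2:DescribeImages": None,
    "ec2:DescribeImageAttribute": {"image"},
    "ec2:ModifyLaunchTemplate": {"launch-template"},
    "ec2:CreateLaunchTemplateVersion": {"launch-template"},
    "ecr:GetAuthorizationToken": None,
}


def arn_service_and_type(arn):
    """Return (service, resource type) for an ARN, or ("*", "*") for a wildcard."""
    if arn == "*":
        return "*", "*"
    # arn:partition:service:region:account:resource-type/id (or resource-type:id)
    _, _, service, _, _, resource = arn.split(":", 5)
    return service, resource.replace(":", "/").split("/", 1)[0]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (Sid, action, reason) for each Allow action that cannot match any
    Resource in its own statement, i.e. a grant that is silently inert."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        resources = [arn_service_and_type(r) for r in _as_list(stmt["Resource"])]
        if any(svc == "*" for svc, _ in resources):
            continue  # "*" matches every resource; nothing to flag
        for action in _as_list(stmt["Action"]):
            service = action.split(":", 1)[0]
            needed = REQUIRED_TYPES.get(action, set())
            present = {t for s, t in resources if s == service}
            if action in REQUIRED_TYPES and needed is None:
                findings.append((sid, action, 'only takes effect with Resource "*"'))
            elif not present:
                findings.append((sid, action, f"no {service} resource in statement"))
            elif needed and not needed & present:
                findings.append((sid, action,
                                 f"needs {sorted(needed)}, statement has {sorted(present)}"))
    return findings


def move_image_actions(policy, ami_arn):
    """Copy of the policy with the two AMI-reading actions moved into statements
    whose Resource they can match (the shape of fix the answer points at)."""
    moved = {"ec2:DescribeImages", "ec2:DescribeImageAttribute"}
    fixed = json.loads(json.dumps(policy))  # deep copy; leave the input intact
    for stmt in fixed["Statement"]:
        stmt["Action"] = [a for a in _as_list(stmt["Action"]) if a not in moved]
    fixed["Statement"] += [
        {"Sid": "DescribeAnyImage", "Effect": "Allow",
         "Action": "ec2:DescribeImages", "Resource": "*"},
        {"Sid": "ReadParentImage", "Effect": "Allow",
         "Action": "ec2:DescribeImageAttribute", "Resource": ami_arn},
    ]
    return fixed


# The role policy as posted in the question (actions condensed onto fewer lines).
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": [
             "ecr:UntagResource", "ecr:CompleteLayerUpload", "ecr:TagResource",
             "ec2:ModifyLaunchTemplate", "ecr:UploadLayerPart", "ecr:InitiateLayerUpload",
             "ec2:CreateLaunchTemplateVersion", "ecr:PutImage", "sts:AssumeRoleWithWebIdentity",
             "imagebuilder:CreateComponent", "imagebuilder:UpdateImagePipeline",
             "imagebuilder:CreateImageRecipe", "imagebuilder:StartImagePipelineExecution",
             "imagebuilder:CreateImagePipeline", "imagebuilder:TagResource",
             "imagebuilder:UntagResource", "imagebuilder:GetComponent",
             "ec2:DescribeImages", "ec2:DescribeImageAttribute",
             "imagebuilder:ListImages", "imagebuilder:GetImage"],
         "Resource": [
             "arn:aws:ec2:us-east-1:MyAccountID:launch-template/lt-MyLaunchTemplate",
             "arn:aws:ecr:us-east-1:MyAccountID:repository/MyRepo",
             "arn:aws:imagebuilder:us-east-1:MyAccountID:image/*",
             "arn:aws:imagebuilder:us-east-1:MyAccountID:image-recipe/*/*",
             "arn:aws:imagebuilder:us-east-1:MyAccountID:image-pipeline/*",
             "arn:aws:imagebuilder:us-east-1:MyAccountID:component/*/*/*"]},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(QUESTION_POLICY):
        print(*finding, sep="  ")
    fixed = move_image_actions(QUESTION_POLICY, "arn:aws:ec2:us-east-1::image/ami-05d47d29a4c2d19e1")
    print("ec2 findings after fix:", [f for f in lint_policy(fixed) if f[1].startswith("ec2:")])
```

Run against the question's policy, the linter reports both ec2:DescribeImages and ec2:DescribeImageAttribute in VisualEditor0 as unable to match any resource in that statement, which is the answer's point; it also notes that sts:AssumeRoleWithWebIdentity sits in a statement with no sts resource, an observation about that grant being inert rather than part of the fix. After moving the two image actions into their own statements, no ec2 findings remain. The check is deliberately conservative: it only knows the handful of actions in its table and treats any other action as fine as long as some resource of the same service is present, so a clean result is not proof that a policy is sufficient.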