0
votes

I created an AMI on EC2 and shared it with another EC2 account, but I can't access the AMI from the other EC2 account. Any help will be appreciated.

Here is what I did so far:

Created an instance using ubuntu 14.04

Logged into the instance and installed all the tools needed

Created a new AMI based on the instance

Shared the AMI with another EC2 account

Logged into the other EC2 account, but I could not find the AMI under AMIs list

Any help where I can find the AMI?

Thanks a lot.


2 Answers

2
votes

I am presuming that you have shared the AMI per this document: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html

Once shared, when you log in to the other EC2 account, make sure you have selected Private Images as shown below.

(screenshot: the AMIs list with the "Private images" filter selected)

Only the Private Images option will list/show the AMI that you have shared from another account.

0
votes

I just had the same issue recently. I know this question is old, but it's the first one that comes up on Google.

The docs for sharing an encrypted AMI:
https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html#policy-example-cmk-cross-account-access

I was using an autoscaling group, so I made use of the default service-linked role (arn:aws:iam::(account_id):role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling).

If sharing from (ACCOUNT 1) -> (ACCOUNT 2):
In (ACCOUNT 1), where the KMS key used to encrypt the AMI lives, add the following statements to the key policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::(ACCOUNT 1 ID):root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::(ACCOUNT 2 ID):role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
                    "arn:aws:iam::(ACCOUNT 1 ID):role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
                    "arn:aws:iam::(ACCOUNT 2 ID):root"
                ]
            },
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:DescribeKey",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*"
        }
    ]
}

Now in the console find your AMI, right-click, and share it with (ACCOUNT 2 ID). You should now see your AMI listed as a "Private" AMI in (ACCOUNT 2).

If you try to launch the AMI in (ACCOUNT 2) it will stop automatically and throw a ClientError at you. You have to run the next step (via the AWS CLI):

aws kms create-grant \
    --region (REGION WHERE KMS KEY LIVES) \
    --key-id arn:aws:kms:(REGION WHERE KMS KEY LIVES):(ACCOUNT 1 ID):key/(ACCOUNT 1 KMS KEY ID) \
    --grantee-principal arn:aws:iam::(ACCOUNT 2 ID):role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling \
    --operations "Encrypt" "Decrypt" "ReEncryptFrom" "ReEncryptTo" "GenerateDataKey" "GenerateDataKeyWithoutPlaintext" "DescribeKey" "CreateGrant"

Now it should all work.
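The answer above has two moving parts on the key-owner side: the key policy in (ACCOUNT 1) must reach the principals in (ACCOUNT 2), and the grant must list the operations EC2 needs. The script below is an added example, not code from the answer or from AWS: it statically checks a key policy document for exactly those operations (the ones the answer's create-grant call passes to --operations), taking into account that naming an account root in a key policy delegates to that account's IAM, and that IAM wildcards such as kms:ReEncrypt* expand to ReEncryptFrom/ReEncryptTo. The account IDs, key ID and both policy documents are constructed; the second policy is a deliberately too-narrow variant (Decrypt and DescribeKey only) to show what the check reports. It also renders the matching create-grant command, so the operation list lives in one place.

```python
"""Static check of a KMS key policy for a cross-account encrypted AMI launch.

Added example, not part of the original answer. Account IDs, key ID and the
policy documents are constructed; LAUNCH_OPERATIONS is the operation list
the answer's create-grant command passes to --operations.
"""
import fnmatch
import json

ACCOUNT_1 = "111111111111"   # constructed: owns the AMI and the KMS key
ACCOUNT_2 = "222222222222"   # constructed: launches the shared AMI
SLR = "role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
SLR_2 = f"arn:aws:iam::{ACCOUNT_2}:{SLR}"
KEY_ARN = f"arn:aws:kms:us-west-2:{ACCOUNT_1}:key/00000000-0000-4000-8000-000000000000"  # constructed

# Operations listed in the answer's create-grant call.
LAUNCH_OPERATIONS = (
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey", "kms:CreateGrant",
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    # arn:partition:service:region:account-id:resource -> index 4
    return arn.split(":")[4]


def _principal_covers(policy_principal, grantee_arn):
    """True if one 'AWS' principal entry of a key policy covers grantee_arn.

    A key policy can name the principal exactly, or name the account root
    ("arn:aws:iam::ACCT:root" or the bare 12-digit ID), which delegates to IAM
    in that account: every principal there is covered at the key-policy level
    and additionally needs its own IAM policy to allow the action.
    """
    acct = _account_of(grantee_arn)
    return policy_principal in (grantee_arn, f"arn:aws:iam::{acct}:root", acct)


def allowed_launch_ops(policy, grantee_arn):
    """Return the LAUNCH_OPERATIONS that Allow statements grant to grantee_arn.

    Actions match case-insensitively with IAM-style wildcards, so "kms:ReEncrypt*"
    covers ReEncryptFrom/To and "kms:*" covers everything. Deny statements are
    not evaluated; add a second pass if your key policy uses them.
    """
    granted = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "Principal" not in st:
            continue
        prin = st["Principal"]
        if prin == "*":
            covered = True
        else:
            covered = any(_principal_covers(p, grantee_arn)
                          for p in _as_list(prin.get("AWS", [])))
        if not covered:
            continue
        for pattern in _as_list(st["Action"]):
            for op in LAUNCH_OPERATIONS:
                if fnmatch.fnmatchcase(op.lower(), pattern.lower()):
                    granted.add(op)
    return granted


def missing_launch_ops(policy, grantee_arn):
    """Operations EC2 will need that the key policy does not give grantee_arn."""
    return sorted(set(LAUNCH_OPERATIONS) - allowed_launch_ops(policy, grantee_arn))


def create_grant_command(region, key_arn, grantee_arn, operations=LAUNCH_OPERATIONS):
    """Render the aws kms create-grant call; --operations takes bare names (Decrypt, not kms:Decrypt)."""
    ops = " ".join(op.split(":", 1)[1] for op in operations)
    return (f"aws kms create-grant --region {region} --key-id {key_arn} "
            f"--grantee-principal {grantee_arn} --operations {ops}")


# Constructed policies: the shape the answer gives, and a common too-narrow variant.
POLICY_OK = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_1}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": [SLR_2, f"arn:aws:iam::{ACCOUNT_2}:root"]},
         "Action": ["kms:Decrypt", "kms:Encrypt", "kms:DescribeKey", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*"},
    ],
}
POLICY_TOO_NARROW = json.loads(json.dumps(POLICY_OK))
POLICY_TOO_NARROW["Statement"][1]["Action"] = ["kms:Decrypt", "kms:DescribeKey"]

if __name__ == "__main__":
    for name, pol in (("answer's policy", POLICY_OK), ("Decrypt+DescribeKey only", POLICY_TOO_NARROW)):
        print(f"{name}: missing for account-2 SLR -> {missing_launch_ops(pol, SLR_2) or 'nothing'}")
    print(create_grant_command("us-west-2", KEY_ARN, SLR_2))
```

Run it against the real policy with `aws kms get-key-policy --key-id ... --policy-name default --output text` piped into `json.loads` in place of POLICY_OK. A clean result from this check only proves the key-policy side; the grantee in (ACCOUNT 2) still needs IAM permissions of its own, and the grant step from the answer is what actually hands EC2 the ability to use the key on the launching side.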