file or fall back to environment variables `AWS_SECRET_ACCESS_KEY` or
`AWS_SECRET_KEY` (in that order), if set. If the environmental variables
aren't set and Packer is running on an EC2 instance, Packer will check the
instance metadata for IAM role keys.
-`source_ami` (string) - The source AMI whose root volume will be copied and
provisioned on the currently running instance. This must be an EBS-backed
AMI with a root volume snapshot that you have access to.
*`access_key` (string) - The access key used to communicate with AWS. [Learn how to set this.](/docs/builders/amazon.html#specifying-amazon-credentials)
*`ami_name` (string) - The name of the resulting AMI that will appear
when managing AMIs in the AWS console or via APIs. This must be unique.
To help make this unique, use a function like `timestamp` (see
[configuration templates](/docs/templates/configuration-templates.html) for more info)
*`secret_key` (string) - The secret key used to communicate with AWS.
[Learn how to set this.](/docs/builders/amazon.html#specifying-amazon-credentials)
*`source_ami` (string) - The source AMI whose root volume will be copied
and provisioned on the currently running instance. This must be an
EBS-backed AMI with a root volume snapshot that you have access to.
file or fall back to environment variables `AWS_SECRET_ACCESS_KEY` or
`AWS_SECRET_KEY` (in that order), if set.
-`source_ami` (string) - The initial AMI used as a base for the newly
created machine.
-`ssh_username` (string) - The username to use in order to communicate over
SSH to the running machine.
*`access_key` (string) - The access key used to communicate with AWS. [Learn how to set this.](/docs/builders/amazon.html#specifying-amazon-credentials)
*`ami_name` (string) - The name of the resulting AMI that will appear
when managing AMIs in the AWS console or via APIs. This must be unique.
To help make this unique, use a function like `timestamp` (see
[configuration templates](/docs/templates/configuration-templates.html) for more info)
*`instance_type` (string) - The EC2 instance type to use while building
the AMI, such as "m1.small".
*`region` (string) - The name of the region, such as "us-east-1", in which
to launch the EC2 instance to create the AMI.
*`secret_key` (string) - The secret key used to communicate with AWS. [Learn how to set this.](/docs/builders/amazon.html#specifying-amazon-credentials)
*`source_ami` (string) - The initial AMI used as a base for the newly
created machine.
*`ssh_username` (string) - The username to use in order to communicate
file or fall back to environment variables `AWS_ACCESS_KEY_ID` or
`AWS_ACCESS_KEY` (in that order), if set.
*`access_key` (string) - The access key used to communicate with AWS. [Learn how to set this.](/docs/builders/amazon.html#specifying-amazon-credentials)
-`account_id` (string) - Your AWS account ID. This is required for bundling
the AMI. This is *not the same* as the access key. You can find your account
ID in the security credentials page of your AWS account.
*`account_id` (string) - Your AWS account ID. This is required for bundling
the AMI. This is _not the same_ as the access key. You can find your
account ID in the security credentials page of your AWS account.
-`ami_name` (string) - The name of the resulting AMI that will appear when
managing AMIs in the AWS console or via APIs. This must be unique. To help
make this unique, use a function like `timestamp` (see [configuration
templates](/docs/templates/configuration-templates.html) for more info)
*`ami_name` (string) - The name of the resulting AMI that will appear
when managing AMIs in the AWS console or via APIs. This must be unique.
To help make this unique, use a function like `timestamp` (see
[configuration templates](/docs/templates/configuration-templates.html) for more info)
-`instance_type` (string) - The EC2 instance type to use while building the
AMI, such as "m1.small".
*`instance_type` (string) - The EC2 instance type to use while building
the AMI, such as "m1.small".
-`region` (string) - The name of the region, such as "us-east-1", in which to
launch the EC2 instance to create the AMI.
*`region` (string) - The name of the region, such as "us-east-1", in which
to launch the EC2 instance to create the AMI.
-`s3_bucket` (string) - The name of the S3 bucket to upload the AMI. This
bucket will be created if it doesn't exist.
*`s3_bucket` (string) - The name of the S3 bucket to upload the AMI.
This bucket will be created if it doesn't exist.
-`secret_key` (string) - The secret key used to communicate with AWS. If not
file or fall back to environment variables `AWS_SECRET_ACCESS_KEY` or
`AWS_SECRET_KEY` (in that order), if set.
*`secret_key` (string) - The secret key used to communicate with AWS. [Learn how to set this.](/docs/builders/amazon.html#specifying-amazon-credentials)
-`source_ami` (string) - The initial AMI used as a base for the newly
created machine.
*`source_ami` (string) - The initial AMI used as a base for the newly
created machine.
-`ssh_username` (string) - The username to use in order to communicate over
SSH to the running machine.
*`ssh_username` (string) - The username to use in order to communicate
over SSH to the running machine.
-`x509_cert_path` (string) - The local path to a valid X509 certificate for
your AWS account. This is used for bundling the AMI. This X509 certificate
must be registered with your account from the security credentials page in
the AWS console.
*`x509_cert_path` (string) - The local path to a valid X509 certificate for
your AWS account. This is used for bundling the AMI. This X509 certificate
must be registered with your account from the security credentials page
in the AWS console.
-`x509_key_path` (string) - The local path to the private key for the X509
certificate specified by `x509_cert_path`. This is used for bundling
the AMI.
*`x509_key_path` (string) - The local path to the private key for the X509
certificate specified by `x509_cert_path`. This is used for bundling the AMI.
If you use other AWS tools you may already have these configured. If so, packer will try to use them, *unless* they are specified in your packer template. Credentials are resolved in the following order:
1. Values hard-coded in the packer template are always authoritative.
2.*Variables* in the packer template may be resolved from command-line flags or from environment variables. Please read about [User Variables](https://packer.io/docs/templates/user-variables.html) for details.
3. If no credentials are found, packer falls back to automatic lookup.
### Automatic Lookup
If no AWS credentials are found in a packer template, we proceed on to the following steps:
1. Lookup via environment variables.
- First `AWS_ACCESS_KEY_ID`, then `AWS_ACCESS_KEY`
- First `AWS_SECRET_ACCESS_KEY`, then `AWS_SECRET_KEY`
2. Look for [local AWS configuration files](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files)
- First `~/.aws/credentials`
- Next based on `AWS_PROFILE`
3. Lookup an IAM role for the current EC2 instance (if you're running in EC2)
~> **Subtle details of automatic lookup may change over time.** The most reliable way to specify your configuration is by setting them in template variables (directly or indirectly), or by using the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables.
Environment variables provide the best portability, allowing you to run your packer build on your workstation, in Atlas, or on another build server.
## Using an IAM Instance Profile
...
...
@@ -74,3 +103,24 @@ Packer to work:
}]
}
```
## Troubleshooting
### Attaching IAM Policies to Roles
IAM policies can be associated with user or roles. If you use packer with IAM roles, you may encounter an error like this one:
==> amazon-ebs: Error launching source instance: You are not authorized to perform this operation.
You can read more about why this happens on the [Amazon Security Blog](http://blogs.aws.amazon.com/security/post/Tx3M0IFB5XBOCQX/Granting-Permission-to-Launch-EC2-Instances-with-IAM-Roles-PassRole-Permission). The example policy below may help packer work with IAM roles. Note that this example provides more than the minimal set of permissions needed for packer to work, but specifics will depend on your use-case.
If you're using OS X and [Homebrew](http://brew.sh), you can install Packer:
``` {.text}
$ brew install packer
```
$ brew install packer
## Troubleshooting
On some RedHat-based Linux distributions there is another tool named `packer` installed by default. You can check for this using `which -a packer`. If you get an error like this it indicates there is a name conflict.
To fix this, you can create a symlink to packer that uses a different name like `packer.io`, or invoke the `packer` binary you want using its absolute path, e.g. `/usr/local/packer`.
