packer-plugin-amazon
Error launching source instance: UnauthorizedOperation: You are not authorized to perform this operation.
Hi!
I'm building an AMI image using AWS CodeBuild and Packer v1.7.2.
At least 6-7 months ago everything worked fine, but now I get the following error (not always, but in most cases):
Error launching source instance: UnauthorizedOperation: You are not authorized to perform this operation.
logs:
...
2022/04/29 13:37:57 packer-builder-amazon-ebs plugin: Retryable error: InvalidParameterValue: Value (packer-626bea32-fadd-9b71-aa87-9583008105fc) for parameter iamInstanceProfile.name is invalid. Invalid IAM Instance Profile name
2022/04/29 13:37:57 packer-builder-amazon-ebs plugin: status code: 400, request id: 5e96adda-9a86-4e57-b7c7-4b112b1ec13e
2022/04/29 13:37:58 packer-builder-amazon-ebs plugin: Retryable error: InvalidParameterValue: Value (packer-626bea32-fadd-9b71-aa87-9583008105fc) for parameter iamInstanceProfile.name is invalid. Invalid IAM Instance Profile name
2022/04/29 13:37:58 packer-builder-amazon-ebs plugin: status code: 400, request id: 9ada1b08-5f7a-4e40-92c4-64f8fe25ac5d
2022/04/29 13:37:58 packer-builder-amazon-ebs plugin: Retryable error: InvalidParameterValue: Value (packer-626bea32-fadd-9b71-aa87-9583008105fc) for parameter iamInstanceProfile.name is invalid. Invalid IAM Instance Profile name
2022/04/29 13:37:58 packer-builder-amazon-ebs plugin: status code: 400, request id: 791ec522-4246-43f5-a18b-e9b80d04707d
2022/04/29 13:38:00 packer-builder-amazon-ebs plugin: Retryable error: InvalidParameterValue: Value (packer-626bea32-fadd-9b71-aa87-9583008105fc) for parameter iamInstanceProfile.name is invalid. Invalid IAM Instance Profile name
2022/04/29 13:38:00 packer-builder-amazon-ebs plugin: status code: 400, request id: 4e8f68f5-5055-41e7-92d9-f46a87324b92
2022/04/29 13:38:02 packer-builder-amazon-ebs plugin: Retryable error: InvalidParameterValue: Value (packer-626bea32-fadd-9b71-aa87-9583008105fc) for parameter iamInstanceProfile.name is invalid. Invalid IAM Instance Profile name
2022/04/29 13:38:02 packer-builder-amazon-ebs plugin: status code: 400, request id: a53cfb8a-6f0d-4442-b480-206c2628e397
==> amazon-ebs.test: status code: 403, request id: b7c3f9fe-f6d8-435a-973b-2a50d49e866c
==> amazon-ebs.test: Error launching source instance: UnauthorizedOperation: You are not authorized to perform this operation.
==> amazon-ebs.test: status code: 403, request id: b7c3f9fe-f6d8-435a-973b-2a50d49e866c
==> amazon-ebs.test: No volumes to clean up, skipping
==> amazon-ebs.test: Detaching temporary role from instance profile...
==> amazon-ebs.test: Removing policy from temporary role...
==> amazon-ebs.test: Deleting temporary role...
==> amazon-ebs.test: Deleting temporary instance profile...
==> amazon-ebs.test: Deleting temporary security group...
==> amazon-ebs.test: Deleting temporary keypair...
2022/04/29 13:38:07 [INFO] (telemetry) ending
status code: 403, request id: b7c3f9fe-f6d8-435a-973b-2a50d49e866c
==> Wait completed after 15 seconds 193 milliseconds
2022/04/29 13:38:07 machine readable: error-count []string{"1"}
==> Some builds didn't complete successfully and had errors:
2022/04/29 13:38:07 machine readable: amazon-ebs.test,error []string{"Error launching source instance: UnauthorizedOperation: You are not authorized to perform this operation.\n\tstatus code: 403, request id: b7c3f9fe-f6d8-435a-973b-2a50d49e866c"}
status code: 403, request id: b7c3f9fe-f6d8-435a-973b-2a50d49e866c
==> Builds finished but no artifacts were created.
2022/04/29 13:38:07 [INFO] (telemetry) Finalizing.
...
The HCL file contains a temporary_iam_instance_profile_policy_document:

```hcl
temporary_iam_instance_profile_policy_document {
  Statement {
    Action = [
      "s3:GetObject", "s3:GetObjectVersion"
    ]
    Effect = "Allow"
    Resource = [
      "arn:aws:s3:::${var.bucket}/test/*"
    ]
  }
  Statement {
    Action = [
      "ssm:GetParameter*"
    ]
    Effect = "Allow"
    Resource = [
      "arn:aws:ssm:us-west-2:*:parameter/TEST_PARAM/*"
    ]
  }
  Version = "2012-10-17"
}
```
If I remove temporary_iam_instance_profile_policy_document, the build runs fine.
The CodeBuild role contains the following policies:
```yaml
- PolicyName: CodeBuildBasePolicy
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: "Allow"
        Resource:
          - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:test"
          - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:test:*"
        Action:
          - "logs:CreateLogGroup"
          - "logs:CreateLogStream"
          - "logs:PutLogEvents"
      - Effect: "Allow"
        Resource:
          - !Sub "arn:aws:s3:::codepipeline-${AWS::Region}-*"
        Action:
          - "s3:PutObject"
          - "s3:GetObject"
          - "s3:GetObjectVersion"
          - "s3:GetBucketAcl"
          - "s3:GetBucketLocation"
      - Effect: "Allow"
        Resource:
          - !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/test-*"
        Action:
          - "codebuild:CreateReportGroup"
          - "codebuild:CreateReport"
          - "codebuild:UpdateReport"
          - "codebuild:BatchPutTestCases"
          - "codebuild:BatchPutCodeCoverages"
- PolicyName: codebuild-packer-permissions
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: "Allow"
        Resource: "*"
        Action:
          - "iam:PassRole"
          - "iam:CreateInstanceProfile"
          - "iam:DeleteInstanceProfile"
          - "iam:GetRole"
          - "iam:GetInstanceProfile"
          - "iam:DeleteRolePolicy"
          - "iam:RemoveRoleFromInstanceProfile"
          - "iam:CreateRole"
          - "iam:DeleteRole"
          - "iam:PutRolePolicy"
          - "iam:AddRoleToInstanceProfile"
      - Effect: "Allow"
        Resource:
          - "*"
        Action:
          - "ec2:AttachVolume"
          - "ec2:AuthorizeSecurityGroupIngress"
          - "ec2:CopyImage"
          - "ec2:CreateImage"
          - "ec2:CreateKeypair"
          - "ec2:CreateSecurityGroup"
          - "ec2:CreateSnapshot"
          - "ec2:CreateTags"
          - "ec2:CreateVolume"
          - "ec2:DeleteKeyPair"
          - "ec2:DeleteSecurityGroup"
          - "ec2:DeleteSnapshot"
          - "ec2:DeleteVolume"
          - "ec2:DeregisterImage"
          - "ec2:DescribeImageAttribute"
          - "ec2:DescribeImages"
          - "ec2:DescribeInstances"
          - "ec2:DescribeInstanceStatus"
          - "ec2:DescribeRegions"
          - "ec2:DescribeSecurityGroups"
          - "ec2:DescribeSnapshots"
          - "ec2:DescribeSubnets"
          - "ec2:DescribeTags"
          - "ec2:DescribeVolumes"
          - "ec2:DetachVolume"
          - "ec2:GetPasswordData"
          - "ec2:ModifyImageAttribute"
          - "ec2:ModifyInstanceAttribute"
          - "ec2:ModifySnapshotAttribute"
          - "ec2:RegisterImage"
          - "ec2:RunInstances"
          - "ec2:StopInstances"
          - "ec2:TerminateInstances"
          - "ec2:AssociateIamInstanceProfile"
          - "ec2:ReplaceIamInstanceProfileAssociation"
- PolicyName: codebuild-network-interface-permissions
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: "Allow"
        Resource: !Sub "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*"
        Condition:
          StringEquals:
            "ec2:subnet":
              - !Sub "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${SubnetId}"
            "ec2:AuthorizedService": "codebuild.amazonaws.com"
        Action:
          - "ec2:CreateNetworkInterfacePermission"
      - Effect: "Allow"
        Resource:
          - "*"
        Action:
          - "ec2:CreateNetworkInterface"
          - "ec2:DescribeDhcpOptions"
          - "ec2:DescribeNetworkInterfaces"
          - "ec2:DeleteNetworkInterface"
          - "ec2:DescribeSubnets"
          - "ec2:DescribeSecurityGroups"
          - "ec2:DescribeVpcs"
```
Assume role policy:
```yaml
AssumeRolePolicyDocument:
  Version: "2012-10-17"
  Statement:
    - Effect: "Allow"
      Principal:
        Service:
          - "codebuild.amazonaws.com"
      Action:
        - "sts:AssumeRole"
```
Source AMI filter:
```hcl
source_ami_filter {
  filters = {
    name                = "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server*"
    root-device-type    = "ebs"
    virtualization-type = "hvm"
  }
  most_recent = true
  owners      = ["099720109477"]
}
```
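Two things are worth checking offline before chasing this further. First, whether the build role actually grants every iam: action the plugin exercises when it creates the temporary role and instance profile (the eleven actions in codebuild-packer-permissions are exactly that set, so a missing action is not the obvious explanation; the retries on "Invalid IAM Instance Profile name" immediately after creation are what IAM propagation delay looks like). Second, how broad those grants are: iam:CreateRole, iam:PutRolePolicy and iam:PassRole on Resource "*" let the build role mint a role with any policy and hand it to an EC2 instance, which is a privilege-escalation path, not just a Packer convenience. The script below is an added example, not code from packer-plugin-amazon or the reporter; it is a toy policy evaluator that checks the posted iam: statement against the required (action, resource) pairs, flags the over-broad grants, and shows a scoped replacement limited to the packer-* names the log shows. The account ID is a constructed placeholder, the packer-* naming is taken from the posted log, and IAM Conditions are not evaluated.

```python
"""Offline check of an IAM policy against what a Packer build with
temporary_iam_instance_profile_policy_document needs, plus a scan for
over-broad iam: grants. Added example; not packer-plugin-amazon code.
Assumptions: temp role/profile are named packer-<uuid> (prefix seen in the
posted log), ACCOUNT is a placeholder, Conditions are not evaluated.
"""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"                                   # constructed placeholder
TEMP_NAME = "packer-626bea32-fadd-9b71-aa87-9583008105fc"  # name from the posted log
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/{TEMP_NAME}"
PROFILE_ARN = f"arn:aws:iam::{ACCOUNT}:instance-profile/{TEMP_NAME}"

# (action, resource) pairs exercised while building a temporary instance
# profile; the actions are the eleven iam: actions the posted role grants.
REQUIRED = [
    ("iam:CreateRole", ROLE_ARN), ("iam:GetRole", ROLE_ARN),
    ("iam:PutRolePolicy", ROLE_ARN), ("iam:DeleteRolePolicy", ROLE_ARN),
    ("iam:DeleteRole", ROLE_ARN), ("iam:PassRole", ROLE_ARN),
    ("iam:CreateInstanceProfile", PROFILE_ARN), ("iam:GetInstanceProfile", PROFILE_ARN),
    ("iam:AddRoleToInstanceProfile", PROFILE_ARN),
    ("iam:RemoveRoleFromInstanceProfile", PROFILE_ARN),
    ("iam:DeleteInstanceProfile", PROFILE_ARN),
]
IAM_ACTIONS = sorted({a for a, _ in REQUIRED})

# The iam: statement of codebuild-packer-permissions as posted: everything on "*".
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": IAM_ACTIONS}],
}

# Same actions scoped to the packer-* names. PassRole is further limited to
# EC2 as the receiving service; this checker ignores Conditions, so that
# line is documentation of intent rather than something it enforces.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/packer-*",
         "Action": ["iam:CreateRole", "iam:GetRole", "iam:PutRolePolicy",
                    "iam:DeleteRolePolicy", "iam:DeleteRole"]},
        {"Effect": "Allow",
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/packer-*",
         "Action": "iam:PassRole",
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
        {"Effect": "Allow",
         "Resource": f"arn:aws:iam::{ACCOUNT}:instance-profile/packer-*",
         "Action": ["iam:CreateInstanceProfile", "iam:GetInstanceProfile",
                    "iam:AddRoleToInstanceProfile",
                    "iam:RemoveRoleFromInstanceProfile", "iam:DeleteInstanceProfile"]},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(pattern, value):
    # IAM wildcards are * and ?; action names are case-insensitive, ARNs are not.
    return fnmatchcase(value, pattern)


def allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow statement grants."""
    allow = deny = False
    for st in policy["Statement"]:
        act_hit = any(_matches(a.lower(), action.lower()) for a in _as_list(st.get("Action", [])))
        res_hit = any(_matches(r, resource) for r in _as_list(st.get("Resource", [])))
        if act_hit and res_hit:
            if st["Effect"] == "Deny":
                deny = True
            else:
                allow = True
    return allow and not deny


def missing(policy, required=REQUIRED):
    """Required (action, resource) pairs the policy does not allow."""
    return [a for a, r in required if not allowed(policy, a, r)]


SENSITIVE = ("iam:PassRole", "iam:CreateRole", "iam:PutRolePolicy",
             "iam:AttachRolePolicy", "iam:UpdateAssumeRolePolicy")


def overbroad(policy):
    """Sensitive iam: actions granted on every resource ("*")."""
    hits = set()
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or "*" not in _as_list(st.get("Resource", [])):
            continue
        for a in _as_list(st.get("Action", [])):
            hits.update(s for s in SENSITIVE if _matches(a.lower(), s.lower()))
    return sorted(hits)


if __name__ == "__main__":
    for name, pol in (("posted", POSTED_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "missing:", missing(pol), "over-broad:", overbroad(pol))
```

Scoping the resources does nothing for the propagation race between creating the profile and RunInstances; it limits what a compromised build (or a malicious change to the HCL) can do with the role. With the scoped statement the build role can still create and pass packer-* roles but can no longer pass an unrelated administrative role to an instance, and the Condition on iam:PassedToService keeps it from passing packer-* roles to services other than EC2.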