-`access_key` (string) - The access key used to communicate with AWS. If not
*`access_key` (string) - The access key used to communicate with AWS. [Learn how to set this.](/docs/builders/amazon.html#specifying-amazon-credentials)
-`access_key` (string) - The access key used to communicate with AWS. If not
*`access_key` (string) - The access key used to communicate with AWS. [Learn how to set this.](/docs/builders/amazon.html#specifying-amazon-credentials)
*`ami_name` (string) - The name of the resulting AMI that will appear
file or fall back to environment variables `AWS_ACCESS_KEY_ID` or
when managing AMIs in the AWS console or via APIs. This must be unique.
`AWS_ACCESS_KEY` (in that order), if set.
To help make this unique, use a function like `timestamp` (see
[configuration templates](/docs/templates/configuration-templates.html) for more info)
-`ami_name` (string) - The name of the resulting AMI that will appear when
managing AMIs in the AWS console or via APIs. This must be unique. To help
*`instance_type` (string) - The EC2 instance type to use while building
make this unique, use a function like `timestamp` (see [configuration
the AMI, such as "m1.small".
templates](/docs/templates/configuration-templates.html) for more info)
*`region` (string) - The name of the region, such as "us-east-1", in which
-`instance_type` (string) - The EC2 instance type to use while building the
to launch the EC2 instance to create the AMI.
AMI, such as "m1.small".
*`secret_key` (string) - The secret key used to communicate with AWS. [Learn how to set this.](/docs/builders/amazon.html#specifying-amazon-credentials)
-`region` (string) - The name of the region, such as "us-east-1", in which to
launch the EC2 instance to create the AMI.
*`source_ami` (string) - The initial AMI used as a base for the newly
created machine.
-`secret_key` (string) - The secret key used to communicate with AWS. If not
specified, Packer will use the secret from any
*`ssh_username` (string) - The username to use in order to communicate
-`access_key` (string) - The access key used to communicate with AWS. If not
*`access_key` (string) - The access key used to communicate with AWS. [Learn how to set this.](/docs/builders/amazon.html#specifying-amazon-credentials)
file or fall back to environment variables `AWS_ACCESS_KEY_ID` or
`AWS_ACCESS_KEY` (in that order), if set.
-`account_id` (string) - Your AWS account ID. This is required for bundling
*`account_id` (string) - Your AWS account ID. This is required for bundling
the AMI. This is *not the same* as the access key. You can find your account
the AMI. This is _not the same_ as the access key. You can find your
ID in the security credentials page of your AWS account.
account ID in the security credentials page of your AWS account.
-`ami_name` (string) - The name of the resulting AMI that will appear when
*`ami_name` (string) - The name of the resulting AMI that will appear
managing AMIs in the AWS console or via APIs. This must be unique. To help
when managing AMIs in the AWS console or via APIs. This must be unique.
make this unique, use a function like `timestamp` (see [configuration
To help make this unique, use a function like `timestamp` (see
templates](/docs/templates/configuration-templates.html) for more info)
[configuration templates](/docs/templates/configuration-templates.html) for more info)
-`instance_type` (string) - The EC2 instance type to use while building the
*`instance_type` (string) - The EC2 instance type to use while building
AMI, such as "m1.small".
the AMI, such as "m1.small".
-`region` (string) - The name of the region, such as "us-east-1", in which to
*`region` (string) - The name of the region, such as "us-east-1", in which
launch the EC2 instance to create the AMI.
to launch the EC2 instance to create the AMI.
-`s3_bucket` (string) - The name of the S3 bucket to upload the AMI. This
*`s3_bucket` (string) - The name of the S3 bucket to upload the AMI.
bucket will be created if it doesn't exist.
This bucket will be created if it doesn't exist.
-`secret_key` (string) - The secret key used to communicate with AWS. If not
*`secret_key` (string) - The secret key used to communicate with AWS. [Learn how to set this.](/docs/builders/amazon.html#specifying-amazon-credentials)
If you use other AWS tools you may already have these configured. If so, packer will try to use them, *unless* they are specified in your packer template. Credentials are resolved in the following order:
1. Values hard-coded in the packer template are always authoritative.
2.*Variables* in the packer template may be resolved from command-line flags or from environment variables. Please read about [User Variables](https://packer.io/docs/templates/user-variables.html) for details.
3. If no credentials are found, packer falls back to automatic lookup.
### Automatic Lookup
If no AWS credentials are found in a packer template, we proceed on to the following steps:
1. Lookup via environment variables.
- First `AWS_ACCESS_KEY_ID`, then `AWS_ACCESS_KEY`
- First `AWS_SECRET_ACCESS_KEY`, then `AWS_SECRET_KEY`
2. Look for [local AWS configuration files](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files)
- First `~/.aws/credentials`
- Next based on `AWS_PROFILE`
3. Lookup an IAM role for the current EC2 instance (if you're running in EC2)
~> **Subtle details of automatic lookup may change over time.** The most reliable way to specify your configuration is by setting them in template variables (directly or indirectly), or by using the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables.
Environment variables provide the best portability, allowing you to run your packer build on your workstation, in Atlas, or on another build server.
## Using an IAM Instance Profile
## Using an IAM Instance Profile
...
@@ -74,3 +103,24 @@ Packer to work:
...
@@ -74,3 +103,24 @@ Packer to work:
}]
}]
}
}
```
```
## Troubleshooting
### Attaching IAM Policies to Roles
IAM policies can be associated with user or roles. If you use packer with IAM roles, you may encounter an error like this one:
==> amazon-ebs: Error launching source instance: You are not authorized to perform this operation.
You can read more about why this happens on the [Amazon Security Blog](http://blogs.aws.amazon.com/security/post/Tx3M0IFB5XBOCQX/Granting-Permission-to-Launch-EC2-Instances-with-IAM-Roles-PassRole-Permission). The example policy below may help packer work with IAM roles. Note that this example provides more than the minimal set of permissions needed for packer to work, but specifics will depend on your use-case.
If you're using OS X and [Homebrew](http://brew.sh), you can install Packer:
If you're using OS X and [Homebrew](http://brew.sh), you can install Packer:
``` {.text}
$ brew install packer
$ brew install packer
```
## Troubleshooting
On some RedHat-based Linux distributions there is another tool named `packer` installed by default. You can check for this using `which -a packer`. If you get an error like this it indicates there is a name conflict.
To fix this, you can create a symlink to packer that uses a different name like `packer.io`, or invoke the `packer` binary you want using its absolute path, e.g. `/usr/local/packer`.