AWS AMI deprecation (API: ec2:RunInstances Not authorized for images)

Question

So I've been using AWS AMI in my cloud formation template.

It seems they create new images every month and deprecate the old ones 2 weeks or so after the new one's released. This creates many problems:

1. Old template stacks becomes broken.
2. Templates need to be updated.

Am I missing something?

E.G. I'm staring at

API: ec2:RunInstances Not authorized for images: [ami-1523bd2f]

error in my cloud formation events.

Looking it up that's the 02.12 image id: http://thecloudmarket.com/image/ami-1523bd2f--windows-server-2012-rtm-english-64bit-sql-2012-sp1-web-2014-02-12

Where as now there's a new image id: http://thecloudmarket.com/image/ami-e976efd3--windows-server-2012-rtm-english-64bit-sql-2012-sp1-web-2014-03-12

Answer 1

You are correct indeed. Windows AMI are deprecated when a new version is released (see http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/Basics_WinAMI.html)

There is no "point and click" solution as of today, documentation says : "AWS updates the AWS Windows AMIs several times a year. Updating involves deprecating the previous AMI and replacing it with a new AMI and AMI ID. To find an AMI after it's been updated, use the name instead of the ID. The basic structure of the AMI name is usually the same, with a new date added to the end. You can use a query or script to search for an AMI by name, confirm that you've found the correct AMI, and then launch your instance."

One possible solution might be to develop a CloudFormation Custom Resource that would check for AMI availability before launching an EC2 instance.

See this documentation about CFN Custom Resources : http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/crpg-walkthrough.html

And this talk from re:Invent : https://www.youtube.com/watch?v=ZhGMaw67Yu0#t=945 (and this sample code for AMI lookup)

You also have the option to create your own custom AMI based on an Amazon provided one.Even if you do not modify anything. Your custom AMI will be an exact copy of the one provided by Amazon but will stay available after Amazon AMI's deprecation.

Netflix has open sourced tools to help to manage AMIs, have a look at Aminator

Linux AMI are deprecated years after release (2003.11 is still available today !) but Windows AMI are deprecated as soon as a patched version is available. This is for security reason.

Answer 2

This ps script works for my purposes, we use windows 2012 base image:

$imageId = "xxxxxxx"

if ( (Get-EC2Image -ImageIds $imageId) -eq $null ) {

    $f1 = New-Object  Amazon.EC2.Model.Filter ; $f1.Name="owner-alias";$f1.Value="amazon"
    $f2 = New-Object  Amazon.EC2.Model.Filter ; $f2.Name="platform";$f2.Value="windows"

    $img = Get-EC2Image -Filters $f1,$f2 | ? {$_.Name.StartsWith("Windows_Server-2012-RTM-English-64Bit-Base")} | Select-Object -First 1

    $imageId =$img.ImageId

}

Answer 3

I recently ran into the same error. I had built a custom ami in one account, and was trying to run an EC2 instance from another account.

The issue for me was that the AMI did not have the correct permissions to enable my user from the other account to run it.

To fix it, I logged in the other account and added the required permissions to the ami:

aws ec2 modify-image-attribute --image-id youramiid --launch-permission "Add=[{UserId=youruserid}]"

---

More information at this documentation page.

Answer 4

If you are using a training material and copied the code, make sure to replace the AMI name with the correct AMI Image values available under list of AMI's visible under your account. Similar with other values. If you are just cut and paste the values from training code may not be available now.