2

I am trying to copy a custom-built AMI using Packer from one AWS account to another AWS account; however, I was able to copy the AMI across regions within one account.

    "builders": [{
      "account_id": "12345678910",
      "s3_bucket": "xyz/xqas/asd",
      "x509_cert_path": "/Users/txyz/packer/certificate.pem",
      "x509_key_path": "/Users/txyz/packer/private-key.pem",
      "type": "amazon-instance",
      "access_key": "{{useraccess_key}}",
      "secret_key": "{{usersecret_key}}",
      "region": "us-east-1",
      "source_ami": "ami-452bd728",
      "instance_type": "r3.xlarge",
      "ssh_username": "ubuntu",
      "ami_name": "packer-test-hvm {{timestamp}}",
      "ami_virtualization_type": "hvm",
      "force_deregister": true,
      "ami_regions": ["us-east-1", "us-west-2"]
    }],

4 Answers

0

Use the AWS CLI and run the following command in the AMI that needs to be transferred:

ec2-modify-image-attribute ami-2bb65342 -l -a 111122223333 

For other options that are available, please refer to this guide:

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html

Piyush Patil
0

The following awscli command will add launch permissions to a specified account ID. This achieves a similar effect, although it does not technically copy the AMI over.

aws ec2 modify-image-attribute --image-id <image id> --launch-permission "Add=[{UserId=<account-id>}]"

james
0

Using Packer, this is the way you can share AMIs from one account to the other. Always refer to the Packer docs: https://www.packer.io/docs/builders/amazon/ebs. There you can find all the information.

In the "ami_users" section you can mention the AWS accounts you need to share with.

"ami_users": ["{{user `REMOTE_AWS_ACCOUNT_ID`}}"]

Full code:

    "builders": [
      {
        "type": "amazon-ebs",
        "access_key": "{{ user `aws_access_key` }}",
        "secret_key": "{{ user `aws_secret_key` }}",
        "region": "{{ user `region` }}",
        "launch_block_device_mappings": [
          {
            "device_name": "/dev/sda1",
            "volume_size": 60
          }
        ],
        "instance_type": "t2.large",
        "ami_users": ["{{ user `REMOTE_AWS_ACCOUNT_ID` }}"],
        "source_ami": "{{ user `source_ami` }}",
        "ami_name": "xyz-ami",
        "user_data_file": "./bootstrap_win.txt",
        "communicator": "winrm",
        "winrm_username": "Administrator",
        "winrm_password": "XXXXXXXXX",
        "tags": [{"Name":"testing","release":"packer"}],
        "ami_regions": [
          "ap-southeast-2",
          "us-east-2"
        ]
      }
    ],
0

Let's say you want to move the AMI from Account A to Account B; you can use the AWS CLI to do it.

Assume you have already set up the credentials for the 2 AWS accounts.

#  cat ~/.aws/credentials
[account_a]
aws_access_key_id = aaaaaaaaaaaaaaaaaaa
aws_secret_access_key = yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

[account_b]
aws_access_key_id = bbbbbbbbbbbbbbbbbb
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Then, using account_a, run the command below to build an image (AMI) from a running instance (you can skip this step if you already have an AMI):

# aws ec2 create-image --profile account_a --region $region --instance-id i-0aaaaaaaaaaaaa1 --name "image_name_here" --no-reboot

Share the AMI from account_a to account_b

# aws ec2 --profile account_a --region $region modify-image-attribute --image-id ami-aaaaaaaaaaa --launch-permission "Add=[{UserId=$account_b_id}]"

Use account_b to see if you get the shared AMI from account_a

# aws ec2 describe-images --profile account_b --region $region --executable-users self

The output should show whether you got the shared AMI. You can also go to the AWS EC2 console, click Images --> AMIs, then change "Owned by me" to "Private images"; you should be able to see the shared image there as well.

Extra:

If you want to launch an instance from the shared AMI on account_b:

# aws ec2 run-instances --profile account_b --region $region --image-id ami-aaaaaaaaaaaaa --instance-type t2.micro --key-name $key_pair_for_access_ec2

Don't forget to edit the security group inbound rule to open the SSH port.

Yvette Lau
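The answers above share the AMI with the second account; to end up with an image that account B owns, account B also needs read access to the backing EBS snapshots and then runs copy-image itself. The script below is an added example of that sequence, not code from any of the posts. It assumes an EBS-backed AMI with unencrypted snapshots, the account_a/account_b profiles from the last answer, and illustrative function names.

```shell
#!/bin/sh
# Added example: copy an EBS-backed AMI from account A into account B.
# Assumptions: profiles account_a/account_b as in the last answer; the
# function names are illustrative; snapshots are unencrypted.

# Step 1 (account A): let account B launch the AMI.
share_ami() {  # <ami-id> <region> <account-b-id>
  aws ec2 modify-image-attribute --profile account_a --region "$2" \
    --image-id "$1" --launch-permission "Add=[{UserId=$3}]"
}

# Step 2 (account A): let account B read every backing EBS snapshot.
# copy-image needs read access to the snapshots, not only launch permission.
share_snapshots() {  # <ami-id> <region> <account-b-id>
  snaps=$(aws ec2 describe-images --profile account_a --region "$2" \
    --image-ids "$1" --output text \
    --query 'Images[0].BlockDeviceMappings[].Ebs.SnapshotId') || return 1
  if [ -z "$snaps" ] || [ "$snaps" = "None" ]; then
    echo "no EBS snapshots found for $1" >&2
    return 1
  fi
  for snap in $snaps; do
    aws ec2 modify-snapshot-attribute --profile account_a --region "$2" \
      --snapshot-id "$snap" --attribute createVolumePermission \
      --operation-type add --user-ids "$3" || return 1
  done
}

# Step 3 (account B): copy the shared AMI; prints the new AMI id, which
# account B owns independently of account A.
copy_shared_ami() {  # <ami-id> <region> <new-name>
  aws ec2 copy-image --profile account_b --region "$2" \
    --source-region "$2" --source-image-id "$1" --name "$3" \
    --query ImageId --output text
}

copy_ami_cross_account() {  # <ami-id> <region> <account-b-id> <new-name>
  share_ami "$1" "$2" "$3" && share_snapshots "$1" "$2" "$3" &&
    copy_shared_ami "$1" "$2" "$4"
}

# Runs only when called with all four arguments.
if [ "$#" -eq 4 ]; then copy_ami_cross_account "$@"; fi
```

For snapshots encrypted with a customer managed KMS key, account B additionally needs permission to use that key, which this script does not set up.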