Question
I'm currently building AMIs via Packer without a problem, but I am baking the AWS credentials into my scripts, which is not what I want. Reading the Packer documentation, they specify that if no credentials are found it can use an AWS role.
I have created the policy and the role, but it's unclear to me how to tell Packer to use this role. Do I have to pass the ARN in as a variable?
Any thoughts?
Answer 1:
Roles only apply to instances running on AWS, and roles can only be applied when you create an instance (though you can change the permissions assigned to that role later).
So in this case, if you want to use roles for AMI creation, you will need to...
- Create a role with permissions (i.e. the ones detailed in the link Kush provided) to create AMIs
- Create an instance with that role
- Install Packer on that instance
Using that instance, you can then create AMIs without specifying any credentials.
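A pre-build check for the setup above, as an added example that is not part of the original answers: it scans a JSON Packer template for AWS credentials stored in the file, so a build can rely on the instance role instead. The function name `find_baked_credentials` and both sample templates are constructed for illustration.

```python
import json
import re

CRED_KEYS = ("access_key", "secret_key", "token")  # static-credential builder options
USER_REF = re.compile(r"\{\{\s*user\s+`([^`]+)`\s*\}\}")  # {{user `name`}}
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")  # shape of an access key ID


def find_baked_credentials(template_text):
    """Return findings for AWS credentials stored in a JSON Packer template."""
    tpl = json.loads(template_text)
    variables = tpl.get("variables", {})
    findings = []
    for i, builder in enumerate(tpl.get("builders", [])):
        if not str(builder.get("type", "")).startswith("amazon-"):
            continue
        for key in CRED_KEYS:
            value = builder.get(key)
            if not isinstance(value, str) or not value:
                continue  # unset: Packer falls back to env vars, shared file, role
            refs = USER_REF.findall(value)
            if not refs and "{{" not in value:
                findings.append(f"builders[{i}].{key}: literal value")
            for name in refs:
                # A non-empty literal default keeps the secret in the file.
                default = variables.get(name)
                if isinstance(default, str) and default and "{{" not in default:
                    findings.append(f"variables.{name}: default feeds {key}")
    # Key IDs pasted anywhere else, e.g. in provisioner inline scripts.
    for hit in sorted(set(KEY_ID.findall(template_text))):
        findings.append(f"access key id in template: {hit[:4]}...{hit[-4:]}")
    return findings


FAKE_ID = "AKIA" + "EXAMPLE0" * 2  # constructed placeholder, not a real key
BAKED = json.dumps({  # constructed sample: credentials as variable defaults
    "variables": {"aws_access_key": FAKE_ID, "aws_secret_key": "constructed"},
    "builders": [{"type": "amazon-ebs",
                  "access_key": "{{user `aws_access_key`}}",
                  "secret_key": "{{user `aws_secret_key`}}"}],
})
ROLE_ONLY = json.dumps({  # constructed sample: no credential options at all
    "variables": {"packer_profile": "packer"},
    "builders": [{"type": "amazon-ebs",
                  "iam_instance_profile": "{{user `packer_profile`}}"}],
})

if __name__ == "__main__":
    for label, text in (("baked", BAKED), ("role-only", ROLE_ONLY)):
        print(label, find_baked_credentials(text) or "clean")
```

Variable defaults that read from the environment, such as ``{{env `AWS_ACCESS_KEY_ID`}}``, are not flagged, because the secret is then not stored in the template.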
Answer 2:
If you'd like to set the IAM role that Packer uses during AMI creation from the command-line (e.g. from Jenkins), then you can use variables for doing so, e.g. using the following in your Packer script:
    "variables": {
        "packer_profile": "packer",
        ...
    },
    "builders": [
        {
            "type": "amazon-ebs",
            ...
            "iam_instance_profile": "{{user `packer_profile`}}",
            ...
        }
    ],
    "provisioners": [
        ...
    ]
So we provide a default "packer" value for our packer_profile variable. Then, when invoking Packer from the command-line in Jenkins, you override that default variable value using:
    $ /path/to/packer -var packer_profile="MyNewProfileHere" ...
Hope this helps!
Source: https://stackoverflow.com/questions/36311048/how-to-use-aws-roles-with-packer-to-create-amis