From 9007b1cc6762b12a98f39ccdd2ec5460391aeb35 Mon Sep 17 00:00:00 2001 From: Matthew Patton Date: Tue, 21 Jul 2015 17:24:55 -0400 Subject: [PATCH] Document behavior of AWS {access,secret}_key in relation to credentials file and profile lookup via AWS_PROFILE --- .../docs/builders/amazon-chroot.html.markdown | 14 ++++---------- .../source/docs/builders/amazon-ebs.html.markdown | 8 ++++---- .../docs/builders/amazon-instance.html.markdown | 9 +++++---- website/source/docs/builders/amazon.html.markdown | 4 ++-- 4 files changed, 15 insertions(+), 20 deletions(-) diff --git a/website/source/docs/builders/amazon-chroot.html.markdown b/website/source/docs/builders/amazon-chroot.html.markdown index d6b61ca8b..b3d1644dd 100644 --- a/website/source/docs/builders/amazon-chroot.html.markdown +++ b/website/source/docs/builders/amazon-chroot.html.markdown 
@@ -58,11 +58,9 @@ can be configured for this builder. ### Required: * `access_key` (string) - The access key used to communicate with AWS. - If not specified, Packer will use the key from any [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file - or fall back to environment variables `AWS_ACCESS_KEY_ID` or `AWS_ACCESS_KEY` (in that order), if set. - If the environmental variables aren't set and Packer is running on - an EC2 instance, Packer will check the instance metadata for IAM role - keys. + If not specified, Packer will search the standard [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file using environment variable `AWS_PROFILE` as the profile name, will use the `[default]` entry, + or will fall back to environment variables `AWS_ACCESS_KEY_ID` or `AWS_ACCESS_KEY`. + Finally, if Packer is running on an EC2 instance it will check the instance metadata for IAM role keys. * `ami_name` (string) - The name of the resulting AMI that will appear when managing AMIs in the AWS console or via APIs. This must be unique. 
@@ -70,11 +68,7 @@ can be configured for this builder. [configuration templates](/docs/templates/configuration-templates.html) for more info) * `secret_key` (string) - The secret key used to communicate with AWS. - If not specified, Packer will use the secret from any [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file - or fall back to environment variables `AWS_SECRET_ACCESS_KEY` or `AWS_SECRET_KEY` (in that order), if set. - If the environmental variables aren't set and Packer is running on - an EC2 instance, Packer will check the instance metadata for IAM role - keys. + Lookup behavior is as above for `access_key` except the variables are `AWS_SECRET_ACCESS_KEY` or `AWS_SECRET_KEY`. * `source_ami` (string) - The source AMI whose root volume will be copied and provisioned on the currently running instance. This must be an diff --git a/website/source/docs/builders/amazon-ebs.html.markdown b/website/source/docs/builders/amazon-ebs.html.markdown index 69a9a5c04..fc78901a6 100644 --- a/website/source/docs/builders/amazon-ebs.html.markdown +++ b/website/source/docs/builders/amazon-ebs.html.markdown 
@@ -38,8 +38,9 @@ can be configured for this builder. ### Required: * `access_key` (string) - The access key used to communicate with AWS. - If not specified, Packer will use the key from any [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file - or fall back to environment variables `AWS_ACCESS_KEY_ID` or `AWS_ACCESS_KEY` (in that order), if set. + If not specified, Packer will search the standard [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file using environment variable `AWS_PROFILE` as the profile name, will use the `[default]` entry, + or will fall back to environment variables `AWS_ACCESS_KEY_ID` or `AWS_ACCESS_KEY`. + Finally, if Packer is running on an EC2 instance it will check the instance metadata for IAM role keys. * `ami_name` (string) - The name of the resulting AMI that will appear when managing AMIs in the AWS console or via APIs. This must be unique. @@ -53,8 +54,7 @@ can be configured for this builder. to launch the EC2 instance to create the AMI. * `secret_key` (string) - The secret key used to communicate with AWS. - If not specified, Packer will use the secret from any [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file - or fall back to environment variables `AWS_SECRET_ACCESS_KEY` or `AWS_SECRET_KEY` (in that order), if set. + Lookup behavior is as above for `access_key` except the variables are `AWS_SECRET_ACCESS_KEY` or `AWS_SECRET_KEY` * `source_ami` (string) - The initial AMI used as a base for the newly created machine. diff --git a/website/source/docs/builders/amazon-instance.html.markdown b/website/source/docs/builders/amazon-instance.html.markdown index fa3c8a190..81e425c9a 100644 --- a/website/source/docs/builders/amazon-instance.html.markdown +++ b/website/source/docs/builders/amazon-instance.html.markdown 
@@ -43,8 +43,9 @@ can be configured for this builder. ### Required: * `access_key` (string) - The access key used to communicate with AWS. - If not specified, Packer will use the key from any [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file - or fall back to environment variables `AWS_ACCESS_KEY_ID` or `AWS_ACCESS_KEY` (in that order), if set. + If not specified, Packer will search the standard [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file using environment variable `AWS_PROFILE` as the profile name, will use the `[default]` entry, + or will fall back to environment variables `AWS_ACCESS_KEY_ID` or `AWS_ACCESS_KEY`. + Finally, if Packer is running on an EC2 instance it will check the instance metadata for IAM role keys. * `account_id` (string) - Your AWS account ID. This is required for bundling the AMI. This is _not the same_ as the access key. You can find your @@ -65,8 +66,8 @@ can be configured for this builder. This bucket will be created if it doesn't exist. * `secret_key` (string) - The secret key used to communicate with AWS. - If not specified, Packer will use the secret from any [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file - or fall back to environment variables `AWS_SECRET_ACCESS_KEY` or `AWS_SECRET_KEY` (in that order), if set. + Lookup behavior is as above for `access_key` except the variables are `AWS_SECRET_ACCESS_KEY` or `AWS_SECRET_KEY` + * `source_ami` (string) - The initial AMI used as a base for the newly created machine. diff --git a/website/source/docs/builders/amazon.html.markdown b/website/source/docs/builders/amazon.html.markdown index ad336ad1c..f82457f1a 100644 --- a/website/source/docs/builders/amazon.html.markdown +++ b/website/source/docs/builders/amazon.html.markdown 
@@ -33,8 +33,8 @@ much easier to use and Amazon generally recommends EBS-backed images nowadays. ## Using an IAM Instance Profile -If AWS keys are not specified in the template, a [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file or through environment variables -Packer will use credentials provided by the instance's IAM profile, if it has one. +If AWS keys are not specified in the template, Packer will consult the [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file, try the standard AWS environment variables, and then +any IAM role credentials defined by the instance's metadata. The following policy document provides the minimal set permissions necessary for Packer to work:
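Review bot: the rewritten `access_key` paragraph in amazon-chroot (repeated verbatim in the amazon-ebs and amazon-instance hunks) no longer states precedence. The removed text said the environment variables were tried "(in that order)", while the added text chains the sources with commas: "using environment variable `AWS_PROFILE` as the profile name, will use the `[default]` entry, or will fall back to environment variables". A reader cannot tell from this whether `[default]` is used only when `AWS_PROFILE` is unset or also when the named profile is missing, or which of `AWS_ACCESS_KEY_ID` and `AWS_ACCESS_KEY` wins when both are set. Since the answer decides which credentials a build runs with, I would turn the sentence into an explicit ordered list: named profile, then `[default]`, then the two variables in their stated order, then instance metadata.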
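Review bot: the three `secret_key` replacement lines are inconsistent. The amazon-chroot one ends with a period, but the amazon-ebs and amazon-instance ones end at `AWS_SECRET_KEY` with no period, and the amazon-instance hunk also adds an empty `+` line before `source_ami` that the other two files do not get. Please make the three lines identical and drop the stray blank line. Also, "as above for `access_key`" depends on `access_key` staying earlier in each list, and the removed "(in that order)" for `AWS_SECRET_ACCESS_KEY` and `AWS_SECRET_KEY` is lost here as well. Naming the order again in this line would keep the entry readable on its own.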
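Review bot: in the amazon.html.markdown hunk under "Using an IAM Instance Profile", the new sentence lists the credentials file and the environment variables but never mentions `AWS_PROFILE` or the `[default]` entry, which is what the commit subject says this change documents. It also drops the old "if it has one" qualifier, so "any IAM role credentials defined by the instance's metadata" now reads as if a role is always present. I would either name the profile lookup here or link to the builder pages' `access_key` entry for the full order, and restore the qualifier, so this overview and the per-builder text describe the same chain.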