Document behavior of AWS {access,secret}_key in relation to credentials file and profile lookup via AWS_PROFILE

Matthew Patton 2015-07-21 17:24:55 -04:00
parent 2010a0c966
commit 9007b1cc67
4 changed files with 15 additions and 20 deletions

@ -58,11 +58,9 @@ can be configured for this builder.
### Required: ### Required:
* `access_key` (string) - The access key used to communicate with AWS. * `access_key` (string) - The access key used to communicate with AWS.
If not specified, Packer will use the key from any [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file If not specified, Packer will search the standard [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file using environment variable `AWS_PROFILE` as the profile name, will use the `[default]` entry,
or fall back to environment variables `AWS_ACCESS_KEY_ID` or `AWS_ACCESS_KEY` (in that order), if set. or will fall back to environment variables `AWS_ACCESS_KEY_ID` or `AWS_ACCESS_KEY`.
If the environmental variables aren't set and Packer is running on Finally, if Packer is running on an EC2 instance it will check the instance metadata for IAM role keys.
an EC2 instance, Packer will check the instance metadata for IAM role
keys.
* `ami_name` (string) - The name of the resulting AMI that will appear * `ami_name` (string) - The name of the resulting AMI that will appear
when managing AMIs in the AWS console or via APIs. This must be unique. when managing AMIs in the AWS console or via APIs. This must be unique.
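Review bot: The new `access_key` text chains three sources with commas ("using environment variable `AWS_PROFILE` as the profile name, will use the `[default]` entry, or will fall back to ...") without saying when each one applies. It does not state whether `[default]` is used only when `AWS_PROFILE` is unset or also when the named profile is missing from the file, so a reader cannot tell which identity a build will run under. Suggest an ordered list of sources and an explicit sentence for the missing-profile case.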
@ -70,11 +68,7 @@ can be configured for this builder.
[configuration templates](/docs/templates/configuration-templates.html) for more info) [configuration templates](/docs/templates/configuration-templates.html) for more info)
* `secret_key` (string) - The secret key used to communicate with AWS. * `secret_key` (string) - The secret key used to communicate with AWS.
If not specified, Packer will use the secret from any [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file Lookup behavior is as above for `access_key` except the variables are `AWS_SECRET_ACCESS_KEY` or `AWS_SECRET_KEY`.
or fall back to environment variables `AWS_SECRET_ACCESS_KEY` or `AWS_SECRET_KEY` (in that order), if set.
If the environmental variables aren't set and Packer is running on
an EC2 instance, Packer will check the instance metadata for IAM role
keys.
* `source_ami` (string) - The source AMI whose root volume will be copied * `source_ami` (string) - The source AMI whose root volume will be copied
and provisioned on the currently running instance. This must be an and provisioned on the currently running instance. This must be an
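Review bot: In the `secret_key` entry, "Lookup behavior is as above for `access_key`" documents the two fields as separate lookups and leaves open what happens when only one of them is set in the template. Please state whether the key and secret are always taken from the same source, or tell users to set both or neither, so nobody assumes a template `access_key` can be paired with a secret found elsewhere.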

@ -38,8 +38,9 @@ can be configured for this builder.
### Required: ### Required:
* `access_key` (string) - The access key used to communicate with AWS. * `access_key` (string) - The access key used to communicate with AWS.
If not specified, Packer will use the key from any [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file If not specified, Packer will search the standard [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file using environment variable `AWS_PROFILE` as the profile name, will use the `[default]` entry,
or fall back to environment variables `AWS_ACCESS_KEY_ID` or `AWS_ACCESS_KEY` (in that order), if set. or will fall back to environment variables `AWS_ACCESS_KEY_ID` or `AWS_ACCESS_KEY`.
Finally, if Packer is running on an EC2 instance it will check the instance metadata for IAM role keys.
* `ami_name` (string) - The name of the resulting AMI that will appear * `ami_name` (string) - The name of the resulting AMI that will appear
when managing AMIs in the AWS console or via APIs. This must be unique. when managing AMIs in the AWS console or via APIs. This must be unique.
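Review bot: The added line "Finally, if Packer is running on an EC2 instance it will check the instance metadata for IAM role keys." is new for this builder; the text it replaces here named only the credentials file and the environment variables. The commit subject covers the credentials file and `AWS_PROFILE` only, so please confirm the instance metadata fallback applies to this builder and mention it in the commit message.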
@ -53,8 +54,7 @@ can be configured for this builder.
to launch the EC2 instance to create the AMI. to launch the EC2 instance to create the AMI.
* `secret_key` (string) - The secret key used to communicate with AWS. * `secret_key` (string) - The secret key used to communicate with AWS.
If not specified, Packer will use the secret from any [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file Lookup behavior is as above for `access_key` except the variables are `AWS_SECRET_ACCESS_KEY` or `AWS_SECRET_KEY`
or fall back to environment variables `AWS_SECRET_ACCESS_KEY` or `AWS_SECRET_KEY` (in that order), if set.
* `source_ami` (string) - The initial AMI used as a base for the newly * `source_ami` (string) - The initial AMI used as a base for the newly
created machine. created machine.
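Review bot: The replacement `secret_key` line drops "(in that order), if set" from the removed text, so the precedence between `AWS_SECRET_ACCESS_KEY` and `AWS_SECRET_KEY` is no longer documented. If the order still holds, keep the phrase. The new sentence also ends without a full stop, unlike the same sentence in the first file of this commit.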

@ -43,8 +43,9 @@ can be configured for this builder.
### Required: ### Required:
* `access_key` (string) - The access key used to communicate with AWS. * `access_key` (string) - The access key used to communicate with AWS.
If not specified, Packer will use the key from any [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file If not specified, Packer will search the standard [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file using environment variable `AWS_PROFILE` as the profile name, will use the `[default]` entry,
or fall back to environment variables `AWS_ACCESS_KEY_ID` or `AWS_ACCESS_KEY` (in that order), if set. or will fall back to environment variables `AWS_ACCESS_KEY_ID` or `AWS_ACCESS_KEY`.
Finally, if Packer is running on an EC2 instance it will check the instance metadata for IAM role keys.
* `account_id` (string) - Your AWS account ID. This is required for bundling * `account_id` (string) - Your AWS account ID. This is required for bundling
the AMI. This is _not the same_ as the access key. You can find your the AMI. This is _not the same_ as the access key. You can find your
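Review bot: This `access_key` paragraph is the third copy of the same lookup description in this commit, word for word. Three copies will drift the next time the lookup order changes; consider describing the credential lookup once and having each builder's `access_key` and `secret_key` entries link to that description.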
@ -65,8 +66,8 @@ can be configured for this builder.
This bucket will be created if it doesn't exist. This bucket will be created if it doesn't exist.
* `secret_key` (string) - The secret key used to communicate with AWS. * `secret_key` (string) - The secret key used to communicate with AWS.
If not specified, Packer will use the secret from any [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file Lookup behavior is as above for `access_key` except the variables are `AWS_SECRET_ACCESS_KEY` or `AWS_SECRET_KEY`
or fall back to environment variables `AWS_SECRET_ACCESS_KEY` or `AWS_SECRET_KEY` (in that order), if set.
* `source_ami` (string) - The initial AMI used as a base for the newly * `source_ami` (string) - The initial AMI used as a base for the newly
created machine. created machine.

@ -33,8 +33,8 @@ much easier to use and Amazon generally recommends EBS-backed images nowadays.
## Using an IAM Instance Profile ## Using an IAM Instance Profile
If AWS keys are not specified in the template, a [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file or through environment variables If AWS keys are not specified in the template, Packer will consult the [credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files) file, try the standard AWS environment variables, and then
Packer will use credentials provided by the instance's IAM profile, if it has one. any IAM role credentials defined by the instance's metadata.
The following policy document provides the minimal set permissions necessary for Packer to work: The following policy document provides the minimal set permissions necessary for Packer to work:
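Review bot: The rewritten sentence under "Using an IAM Instance Profile" puts the credentials file and the environment variables ahead of the instance role but never mentions `AWS_PROFILE`, which the builder pages in this commit now document. Since this section is where readers go when they intend to use the instance role, say plainly that a credentials file or AWS environment variables present on the instance take precedence over the role. The context line "minimal set permissions" is also missing "of" and could be fixed while this paragraph is being touched.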