Get set up to build images with EC2 Image Builder - EC2 Image Builder
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Get set up to build images with EC2 Image Builder

This chapter helps you set up your environment to create an automated image pipeline or container pipeline for the first time, with the EC2 Image Builder Create image pipeline console wizard.

Before you build images with Image Builder

Verify the following prerequisites to create an image pipeline with EC2 Image Builder. Unless specifically stated otherwise, prerequisites are required for all types of pipelines.

EC2 Image Builder service-linked role

EC2 Image Builder uses a service-linked role to grant permissions to other Amazon services on your behalf. You don't need to manually create a service-linked role. When you create your first Image Builder resource in the Amazon Management Console, the Amazon CLI, or the Amazon API, Image Builder creates the service-linked role for you. For more information about the service-linked role that Image Builder creates in your account, see Use IAM service-linked roles for EC2 Image Builder.

Configuration requirements

  • Image Builder supports Amazon PrivateLink. For more information about configuring VPC endpoints for Image Builder, see EC2 Image Builder and Amazon PrivateLink interface VPC endpoints.

  • The instances that Image Builder uses to build container images must have internet access to download the Amazon CLI from Amazon S3, and to download a base image from the Docker Hub repository, if applicable. Image Builder uses the Amazon CLI to get the Dockerfile from the container recipe, where it is stored as data.

  • The instances that Image Builder uses to build images and run tests must have access to the Systems Manager service. Installation requirements depend on your operating system.

    To see the installation requirements for your base image, choose the tab that matches your base image operating system.

    Linux

    For Amazon EC2 Linux instances, Image Builder installs the Systems Manager Agent on the build instance if it is not already present, and removes it before creating the image.

    Windows

    Image Builder does not install the Systems Manager Agent on Amazon EC2 Windows Server build instances. If your base image did not come preinstalled with the Systems Manager Agent, you must launch an instance from your source image, manually install Systems Manager on the instance, and create a new base image from your instance.

    To manually install the Systems Manager agent on your Amazon EC2 Windows Server instance, see Manually install Systems Manager Agent on EC2 instances for Windows Server in the Amazon Systems Manager User Guide.

Container repository (container image pipelines)

For container image pipelines, the recipe defines the configuration for the Docker images that are produced and stored in the target container repository. You must create the target repository before you create the container recipe for your Docker image.

Image Builder uses Amazon ECR as its target repository for container images. To create an Amazon ECR repository, follow the steps described in Creating a repository in the Amazon Elastic Container Registry User Guide.

Amazon Identity and Access Management (IAM)

The IAM role that you associate with your instance profile must have permissions to run the build and test components included in your image. The following IAM managed policies must be attached to the IAM role that is associated with the instance profile:

  • EC2InstanceProfileForImageBuilder

  • EC2InstanceProfileForImageBuilderECRContainerBuilds

  • AmazonSSMManagedInstanceCore

If you configure logging, the instance profile specified in your infrastructure configuration must have s3:PutObject permissions for the target bucket (arn:aws:s3:::bucket-name/*). Scope the resource to that bucket's objects rather than granting s3:PutObject on all buckets. For example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::bucket-name/*"
        }
    ]
}

Attach policy

The following steps guide you through the process of attaching the IAM policies to an IAM role to grant the preceding permissions.

  1. Sign in to the Amazon Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the left navigation pane, choose Policies.

  3. Filter the list of policies with EC2InstanceProfileForImageBuilder.

  4. Select the bullet next to the policy, and from the Policy actions dropdown list, select Attach.

  5. Select the name of the IAM role to which to attach the policy.

  6. Choose Attach policy.

  7. Repeat steps 3-6 for the EC2InstanceProfileForImageBuilderECRContainerBuilds and AmazonSSMManagedInstanceCore policies.

Note

If you want to copy an image created with Image Builder to another account, you must create the EC2ImageBuilderDistributionCrossAccountRole role in each target account and attach the Ec2ImageBuilderCrossAccountDistributionAccess managed policy to that role. For more information, see Share EC2 Image Builder resources.
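The IAM requirements above (the three managed policies on the instance-profile role, an s3:PutObject grant scoped to the logging bucket, and the cross-account distribution role in the preceding note) are easy to get wrong in the direction of too much access. The following is an added example, not code from the Image Builder documentation: it builds the two policy documents from a bucket name and a source account ID, and checks a role the way a practitioner would after pulling it with aws iam get-role, list-attached-role-policies and get-role-policy. The sample role at the bottom is constructed for the example; the cross-account trust policy (trusting the source account root) and the China-partition ARN prefix are assumptions not stated on this page.

```python
"""Offline checks for the IAM pieces an Image Builder instance profile needs.
Added example; inputs are dicts shaped like AWS CLI / boto3 IAM output."""
import json

# Managed policies the page says the instance-profile role needs.
REQUIRED_MANAGED = {"EC2InstanceProfileForImageBuilder", "AmazonSSMManagedInstanceCore"}
CONTAINER_MANAGED = "EC2InstanceProfileForImageBuilderECRContainerBuilds"
CROSS_ACCOUNT_MANAGED = "Ec2ImageBuilderCrossAccountDistributionAccess"


def logging_policy(bucket, partition="aws"):
    """s3:PutObject limited to one bucket's objects. partition is 'aws-cn' in the China Regions."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["s3:PutObject"],
        "Resource": f"arn:{partition}:s3:::{bucket}/*"}]}


def cross_account_trust_policy(source_account, partition="aws"):
    """Trust policy for EC2ImageBuilderDistributionCrossAccountRole in a target account.
    Assumption (not on this page): the role is assumed from the source account, so trust its root."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": f"arn:{partition}:iam::{source_account}:root"}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _statements(doc):
    return _as_list(doc.get("Statement", []))


def check_instance_profile_role(role, attached, inline, log_bucket=None, container=False):
    """Return a list of findings; an empty list means the role meets the page's requirements.
    role: get-role output (needs AssumeRolePolicyDocument); attached: managed policy names;
    inline: list of inline policy documents."""
    findings = []
    # 1. EC2 must be able to assume the role, or the instance profile is useless.
    trusted = set()
    for st in _statements(role["AssumeRolePolicyDocument"]):
        principal = st.get("Principal", {})
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action", [])) \
                and isinstance(principal, dict):
            trusted.update(_as_list(principal.get("Service", [])))
    if not trusted & {"ec2.amazonaws.com", "ec2.amazonaws.com.cn"}:
        findings.append("trust policy does not allow the EC2 service to assume the role")
    # 2. Required managed policies; the ECR one only matters for container pipelines.
    needed = REQUIRED_MANAGED | ({CONTAINER_MANAGED} if container else set())
    for name in sorted(needed - set(attached)):
        findings.append(f"missing managed policy {name}")
    # 3. Logging: PutObject on exactly the log bucket's objects, not every bucket.
    if log_bucket:
        scoped = False
        for doc in inline:
            for st in _statements(doc):
                if st.get("Effect") != "Allow":
                    continue
                if not ({"s3:PutObject", "s3:*"} & set(_as_list(st.get("Action", [])))):
                    continue
                for res in _as_list(st.get("Resource", [])):
                    if res == "*" or res.endswith(":s3:::*"):
                        scoped = True  # it works, but is over-broad: report it
                        findings.append(f"s3:PutObject granted on {res!r}; "
                                        f"scope it to arn:...:s3:::{log_bucket}/*")
                    elif res.endswith(f":s3:::{log_bucket}/*"):
                        scoped = True
        if not scoped:
            findings.append(f"no s3:PutObject permission scoped to bucket {log_bucket}")
    return findings


# Constructed sample role, shaped like `aws iam get-role` output.
SAMPLE_ROLE = {"RoleName": "ImageBuilderInstanceRole", "AssumeRolePolicyDocument": {
    "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                            "Principal": {"Service": "ec2.amazonaws.com"}}]}}
SAMPLE_ATTACHED = ["EC2InstanceProfileForImageBuilder", "AmazonSSMManagedInstanceCore"]
# Constructed inline policy with the common mistake: PutObject on every bucket.
SAMPLE_INLINE_BROAD = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "*"}]}]

if __name__ == "__main__":
    print(json.dumps(logging_policy("my-imagebuilder-logs"), indent=2))
    for finding in check_instance_profile_role(SAMPLE_ROLE, SAMPLE_ATTACHED, SAMPLE_INLINE_BROAD,
                                               log_bucket="my-imagebuilder-logs", container=True):
        print("FINDING:", finding)
```

Run against the constructed sample, the checker reports the missing EC2InstanceProfileForImageBuilderECRContainerBuilds policy and the wildcard S3 grant; replacing the inline policy with logging_policy("my-imagebuilder-logs") and dropping container=True yields no findings. In the China Regions, pass partition="aws-cn" so the generated ARNs match the account's partition.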

Amazon Systems Manager Agent (Systems Manager Agent)

EC2 Image Builder runs Amazon Systems Manager (Systems Manager) Agent on the EC2 instances it launches to build and test your image. Image Builder collects additional information about the instance used during the build phase with Systems Manager Inventory. This information includes the operating system (OS) name and version, as well as the list of packages and their respective versions as reported by your operating system.

To opt out of collecting this information, select the method that matches your preferred environment:

  • Image Builder console – Deselect the Enable enhanced metadata collection check box.

  • Amazon CLI – Specify the --no-enhanced-image-metadata-enabled option.

  • Image Builder API or SDKs – Set the enhancedImageMetadataEnabled parameter to false.

Image Builder uses Systems Manager Run Command to send actions to your build and test instances as part of the image build and test workflow. You can't opt out of the use of Run Command for this purpose; the build and test instances therefore always require a working Systems Manager Agent and access to the Systems Manager service.

Access EC2 Image Builder

You can manage EC2 Image Builder from one of the following interfaces.