Use a base image parameter in your recipe

When you create a recipe for image customizations, there are several ways to identify the base image that you start with. If you specify the Amazon Machine Image (AMI) ID for your base image and that base image is updated, its AMI ID might change and you would need to update your recipe to match.

Instead of changing your recipe each time the base image ID changes, you can define an Amazon Systems Manager Parameter Store parameter (SSM parameter) to store the value of your base image AMI ID, and then use the parameter to specify the base image in your recipe. For Amazon managed AMIs, you can use a public parameter for the latest version.

This tutorial walks you through the process of creating an AMI ID parameter and using it in an image recipe. Image Builder steps in this tutorial are console-based.

Step 1: Find or create a Parameter Store parameter

The process for this step depends on the type of AMI that you specify for your base image. For Amazon managed AMIs, you can use a public parameter that refers to the current version. Some parameters might not be available in all Amazon Web Services Regions.

To begin, follow the instructions that correspond to your AMI type.

Amazon managed AMI

If your base image is an Amazon managed AMI, you can use public parameters to specify the AMI ID, rather than creating your own parameter. To find the public parameter for your AMI, see Discovering public parameters in the Amazon Systems Manager User Guide.

Custom AMI

To create an AMI ID parameter, follow the instructions for Creating Parameter Store parameters in Systems Manager with the console, Amazon CLI, or PowerShell. Provide the following values to ensure that the parameter value is an AMI ID.

Parameter tier: Standard

Type: String

Data type: Select aws:ec2:image. When you specify this type, the system validates the value that's entered to ensure that it's an AMI ID.

Value: Enter a valid AMI ID (for example, ami-1234567890abcdef1).

Step 2: Configure IAM permissions

To use a Systems Manager Parameter Store parameter (SSM parameter), whether public or private, you must specify the following Systems Manager Parameter Store actions in your Image Builder execution role, with the parameter listed as a resource.

  • ssm:GetParameter – This action allows you to use an SSM parameter to specify the base image in your recipe.

  • ssm:PutParameter – This action allows you to store the output AMI ID in an SSM parameter during distribution. The policy definition for this action looks the same, but the example policy in this tutorial does not include the put action.

To use SSM parameters in a custom component, you must specify ssm:GetParameter in the instance profile role instead. For more information, see Use Systems Manager Parameter Store parameters.

When you create a pipeline or use the create-image command in the Amazon CLI, you can only specify one Image Builder execution role. If you have defined an Image Builder workflow execution role, you would add the parameter permissions to that role. Otherwise, you would create a new custom role that includes permissions that are required for SSM parameters.

  1. Create a custom role (optional)

    If you already have a custom role defined for Image Builder permissions, you can skip this step.

    Follow the process for Creating a role to delegate permissions to an Amazon service in the Amazon Identity and Access Management User Guide.

  2. Add permissions to your custom role

    To add the SSM parameter permissions to your custom role, follow the Update the permissions policy for a role process in the Amazon Identity and Access Management User Guide.

    The following policy example shows the ssm:GetParameter action with a parameter that's created in your account.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ssm:GetParameter",
          "Resource": "arn:aws:ssm:*:111122223333:parameter/ImageBuilder-*"
        }
      ]
    }

For more information about public parameter resources, see Calling AMI public parameters in the Amazon Systems Manager User Guide.

Step 3: Create an Image Recipe that uses the parameter

  1. Open the EC2 Image Builder console at https://console.amazonaws.cn/imagebuilder/.

  2. Choose Image recipes, then choose Create image recipe from the list page.

  3. Fill out the Base image section, as follows:

    1. Choose the Use custom AMI option. This displays additional fields where you can enter the AMI ID or an SSM parameter that contains the AMI ID.

    2. Choose the SSM parameter option.

    3. In the SSM parameter field, enter the parameter name or Amazon Resource Name (ARN) of the parameter that you created in Step 1. If you enter the name in the console, enter it without the ssm: prefix.

  4. Complete the remaining recipe configuration as needed.

Note

If you set the parent image through other interfaces, such as the Amazon CLI, the parameter name must have a prefix of ssm: (for example, ssm:/ImageBuilder-Tutorial/BaseAMI).
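
The following pre-flight check is an added example, not part of the original tutorial or of Image Builder itself. It maps an ssm:-prefixed parent image value to its parameter ARN and tests whether the Step 2 example policy grants ssm:GetParameter on it, flagging over-broad resources. The region is a constructed sample value, the function names are hypothetical, and the evaluation is simplified (Allow statements only; no Deny, NotAction, or Condition handling).

```python
import json
import re

# The tutorial's Step 2 example policy, embedded so the check runs offline.
POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow", "Action": "ssm:GetParameter",
    "Resource": "arn:aws:ssm:*:111122223333:parameter/ImageBuilder-*" } ] }
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, text, ignore_case=False):
    # IAM wildcards: * matches any run of characters, ? matches exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, text, re.I if ignore_case else 0) is not None

def parameter_arn(parent_image, region, account, partition="aws"):
    """Map a CLI-style parent image value ("ssm:<name>") to the parameter ARN."""
    if parent_image.startswith("arn:"):
        return parent_image
    if not parent_image.startswith("ssm:"):
        raise ValueError("expected an ssm:-prefixed parameter name or an ARN")
    name = parent_image[len("ssm:"):]
    # A leading "/" in a hierarchical name is not doubled in the ARN.
    return f"arn:{partition}:ssm:{region}:{account}:parameter/{name.lstrip('/')}"

def check(policy, arn, action="ssm:GetParameter"):
    """Return (allowed, warnings) for one action on one parameter ARN."""
    allowed, warnings = False, []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        # Action names are matched case-insensitively; resources are not.
        if not any(_wild(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*" or res.endswith(":parameter/*"):
                warnings.append(f"over-broad resource: {res}")
            allowed = allowed or _wild(res, arn)
    return allowed, warnings
```

A parameter whose name falls outside the ImageBuilder-* pattern is reported as not allowed, which is the expected result for a least-privilege execution role.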